diff --git a/configuration.nix b/configuration.nix
index da29410..2bd6e64 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -209,6 +209,11 @@ with pkgs;
 owner = "matrix-as-signal";
 group = "matrix-as-signal";
 };
+ secrets.acme = {
+ file = secrets/acme.age;
+ owner = "acme";
+ group = "nginx";
+ };
 identityPaths = [ "/etc/ssh/id_ed25519" ];
 };
diff --git a/modules/webstack.nix b/modules/webstack.nix
index 5463d46..e60c673 100644
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@@ -175,14 +175,13 @@
 acceptTerms = true;
 defaults = {
 email = "akasroua@disroot.org";
- dnsResolver = "127.0.0.1:53";
 group = "nginx";
- webroot = "/var/lib/acme/acme-challenge";
- ocspMustStaple = true;
 };
- certs."coolneng.duckdns.org".extraDomainNames = lib.attrsets.mapAttrsToList (
- name: value: "${name}"
- ) config.services.nginx.virtualHosts;
+ certs."coolneng.duckdns.org" = {
+ domain = "*.coolneng.duckdns.org";
+ dnsProvider = "duckdns";
+ environmentFile = config.age.secrets.acme.path;
+ };
 };
 # Generate dhparams
diff --git a/secrets/acme.age b/secrets/acme.age
new file mode 100644
index 0000000..7eb7f09
Binary files /dev/null and b/secrets/acme.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 220ef45..f50ee03 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -16,4 +16,5 @@ in
 "mqtt-receiver.age".publicKeys = [ zion ];
 "facebook.age".publicKeys = [ zion ];
 "signal.age".publicKeys = [ zion ];
+ "acme.age".publicKeys = [ zion ];
 }
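Review bot: `group = "nginx";` on the new `secrets.acme` entry hands the web server's group ownership of a file that only the ACME client consumes — it is the DuckDNS API token passed via `environmentFile` in the webstack hunk, not certificate material nginx has to read. With agenix's default `mode` of 0400 the group has no read access today, so the setting is dormant, but it names the wrong consumer and turns into a token exposure to nginx the moment someone widens `mode` the way it is usually widened for cert files. Suggest `group = "acme";` (or dropping the line for the default) so the token remains readable by the acme user alone. The enclosing `age` attribute set begins before this hunk.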
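Review bot: The new cert block sets `domain = "*.coolneng.duckdns.org";`, and a wildcard does not match the apex `coolneng.duckdns.org`; the removed `extraDomainNames` expression previously covered every nginx virtualHost name, so if any vhost serves the bare domain (not visible here) it now gets a certificate whose SANs do not cover it. If the apex is served, add `extraDomainNames = [ "coolneng.duckdns.org" ];` inside the `certs."coolneng.duckdns.org"` block. Dropping `ocspMustStaple = true;` from `defaults` is also a TLS-posture change the diff does not document; with Let's Encrypt winding down OCSP the removal looks sound, but it deserves a sentence in the commit message so it is not mistaken for an accidental loss. The enclosing attribute set (presumably `security.acme`) begins before this hunk and its closing brace is the last context line.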