diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index 14ba9d9..91c4fe1 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -49,6 +49,12 @@
 security.acme = {
 defaults.email = "tm@tlater.net";
 acceptTerms = true;
+
+ certs."tlater.net" = {
+ extraDomainNames = ["*.tlater.net"];
+ dnsProvider = "hetzner";
+ group = "nginx";
+ };
 };
 services.backups.acme = {
diff --git a/configuration/services/afvalcalendar.nix b/configuration/services/afvalcalendar.nix
index 0219e88..e27ba62 100644
--- a/configuration/services/afvalcalendar.nix
+++ b/configuration/services/afvalcalendar.nix
@@ -44,7 +44,7 @@
 services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 root = "/srv/afvalcalendar";
diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix
index 3fcadeb..2462d9b 100644
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@@ -178,7 +178,7 @@ in {
 };
 services.nginx.virtualHosts."${domain}" = {
- enableACME = true;
+ useACMEHost = "tlater.net";
 listen = [
 {
diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix
index 51b0212..ac206fc 100644
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@@ -24,7 +24,7 @@ in {
 inherit (config.services.foundryvtt) port;
 in {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 locations."/" = {
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index ffd21dc..26fe2f8 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -41,7 +41,7 @@ in {
 httpPort = config.services.forgejo.settings.server.HTTP_PORT;
 in {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
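Review bot: The new `certs."tlater.net"` block selects `dnsProvider = "hetzner"`, but the hunk does not show where the DNS API token comes from. Unless `security.acme.defaults` supplies it outside this hunk, the cert needs something like `environmentFile = "/run/secrets/<dns-token-placeholder>";` (`credentialsFile` on older NixOS releases), pointing at a runtime secret and not a store path. That token can rewrite records in the zone, so scope it as narrowly as the provider allows. The wildcard key is now one secret, readable by group `nginx` and valid for every name under the domain, and `services.backups.acme` just below presumably carries it into backups, so confirm those are encrypted. `group = config.services.nginx.group;` would also avoid the hard-coded group name.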
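Review bot: `useACMEHost = "tlater.net";` hard-codes the certificate name, while the vhost name two lines above is built from `config.services.nginx.domain`. If that option is ever set to a different value, this vhost would be served with a certificate that does not cover its name. The same literal is repeated in the conduit, foundryvtt, gitea, grafana, nextcloud and webserver hunks. Consider `useACMEHost = config.services.nginx.domain;` with the cert declared under the same expression, assuming the option holds the apex domain, which is not visible here.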
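Review bot: A wildcard matches exactly one label, and `${domain}` on the `virtualHosts` line of the conduit hunk is defined outside the hunk, so it is not visible whether this vhost is a direct child of `tlater.net`. With `enableACME` each vhost got a certificate for its own name whatever it was, whereas a deeper name such as `a.b.tlater.net` would now fail hostname verification in clients. The same question applies to `${domain}` in the grafana hunk and `${hostName}` in the nextcloud hunk. A comment next to the cert definition would record the constraint: `# wildcard covers single-label subdomains only; list deeper names in extraDomainNames`.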
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index 75b9777..eb5106e 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@@ -38,7 +38,7 @@ in {
 services.nginx.virtualHosts."${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
 };
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 73e075e..bd36041 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -45,7 +45,7 @@ in {
 # Set up SSL
 services.nginx.virtualHosts."${hostName}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 # The upstream module already adds HSTS
 };
diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix
index defcae1..387df57 100644
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@@ -16,7 +16,7 @@ in {
 serverAliases = ["www.${domain}"];
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 locations."/".proxyPass = "http://${addr}:${toString port}";