diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index 14ba9d9..82baab0 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -49,6 +49,13 @@ security.acme = {
 defaults.email = "tm@tlater.net";
 acceptTerms = true;
+
+ certs."tlater.net" = {
+ extraDomainNames = ["*.tlater.net"];
+ dnsProvider = "hetzner";
+ group = "nginx";
+ credentialFiles."HETZNER_API_KEY_FILE" = config.sops.secrets."hetzner-api".path;
+ };
 };
 services.backups.acme = {
diff --git a/configuration/services/afvalcalendar.nix b/configuration/services/afvalcalendar.nix
index 0219e88..e27ba62 100644
--- a/configuration/services/afvalcalendar.nix
+++ b/configuration/services/afvalcalendar.nix
@@ -44,7 +44,7 @@ services.nginx.virtualHosts."afvalcalendar.${config.services.nginx.domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 root = "/srv/afvalcalendar";
diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix
index 3fcadeb..2462d9b 100644
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@@ -178,7 +178,7 @@ in {
 };
 services.nginx.virtualHosts."${domain}" = {
- enableACME = true;
+ useACMEHost = "tlater.net";
 listen = [
 {
diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix
index 51b0212..ac206fc 100644
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@@ -24,7 +24,7 @@ in {
 inherit (config.services.foundryvtt) port;
 in {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 locations."/" = {
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index ffd21dc..26fe2f8 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
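Review bot: The Hetzner DNS API token wired in through `credentialFiles."HETZNER_API_KEY_FILE"` now authorizes DNS-01 issuance for every name under the zone, so both that token (readable by the `acme` user) and the resulting wildcard private key in the `tlater.net` cert directory become single points whose exposure affects all vhosts at once; whatever `services.backups.acme` captures inherits that value. Limiting the blast radius is a DNS-side measure rather than a Nix one: publish CAA `issue`/`issuewild` records pinning the CA (with `validationmethods=dns-01` where the CA honours RFC 8657 parameters), and consider delegating `_acme-challenge.tlater.net` to a dedicated zone so the token only needs rights there. A short comment above the new block would help the next reader, e.g. `# One wildcard cert shared by all nginx vhosts via useACMEHost; DNS-01 through Hetzner, token is zone-wide (see CAA records)`. The `security.acme` set continues outside the hunk.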
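Review bot: `useACMEHost = "tlater.net"` makes this vhost rely on the wildcard cert covering exactly one label under `tlater.net`, and unlike `enableACME` nothing at evaluation or issuance time checks that `afvalcalendar.${config.services.nginx.domain}` is such a name, so a mismatch now surfaces only as a TLS error at runtime. The same applies to the conduit, foundryvtt, gitea, grafana, nextcloud and webserver hunks, whose host names come from `domain`/`hostName` bindings defined outside the hunks; the `www.${domain}` alias in webserver.nix is covered only if `domain` is the apex. A build-time `assertions` entry checking that each vhost name is the apex or a single label followed by `.tlater.net` would catch this before deploy. The enclosing `virtualHosts` attribute set continues outside the hunk.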
@@ -41,7 +41,7 @@ in {
 httpPort = config.services.forgejo.settings.server.HTTP_PORT;
 in {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";
diff --git a/configuration/services/metrics/grafana.nix b/configuration/services/metrics/grafana.nix
index 75b9777..eb5106e 100644
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@@ -38,7 +38,7 @@ in {
 services.nginx.virtualHosts."${domain}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
 };
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 73e075e..bd36041 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -45,7 +45,7 @@ in {
 # Set up SSL
 services.nginx.virtualHosts."${hostName}" = {
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 # The upstream module already adds HSTS
 };
diff --git a/configuration/services/webserver.nix b/configuration/services/webserver.nix
index defcae1..387df57 100644
--- a/configuration/services/webserver.nix
+++ b/configuration/services/webserver.nix
@@ -16,7 +16,7 @@ in {
 serverAliases = ["www.${domain}"];
 forceSSL = true;
- enableACME = true;
+ useACMEHost = "tlater.net";
 enableHSTS = true;
 locations."/".proxyPass = "http://${addr}:${toString port}";
diff --git a/configuration/sops.nix b/configuration/sops.nix
index 53044fc..0746133 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -34,6 +34,10 @@
 "heisenbridge/as-token" = {};
 "heisenbridge/hs-token" = {};
+ "hetzner-api" = {
+ owner = "acme";
+ };
+ # Nextcloud "nextcloud/tlater" = {
 owner = "nextcloud";
diff --git a/keys/production.yaml b/keys/production.yaml
index 7ed57b3..da90860 100644
--- a/keys/production.yaml
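Review bot: The new `"hetzner-api"` secret in sops.nix carries no section comment, unlike the `# Nextcloud` heading used for the entry that follows it, so a reader cannot tell from this file why a secret is owned by `acme` or what breaks when it is rotated. A line such as `# ACME: Hetzner DNS API token consumed by lego for DNS-01 (security.acme.certs."tlater.net")` above the entry would close that gap. It is also worth stating there that a rotation means re-encrypting both keys/production.yaml and keys/staging.yaml, since this commit adds a value under that key to both.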
+++ b/keys/production.yaml
@@ -1,3 +1,4 @@
+hetzner-api: ENC[AES256_GCM,data:OsUfo86AzcBe/OELkfB5brEfsZ4gkbeehxwIVUBwQgE=,iv:Bt/cjlZ6oZEVUOQjWMDL7/mfL3HWLFAw1tEGeLMgeKg=,tag:TMU2XiHlMgP4aes10mIQYQ==,type:str]
 battery-manager:
 email: ENC[AES256_GCM,data:rYLUACXR/n+bLBmZ,iv:sUBEkh2+7qGjHZ5R23e/hoCiyTA7GTL4bJvXmxjZ5Sw=,tag:fdPMllaQQfRgX0WZKIre4g==,type:str]
 password: ENC[AES256_GCM,data:7cokZa6Q6ahSeiFPz+cV,iv:vz405P0IcG9FsAQXlY7mi78GuushQUKJm2irG6buGzc=,tag:JLHG2jTkJDGbinAq9dXRsQ==,type:str]
@@ -31,8 +32,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-04-06T15:32:49Z"
- mac: ENC[AES256_GCM,data:ShqLJf9b20LdmjK6MMPtI3KicE+fPc0ejzVGEIdgbNs7ueDwdt7jqgpDrpiyf+vW86tr3I1E1VTlh127XlSH/RZDRRHehpX0tnBiF0zMscmt1vdinY4cPhTwhLJ1fdpVpY8ihdOqv0UFyC39HP78aWESX5S/dJZQ6vS7K5VGKTY=,iv:TYE9f9iyrUQxmMeKXApEYsSPcMWK8vndyBm7HtJyJPo=,tag:vSlobwA1R0Go7BYgNVpMkw==,type:str]
+ lastmodified: "2024-04-15T23:13:18Z"
+ mac: ENC[AES256_GCM,data:3/v+WgSWJ+VcBSBe1Wkis3z+tMmSjbKzLFqBB8xugc6DvgQG8J+1HRrPucLnpNNtEdmpyoTa72U6fPm6JnyUsuj5pLEghLprOJkqQNdRI06fllhw+9d3e3twx6D4oIIsVH6/io4ElXrGsGQTsfNbYhgn+987wa3WP5N25fBac3U=,iv:FL3tzPutOMN6IPkQfXIu/JOZT+OzUSqpMSQrUeXZQHE=,tag:jL1BTsYTA9XjrsjFszxZhA==,type:str]
 pgp:
 - created_at: "2024-03-18T04:02:00Z"
 enc: |-
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 029e6ac..17e7875 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -1,3 +1,4 @@
+hetzner-api: ENC[AES256_GCM,data:1Zjp003j60g=,iv:+vDcyiqYm4A9CMIrW4oGZKdZiczatBcvfL4qYYhKwCg=,tag:Xeu8JuRm+b+5RO+wFR2M8w==,type:str]
 battery-manager:
 email: ENC[AES256_GCM,data:LM/EGzWHfVQ=,iv:jFaoUQuUfuGoOyj/GFpdI8TerH/c8D9fjvio+IEt2Tc=,tag:IWLiN011JEnHRLIXWQgfmA==,type:str]
 password: ENC[AES256_GCM,data:SUxjqS7SJHM=,iv:LvdKk88S+nSImh6/ZezbFGLCUBu1Lpdu+neF2xyHdBg=,tag:rcMyZuW4FVNbcbz00wQKBg==,type:str]
@@ -31,8 +32,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-04-06T15:33:40Z"
- mac: ENC[AES256_GCM,data:qB9uDDM5K6+BmeAKyTJ0Sel6Um0Fc9IhdV3wAn13WxpwDtxmMsdqnwaewI/KepsRG3k76x9vkYL+oKkUysqq1r1FkocUDg4DnKnf1KtKo2Zm9MPcVRG833m6oDoTeGnmgrAMTDKy1tUdGkXW40IfbMakbSjSIfLbrymtoHeVbaE=,iv:8P8M4Ueo3Idlgo+Yqj6JUtFfWX949fz6HfRHEOy1/Vg=,tag:ou+IGZSQSfX6gNoxbpAipg==,type:str]
+ lastmodified: "2024-04-15T23:13:27Z"
+ mac: ENC[AES256_GCM,data:JhEVrKF2Jsqpdztcr3g5lMrgEFeLXfBRQTwQJ6PmLSNyDORcTU09TJPNWTPDnR5okDrvIU/wlzi5DZ8A0ebNhrKf6l0tNFBT9LSvQFHU5SBxqY/m8uEJKSrEC4IL5lugOOISDka2KSvYXVCXrumMHE5FnmOS/CgOZaZk6LUjPYA=,iv:ygygnSedcTo2Vsc56s2qrz1qkWchvSgvoiMTebRxQQ8=,tag:vf6z8rxsXmqzwpDy9Avifw==,type:str]
 pgp:
 - created_at: "2023-12-29T15:25:27Z"
 enc: |