diff --git a/hosts/architect/options.nix b/hosts/architect/options.nix
index 88b0598..f3091ae 100644
--- a/hosts/architect/options.nix
+++ b/hosts/architect/options.nix
@@ -129,7 +129,7 @@ with lib;
 services.nginx.virtualHosts = mapAttrs (domain: conf: {
 forceSSL = true;
- enableACME = true;
+ useACMEHost= "giugl.io";
 locations = mapAttrs (path: location: {
 proxyPass = "http://${location.host}:${toString location.port}${location.path}";
diff --git a/roles/acme.nix b/roles/acme.nix
index bd22485..c072c02 100644
--- a/roles/acme.nix
+++ b/roles/acme.nix
@@ -1,10 +1,25 @@
-{ options, lib, config, ... }:
+{ config, ... }:
+let
+ giuglioDomain = "giugl.io";
+in
 {
- config.security.acme = {
+ age.secrets.ovh = {
+ file = ../secrets/ovh.age;
+ owner = "acme";
+ };
+ security.acme = {
 acceptTerms = true;
+ certs.${giuglioDomain} =
+ {
+ dnsProvider = "ovh";
+ environmentFile = config.age.secrets.ovh.path;
+ extraDomainNames = [ "*.${giuglioDomain}" ];
+ };
 defaults = {
 email = "letsencrypt@depasquale.giugl.io";
+ dnsProvider = "ovh";
+ environmentFile = config.age.secrets.ovh.path;
 };
 };
 }
diff --git a/secrets/ovh.age b/secrets/ovh.age
new file mode 100644
index 0000000..5a60fe0
--- /dev/null
+++ b/secrets/ovh.age
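Review bot: `useACMEHost= "giugl.io";` is applied to every entry of the `mapAttrs (domain: conf: …)` set, but the certificate defined in roles/acme.nix covers only `giugl.io` and `*.giugl.io`, and a wildcard matches a single label. Any `domain` key outside that zone or nested one level deeper would be served a certificate that does not match its name, while `forceSSL = true` still redirects clients to it; either assert that each `domain` is covered or add the missing names to `extraDomainNames`. The diff also does not show the nginx user being given read access to the certificate's group, so confirm that is configured elsewhere. The literal duplicates `giuglioDomain` from roles/acme.nix and lacks the space before `=`. The enclosing expression starts and ends outside the hunk.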
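Review bot: `dnsProvider = "ovh"` and `environmentFile = config.age.secrets.ovh.path` are set both in `certs.${giuglioDomain}` and in `defaults`, so every other certificate on this host also switches to DNS-01 with the OVH credential; keep them in one place, and per-cert only if that wider effect was not intended. With the wildcard in `extraDomainNames`, whatever can read that environment file can get a certificate issued for any name in the zone. The OVH token's access rules are not visible in this diff and should be limited to the DNS zone's record endpoints rather than the whole account. I would record that next to the secret with a comment such as `# OVH API token: scope to the giugl.io zone records only; it authorises issuance for *.giugl.io`. `owner = "acme"` on the decrypted file is the right restriction.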
@@ -0,0 +1,29 @@ +age-encryption.org/v1 +-> ssh-rsa QXZdow +aYgowxTfdGOqTYOZBbkg/dH7f+m6nvVF/8qZX0DE4hazln/QS9maWbkOwD7FLldm +HRNV/YwZZEhbujHbDqgxnXk7Q11KOA72864B6mF2VZUruyo0cnACqo7OyzwApqv/ ++LPjGb9h/gCJpQ3a5Jdh202FfaNGAh358fZVDyd37XPSOykiIAAxgMlDyn+96OiM +P2vsyduWXDsqzCqtiNQrKVjryI5CIGOTAcYTgQ35S3uXFD8Gu27KfagUwZp2hdyp +3WmGl+ZTrPNdOwzLWGj/RXaeTslABn1Owmq1naASRvJpp97ToynRzkDA50rBqUyR +vGVB9IJxSjkSm3BJ4UAI6rpoz/6t2jkfNNE1cPix4AYjPAMyU+uiUSaZ/UBkwlXw +08rM1eGcBaErB1ExcDV5+jUCdJBfi6Q9vIG7Ty4wbN1PfztAhzEyzT0L1bTn1AKC +4S9n5lqFa1CdraK9eh2A+o9CNlkta+Z24ctPTVqBYtImBTKHOTofhr0omQdFV6M2 +bhxsOoAAoNhwn/lWC2fAcgfPQrUOW524+eHyPjsvf4rNNv0bk5EP1J4vMrWr9rqJ +v5GEQ77YVXYQthiyg74XYc3Eo8sbtE+ncDoOquzdT385POd870qi1ht+JMY6OEmj +q8lxVau2SFTKPkkmZKmtoNrYdKp5+DsB3nOUKcIXofs +-> ssh-ed25519 7eGqHw cCrhq1kfav4TYAUOpP4O6fQ958O37Uad2jX9SUrnxn4 +TSiMyrYsdblB5SFwZpw7HhmicWX1vNomhBP4HtlvHJo +-> ssh-rsa tO3rGg +J6oPMt6hiry6ks3hlAjUAY1AzEYU+7voto5XC+I6Fmyfabz9zaJ3TtbCPVF5BRNR +DOYLiD24EbcVoqECn2A2MRK1xH4owBD5YaE3Il2NwSJHhC+ZhROaMTu5mHxbzK/u +BF2MLRZ0Bwwq4szaHoFf12TFwNtIRZXS9m6l4jHdsxWj6x0iui18p3JLxij1cVwE +03rSWz+9c8bpZ6LHuPJAhatBZHSZwkKwH8Dn8NOxCLmVNRM4PyvJsj9lRn7fMwRY +64QI2z6bRAry6oINbVAAOsPlM0Ix+7hbFs/UstnENFqfcDvPzrrhALDhuDLIJpGu +WgAaMStZGjydy0oqHJceuduxVreqTlfiki7yruRFqRBgjMopwOsw5i9UPWR6SZ+E +cUCFeEynUMrmFSp5qvDX0WtkU2G/GRFEPaB+k+UN+JduIRb2RBCLt2uG0249TwO8 +T4sq098XTM8wARgOv6n51lHFCPpM3iSbP5KMCYH9FhsJV0Qu9Q7157McNZuVL9Ie + +--- KYLAPCcTkg/tF2c2ni4UaBTV5AhUleg8GgJH0oRQSK0 +;ja羄Đ5`hŒy;JCwX:ewH +LhejC2"#˵=/Dz1^N$MqNv1ǔTٗ0Fs(We8|^iYFQ3խ +A1EM_=;jFV[t{ wׅʁ) \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9426ac2..bf4764e 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -11,4 +11,5 @@ in "nextcloud-database.age".publicKeys = pubkeys; "restic-environment.age".publicKeys = pubkeys; "restic-passwords.age".publicKeys = pubkeys; + "ovh.age".publicKeys = pubkeys; }
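Review bot: `"ovh.age".publicKeys = pubkeys;` encrypts the DNS API credential to the same recipient list as the Nextcloud and restic secrets, and the new secrets/ovh.age header shows three recipient stanzas. `pubkeys` is defined above the hunk, so which keys those are cannot be seen here. If any belong to machines that do not run the ACME role, a narrower list (the issuing host's key plus the admin key) would keep a credential that can change DNS records off hosts that never need it. The `let` block this attribute set belongs to starts outside the hunk.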