diff --git a/hosts/poseidon/default.nix b/hosts/poseidon/default.nix
index 059126c..40d6562 100644
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@@ -108,7 +108,6 @@ in
 
     monitoring = {
       enable = true;
-      useACME = true;
       domain = "monitoring.${config.networking.domain}";
     };
 
@@ -157,9 +156,6 @@ in
     };
   };
 
-  security.acme.acceptTerms = true;
-  security.acme.email = "antoine97.martin@gmail.com";
-
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
   services.openssh.permitRootLogin = "no";
diff --git a/secrets/default.nix b/secrets/default.nix
index 6a0a042..9df6f72 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -14,6 +14,7 @@ with lib;
     nextcloud-admin-pass = lib.fileContents ./nextcloud-admin-pass.secret;
     nextcloud-admin-user = lib.fileContents ./nextcloud-admin-user.secret;
     lohr-shared-secret = lib.fileContents ./lohr-shared-secret.secret;
+    gandiKey = lib.fileContents ./gandi-api-key.secret;
 
     borg-backup = import ./borg-backup { inherit lib; };
 
diff --git a/secrets/gandi-api-key.secret b/secrets/gandi-api-key.secret
new file mode 100644
index 0000000..06a9eda
Binary files /dev/null and b/secrets/gandi-api-key.secret differ
diff --git a/services/bitwarden_rs.nix b/services/bitwarden_rs.nix
index 0dd8eff..65e3025 100644
--- a/services/bitwarden_rs.nix
+++ b/services/bitwarden_rs.nix
@@ -60,7 +60,7 @@ in {
       virtualHosts = {
         "pass.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations."/" = {
             proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
diff --git a/services/gitea/default.nix b/services/gitea/default.nix
index 641c85c..8997664 100644
--- a/services/gitea/default.nix
+++ b/services/gitea/default.nix
@@ -91,7 +91,7 @@ in {
       virtualHosts = {
         "git.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations."/" = {
             proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
index 09382ee..8a4df98 100644
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@@ -24,7 +24,7 @@ in {
     # Proxy to Jellyfin
     services.nginx.virtualHosts."jellyfin.${domain}" = {
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = domain;
 
       locations."/" = {
         proxyPass = "http://localhost:${toString jellyfinPort}/";
diff --git a/services/lohr.nix b/services/lohr.nix
index 03d1d53..45b9ecb 100644
--- a/services/lohr.nix
+++ b/services/lohr.nix
@@ -65,7 +65,7 @@ in
     services.nginx.virtualHosts = {
       "lohr.${domain}" = {
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = domain;
 
         locations."/" = {
           proxyPass = "http://127.0.0.1:${toString cfg.port}";
diff --git a/services/matrix.nix b/services/matrix.nix
index 05dc395..7cf1807 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
@@ -171,7 +171,7 @@ in {
       virtualHosts = {
         "matrix.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations =
             let
@@ -199,7 +199,7 @@ in {
         "matrix.${domain}_federation" = rec {
           forceSSL = true;
           serverName = "matrix.${domain}";
-          useACMEHost = serverName;
+          useACMEHost = domain;
 
           locations."/".return = "404";
 
@@ -216,7 +216,7 @@ in {
 
         "${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations."= /.well-known/matrix/server".extraConfig =
             let
@@ -243,7 +243,7 @@ in {
         # Element Web app deployment
         #
         "chat.${domain}" = {
-          enableACME = true;
+          useACMEHost = domain;
           forceSSL = true;
 
           root = pkgs.element-web.override {
diff --git a/services/miniflux.nix b/services/miniflux.nix
index 297eba7..43e51ca 100644
--- a/services/miniflux.nix
+++ b/services/miniflux.nix
@@ -50,7 +50,7 @@ in {
       virtualHosts = {
         "reader.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
 
           locations."/" = {
             proxyPass = "http://127.0.0.1:${toString cfg.privatePort}";
diff --git a/services/monitoring.nix b/services/monitoring.nix
index 2aa66a5..23b1309 100644
--- a/services/monitoring.nix
+++ b/services/monitoring.nix
@@ -2,11 +2,12 @@
 
 with lib;
 
-let cfg = config.my.services.monitoring;
+let
+  cfg = config.my.services.monitoring;
+  domain = config.networking.domain;
 in {
   options.my.services.monitoring = {
     enable = mkEnableOption "Enable monitoring";
-    useACME = mkEnableOption "Get HTTPS certs";
 
     domain = mkOption {
       type = types.str;
@@ -76,8 +77,8 @@ in {
           proxyWebsockets = true;
         };
 
-        forceSSL = cfg.useACME;
-        enableACME = cfg.useACME;
+        forceSSL = true;
+        useACMEHost = domain;
       };
     };
   };
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index bf85aef..8cbd3cd 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -66,7 +66,7 @@ in
       virtualHosts = {
         "cloud.${domain}" = {
           forceSSL = true;
-          enableACME = true;
+          useACMEHost = domain;
         };
       };
     };
diff --git a/services/nginx.nix b/services/nginx.nix
index a9f092f..134615e 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -1,7 +1,7 @@
 # Part of config shamelessly stolen from:
 #
 # https://github.com/delroth/infra.delroth.net
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 {
   # Whenever something defines an nginx vhost, ensure that nginx defaults are
   # properly set.
@@ -17,5 +17,23 @@
     };
 
     networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+    security.acme = {
+      acceptTerms = true;
+      email = "antoine97.martin@gmail.com";
+
+      certs =
+        let
+          domain = config.networking.domain;
+          gandiKey = config.my.secrets.gandiKey;
+        in {
+          "${domain}" = {
+            extraDomainNames = [ "*.${domain}" ];
+            dnsProvider = "gandiv5";
+            credentialsFile = pkgs.writeText "gandi-creds.env" gandiKey;
+            group = "nginx";
+          };
+        };
+    };
   };
 }
diff --git a/services/paperless.nix b/services/paperless.nix
index a315251..132a617 100644
--- a/services/paperless.nix
+++ b/services/paperless.nix
@@ -23,7 +23,7 @@ in
     services.nginx.virtualHosts = {
       "paperless.${domain}" = {
         forceSSL = true;
-        enableACME = true;
+        useACMEHost = domain;
 
         locations."/" = {
           proxyPass = "http://127.0.0.1:${toString cfg.port}";
diff --git a/services/transmission.nix b/services/transmission.nix
index b642c56..b55e0b8 100644
--- a/services/transmission.nix
+++ b/services/transmission.nix
@@ -56,7 +56,7 @@ in
 
     services.nginx.virtualHosts."${webuiDomain}" = {
       forceSSL = true;
-      enableACME = true;
+      useACMEHost = domain;
 
       locations."/".proxyPass = "http://127.0.0.1:${toString transmissionRpcPort}";
     };