diff --git a/laptop/main.nix b/laptop/main.nix
index 9ba6e02..1be9c0b 100644
--- a/laptop/main.nix
+++ b/laptop/main.nix
@@ -109,6 +109,20 @@
 # Enable the OpenSSH daemon.
 # services.openssh.enable = true;
+ security.pki.certificates = [ ''
+-----BEGIN CERTIFICATE-----
+MIIBjTCCATKgAwIBAgIRAMVH2+JHZ3wm2fLUlKjTYDswCgYIKoZIzj0EAwIwJDEM
+MAoGA1UEChMDS29wMRQwEgYDVQQDEwtLb3AgUm9vdCBDQTAeFw0yMzEyMDgxNDUx
+MTZaFw0zMzEyMDUxNDUxMTZaMCQxDDAKBgNVBAoTA0tvcDEUMBIGA1UEAxMLS29w
+IFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATdZBOkNynShXipzhuX
+f6dUByD3chNupNWsagYC5AlPRJT9fAeHEIK/bxWkFwRtLBDopWvBu9lHahBgpHc7
+y7rTo0UwQzAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBATAdBgNV
+HQ4EFgQU9AVtwipW5HDBLfZRH1KZCnIKCfowCgYIKoZIzj0EAwIDSQAwRgIhAMHj
+AipNdhQKIYPvMt/h1uW4xP3NTkitnmshM09+rIasAiEAlSalGddXDkqJBHhPD+Fr
+gpuVkfVkA8gQCXNs5F9TnxA=
+-----END CERTIFICATE-----
+ ''];
+
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 533fbab..67c6cfd 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -1,19 +1,11 @@
 { config, pkgs, lib, inputs, vars, ... }:
 let
 wireguardIp = vars.wireguardIp;
+ fqdn = "nextcloud.local";
+ useHttps = config.services.step-ca.enable;
 in
 {
- age.secrets.nextcloud-cert = {
- file = ../secrets/nextcloud-cert.age;
- owner = "nginx";
- group = "nginx";
- };
- age.secrets.nextcloud-key = {
- file = ../secrets/nextcloud-key.age;
- owner = "nginx";
- group = "nginx";
- };
- # Enable Nginx
+ security.acme.certs."${fqdn}".server = "https://127.0.0.1:8443/acme/acme/directory";
 services.nginx = {
 enable = true;
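Review bot: The literal added to `security.pki.certificates` is a private root CA (the base64 decodes to O=Kop, CN=Kop Root CA, CA:TRUE with a path length of 1, validity ending in December 2033) with no name constraints, so this laptop will now accept a certificate for any hostname signed by it or by an intermediate beneath it, not only for nextcloud.local. That is a fair trade-off for a self-hosted CA only while the root key stays offline and the issuing intermediate is the only key the ACME service can use; if the CA host is compromised, any TLS connection from this laptop can be intercepted. Consider issuing the root, or at least the intermediate, with a name-constraints extension limited to the local domain, and put a comment above the blob such as `# Root of the self-hosted step-ca (issues nextcloud.local via ACME); expires 2033-12-05, rotate before then.` so its origin and expiry are not lost in an opaque 700-byte string.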
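Review bot: `security.acme.certs."${fqdn}".server` is set unconditionally while the virtual host only turns on ACME when `useHttps` (that is, `services.step-ca.enable`) is true, so with step-ca disabled the ACME module still declares a certificate to be obtained from a directory that is not running, which as far as I can tell pulls in the module's accept-terms assertions and a renewal timer that fails on every run; gate it with `security.acme.certs."${fqdn}" = lib.mkIf useHttps { server = "https://127.0.0.1:8443/acme/acme/directory"; };` (`lib` is already a module argument on the first line). The ACME client validates that directory URL's TLS against the host's system trust store, and this commit adds the step-ca root only to `laptop/main.nix`, so unless the server profile trusts the same root elsewhere, issuance will fail with a certificate verification error. A short comment next to `useHttps` stating that the site intentionally falls back to plain HTTP when step-ca is absent would also spare the next reader from assuming TLS is always on.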
@@ -28,18 +20,14 @@ in
 # Setup Nextcloud virtual host to listen on ports
 virtualHosts = {
- "nextcloud.local" = {
+ "${fqdn}" = {
 serverAliases = [ wireguardIp ];
 ## Force HTTP redirect to HTTPS
- forceSSL = true;
+ forceSSL = useHttps;
+ enableACME = useHttps;
 locations."~ \\.php(?:$|/)".extraConfig = ''
 client_max_body_size 5G;
 '';
- #sslTrustedCertificate = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
- sslCertificate = config.age.secrets.nextcloud-cert.path;
- sslCertificateKey = config.age.secrets.nextcloud-key.path;
- ## LetsEncrypt
- #enableACME = true;
 };
 };
 };
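Review bot: With `enableACME = useHttps` the NixOS nginx module, as far as I recall, folds the vhost's `serverAliases` into the certificate's `extraDomainNames`, so the ACME order will include the bare WireGuard IP from `serverAliases = [ wireguardIp ]` as an identifier; that only succeeds if both the step-ca ACME provisioner and the client support IP identifiers (RFC 8738), and otherwise issuance fails for the whole certificate and `forceSSL` then redirects every request to a vhost with no usable cert. If IP issuance is not enabled on the CA, either drop the alias and reach the host by name, or keep the alias but make sure the CA is configured to issue it. When `useHttps` is false both `forceSSL` and `enableACME` are off and Nextcloud is served over plain HTTP on both names; that may be acceptable behind WireGuard, but a comment such as `# No step-ca: plain HTTP, reachable only over WireGuard` on the `forceSSL` line would make the downgrade explicit. The enclosing `services.nginx` attribute set starts outside this hunk.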