diff --git a/modules/server/acme.nix b/modules/server/acme.nix
new file mode 100644
index 0000000..1814275
--- /dev/null
+++ b/modules/server/acme.nix
@@ -0,0 +1,49 @@
+{
+  config,
+  secrets,
+  ...
+}: {
+  # Instead of managing certificates in each individual service, NixOS supports
+  # automatic certificate retrieval and renewal using
+  # `security.acme.certs.` through the ACME protocol.
+  # https://nixos.wiki/wiki/ACME
+  # https://nixos.org/manual/nixos/stable/index.html#module-security-acme
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "admin@caspervk.net";
+      # The DNS challenge is passed by updating DNS records directly in the
+      # zone on the authoritative DNS server (Knot).
+      # https://go-acme.github.io/lego/dns/rfc2136/
+      dnsProvider = "rfc2136";
+      environmentFile = config.age.secrets.acme-lego-environment-file.path;
+    };
+  };
+
+  # Persist certificates
+  environment.persistence."/nix/persist" = {
+    directories = [
+      {
+        directory = "/var/lib/acme";
+        user = "acme";
+        group = "acme";
+        mode = "0755";
+      }
+    ];
+  };
+
+  age.secrets.acme-lego-environment-file = {
+    file = "${secrets}/secrets/acme-lego-environment-file.age";
+    mode = "400";
+    owner = "root";
+    group = "root";
+  };
+
+  # TODO
+  # https://search.nixos.org/options?channel=23.11&show=services.caddy.virtualHosts.%3Cname%3E.useACMEHost&from=0&size=50&sort=relevance&type=packages&query=services.caddy
+  # security.acme.certs."caspervk.net" = {
+  #   domain = "*.caspervk.net";
+  #   group = "users";
+  #   reloadServices = [];
+  # };
+}
diff --git a/modules/server/default.nix b/modules/server/default.nix
index 31df8d9..2f21acd 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -1,5 +1,6 @@
 {...}: {
   imports = [
+    ./acme.nix
     ./system.nix
   ];
 }
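Review bot: The credential loaded via `environmentFile` next to `dnsProvider = "rfc2136"` (presumably a TSIG key for Knot) is what lego uses to write into the zone, and nothing in this module records what that key is allowed to change; if the Knot ACL grants it unrestricted dynamic updates, a leak of the environment file is a takeover of the whole `caspervk.net` zone rather than just the `_acme-challenge` TXT records lego needs. I would document that constraint where the provider is chosen, e.g. `# The TSIG key in the environment file must be limited on the Knot side to TXT updates under _acme-challenge.* only`, and confirm the server-side ACL actually matches. The commented-out TODO block sets `group = "users"` on the wildcard certificate; if enabled as written, that would make the wildcard private key under /var/lib/acme readable by every member of that group, so when it is wired up, prefer the consuming service's own group (Caddy's, per the linked option) and populate `reloadServices` accordingly. The root-owned `mode = "400"` environment file looks right, assuming it is only ever read through the unit's EnvironmentFile= rather than by the `acme` user directly.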