diff --git a/hosts/delta/acme.nix b/hosts/delta/acme.nix
new file mode 100644
index 0000000..aeb2663
--- /dev/null
+++ b/hosts/delta/acme.nix
@@ -0,0 +1,7 @@
+{...}: {
+ security.acme.certs."caspervk.net" = {
+ domain = "*.caspervk.net";
+ reloadServices = []; # unbound.service
+ };
+ users.groups.acme.members = []; # unbound
+}
diff --git a/hosts/delta/default.nix b/hosts/delta/default.nix
index ebf54d8..6d48621 100644
--- a/hosts/delta/default.nix
+++ b/hosts/delta/default.nix
@@ -3,6 +3,7 @@
 ../../overlays
 ../../modules/base
 ../../modules/server
+ ./acme.nix
 ./hardware.nix
 ./network.nix
 ];
diff --git a/modules/server/acme.nix b/modules/server/acme.nix
index 8b0d5a2..15ef5c0 100644
--- a/modules/server/acme.nix
+++ b/modules/server/acme.nix
@@ -15,6 +15,9 @@ lib.mkIf (config.security.acme.certs != {}) {
 security.acme = {
 acceptTerms = true;
 defaults = {
+ # For testing, Let's Encrypt's staging server should be used to avoid
+ # the strict rate limit on production. Default to production.
+ # server = "https://acme-staging-v02.api.letsencrypt.org/directory";
 email = "admin@caspervk.net";
 # The DNS challenge is passed by updating DNS records directly in the
 # zone on the authoritative DNS server (Knot).
@@ -42,12 +45,4 @@ lib.mkIf (config.security.acme.certs != {}) {
 owner = "root";
 group = "root";
 };
-
- # TODO
- # https://search.nixos.org/options?channel=23.11&show=services.caddy.virtualHosts.%3Cname%3E.useACMEHost&from=0&size=50&sort=relevance&type=packages&query=services.caddy
- # security.acme.certs."caspervk.net" = {
- # domain = "*.caspervk.net";
- # group = "users";
- # reloadServices = [];
- # };
 }
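Review bot: The certificate is named `"caspervk.net"` but `domain = "*.caspervk.net"` only covers subdomains; a wildcard does not match the apex, so if anything on this host needs to serve `caspervk.net` itself the cert will be rejected, and `extraDomainNames = [ "caspervk.net" ];` would be needed alongside the wildcard. The trailing `# unbound.service` and `# unbound` remarks on the two empty lists read as intent rather than state; spell it out so the wildcard key's consumer and the renewal hook are not forgotten: `reloadServices = []; # TODO: "unbound.service" once unbound serves this cert` and `users.groups.acme.members = []; # TODO: "unbound" — every member can read the wildcard private key, keep this to the one service user`. With `reloadServices` empty, a renewed key is not picked up by any service until that list is filled, which is worth noting in the same comment.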
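Review bot: The commented-out `server = "https://acme-staging-v02.api.letsencrypt.org/directory";` sits inside `security.acme.defaults` of a shared module, so uncommenting it for a test switches every host that imports `modules/server` to staging, and staging certificates are not trusted by clients. Since the same default can be set per host, the comment should steer the test override there rather than invite an edit of the shared file, e.g. `# To test against Let's Encrypt staging (avoids the production rate limit), set security.acme.defaults.server to the staging directory in the host config under test, not here.` The enclosing `security.acme` attribute set continues past the hunk.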