diff --git a/machines/ramus/configuration.nix b/machines/ramus/configuration.nix
index a5665b4..4160d03 100644
--- a/machines/ramus/configuration.nix
+++ b/machines/ramus/configuration.nix
@@ -27,7 +27,8 @@
 '';
 };
- security.acme.certs.defaults.email = config.clan.core.vars.generators.acme.files.email.value;
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.acceptTerms = true;
 imports = [ ./think-greater-chiangmai.nix ];
diff --git a/machines/ramus/think-greater-chiangmai.nix b/machines/ramus/think-greater-chiangmai.nix
index b9781de..d9dac83 100644
--- a/machines/ramus/think-greater-chiangmai.nix
+++ b/machines/ramus/think-greater-chiangmai.nix
@@ -41,6 +41,10 @@ let
 TEST_LOCAL = true;
 };
+
+ baseDomain = "wegetthingsmade.com";
+ domain = "think.${baseDomain}";
+ domainBackend = "think-backend.${baseDomain}";
 in
 {
 imports = [
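Review bot: Adding `nginx` to the `acme` group in machines/ramus/configuration.nix lets the nginx user read, by default, every certificate and private key the ACME module manages on this host, not only the two it serves. A narrower grant is to drop that line and set `group = config.services.nginx.group;` on the two entries under `security.acme.certs` in think-greater-chiangmai.nix. If the group membership stays, a comment such as `# nginx needs read access to the keys referenced via useACMEHost` would record why it is there. Whether ramus issues other certificates is not visible from this hunk.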
@@ -99,23 +103,34 @@ in
 services.think-greaterchiangmai = {
 enable = true;
- domain = "think.wegetthingsmade.com";
+ domain = domain;
 settings = commonSettings;
 };
 services.think-backend-greaterchiangmai = {
 enable = true;
- domain = "think-backend.wegetthingsmade.com";
+ domain = domainBackend;
 settings = commonSettings;
 };
- services.nginx.virtualHosts.${config.services.think-greaterchiangmai.domain} = {
- addSSL = true;
- forceSSL = true;
- enableACME = true;
+ security.acme.certs = {
+ "${domain}" = {
+ email = config.clan.core.vars.generators.acme.files.email.value;
+ webroot = "/var/lib/acme/acme-challenge/${domain}";
+ };
+ "${domainBackend}" = {
+ email = config.clan.core.vars.generators.acme.files.email.value;
+ webroot = "/var/lib/acme/acme-challenge/${domainBackend}";
+ };
 };
- services.nginx.virtualHosts.${config.services.think-backend-greaterchiangmai.domain} = {
+
+ services.nginx.virtualHosts.${domain} = {
 addSSL = true;
- forceSSL = true;
- enableACME = true;
+ useACMEHost = domain;
+ acmeRoot = config.security.acme.certs.${domain}.webroot;
+ };
+ services.nginx.virtualHosts.${domainBackend} = {
+ addSSL = true;
+ useACMEHost = domainBackend;
+ acmeRoot = config.security.acme.certs.${domainBackend}.webroot;
 };
 }
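Review bot: Both rewritten virtual hosts keep `addSSL = true;` and drop `forceSSL`, so `${domain}` and `${domainBackend}` are also served over plain HTTP with no redirect to HTTPS. If HTTPS-only is the intent, use `forceSSL = true;` in place of `addSSL = true;` in both blocks. The NixOS nginx module should still serve the ACME challenge location on port 80 for such hosts, so webroot validation ought to keep working, but confirm this with a renewal run. Separately, the `email` line is repeated in both `security.acme.certs` entries and could be set once as `security.acme.defaults.email`.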