diff --git a/services/acme-cert-store.nix b/services/acme-cert-store.nix
index 109a3e8..7f05bb8 100644
--- a/services/acme-cert-store.nix
+++ b/services/acme-cert-store.nix
@@ -4,6 +4,7 @@
 isNormalUser = true;
 description = "Read-only access to certs";
 openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"
 ];
 };
diff --git a/services/cert-store-client.nix b/services/cert-store-client.nix
new file mode 100644
index 0000000..7b33913
--- /dev/null
+++ b/services/cert-store-client.nix
@@ -0,0 +1,21 @@
+{ ... }:
+{
+ services.openssh.knownHosts."cert-store.vsinerva.fi".publicKey =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP4FaKqA2rQbxpdRBdGtb2lb5El/zbGnvmDfdYJdrxH7";
+ systemd.services.nginx = {
+ wants = [ "mnt-acme.mount" ];
+ after = [ "mnt-acme.mount" ];
+ };
+ fileSystems."/mnt/acme" = {
+ device = "cert-store@cert-store.vsinerva.fi:/home/cert-store/acme";
+ fsType = "sshfs";
+ options = [
+ "nodev"
+ "noatime"
+ "allow_other"
+ "IdentityFile=/etc/ssh/ssh_host_ed25519_key"
+ ];
+ };
+}
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
index 5d9041c..72cf342 100644
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@@ -1,6 +1,6 @@
 { config, pkgs, ... }:
 {
- imports = [ ./acme-dns.nix ];
+ imports = [ ./cert-store-client.nix ];
 networking.firewall.allowedTCPPorts = [
 80
@@ -35,8 +35,8 @@
 virtualHosts.${config.services.nextcloud.hostName} = {
 forceSSL = true;
 kTLS = true;
- enableACME = true;
- acmeRoot = null;
+ sslCertificate = "/mnt/acme/fullchain.pem";
+ sslCertificateKey = "/mnt/acme/key.pem";
 };
 };
 };
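Review bot: The key added on the `+` line carries no options, so whatever holds it gets an unrestricted login on the `cert-store` account — shell, port/agent forwarding and write access to the home directory — even though the account's own description says "Read-only access to certs". Judging by `IdentityFile=/etc/ssh/ssh_host_ed25519_key` in the cert-store-client.nix hunk, this looks like the nextcloud host's SSH host key being reused as a client identity (inferred, not visible here), which makes it worth pinning to what sshfs actually needs. Prefixing the entry as `"restrict,from=\"<nextcloud-host-address>\",command=\"internal-sftp -R\" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHj2PK6LHsanSqaz8Gf/VqHaurd5e6Y7KnZNBiHb9adT nextcloud"` keeps the sftp subsystem working (sshfs is unaffected by `restrict`), turns the key into a genuinely read-only one, and limits where it can be used from. The user definition this hunk extends starts outside the hunk.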
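Review bot: `allow_other` on the `/mnt/acme` mount lets every local user on this host read `/mnt/acme/key.pem`, because an sshfs mount without `default_permissions` performs no local permission check and executes every request on the remote side as `cert-store`. If `allow_other` is there so the nginx process (presumably running as the nginx user) can read the files, add `"default_permissions"` together with `"uid=<nginx-uid>"` and `"gid=<nginx-gid>"` to the `options` list so the kernel enforces the remote file modes against the nginx identity rather than exposing the private key host-wide. Separately, the mount has no `_netdev`, `reconnect` or `nofail`/`x-systemd.automount` option, so systemd treats it as a local filesystem required for boot and an unreachable `cert-store.vsinerva.fi` would drop the machine into emergency mode; `"_netdev"`, `"reconnect"` and `"ServerAliveInterval=15"` are the usual sshfs set for a network-backed mount.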
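Review bot: Nothing on the new side reloads nginx once the files behind `sslCertificate` and `sslCertificateKey` change, so after the remote cert-store renews `/mnt/acme/fullchain.pem` nginx keeps serving the certificate it loaded at startup until something restarts it; the `enableACME = true;` line being removed presumably carried that reload through the ACME module's hooks, so the renewal path is now silently incomplete. Because the files sit on an sshfs mount, an inotify-driven `systemd.paths` watcher will not observe remote changes, so a timer that compares a checksum and reloads only on change is the dependable option. The `services.nginx` block this hunk edits starts and ends outside the hunk.
```nix
  # Reload nginx when the certificate on the sshfs mount has been renewed;
  # inotify does not fire for remote changes, so poll on a timer instead.
  systemd.services.nginx-cert-reload = {
    description = "Reload nginx after the mounted certificate changes";
    after = [ "mnt-acme.mount" ];
    requires = [ "mnt-acme.mount" ];
    serviceConfig.StateDirectory = "nginx-cert-reload";
    script = ''
      current=$(sha256sum /mnt/acme/fullchain.pem | cut -d ' ' -f 1)
      previous=$(cat "$STATE_DIRECTORY/fullchain.sha256" 2>/dev/null || true)
      if [ "$current" != "$previous" ]; then
        systemctl reload nginx.service
        echo "$current" > "$STATE_DIRECTORY/fullchain.sha256"
      fi
    '';
  };
  systemd.timers.nginx-cert-reload = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;
    };
  };
```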