diff --git a/machines/porthos/services.nix b/machines/porthos/services.nix
index 9c74276..824265c 100644
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@@ -106,6 +106,9 @@ in
 };
 nginx = {
 enable = true;
+ acme = {
+ credentialsFile = builtins.toFile "gandi-key.env" my.secrets.acme.key;
+ };
 };
 paperless = {
 enable = true;
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
index a68c8b9..bb773c9 100644
--- a/modules/services/nginx.nix
+++ b/modules/services/nginx.nix
@@ -60,6 +60,16 @@ in
 options.my.services.nginx = with lib; {
 enable = mkEnableOption "Nginx";
+ acme = {
+ credentialsFile = mkOption {
+ type = types.str;
+ example = "/var/lib/acme/creds.env";
+ description = ''
+ Gandi API key file as an 'EnvironmentFile' (see `systemd.exec(5)`)
+ '';
+ };
+ };
 monitoring = {
 enable = my.mkDisableOption "monitoring through grafana and prometheus";
 };
@@ -330,14 +340,13 @@ in
 certs = let
 domain = config.networking.domain;
- key = config.my.secrets.acme.key;
 in with pkgs; {
 "${domain}" = {
 extraDomainNames = [ "*.${domain}" ];
 dnsProvider = "gandiv5";
- credentialsFile = writeText "key.env" key; # Unsecure, I don't care.
+ inherit (cfg.acme) credentialsFile;
 };
 };
 };
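Review bot: `builtins.toFile "gandi-key.env" my.secrets.acme.key` still copies the API key into the Nix store, so the secret remains world-readable on the host and in any binary cache the store is pushed to — the same exposure the removed `writeText` line had, only the "Unsecure" comment is gone. Since the new option takes a plain path string (its own example is `/var/lib/acme/creds.env`), the host config should point at a file provisioned outside the store with owner-only permissions rather than building one at evaluation time; which deployment mechanism the repo uses for that I cannot tell from this hunk. The `nginx = { ... }` attribute set this sits in starts and ends outside the hunk.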
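Review bot: `type = types.str;` on a new `credentialsFile` option admits any string, including a store path produced by `writeText`/`builtins.toFile`, which is exactly the pattern the other hunk is trying to retire; `type = types.path;` matches the intent and the example value better. The option also has no `default`, so every host that enables `my.services.nginx` must now set it or evaluation fails — worth stating in the description, along with the file format, e.g. `Path to a file in systemd EnvironmentFile format (see systemd.exec(5)) holding the Gandi API credential for lego's gandiv5 provider; required when this service is enabled.` The `options.my.services.nginx` set continues past the end of the hunk.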
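Review bot: `in with pkgs; {` is now a dead `with` — `writeText` was the only name taken from `pkgs` in this attribute set and it is removed here — so the line can shrink to `in {`, which also stops `with pkgs` from shadowing any future identifiers in the cert definition. The `inherit (cfg.acme) credentialsFile;` replacement is fine on its own, but its safety now depends entirely on what callers put in the option, so that is where the "no store paths" expectation should be documented. The enclosing `certs` definition starts before the hunk and the `security.acme` block it belongs to is not visible here.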