diff --git a/hosts/nixos/porthos/secrets/acme/dns-key.age b/hosts/nixos/porthos/secrets/acme/dns-key.age
index fce2a84..d7f159e 100644
--- a/hosts/nixos/porthos/secrets/acme/dns-key.age
+++ b/hosts/nixos/porthos/secrets/acme/dns-key.age
@@ -1,8 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 cKojmg bQFr9oAnbo1rI/MpUV8wQz/Xj7iZY4ZU+Swf0nSIQFw
-zama2XJ0gdvUlD2GHMhmZqHSxHe+dKSfXnHoWDcSw7Y
--> ssh-ed25519 jPowng gitUwSKTNKWLSxnwa185O7x/u0ul93g8wPESdZaKRk8
-uvBIfAUkZp5sg6rfeEGvL5ZDV8m2uSEotW02kjPN3Hw
---- SZxe5f/CUZBvPQa2Sz/UBY3L68rMkIGGRuZPk7YE+Vg
-¾r ú&…¥‹{~v?¨}=Ä
-}+¿SQ’M[²]Œ±kMÒAàtŒÃmMë/£µLsü|Þ…m©CÀñiYC}ƒŽ‡çxŽ€
\ No newline at end of file
+-> ssh-ed25519 cKojmg Ec0xt1uJTva8MxUdoTVX5m3uWaIiRlodf345FEM7Uzs
+aJIneWFJPB5HVeoUGp57agXih9YeZ6xMEbyQ+zJtWQY
+-> ssh-ed25519 jPowng B5XotRgv7s/FUegGhceBj7EoukewNUOIFl4TFRQf1EQ
+PgGCBd/Pqwp7ayqi7okHBGF1SfFpwT4KlHJ/np6p2uQ
+--- AeLgwGz6k3OABb53cXNaCU/sgI4FlU1s6p8PhAaFOlg
+1ÌÉCÔ¹ð¤ŽULfI1¸Hm»Ûòb}m””îŸ¡ ÁÅ¡ìg•ß0¦¢–¤`XG>\>¹8rŽz+Š›Y ™¼`—Ê¢.JBUÏ!zÂ¸Z50ú*õ¡ÙŸ¤×ÖÇ®IôÔ]¹‹ÏåI
+Äµ¿–oÒÛ°…g„®„ÒêÁ³Â¿Ÿt’©nƒºãcz[»{
+jçå&ÁõõNæ°Nÿo{õš½‚-eP¾=L‰™6¦.SP:»e¶–
\ No newline at end of file
diff --git a/modules/nixos/services/nginx/default.nix b/modules/nixos/services/nginx/default.nix
index e305b29..e5a87de 100644
--- a/modules/nixos/services/nginx/default.nix
+++ b/modules/nixos/services/nginx/default.nix
@@ -86,7 +86,7 @@ in
         type = types.str;
         example = "/var/lib/acme/creds.env";
         description = ''
-          Gandi API key file as an 'EnvironmentFile' (see `systemd.exec(5)`)
+          OVH API key file as an 'EnvironmentFile' (see `systemd.exec(5)`)
         '';
       };
     };
@@ -281,6 +281,7 @@ in
 
                 locations."/" = {
                   extraConfig =
+                    # FIXME: check that X-User is dropped otherwise
                     (args.extraConfig.locations."/".extraConfig or "") + ''
                       # Use SSO
                       auth_request /sso-auth;
@@ -414,7 +415,8 @@ in
         {
           "${domain}" = {
             extraDomainNames = [ "*.${domain}" ];
-            dnsProvider = "gandiv5";
+            dnsProvider = "ovh";
+            dnsPropagationCheck = false; # OVH is slow
             inherit (cfg.acme) credentialsFile;
           };
         };