diff --git a/README.md b/README.md
index f295fe6..e608ad8 100644
--- a/README.md
+++ b/README.md
@@ -13,20 +13,30 @@ server {
 hostname berlin.ccc.de;
 location "/.well-known/matrix/server" {
 default_type application/json;
+add_header Access-Control-Allow-Origin "*";
 return 200 '{"m.server":"matrix.berlin.ccc.de:443"}';
 }
+location "/.well-known/matrix/client" {
+default_type application/json;
+add_header Access-Control-Allow-Origin "*";
+return 200 '{"m.homeserver": {"base_url": "https://matrix.berlin.ccc.de"}}';
+}
 }
 ```
 
 # DNS
 
-```
-_matrix-fed._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-#_matrix._tcp.matrix.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-#_matrix._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
-matrix.berlin.ccc.de. IN A
-matrix.berlin.ccc.de. IN AAAA
+```dns
+_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
+_matrix-fed._tcp.berlin.ccc.de. IN SRV 10 0 443 matrix.berlin.ccc.de.
+matrix.berlin.ccc.de. IN A 195.160.173.25
+matrix.berlin.ccc.de. IN AAAA 2001:678:760:cccb::25
+matrix.berlin.ccc.de. IN CAA 0 issue "letsencrypt.org;validationmethods=http-01"
+matrix.berlin.ccc.de. IN CAA 0 iodef "mailto:caa@xengi.de"
+matrix.berlin.ccc.de. IN SSHFP 1 1 f40e117b002957939a454070adbbafe42d6f5842
+matrix.berlin.ccc.de. IN SSHFP 1 2 8ba0c605a365ef5369e91c531dd86fabfe4ce6dbd5e8280093ec2672d67c329b
+matrix.berlin.ccc.de. IN SSHFP 4 1 62d10fa57f8a1aa7469cd9b00621e4ce89261d91
+matrix.berlin.ccc.de. IN SSHFP 4 2 ca80a6685984da140ac850e4951fa31e70b616e87f62f46437af3bfd215af887
 ```
 
 # Bots
diff --git a/configuration.nix b/configuration.nix
index 02c4f3d..7a0be5f 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -160,7 +160,6 @@
 renewInterval = "daily";
 email = "acme@xengi.de";
 group = "nginx";
-webroot = "/var/lib/acme/acme-challenges";
 };
 };
 };
diff --git a/services/nginx.nix b/services/nginx.nix
index 8ac5477..a848f13 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -25,39 +25,10 @@ in
 quic = true;
 kTLS = true;
 forceSSL = true;
-useACMEHost = fqdn;
-listen = [
-{
-addr = "0.0.0.0";
-port = 443;
-ssl = true;
-}
-{
-addr = "[::]";
-port = 443;
-ssl = true;
-}
-{
-addr = "0.0.0.0";
-port = 8448;
-ssl = true;
-}
-{
-addr = "[::]";
-port = 8448;
-ssl = true;
-}
-];
+enableACME = true;
 locations = {
-"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
+#"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
 "/".return = "418 \"🫖\"";
-"= /.well-known/matrix/client" = {
-return = "200 '{\"m.homeserver\": {\"base_url\": \"https://matrix.berlin.ccc.de\"}}'";
-extraConfig = ''
-default_type application/json;
-add_header Access-Control-Allow-Origin "*";
-'';
-};
 "~ ^(/_matrix|/_synapse/client)" = {
 recommendedProxySettings = true;
 proxyPass = "http://[::1]:8008";
@@ -70,8 +41,5 @@ in
 };
 };
 };
-
-security.acme.certs."${fqdn}" = {
-reloadServices = [ "nginx" ];
-};
 }
+
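Review bot: The commented-out `#"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;` in the `locations` set of the first services/nginx.nix hunk is dead configuration and should be deleted rather than left as a comment; with `enableACME = true` the NixOS nginx module is expected to add the challenge location and exempt it from the `forceSSL` redirect itself, so the old line has no remaining purpose and a reader cannot tell whether it was disabled deliberately or by accident. Dropping the explicit `listen` block also removes the 8448 listeners, which is only correct because the README delegates federation to `matrix.berlin.ccc.de:443` via `m.server` and the `_matrix-fed._tcp` SRV record; a one-line comment next to `enableACME = true` saying that federation is served on 443 only would make that dependency explicit. The second hunk drops the manual `security.acme.certs."${fqdn}".reloadServices`; if the module does not wire an nginx reload for this certificate on its own, renewals will leave nginx serving the expired chain until the next restart, so this is worth confirming after the first renewal. The `virtualHosts` attribute set this hunk edits starts before the hunk.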