diff --git a/modules/services/acme.nix b/modules/services/acme.nix
index 1911e346..d6e0d707 100644
--- a/modules/services/acme.nix
+++ b/modules/services/acme.nix
@@ -3,10 +3,18 @@ inputs:
 options.nixos.services.acme = let inherit (inputs.lib) mkOption types; in
 {
 enable = mkOption { type = types.bool; default = false; };
-certs = mkOption
+cert = mkOption
 {
-type = types.listOf (types.oneOf [ types.nonEmptyStr (types.listOf types.nonEmptyStr) ]);
-default = [];
+type = types.attrsOf (types.submodule (submoduleInputs:
+{
+domains = mkOption
+{
+type = types.nonEmptyListOf types.nonEmptyStr;
+default = [ submoduleInputs.config._module.args.name ];
+};
+group = mkOption { type = types.nullOr types.nonEmptyStr; default = null; };
+}));
+default = {};
 };
 };
 config =
@@ -14,6 +22,7 @@ inputs:
 inherit (inputs.lib) mkIf;
 inherit (inputs.config.nixos.services) acme;
 inherit (builtins) map listToAttrs;
+inherit (inputs.localLib) attrsToList;
 in mkIf acme.enable
 {
 security.acme =
@@ -23,16 +32,17 @@ inputs:
 certs = listToAttrs (map
 (cert:
 {
-name = if builtins.typeOf cert == "string" then cert else builtins.elemAt cert 0;
+name = builtins.elemAt cert.value.domains 0;
 value =
 {
 dnsResolver = "8.8.8.8";
 dnsProvider = "cloudflare";
 credentialsFile = inputs.config.sops.secrets."acme/cloudflare.ini".path;
-extraDomainNames = if builtins.typeOf cert == "string" then [] else builtins.tail cert;
+extraDomainNames = builtins.tail cert.value.domains;
+group = mkIf (cert.value.group != null) cert.value.group;
 };
 })
-acme.certs);
+(attrsToList acme.cert));
 };
 sops.secrets."acme/cloudflare.ini" = {};
 };
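Review bot: The new `cert`, `domains` and `group` options in the first hunk carry no `description`, so `nixos-option` and generated docs cannot tell a reader that `domains` lists the certificate's names with the first one used as the primary, or that `group` is passed through to `security.acme.certs.<name>.group` and so widens who can read the issued key; add a `description = "…";` to each mkOption stating exactly that. Reaching the attribute name through `submoduleInputs.config._module.args.name` also works but is the internal spelling of what the module system offers directly as a module argument; `type = types.attrsOf (types.submodule ({ name, ... }:` together with `default = [ name ];` reads the same to the evaluator and is the conventional form. The enclosing `inputs:` function and its attrset begin before this hunk.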
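Review bot: In the last hunk `name = builtins.elemAt cert.value.domains 0;` discards the user's own attribute key and keys `security.acme.certs` by the first domain instead, so two `cert` entries whose `domains` lists start with the same name collapse into one entry under `listToAttrs` and the other entry's `extraDomainNames` and `group` are silently lost, with no evaluation error. Assuming `attrsToList` yields `{ name, value }` pairs, as the `cert.value.*` accesses suggest, keeping the user's key and setting the primary domain explicitly avoids this: `name = cert.name;` and, inside `value`, `domain = builtins.elemAt cert.value.domains 0;`. A one-line comment above the `map` stating that each entry of `cert` becomes one `security.acme.certs` entry keyed by the user's name would make the mapping clear to the next reader.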