diff --git a/machines/gerd.nix b/machines/gerd.nix
index 0d7b3eb..c2a8eeb 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -6,6 +6,7 @@ in {
 imports = [
 ./../shared
+ ./../shared/applications/server/acme.nix
 ./../shared/applications/server/nginx.nix
 ./../shared/applications/state/ssh.nix
diff --git a/shared/applications/server/acme.nix b/shared/applications/server/acme.nix
new file mode 100644
index 0000000..9b206be
--- /dev/null
+++ b/shared/applications/server/acme.nix
@@ -0,0 +1,23 @@
+{ config, lib, ... }:
+
+{
+ # default acme settings
+ security.acme = {
+ acceptTerms = true;
+
+ defaults.email = "fricloudacme.cameo530@simplelogin.com";
+ };
+
+ # give Nginx access to our certs
+ services.nginx.group = config.security.acme.defaults.group;
+
+ # acme user
+ users.groups."${config.security.acme.defaults.group}".members = [];
+
+ # state
+ environment.persistence = lib.optionalAttrs config.mine.state.enable {
+ root.directories = [
+ "/var/lib/acme"
+ ];
+ };
+}
diff --git a/shared/applications/server/nginx.nix b/shared/applications/server/nginx.nix
index facd738..e5c281f 100644
--- a/shared/applications/server/nginx.nix
+++ b/shared/applications/server/nginx.nix
@@ -10,9 +10,6 @@ let
 -out "$out/ca.pem" -keyout "$out/ca.key"
 '';
 in {
- security.acme.defaults.email = "fricloudacme.cameo530@simplelogin.com";
- security.acme.acceptTerms = true;
-
 services.nginx = {
 enable = true;
 
@@ -25,9 +22,6 @@ in {
 # only allow PFS-enabled ciphers with AES256
 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
 
- # give Nginx access to our certs
- group = "acme";
-
 # setup a default site
 virtualHosts.default = {
 default = lib.mkDefault true;
@@ -49,8 +43,6 @@ in {
 };
 };
 
- users.groups.acme = {};
-
 networking.firewall = {
 allowedTCPPorts = [80 443];
 allowedUDPPorts = [443];
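Review bot: The ACME settings that nginx.nix used to carry now live only in acme.nix, and the only thing pairing the two modules is this per-machine import; as far as I can tell from this diff, any other host that imports `./../shared/applications/server/nginx.nix` without acme.nix and still serves ACME-issued certificates (e.g. via `enableACME`) would lose `acceptTerms` and the default email. If nginx.nix is always meant to run with ACME, import acme.nix from nginx.nix itself (`imports = [ ./acme.nix ];`) rather than from each machine; otherwise a comment on this line, `# acme.nix must accompany nginx.nix wherever ACME-issued certs are served`, would record the coupling. The imports list continues outside the hunk.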
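Review bot: `services.nginx.group = config.security.acme.defaults.group;` makes the ACME group nginx's primary group, which gives nginx read access to every private key under `/var/lib/acme` whose certificate uses the default group, not only the ones it serves, and also changes the group ownership of anything nginx itself creates; a narrower grant is `users.users.${config.services.nginx.user}.extraGroups = [ config.security.acme.defaults.group ];`, or per-certificate `security.acme.certs.<name>.group = "nginx";` so only nginx's own keys are shared. The persisted `/var/lib/acme` holds those private keys but is listed as a bare path, so its owner and mode on the persistent volume are the persistence module's defaults unless the ACME module's own permission-fixing step corrects them at boot; consider pinning them to what the ACME module uses, e.g. `{ directory = "/var/lib/acme"; user = "acme"; group = config.security.acme.defaults.group; mode = "0755"; }` (values are an illustration, check against the module). The `# acme user` comment above `users.groups."${config.security.acme.defaults.group}".members = [];` is misleading: that line declares an empty group, not a user, and as far as I know the NixOS ACME module already creates this group, so the line is likely redundant and at minimum the comment should read `# ensure the acme group exists`.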