diff --git a/hosts/envoy/acme.nix b/hosts/envoy/acme.nix
index c257605..200c858 100644
--- a/hosts/envoy/acme.nix
+++ b/hosts/envoy/acme.nix
@@ -16,7 +16,6 @@ in {
 security.acme = {
 acceptTerms = true;
 defaults = {
- inherit (acme) email;
 credentialFiles = {
 CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
 CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
@@ -25,6 +24,6 @@ in {
 dnsPropagationCheck = true;
 reloadServices = ["nginx"];
 };
- wildcardDomains = acme.domains;
+ inherit (acme) certs;
 };
 }
diff --git a/hosts/envoy/secrets/local.nix.age b/hosts/envoy/secrets/local.nix.age
index e6ade60..fa32d3d 100644
Binary files a/hosts/envoy/secrets/local.nix.age and b/hosts/envoy/secrets/local.nix.age differ
diff --git a/hosts/sentinel/acme.nix b/hosts/sentinel/acme.nix
index c257605..200c858 100644
--- a/hosts/sentinel/acme.nix
+++ b/hosts/sentinel/acme.nix
@@ -16,7 +16,6 @@ in {
 security.acme = {
 acceptTerms = true;
 defaults = {
- inherit (acme) email;
 credentialFiles = {
 CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
 CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
@@ -25,6 +24,6 @@ in {
 dnsPropagationCheck = true;
 reloadServices = ["nginx"];
 };
- wildcardDomains = acme.domains;
+ inherit (acme) certs;
 };
 }
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age
index e6ade60..b7a16d1 100644
--- a/hosts/sentinel/secrets/local.nix.age
+++ b/hosts/sentinel/secrets/local.nix.age
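Review bot: With `inherit (acme) email;` removed from `security.acme.defaults`, neither host sets an ACME account email in the visible configuration; NixOS asserts that `defaults.email` or every `certs.<name>.email` is non-null, so the `certs` set now inherited from `secrets/local.nix.age` presumably carries it, but that cannot be verified from this diff and a comment such as `# cert definitions (incl. email and wildcard flags) come from secrets/local.nix` above `inherit (acme) certs;` would make the dependency explicit. The envoy and sentinel hunks are identical (both files move c257605..200c858) and reference the same two agenix secret names, so the block is a candidate for a shared module rather than two copies that must be kept in sync by hand. Because `certs` now comes from an encrypted file, the set of wildcard domains each host is entitled to request is no longer reviewable in plain text; if hiding the hostnames is intentional that is fine, but it is worth stating, since a wildcard key on a host covers every subdomain of that zone.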
@@ -1,11 +1,11 @@ age-encryption.org/v1 --> X25519 Iz/ZYzOsB5ONZTT2azO8HcfvwEdS8zjYv2a+gdSa6Rw -3RvSD6jq4IKXOWmgFiLK0OgZkvrbRQZLqlYgiVMixAY --> piv-p256 xqSe8Q A4BW1CqEWMOdGkIjIqvXJrzC54BBaEbnhywgd1UA9gQf -lRdaSMaW/xFvzBYk56T6ld64vrFS4EbQdcJJarOd2hE --> Xw[-grease ^u-qoTf JV -7ht6GO0MH9xXNpmbVpi/NYiy27V0XHtE+qNmMqZSj0/rVtnYWMhm4Ezu+3Y ---- EYikW64z1mfwwVgFevfGeo4Sp4994H8WnvbJ+RfxMnc -PlbwqZޜ9 :Vl~(ރ#xV[|!ccVn%kYr;hS)ggELwZAJHj~a{*C8 -bi ! # K4/3$Ic7UTjfj`LX0fhO%~*]c񭯛RA0y0v#{C.BqW-1W7/jȔ} !/ Eb%Ԡtq!e>g)Λd~yA -ZN쟞mo|rX͈6T$~5͂Rj>zhKIed}NzZe`e݁b~K] h1yF \ No newline at end of file +-> X25519 AvHay53WfH+7CtbB9XWEkpcXVDqFUtNXmb3O9kkzt3Y +IucF4tsZgx7VsZ1jCuRbGOn/9m5ftvrJ9uBWs+F1XLE +-> piv-p256 xqSe8Q A0rh+U5E0cN7K7oR8TSipN/AyHBxNoohLrGHEIiQ0jWo +Qhi2dcShCBmodbO+QpxIwjjjMloe4NF9EQrXLecJt/w +-> wfDXBMR-grease & qyMg +UHgrFeFyejZpOlwsIQ1oviNwQVvNy+qrLfXc9LB5IiNE7MGn4Q +--- OvK6sw/WcdoBELlN6UvJmzSc8Hi/+0xMfq58lxTm3TQ +|1=_m6 a*kNќ_~x=< +eBG^X[Fq8Td^M{]>?.j0~Ut[e k t_8cJI*oK^bkqE[0IeAt@\? ϙuUl0 Jȉ 䍦׎υ74'Ƿ\ykO?IZg((&Ԅtmɯ]&qY/O\z{_DZpɑ>*r?>Ggvuy6lulB!1j:DfҍY̰:`7f>NmNl_?1kq'$*1/+P녚PSDDW*fP3 +c@}i˫e~-!W4 ~`]750 \ No newline at end of file diff --git a/modules/acme-wildcard.nix b/modules/acme-wildcard.nix index 47c158b..0aefecb 100644 --- a/modules/acme-wildcard.nix +++ b/modules/acme-wildcard.nix @@ -6,8 +6,9 @@ inherit (lib) assertMsg + attrNames filter - genAttrs + filterAttrs hasInfix head mkIf 
@@ -15,17 +16,19 @@
 removeSuffix
 types
 ;
+
+ wildcardDomains = attrNames (filterAttrs (_: v: v.wildcard) config.security.acme.certs);
 in {
- options.security.acme.wildcardDomains = mkOption {
- default = [];
- example = ["example.org"];
- type = types.listOf types.str;
- description = ''
- All domains for which a wildcard certificate will be generated.
- This will define the given `security.acme.certs` and set `extraDomainNames` correctly,
- but does not fill any options such as credentials or dnsProvider. These have to be set
- individually for each cert by the user or via `security.acme.defaults`.
- '';
+ options.security.acme.certs = mkOption {
+ type = types.attrsOf (types.submodule (submod: {
+ options.wildcard = mkOption {
+ default = false;
+ type = types.bool;
+ description = "If set to true, this will automatically append `*.` to `extraDomainNames`.";
+ };
+
+ config.extraDomainNames = mkIf submod.config.wildcard ["*.${submod.config._module.args.name}"];
+ }));
 };
 
 options.services.nginx.virtualHosts = mkOption {
@@ -36,14 +39,13 @@ in {
 description = ''Automatically set useACMEHost with the correct wildcard domain for the virtualHosts's main domain.'';
 };
 config = let
- # This retrieves all matching wildcard certs that would include
- # the corresponding domain. If no such domain is defined in
- # security.acme.wildcardDomains, an assertion is triggered.
+ # This retrieves all matching wildcard certs that would include the corresponding domain.
+ # If no such domain is found then an assertion is triggered.
 domain = submod.config._module.args.name;
 matchingCerts = filter (x: !hasInfix "." (removeSuffix ".${x}" domain))
- config.security.acme.wildcardDomains;
+ wildcardDomains;
 in
 mkIf submod.config.useACMEWildcardHost {
 useACMEHost = assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
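Review bot: The added `config.extraDomainNames = mkIf submod.config.wildcard ["*.${submod.config._module.args.name}"]` derives the wildcard from the attribute name, and the new `wildcardDomains` binding likewise collects `attrNames`, but NixOS's `security.acme.certs.<name>.domain` only defaults to that name and can be overridden, so a cert such as `certs.foo = { domain = "example.org"; wildcard = true; }` would request `*.foo` and be matched against virtualHosts as `foo`. If the merged submodule exposes `domain` here (it should, since this `mkOption` merges into the NixOS certs submodule), `"*.${submod.config.domain}"` and `map (v: v.domain) (attrValues (filterAttrs (_: v: v.wildcard) config.security.acme.certs))` would be the safer derivation — worth confirming against the NixOS module before relying on it. The old `wildcardDomains` description also warned that credentials and dnsProvider are not filled in; the new `wildcard` description drops that, and since a wildcard name forces DNS-01 validation, appending `Wildcard names require DNS-01 validation; dnsProvider and credentials must still be set per cert or via security.acme.defaults.` keeps that contract visible. A single key then covers every subdomain of the zone, so any host holding it can serve all of them; that blast radius deserves a sentence in the description as well.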
@@ -51,8 +53,4 @@ in {
 };
 }));
 };
-
- config.security.acme.certs = genAttrs config.security.acme.wildcardDomains (domain: {
- extraDomainNames = ["*.${domain}"];
- });
 }