diff --git a/hosts/nom/secrets/host.pub b/hosts/nom/secrets/host.pub
index 3019155..97a005f 100644
--- a/hosts/nom/secrets/host.pub
+++ b/hosts/nom/secrets/host.pub
@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICOdYhY/DnXpizajoeLefH6gsc/RX9x3Y6T3C1a+0sb0
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH64l5nh2ryG+1I2sXvfr7m8kTLP5N3CmnK12MHHKSfr
diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix
index 0c62b50..4db9c22 100644
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@@ -1,4 +1,8 @@
-{config, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
   imports = [
     ../../modules/optional/hardware/hetzner-cloud.nix
@@ -16,9 +20,23 @@
   users.groups.acme.members = ["nginx"];
   wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
 
+  services.nginx.enable = true;
   services.nginx.recommendedSetup = true;
+  services.nginx.virtualHosts.${config.repo.secrets.global.domains.me} = {
+    forceSSL = true;
+    useACMEWildcardHost = true;
+    locations."/".root = pkgs.runCommand "index.html" {} ''
+      mkdir -p $out
+      cat > $out/index.html < + Not empty soon TM. Until then please go here: oddlama + + EOF
+    '';
+  };
+
   meta.promtail = {
     enable = true;
     proxy = "sentinel";
diff --git a/modules/acme-wildcard.nix b/modules/acme-wildcard.nix
index 9652470..318bf28 100644
--- a/modules/acme-wildcard.nix
+++ b/modules/acme-wildcard.nix
@@ -6,6 +6,7 @@
   inherit
     (lib)
     assertMsg
+    elem
     filter
     genAttrs
     hasInfix
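Review bot: The nom host public key is replaced here, and the only related secret change visible in this diff is the deletion of the rekeyed `initrd_host_ed25519_key.age` for nom, with no re-encrypted counterpart for the new recipient in view. If the rekeyed file for the new key is not added elsewhere in this commit, the secret presumably decrypted by that key at early boot will be missing; please confirm the rekey output for the new host key is included. Since the old public key is being retired, any other secrets still encrypted to the old recipient should be rekeyed in the same change so the old private key can be discarded.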
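Review bot: The `locations."/".root` derivation in the second hunk of hosts/sentinel/default.nix uses `pkgs.runCommand "index.html" {}` plus `mkdir -p $out` and a shell heredoc to emit a single static file; `locations."/".root = pkgs.writeTextDir "index.html" ''…'';` builds the same directory without a shell step or heredoc quoting, and also fixes the derivation name, which currently names a directory after the file it contains. The heredoc body between `cat > $out/index.html <` and `EOF` appears mangled in this rendering (markup stripped, fewer lines than the header's 23), so its content could not be reviewed; please check the markup and that the apparent `oddlama` link points where you intend. Note that `forceSSL = true` with `useACMEWildcardHost = true` makes evaluation depend on `config.repo.secrets.global.domains.me` being covered by an entry in `security.acme.wildcardDomains`, otherwise the assertion in modules/acme-wildcard.nix fails the build.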
@@ -37,9 +38,12 @@ in {
       # If no such domain is found then an assertion is triggered.
       domain = submod.config._module.args.name;
       matchingCerts =
-        filter
-        (x: !hasInfix "." (removeSuffix ".${x}" domain))
-        config.security.acme.wildcardDomains;
+        if elem domain config.security.acme.wildcardDomains
+        then [domain]
+        else
+          filter
+          (x: !hasInfix "." (removeSuffix ".${x}" domain))
+          config.security.acme.wildcardDomains;
     in
       mkIf submod.config.useACMEWildcardHost {
         useACMEHost = assert assertMsg (matchingCerts != []) "No wildcard certificate was defined that matches ${domain}";
diff --git a/secrets/rekeyed/nom/1f37a986a31d7e4d88df8b59d91fcd91-initrd_host_ed25519_key.age b/secrets/rekeyed/nom/1f37a986a31d7e4d88df8b59d91fcd91-initrd_host_ed25519_key.age
deleted file mode 100644
index 6ca7d9f..0000000
--- a/secrets/rekeyed/nom/1f37a986a31d7e4d88df8b59d91fcd91-initrd_host_ed25519_key.age
+++ /dev/null
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 grkLKQ wT/F1RZNRPv/nEpRO2K6uaaUgblmQ+Snl0l0oaQ8biQ
-l2Spr1bBxZ780TqPyzLu8e+Bu/V7wHGVEOnht6obgm4
--> a-grease ajoj }}yuQ_]d ]\g'
-WsHmUGNgl8O1jJaoW2mHzJtxngWIQWUngA0y/Q
---- yG/0WUD+R7eWZv+DNiH24Y8GW3FvYgHDftlFi8ngpdA
-o)8!X?r%JنRq9_]jr;C?,vLF5Dx&.1/vN;H47\V>6L9! >:*U5b[h/nSo
- '(i҈y5D.]IcJFY_-Z !L0V^3O)3Q.
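Review bot: The `else` branch's filter, `(x: !hasInfix "." (removeSuffix ".${x}" domain))`, still accepts a wildcard base that is not a suffix of `domain` at all: `removeSuffix` returns `domain` unchanged when `.${x}` is not its suffix, so a single-label `domain` with no `.` matches every entry of `security.acme.wildcardDomains` instead of triggering the assertion. This is pre-existing, but since the hunk rewrites the expression it is a cheap moment to tighten it to `(x: hasSuffix ".${x}" domain && !hasInfix "." (removeSuffix ".${x}" domain))`, adding `hasSuffix` to the `inherit (lib)` list in the earlier hunk. The new `if elem domain … then [domain]` branch is right for the apex case, which the old filter rejected whenever the wildcard base itself contained a dot. The enclosing `let` and the `useACMEHost` consumer of `matchingCerts` begin and end outside the hunk, so how multiple matches are resolved is not visible here.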