diff --git a/fediversity/garage.nix b/fediversity/garage.nix
index ea400df..e38acc8 100644
--- a/fediversity/garage.nix
+++ b/fediversity/garage.nix
@@ -172,10 +172,12 @@ in
         s3_api.root_domain = ".${fedicfg.api.domain}";
       };
     };
+
     services.nginx.virtualHosts."garagePortProxy" = {
       forceSSL = true;
-      enableACME = true;
-      serverName = "*.${fedicfg.web.rootDomain}";
+      useACME = true;
+      serverName = fedicfg.web.rootDomain;
+      serverAliases = lib.mapAttrsToList (bucket: _: "${bucket}.${fedicfg.web.rootDomain}") cfg.ensureBuckets; ## TODO: use wildcard certificates?
       locations."/" = {
         proxyPass = "http://localhost:3902";
         extraConfig = ''
@@ -183,6 +185,7 @@ in
         '';
       };
     };
+   
     systemd.services.ensure-garage = {
       after = [ "garage.service" ];
       wantedBy = [ "garage.service" ];