diff --git a/nixos/machines/frumar/default.nix b/nixos/machines/frumar/default.nix
index ee9e5df..d88acc2 100644
--- a/nixos/machines/frumar/default.nix
+++ b/nixos/machines/frumar/default.nix
@@ -13,6 +13,31 @@
 };
 })
 ];
+ systemd.tmpfiles.rules = lib.mkAfter [
+ "d ${config.services.acme-sh.stateDir}/selfsign 0700 nginx nginx"
+ ];
+ systemd.services."yori-selfsigned-ca" = {
+ description = "Generate self-signed fallback";
+ path = with pkgs; [ minica ];
+ unitConfig = {
+ ConditionPathExists = "!${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/key.pem";
+ StartLimitIntervalSec = 0;
+ };
+ serviceConfig = {
+ User = "nginx";
+ Group = "nginx";
+ UMask = "0077";
+ Type = "oneshot";
+ PrivateTmp = true;
+ WorkingDirectory = "${config.services.acme-sh.stateDir}/selfsign";
+ };
+ script = "minica --domains selfsigned.local";
+ };
+ systemd.services.nginx = {
+ requires = [ "yori-selfsigned-ca.service" ];
+ after = [ "yori-selfsigned-ca.service" ];
+ };
+
 services.nginx = let
 cert = config.services.acme-sh.certs.wildcard-yori-cc;
 sslCertificate = cert.certPath;
@@ -37,7 +62,9 @@
 };
 virtualHosts."frumar.yori.cc" = {
 enableACME = lib.mkForce false;
- forceSSL = lib.mkForce false;
+ forceSSL = true;
+ sslCertificate = "/var/lib/acme.sh/selfsign/selfsigned.local/cert.pem";
+ sslCertificateKey = "/var/lib/acme.sh/selfsign/selfsigned.local/key.pem";
 default = true;
 };
 };
diff --git a/nixos/modules/acme-sh.nix b/nixos/modules/acme-sh.nix
index 2af49a2..ab88ef6 100644
--- a/nixos/modules/acme-sh.nix
+++ b/nixos/modules/acme-sh.nix
@@ -96,6 +96,9 @@ in
 };
 };
 config = {
+ systemd.tmpfiles.rules = if cfg.certs != {} then [
+ "d ${cfg.stateDir} 0755 root root"
+ ] else [];
 systemd.services = lib.mapAttrs' (name: value: lib.nameValuePair "acme-sh-${name}" (with value; {
 description = "Renew ACME Certificate for ${name}";
 after = 
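Review bot: The `ConditionPathExists` guard in the new `yori-selfsigned-ca` unit only checks `selfsigned.local/key.pem`, so a run that left the key behind but not `cert.pem` (or an operator removing only the cert) is never retried, and nginx, which now `requires` the unit, still starts because a failed condition is a skip rather than a failure, leaving its `sslCertificate` pointing at a missing file. Making both files triggering conditions re-runs the generator when either is absent: `ConditionPathExists = [ "|!${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/key.pem" "|!${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/cert.pem" ];`, though how minica behaves when one of the two already exists should be confirmed before relying on it. Separately, with `User = "nginx"` the serving process owns and can rewrite its own fallback key and the minica CA in `selfsign/`; generating as root into a `0750 root nginx` directory with the key readable by the group would keep that material read-only for nginx, if that fits the module's conventions.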
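Review bot: The new `sslCertificate` and `sslCertificateKey` lines in the `frumar.yori.cc` vhost hard-code `/var/lib/acme.sh/selfsign/...`, while the generator added earlier in this file derives the same directory from `${config.services.acme-sh.stateDir}/selfsign`; if `stateDir` is ever changed the vhost silently points at files the generator no longer writes and nginx fails to start. Use the option in both places: `sslCertificate = "${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/cert.pem";` and `sslCertificateKey = "${config.services.acme-sh.stateDir}/selfsign/selfsigned.local/key.pem";`. The `forceSSL = true` replaces a `lib.mkForce false`, which suggests another definition of this option existed; if it still does, the plain `true` now merges with it rather than overriding it, which is worth confirming. The enclosing `services.nginx = let ... in` expression begins and ends outside the hunk.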
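Review bot: The new `systemd.tmpfiles.rules = if cfg.certs != {} then [ ... ] else [];` in `config` is the hand-written form of a standard helper; `systemd.tmpfiles.rules = lib.optional (cfg.certs != {}) "d ${cfg.stateDir} 0755 root root";` reads as one line and is the usual idiom in NixOS modules. A short comment stating why the directory is created here rather than in each renewal unit's `preStart` (the lines this commit removes further down) would help the next reader, e.g. `# Create the shared state dir once via tmpfiles; per-cert dirs are still set up in preStart.` The enclosing `config = { ... }` attribute set continues past the end of the hunk.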
@@ -114,9 +117,6 @@ in
 };
 path = with pkgs; [ acme-sh systemd util-linuxMinimal procps ];
 preStart = ''
- mkdir -p ${cfg.stateDir}
- chown 'root:root' ${cfg.stateDir}
- chmod 755 ${cfg.stateDir}
 mkdir -p "${statePath}"
 chown -R '${user}:${group}' "${statePath}"
 chmod 750 "${statePath}"