diff --git a/hosts/vps1/default.nix b/hosts/vps1/default.nix
index 2b6d1c4..a6a8b69 100644
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -1,6 +1,5 @@
 {
   config,
-  pkgs,
   lib,
   self,
   ...
@@ -10,6 +9,7 @@
   imports = [
     ./hardware-configuration.nix
     ./gitea.nix
+    ./kanidm.nix
     ../server.nix
   ];
 
@@ -47,50 +47,11 @@
     groups = {
       jellyfin = { };
     };
-    extraGroups.acme.members = [
-      "kanidm"
-      "nginx"
-    ];
   };
 
   services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 
-  security.acme.certs."auth.vimium.com" = {
-    postRun = "systemctl restart kanidm.service";
-    group = "acme";
-  };
-
-  services.kanidm =
-    let
-      baseDomain = "vimium.com";
-      domain = "auth.${baseDomain}";
-      uri = "https://${domain}";
-    in
-    {
-      package = pkgs.unstable.kanidm;
-      enableClient = true;
-      enableServer = true;
-      clientSettings = {
-        inherit uri;
-      };
-      serverSettings = {
-        bindaddress = "127.0.0.1:3013";
-        ldapbindaddress = "100.64.0.1:636";
-        domain = baseDomain;
-        origin = uri;
-        tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
-        tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
-      };
-    };
-
   services.nginx.virtualHosts = {
-    "auth.vimium.com" = {
-      useACMEHost = "auth.vimium.com";
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "https://127.0.0.1:3013";
-      };
-    };
     "outline.vimium.com" = {
       forceSSL = true;
       enableACME = true;
diff --git a/hosts/vps1/kanidm.nix b/hosts/vps1/kanidm.nix
new file mode 100644
index 0000000..0ae5c0e
--- /dev/null
+++ b/hosts/vps1/kanidm.nix
@@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  baseDomain = "vimium.com";
+  domain = "auth.${baseDomain}";
+in
+{
+  services.kanidm =
+    let
+      uri = "https://${domain}";
+    in
+    {
+      package = pkgs.unstable.kanidm;
+      enableClient = true;
+      enableServer = true;
+      clientSettings = {
+        inherit uri;
+      };
+      serverSettings = {
+        bindaddress = "127.0.0.1:3013";
+        ldapbindaddress = "100.64.0.1:636";
+        domain = baseDomain;
+        origin = uri;
+        tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
+        tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+      };
+    };
+
+  services.nginx.virtualHosts = {
+    "${domain}" = {
+      useACMEHost = "${domain}";
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:3013";
+      };
+    };
+  };
+
+  users.extraGroups.acme.members = [
+    "kanidm"
+    "nginx"
+  ];
+
+  security.acme.certs."${domain}" = {
+    postRun = "systemctl restart kanidm.service";
+    group = "acme";
+  };
+}
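Review bot: The nginx vhost for `${domain}` proxies to kanidm on 127.0.0.1:3013 without anything in this file forwarding the client address, so kanidm's audit log and per-client throttling would see every request as coming from loopback unless `services.nginx.recommendedProxySettings` is already enabled elsewhere (not visible here); if it is not, adding `recommendedProxySettings = true;` to the vhost and `trust_x_forward_for = true;` to `serverSettings` lets the real client IP reach kanidm. The LDAPS listener `ldapbindaddress = "100.64.0.1:636"` is bound to a specific non-loopback address that is presumably a private overlay-network interface, but nothing says so; a comment such as `# LDAPS only on the overlay-network address, never the public interface — confirm` would stop a later edit from widening it to `0.0.0.0`. As a style point, `"${domain}" = {`, `useACMEHost = "${domain}";` and `security.acme.certs."${domain}"` can drop the quoting — `${domain} = {`, `useACMEHost = domain;` and `certs.${domain}` are equivalent Nix and match the unquoted `certs.${domain}` already used in the `tls_chain`/`tls_key` lines.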