diff --git a/modules/nixos/nginx/ssl.nix b/modules/nixos/nginx/ssl.nix
index 4c04a8b5..aa068f15 100644
--- a/modules/nixos/nginx/ssl.nix
+++ b/modules/nixos/nginx/ssl.nix
@@ -4,8 +4,9 @@
 ...
 }: let
 inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkDefault mkOptionDefault mkOverride;
+ inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault mkOverride;
 inherit (lib.trivial) warnIf;
+ inherit (config.services.nginx) virtualHosts;
 mkAlmostOptionDefault = mkOverride 1250;
 forceRedirectConfig = virtualHost: ''
 if ($x_scheme = http) {
@@ -56,6 +57,10 @@
 type = nullOr path;
 default = null;
 };
+ copyFromVhost = mkOption {
+ type = nullOr str;
+ default = null;
+ };
 };
 };
 locations = mkOption {
@@ -69,9 +74,20 @@
 ssl = {
 enable = mkOptionDefault (cfg.cert.name != null || cfg.cert.keyPath != null);
 forced = mkOptionDefault (cfg.force != false && cfg.force != "reject");
- cert.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" (
- mkAlmostOptionDefault config.name.shortServer
- ));
+ cert = let
+ certConfig.name = mkIf cfg.cert.enable (warnIf (config.name.shortServer == null) "ssl.cert.enable set but name.shortServer is null" (
+ mkAlmostOptionDefault config.name.shortServer
+ ));
+ copyCert = virtualHosts.${cfg.cert.copyFromVhost}.ssl.cert;
+ otherCertConfig = mkIf (cfg.cert.copyFromVhost != null) {
+ name = mkDefault copyCert.name;
+ keyPath = mkAlmostOptionDefault copyCert.keyPath;
+ path = mkAlmostOptionDefault copyCert.path;
+ };
+ in mkMerge [
+ certConfig
+ otherCertConfig
+ ];
 };
 addSSL = mkIf (cfg.enable && (cfg.force == false || emitForce)) (mkDefault true);
 forceSSL = mkIf (cfg.enable && cfg.force == true && !emitForce) (mkDefault true);
diff --git a/nixos/access/grocy.nix b/nixos/access/grocy.nix
index 532a24db..947b537c 100644
--- a/nixos/access/grocy.nix
+++ b/nixos/access/grocy.nix
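Review bot: The new `copyFromVhost` option in the second hunk carries no `description`, so which fields are taken over from the other host, and at what priority, is only discoverable by reading the `cert` definition further down the file. I would add `description = "Name of another services.nginx.virtualHosts entry whose ssl.cert name, keyPath and path this host reuses.";` to the declaration, and mention there that the copied name takes precedence over the shortServer-derived one. The declaration sits inside a submodule whose enclosing option definition lies outside the hunk.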
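Review bot: `copyCert = virtualHosts.${cfg.cert.copyFromVhost}.ssl.cert;` in the third hunk dereferences the named host with no existence check, so a misspelled `copyFromVhost` value surfaces as a bare attribute-missing error during evaluation, and a host naming itself would presumably recurse without end; a guarded form such as `copyCert = virtualHosts.${cfg.cert.copyFromVhost}.ssl.cert or (throw "ssl.cert.copyFromVhost: no virtualHost named ${cfg.cert.copyFromVhost}");` gives an actionable message instead. The binding is only safe when `copyFromVhost` is null because the module system does not force the body of `mkIf (cfg.cert.copyFromVhost != null)`, and that reliance on laziness deserves a comment next to `copyCert`, e.g. `# only forced inside the mkIf below, so a null copyFromVhost never selects on a null name`. It is also worth a comment that the copied `name` is `mkDefault` (priority 1000) and therefore wins over the `mkAlmostOptionDefault` (1250) shortServer-derived name when `cert.enable` and `copyFromVhost` are both set, while `keyPath` and `path` stay at 1250 and remain overridable by a plain definition. The surrounding `config` attribute set continues past the end of the hunk.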
@@ -19,6 +19,7 @@ in {
 };
 grocy'local = {
 inherit name;
+ ssl.cert.copyFromVhost = "zigbee2mqtt";
 local.enable = mkDefault true;
 locations."/" = mkIf (!grocy.enable) {
 proxyPass = mkDefault (if grocy.enable
diff --git a/nixos/access/home-assistant.nix b/nixos/access/home-assistant.nix
index 3a718054..f303cb1c 100644
--- a/nixos/access/home-assistant.nix
+++ b/nixos/access/home-assistant.nix
@@ -31,6 +31,7 @@ in {
 };
 home-assistant'local = {
 inherit name listenPorts;
+ ssl.cert.copyFromVhost = "home-assistant";
 local.enable = mkDefault true;
 locations."/" = {
 proxy = {
diff --git a/nixos/access/keycloak.nix b/nixos/access/keycloak.nix
index 648cead1..b2b5b952 100644
--- a/nixos/access/keycloak.nix
+++ b/nixos/access/keycloak.nix
@@ -38,7 +38,10 @@ in {
 };
 keycloak'local = {
 name.shortServer = mkDefault "sso";
- ssl.force = mkDefault true;
+ ssl = {
+ force = mkDefault true;
+ cert.copyFromVhost = "keycloak";
+ };
 local.enable = true;
 inherit locations;
 extraConfig = mkIf nginx.vouch.localSso.enable ''
diff --git a/nixos/access/kitchencam.nix b/nixos/access/kitchencam.nix
index a3537890..c3de400f 100644
--- a/nixos/access/kitchencam.nix
+++ b/nixos/access/kitchencam.nix
@@ -65,6 +65,7 @@ in {
 };
 kitchencam'local = {
 inherit name locations listenPorts kTLS;
+ ssl.cert.copyFromVhost = "kitchencam";
 local.enable = true;
 };
 };
diff --git a/nixos/access/plex.nix b/nixos/access/plex.nix
index 05ce80a7..16af3d7b 100644
--- a/nixos/access/plex.nix
+++ b/nixos/access/plex.nix
@@ -64,6 +64,7 @@ in {
 };
 plex'local = {
 inherit name locations extraConfig kTLS;
+ ssl.cert.copyFromVhost = "plex";
 local.enable = true;
 };
 };
diff --git a/nixos/access/unifi.nix b/nixos/access/unifi.nix
index 9ae67cef..339822db 100644
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
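Review bot: `ssl.cert.copyFromVhost = "zigbee2mqtt";` on `grocy'local` points at a different service's certificate, while every other hunk in this commit copies from the host's own base vhost (`home-assistant'local` from `home-assistant`, `keycloak'local` from `keycloak`, and so on), and the hakurei hunk still keeps a dedicated `grocy` cert enabled. If this is a copy-paste slip, `grocy'local` would present zigbee2mqtt's certificate and clients would presumably see a hostname mismatch unless that certificate also covers grocy's local name; the likely intended line is `ssl.cert.copyFromVhost = "grocy";`. If sharing the zigbee2mqtt certificate is deliberate, a one-line comment stating why would spare the next reader the same question. The `grocy'local` attribute set continues past the end of the hunk.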
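Review bot: `cert.copyFromVhost = "keycloak";` is an unconditional definition placed next to `force = mkDefault true;` and `name.shortServer = mkDefault "sso";`, so a system that needs this vhost to take its certificate from elsewhere cannot simply redefine the option and would, as far as I can tell, hit a conflicting-definition error on `ssl.cert.copyFromVhost` unless it reaches for `mkForce`. The same holds for the other `copyFromVhost` lines in this commit (grocy, home-assistant, kitchencam, plex, unifi, vouch, zigbee2mqtt). Where the neighbouring options are written with `mkDefault`, `cert.copyFromVhost = mkDefault "keycloak";` keeps the module overridable in the same style. The `keycloak'local` attribute set continues past the end of the hunk.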
@@ -45,7 +45,10 @@ in {
 ssl = true;
 extraParameters = [ "default_server" ];
 };
- ssl.force = true;
+ ssl = {
+ force = true;
+ cert.copyFromVhost = "unifi";
+ };
 inherit name locations extraConfig kTLS;
 };
 unifi = {
@@ -55,6 +58,7 @@ in {
 };
 unifi'local = {
 inherit name locations extraConfig kTLS;
+ ssl.cert.copyFromVhost = "unifi";
 local.enable = true;
 };
 };
diff --git a/nixos/access/vouch.nix b/nixos/access/vouch.nix
index 6a7d382a..6e0d1cb5 100644
--- a/nixos/access/vouch.nix
+++ b/nixos/access/vouch.nix
@@ -65,7 +65,10 @@ in {
 includeTailscale = false;
 };
 local.enable = true;
- ssl.force = true;
+ ssl = {
+ force = true;
+ cert.copyFromVhost = "vouch";
+ };
 locations = mkMerge [
 locations
 (localLocations "sso.local.${networking.domain}")
@@ -73,6 +76,7 @@ in {
 };
 vouch'tail = {
 enable = mkDefault tailscale.enable;
+ ssl.cert.copyFromVhost = "vouch'local";
 name = {
 inherit (name) shortServer;
 qualifier = mkDefault "tail";
diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix
index 2b242704..689f8377 100644
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
@@ -21,6 +21,7 @@ in {
 };
 zigbee2mqtt'local = {
 inherit name;
+ ssl.cert.copyFromVhost = "zigbee2mqtt";
 locations."/" = {
 proxy.websocket.enable = true;
 proxyPass = mkDefault (
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index 3f879e9a..30cdd54f 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
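Review bot: `ssl.cert.copyFromVhost = "vouch'local";` on `vouch'tail` creates a two-level chain (vouch'tail from vouch'local, which the previous hunk makes copy from vouch), and nothing in the hunk says whether the indirection is intended; as far as I can tell it resolves only because the copied value is vouch'local's already-merged `ssl.cert`. A comment such as `# vouch'local itself copies from vouch; go through it so the two stay in step` would make the chain deliberate, or the line can point straight at `"vouch"` if no divergence between the two is expected. The `vouch'tail` attribute set continues past the end of the hunk.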
@@ -216,39 +216,30 @@ in {
 local.denyGlobal = true;
 ssl.cert.enable = true;
 };
- keycloak'local.ssl.cert.enable = true;
 vouch.ssl.cert.enable = true;
- vouch'local.ssl.cert.enable = true;
- vouch'tail.ssl.cert.enable = true;
 unifi = {
 # we're not the real unifi record-holder, so don't respond globally..
 local.denyGlobal = true;
 ssl.cert.enable = true;
 };
- unifi'local.ssl.cert.enable = true;
 home-assistant = assert home-assistant.enable; {
 # not the real hass record-holder, so don't respond globally..
 local.denyGlobal = true;
 ssl.cert.enable = true;
 locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString home-assistant.config.http.server_port}";
 };
- home-assistant'local.ssl.cert.enable = true;
 zigbee2mqtt = assert zigbee2mqtt.enable; {
 # not the real z2m record-holder, so don't respond globally..
 local.denyGlobal = true;
 ssl.cert.enable = true;
 locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString zigbee2mqtt.settings.frontend.port}";
 };
- zigbee2mqtt'local.ssl.cert.enable = true;
 grocy = {
 # not the real grocy record-holder, so don't respond globally..
 local.denyGlobal = true;
 ssl.cert.enable = true;
 locations."/".proxyPass = "http://${tei.lib.access.hostnameForNetwork.tail}";
 };
- grocy'local = {
- ssl.cert.enable = true;
- };
 ${access.freepbx.domain} = {
 local.enable = true;
 };
@@ -256,9 +247,7 @@ in {
 useACMEHost = access.proxmox.domain;
 };
 plex.ssl.cert.enable = true;
- plex'local.ssl.cert.enable = true;
 kitchencam.ssl.cert.enable = true;
- kitchencam'local.ssl.cert.enable = true;
 ${access.invidious.domain} = {
 useACMEHost = access.invidious.domain;
 forceSSL = true;