diff --git a/cluster/services/certificates/default.nix b/cluster/services/certificates/default.nix
new file mode 100644
index 0000000..d676559
--- /dev/null
+++ b/cluster/services/certificates/default.nix
@@ -0,0 +1,12 @@
+{
+ services.certificates = {
+ nodes = {
+ internal-wildcard = [ "checkmate" "VEGAS" ];
+ };
+ nixos = {
+ internal-wildcard = [
+ ./internal-wildcard.nix
+ ];
+ };
+ };
+}
diff --git a/cluster/services/certificates/internal-wildcard.nix b/cluster/services/certificates/internal-wildcard.nix
new file mode 100644
index 0000000..a8c1a26
--- /dev/null
+++ b/cluster/services/certificates/internal-wildcard.nix
@@ -0,0 +1,14 @@
+{ tools, ... }:
+
+let
+ inherit (tools.meta) domain;
+in
+
+{
+ security.acme.certs."internal.${domain}" = {
+ domain = "*.internal.${domain}";
+ extraDomainNames = [ "*.internal.${domain}" ];
+ dnsProvider = "pdns";
+ group = "nginx";
+ };
+}
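Review bot: In internal-wildcard.nix, `extraDomainNames` repeats the exact name already given in `domain`, so it adds nothing new to the certificate; if the apex was meant to be covered, the line would read `extraDomainNames = [ "internal.${domain}" ];`, otherwise it can be dropped. `dnsProvider = "pdns"` is set with no credentials option in this file, so the PowerDNS API key presumably comes from `security.acme.defaults` elsewhere; it is worth confirming that it is supplied through a secret file outside the world-readable Nix store and that the key is limited to the zone holding the `_acme-challenge` records. `group = "nginx"` makes the wildcard private key readable by that group on every node listed in default.nix, and that key is valid for every `*.internal` host name, so a comment such as `# wildcard key: readable by group nginx on each node in services.certificates.nodes.internal-wildcard` would record the exposure for later reviewers.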