diff --git a/systems/jeeves/default.nix b/systems/jeeves/default.nix
index 3dbbbb8..1f1b294 100644
--- a/systems/jeeves/default.nix
+++ b/systems/jeeves/default.nix
@@ -15,6 +15,7 @@ in
     "${inputs.self}/common/optional/zerotier.nix"
     ./docker
     ./services
+    ./web_services
     ./hardware.nix
     ./networking.nix
     ./programs.nix
diff --git a/systems/jeeves/services/acme.nix b/systems/jeeves/web_services/acme.nix
similarity index 58%
rename from systems/jeeves/services/acme.nix
rename to systems/jeeves/web_services/acme.nix
index cbbcfdd..538c1b6 100644
--- a/systems/jeeves/services/acme.nix
+++ b/systems/jeeves/web_services/acme.nix
@@ -1,39 +1,30 @@
+let
+  domains = [
+    "audiobookshelf"
+    "cache"
+    "gitea"
+    "jellyfin"
+    "share"
+  ];
+
+  makeCert = name: {
+    name = "${name}.tmmworkshop.com";
+    value = {
+      webroot = "/var/lib/acme/.challenges";
+      group = "acme";
+      reloadServices = [ "haproxy.service" ];
+    };
+  };
+
+  acmeServices = map (domain: "acme-${domain}.tmmworkshop.com.service") domains;
+in
 {
   users.users.haproxy.extraGroups = [ "acme" ];
 
   security.acme = {
     acceptTerms = true;
     defaults.email = "Richie@tmmworkshop.com";
-
-    certs."gitea.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-
-    certs."audiobookshelf.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-
-    certs."cache.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-
-    certs."jellyfin.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
-
-    certs."share.tmmworkshop.com" = {
-      webroot = "/var/lib/acme/.challenges";
-      group = "acme";
-      reloadServices = [ "haproxy.service" ];
-    };
+    certs = builtins.listToAttrs (map makeCert domains);
   };
 
   # Minimal nginx to serve ACME HTTP-01 challenge files for HAProxy
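Review bot: `acmeServices` in the new `let` rebuilds the systemd unit names from `domains` with a second, independent copy of the `tmmworkshop.com` suffix instead of deriving them from the attribute names that `makeCert` already produces, so editing one without the other silently desynchronises them. Because the second hunk feeds this list into HAProxy's `after`/`wants`, a mismatch would, as far as I can tell, only show up as a systemd warning about an unknown unit and HAProxy would start without waiting for the certificates at all. Deriving both from the same expression keeps them in lockstep: `acmeServices = map (domain: "acme-${(makeCert domain).name}.service") domains;`. A one-line comment on `makeCert` saying that the attribute name doubles as the `acme-<name>.service` unit name would make that coupling explicit for the next editor.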
@@ -60,4 +51,12 @@
   ];
 
   users.users.nginx.extraGroups = [ "acme" ];
+
+  # HAProxy needs certs to exist before it can bind :443.
+  # NixOS's acme module generates self-signed placeholders on first boot
+  # via acme-.service — just make HAProxy wait for them.
+  systemd.services.haproxy = {
+    after = acmeServices;
+    wants = acmeServices;
+  };
 }
diff --git a/systems/jeeves/web_services/default.nix b/systems/jeeves/web_services/default.nix
new file mode 100644
index 0000000..1133fcb
--- /dev/null
+++ b/systems/jeeves/web_services/default.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+  imports =
+    let
+      files = builtins.attrNames (builtins.readDir ./.);
+      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
+    in
+    map (file: ./. + "/${file}") nixFiles;
+}
diff --git a/systems/jeeves/services/haproxy.cfg b/systems/jeeves/web_services/haproxy.cfg
similarity index 100%
rename from systems/jeeves/services/haproxy.cfg
rename to systems/jeeves/web_services/haproxy.cfg
diff --git a/systems/jeeves/services/haproxy.nix b/systems/jeeves/web_services/haproxy.nix
similarity index 100%
rename from systems/jeeves/services/haproxy.nix
rename to systems/jeeves/web_services/haproxy.nix
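Review bot: The comment above `systemd.services.haproxy` names the unit that creates the placeholder certificates as `acme-.service`, which is not a complete unit name, so a reader cannot check the ordering claim against it. To my recollection the NixOS ACME module produces the self-signed placeholder in `acme-selfsigned-<cert>.service`, which `acme-<cert>.service` is itself ordered after, so waiting on the latter is consistent with the intent, but the comment should say which unit it means, e.g. `# via acme-selfsigned-<cert>.service, which acme-<cert>.service is ordered after — so make HAProxy wait for the latter.` It would also help to state that `wants` rather than `requires` is deliberate, so that a failed renewal attempt does not stop HAProxy from starting with the existing certificates. The attribute set that this hunk closes begins outside the hunk.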
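Review bot: The `nixFiles` filter in the new `web_services/default.nix` checks only the entry name, but `builtins.readDir` also reports directories and symlinks, so any subdirectory or symlink whose name ends in `.nix` would be handed to `imports` as a module path and fail evaluation. Filtering on the entry type as well closes that: `nixFiles = builtins.attrNames (lib.filterAttrs (name: type: type == "regular" && lib.hasSuffix ".nix" name && name != "default.nix") (builtins.readDir ./.));`. The `imports` attribute also deserves a short comment, because with this auto-discovery every `.nix` file added to the directory becomes part of the host configuration without appearing in any explicit list, and a reviewer of a later change should know that adding a file here is equivalent to editing the import list in `systems/jeeves/default.nix`.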