diff --git a/dev/host_vars/proxy.yml b/dev/host_vars/proxy.yml
index 6ce8de2..1f0dae2 100644
--- a/dev/host_vars/proxy.yml
+++ b/dev/host_vars/proxy.yml
@@ -8,6 +8,7 @@ manage_network: false proxy: #production: true dns_cloudflare: + opts: --test-cert #email: realemail@example.com #api_token: CLOUDFLARE_DNS01_API_TOKEN wildcard_domains:
@@ -15,14 +16,8 @@ proxy: servers: - domain: "{{ bitwarden_domain }}" proxy_pass: "http://127.0.0.1:8080" - tls: - cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem - key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem - domain: "{{ gitea_domain }}" proxy_pass: "http://127.0.0.1:3080" - tls: - cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem - key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem # docker docker_users:
diff --git a/roles/proxy/files/restart-nginx.sh b/roles/proxy/files/reload-nginx.sh
similarity index 100%
rename from roles/proxy/files/restart-nginx.sh
rename to roles/proxy/files/reload-nginx.sh
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 3e8d55c..44c0aa0 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -20,10 +20,20 @@ - name: Install nginx sites configuration template: src: server-nginx.conf.j2 - dest: "/etc/nginx/conf.d/{{ item.domain }}.conf" + dest: "/etc/nginx/sites-available/{{ item.domain }}.conf" mode: '0644' loop: "{{ proxy.servers }}" notify: reload_nginx + register: nginx_sites + + - name: Enable nginx sites configuration + file: + src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf" + dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf" + state: link + loop: "{{ nginx_sites.results }}" + when: item.changed + notify: reload_nginx - name: Generate self-signed certificate shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
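Review bot: The new `Enable nginx sites configuration` task creates the `sites-enabled` symlink only when the template task reported a change, so a host whose template is already current but whose link is missing (an interrupted first run, a link removed by hand) is never re-enabled, and nothing removes the link of a server later dropped from `proxy.servers`. `file: state: link` is idempotent on its own, so the task can use `loop: "{{ proxy.servers }}"` with `{{ item.domain }}` in `src` and `dest` and drop the `register: nginx_sites` / `when: item.changed` coupling. Moving `dest` from `conf.d` to `sites-available` also leaves any `/etc/nginx/conf.d/<domain>.conf` written by earlier runs in place, and the `nginx.conf.j2` hunk keeps `include /etc/nginx/conf.d/*.conf;` next to the new `sites-enabled` include, so already-provisioned hosts appear to end up with two `server` blocks for the same `server_name` until the old files are removed; a `file: state: absent` task for the old path would make the migration converge. The `Generate self-signed certificate` task at the end of the hunk continues outside it.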
@@ -32,21 +42,21 @@ -out /etc/ssl/certs/nginx-selfsigned.crt' args: creates: /etc/ssl/certs/nginx-selfsigned.crt - when: not proxy.production + when: proxy.production is not defined or not proxy.production notify: reload_nginx - name: Install LE's certbot apt: name: ['certbot', 'python3-certbot-dns-cloudflare'] state: present - when: proxy.production + when: proxy.production is defined and proxy.production - name: Install Cloudflare API token template: src: cloudflare.ini.j2 dest: /root/.cloudflare.ini mode: '0600' - when: proxy.production and proxy.dns_cloudflare is defined + when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined - name: Create nginx post renewal hook directory file:
@@ -55,10 +65,10 @@ - name: Install nginx post renewal hook copy: - src: restart-nginx.sh - dest: /etc/letsencrypt/renewal-hooks/post/nginx.sh + src: reload-nginx.sh + dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh mode: '0755' - when: proxy.production + when: proxy.production is defined and proxy.production - name: Run Cloudflare DNS-01 challenges on wildcard domains shell: '/usr/bin/certbot certonly \
@@ -67,9 +77,9 @@ --email "{{ proxy.dns_cloudflare.email }}" \ --dns-cloudflare \ --dns-cloudflare-credentials /root/.cloudflare.ini \ - -d "*.{{ item }}"' + -d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}' args: creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem" loop: "{{ proxy.dns_cloudflare.wildcard_domains }}" - when: proxy.production and proxy.dns_cloudflare is defined + when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined notify: reload_nginx
diff --git a/roles/proxy/templates/nginx.conf.j2 b/roles/proxy/templates/nginx.conf.j2
index 8e47758..39c94a0 100644
--- a/roles/proxy/templates/nginx.conf.j2
+++ b/roles/proxy/templates/nginx.conf.j2
@@ -22,4 +22,5 @@ http { server_names_hash_bucket_size 128; include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; }
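Review bot: `proxy.production is defined and proxy.production` is now spelled out in every `when:` of this hunk and repeated in the two following hunks and in `server-nginx.conf.j2`; `proxy.production | default(false)` expresses the same test once per line and keeps the negated form on the self-signed task readable, e.g. `when: not (proxy.production | default(false))` and `when: proxy.production | default(false) and proxy.dns_cloudflare is defined`. Ansible evaluates `when:` as a Jinja expression, so the filter form needs no extra quoting. The `openssl` `shell:` command whose `-out` line opens this hunk begins outside it.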
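Review bot: The hook now lands at `/etc/letsencrypt/renewal-hooks/post/reload-nginx.sh`, but the previously deployed `/etc/letsencrypt/renewal-hooks/post/nginx.sh` is never removed, so hosts provisioned before this change will run both scripts after every renewal. Add a `file:` task with `path: /etc/letsencrypt/renewal-hooks/post/nginx.sh` and `state: absent` under the same `when:`, or at least record the manual cleanup in the commit description.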
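Review bot: `{{ proxy.dns_cloudflare.opts | default("") }}` is spliced into the `shell:` command outside any quoting, so whatever the host_vars hold is parsed by the shell as-is; that is fine for the `--test-cert` set in `dev/host_vars/proxy.yml`, but the variable deserves a comment in the task saying what it is, e.g. `# proxy.dns_cloudflare.opts: trusted, space-separated certbot flags appended verbatim (| quote would collapse them into one argument)`. The larger problem is the guard `creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"`: as far as I can tell certbot writes staging and production lineages to the same `live/<name>/` path, so once a run with `--test-cert` has populated it, removing the flag leaves this task a no-op and nginx keeps serving the untrusted staging certificate. Keying the test run on a separate `--config-dir`, or documenting that the staging lineage must be deleted (or the task re-run with `--force-renewal`) before switching to production, would close that gap.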
diff --git a/roles/proxy/templates/server-nginx.conf.j2 b/roles/proxy/templates/server-nginx.conf.j2
index 84f73a2..718a96e 100644
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@@ -2,10 +2,18 @@ server { listen 443 ssl; server_name {{ item.domain }}; access_log /var/log/nginx/{{ item.domain }}.log main; -{% if proxy.production and item.tls.cert is not defined %} +{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %} +{% for wildcard in proxy.dns_cloudflare.wildcard_domains %} +{% set domain_regex = '^\*\.' + wildcard + '$' %} +{% if item.domain | regex_search(wildcard) %} + ssl_certificate /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem; +{% endif %} +{% endfor %} +{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %} ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem; -{% elif proxy.production and item.tls.cert is defined %} +{% elif proxy.production is defined and proxy.production and item.tls.cert is defined %} ssl_certificate {{ item.tls.cert }}; ssl_certificate_key {{ item.tls.key }}; {% else %}
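Review bot: The new outer `{% if %}` is taken whenever `wildcard_domains` is defined, not when a wildcard actually matches, so a production server whose domain falls under none of the wildcards gets no `ssl_certificate` at all (the per-domain `elif` is unreachable in that case) and nginx rejects the `listen 443 ssl` block; conversely two matching wildcards emit duplicate `ssl_certificate` directives. The match itself uses the bare wildcard as an unanchored, unescaped regex, so `*.example.com` would be selected for `a.b.example.com` and for `example.com`, neither of which that certificate covers, and the `domain_regex` variable set on the line above is never used. The rewrite below selects at most one wildcard, anchored to exactly one label below the escaped name (`regex_escape` is an Ansible filter; `namespace` needs Jinja ≥ 2.10, which Ansible ships), and falls through to the existing branches otherwise. The closing `{% endif %}` of this chain lies outside the hunk.

```jinja
    access_log /var/log/nginx/{{ item.domain }}.log main;
{% set le = namespace(wildcard=none) %}
{% if proxy.production is defined and proxy.production and item.tls.cert is not defined and proxy.dns_cloudflare.wildcard_domains is defined %}
{% for wildcard in proxy.dns_cloudflare.wildcard_domains %}
{# a *.wildcard certificate covers exactly one label below it: anchor the test and escape the literal name #}
{% if le.wildcard is none and item.domain | regex_search('^[^.]+\.' + (wildcard | regex_escape) + '$') %}
{% set le.wildcard = wildcard %}
{% endif %}
{% endfor %}
{% endif %}
{% if le.wildcard is not none %}
    ssl_certificate /etc/letsencrypt/live/{{ le.wildcard }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ le.wildcard }}/privkey.pem;
{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}
{# … unchanged: per-domain Let's Encrypt, item.tls and self-signed branches … #}
```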