diff --git a/modules/blocks/ssl.nix b/modules/blocks/ssl.nix
index 81d507c..5146f4d 100644
--- a/modules/blocks/ssl.nix
+++ b/modules/blocks/ssl.nix
@@ -7,21 +7,6 @@ in
   options.shb.ssl = {
     enable = lib.mkEnableOption "selfhostblocks.ssl";
 
-    sopsFile = lib.mkOption {
-      type = lib.types.path;
-      description = ''Sops file location.
-
-      To use Linode to prove the dns challenge, the content of the file should be the following,
-      with XXX replaced by your Linode API token.
-
-      LINODE_HTTP_TIMEOUT=10
-      LINODE_POLLING_INTERVAL=10
-      LINODE_PROPAGATION_TIMEOUT=240
-      LINODE_TOKEN=XXX
-      '';
-      example = "secrets/haproxy.yaml";
-    };
-
     domain = lib.mkOption {
       description = lib.mdDoc "Domain to serve sites under.";
       type = lib.types.str;
@@ -34,6 +19,23 @@ in
       example = "linode";
     };
 
+    credentialsFile = lib.mkOption {
+      type = lib.types.path;
+      description = ''Credentials file location for the chosen DNS provider.
+
+      The content of this file must expose environment variables as written in the
+      [documentation](https://go-acme.github.io/lego/dns/) of each DNS provider.
+
+      For example, if the documentation says the credential must be located in the environment
+      variable DNSPROVIDER_TOKEN, then the file content must be:
+
+      DNSPROVIDER_TOKEN=xyz
+
+      You can put non-secret environment variables here too or use shb.ssl.additionalcfg instead.
+      '';
+      example = "/run/secrets/ssl";
+    };
+
     dnsResolver = lib.mkOption {
       description = lib.mdDoc "IP of a DNS server used to resolve hostnames.";
       type = lib.types.str;
@@ -62,8 +64,8 @@ in
       defaults = {
         email = cfg.adminEmail;
         inherit (cfg) dnsProvider dnsResolver;
-        credentialsFile = config.sops.secrets.acme.path;
         enableDebugLogs = false;
+        credentialsFile = cfg.credentialsFile;
       };
     };
     sops.secrets.acme = {
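Review bot: The new `credentialsFile` option is typed `lib.types.path`, which also accepts a Nix path literal such as `./secrets/ssl`; a path literal is copied into the Nix store, which is world-readable, so a DNS API token supplied that way would be exposed to every local user. Because this option exists specifically to carry secrets, the description should state that the value must be a string naming a file that exists only at runtime (the `"/run/secrets/ssl"` example is the right shape) and never a path literal; for instance append `Give this as a string pointing at a runtime-only file such as a sops secret path; a path literal would copy the credentials into the world-readable Nix store.` to the description, or narrow the type to `lib.types.str` so the store copy cannot happen by accident. The description also refers to `shb.ssl.additionalcfg`, which is not visible in this diff, so confirm that option name is current.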
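Review bot: The `sops.secrets.acme = {` declaration on the last context line of the third hunk survives even though `defaults` no longer reads `config.sops.secrets.acme.path`; its body lies outside the hunk, and if it still references the `cfg.sopsFile` option removed in the first hunk the module will fail to evaluate with an undefined attribute. If the secret is genuinely no longer needed, remove the whole `sops.secrets.acme` block so the module does not install a credentials file that nothing consumes; if it is kept on purpose, a one-line comment above it explaining what still depends on it would save the next reader the same question.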