diff --git a/flake.nix b/flake.nix
index e2d0bea..2310ce7 100644
--- a/flake.nix
+++ b/flake.nix
@@ -64,7 +64,11 @@
 
           pkgs = import nixpkgs {
             inherit system;
-            overlays = [ ] ++ config.overlays or [ ];
+            overlays = [
+              (import ./overlays/nginx-test.nix
+                (builtins.attrNames self.nixosConfigurations.${name}.config.security.acme.certs)
+              )
+            ] ++ config.overlays or [ ];
           };
         }
         (removeAttrs config [ "modules" "overlays" ])
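Review bot: The overlay argument `builtins.attrNames self.nixosConfigurations.${name}.config.security.acme.certs` makes `pkgs` depend on the evaluated configuration of the same host, which is presumably itself built from this `pkgs`. That only terminates because of lazy evaluation, and only while the set of certificate names never depends on anything taken from `pkgs`. A comment above the list entry would record the constraint, for example `# only attrNames is forced here; cert names must not depend on pkgs or evaluation recurses`. The overlay is also added unconditionally, so hosts without nginx or ACME get the `writeNginxConfig` override too; whether that is intended is not visible here, since the enclosing function starts outside the hunk.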
diff --git a/overlays/nginx-test.nix b/overlays/nginx-test.nix
new file mode 100644
index 0000000..ef82377
--- /dev/null
+++ b/overlays/nginx-test.nix
@@ -0,0 +1,28 @@
+acme-certs: final: prev:
+  let
+    lib = final.lib;
+    crt = "${final.path}/nixos/tests/common/acme/server/acme.test.cert.pem";
+    key = "${final.path}/nixos/tests/common/acme/server/acme.test.key.pem";
+  in {
+  writers = prev.writers // {
+    writeNginxConfig = name: text: final.runCommandLocal name {
+      nginxConfig = prev.writers.writeNginxConfig name text;
+      nativeBuildInputs = [ final.bubblewrap ];
+    } ''
+      ln -s "$nginxConfig" "$out"
+      set +o pipefail
+      bwrap \
+        --ro-bind "${crt}" "/etc/certs/nginx.crt" \
+        --ro-bind "${key}" "/etc/certs/nginx.key" \
+        --ro-bind "/nix" "/nix" \
+        --ro-bind "/etc/hosts" "/etc/hosts" \
+        --dir "/run/nginx" \
+        --dir "/tmp" \
+        --dir "/var/log/nginx" \
+        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/fullchain.pem\" \\") acme-certs}
+        ${lib.concatMapStrings (name: "--ro-bind \"${key}\" \"/var/lib/acme/${name}/key.pem\" \\") acme-certs}
+        ${lib.concatMapStrings (name: "--ro-bind \"${crt}\" \"/var/lib/acme/${name}/chain.pem\" \\") acme-certs}
+        ${lib.getExe final.nginx} -t -c "$out" |& grep "syntax is ok"
+    '';
+  };
+}
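Review bot: The three `lib.concatMapStrings` lines inside the `bwrap` call emit their trailing `\` once per certificate, so when `acme-certs` is empty each line is blank and the continuation after `--dir "/var/log/nginx"` ends the command there. In that case `bwrap` appears to be invoked without a program, and `nginx -t` runs as a separate command outside it. The certificate names are also spliced into the script inside hand-written double quotes, so a name containing `"`, `$` or a backtick would change the generated shell text. Building the bind arguments once with `lib.escapeShellArgs` and putting the continuation in the script itself, as sketched below, covers both cases. Separately, `set +o pipefail` together with `grep "syntax is ok"` means nginx's own exit status is ignored, which deserves a one-line comment saying that only the syntax pass is being checked.

```nix
acme-certs: final: prev:
  let
    # … unchanged: lib, crt, key …
    # One shell-escaped group of bind arguments per certificate, joined on one line.
    acmeBinds = lib.concatMapStringsSep " " (name:
      let dir = "/var/lib/acme/${name}"; in
      lib.escapeShellArgs [
        "--ro-bind" crt "${dir}/fullchain.pem"
        "--ro-bind" key "${dir}/key.pem"
        "--ro-bind" crt "${dir}/chain.pem"
      ]) acme-certs;
  in {
  # … unchanged: writers override, symlink to $out, fixed bwrap binds and dirs …
        --dir "/var/log/nginx" \
        ${acmeBinds} \
        ${lib.getExe final.nginx} -t -c "$out" |& grep "syntax is ok"
```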