diff --git a/kubernetes/secrets/cert-manager/cloudflare-api-token.nix b/kubernetes/secrets/cert-manager/cloudflare-api-token.nix
new file mode 100644
index 0000000..b92d6c7
--- /dev/null
+++ b/kubernetes/secrets/cert-manager/cloudflare-api-token.nix
@@ -0,0 +1,17 @@
+{ config, ... }:
+{
+ sops.templates."cloudflare-api-token.yaml" = {
+ mode = "0444";
+ content = ''
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ name: cloudflare-api-token
+ namespace: cert-manager
+ type: Opaque
+ stringData:
+ api-token: ${config.sops.placeholder.cloudflare_api_token}
+ '';
+ path = "/var/lib/rancher/k3s/server/manifests/secrets/cloudflare-api-token.yaml";
+ };
+}
\ No newline at end of file
diff --git a/kubernetes/secrets/default.nix b/kubernetes/secrets/default.nix
index 44eb527..40dc532 100644
--- a/kubernetes/secrets/default.nix
+++ b/kubernetes/secrets/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./cloudnativepg/s3-backup-creds.nix
 ./cloudnativepg/weyma-pgsql-replication.nix
+ ./cert-manager/cloudflare-api-token.nix
 ];
 }
\ No newline at end of file
diff --git a/security/sops.nix b/security/sops.nix
index 271273b..2516c0a 100644
--- a/security/sops.nix
+++ b/security/sops.nix
@@ -21,6 +21,8 @@
 cnpg_s3_backup_key = {};
 weyma_pgsql_replication_tls_key = {};
+
+ cloudflare_api_token = {};
 };
 };
 }
\ No newline at end of file
diff --git a/security/sops_nix.yaml b/security/sops_nix.yaml
index aa7ab95..08bade3 100644
--- a/security/sops_nix.yaml
+++ b/security/sops_nix.yaml
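Review bot: `mode = "0444";` in the cloudflare-api-token.nix hunk makes the rendered manifest world-readable on the host, and that file carries the decrypted token in plaintext (`stringData: api-token: ${config.sops.placeholder.cloudflare_api_token}` written to `/var/lib/rancher/k3s/server/manifests/secrets/cloudflare-api-token.yaml`). The k3s server that picks up auto-deploy manifests normally runs as root, so owner-only access is enough; `mode = "0400";` stops any other local account on the node from reading the token while leaving the deploy path unchanged. If this token can edit DNS for the zone, as a cert-manager DNS-01 solver usually needs (confirm its actual scope in Cloudflare), whoever reads the file can issue certificates for that zone or redirect its records, so it is also worth restricting the token to that single zone and the minimal DNS permission. The sibling templates imported in default.nix are not shown here; if they use the same `0444` mode they deserve the same change.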
@@ -2,6 +2,7 @@ pw_williamp: ENC[AES256_GCM,data:HuZKDBB+9FHzoMg8KrCIdQ==,iv:DvCAqtsE/JbCGmlW7cz
 pw_root: ENC[AES256_GCM,data:hbPcqxEFhdH4Y6KOFFCMfujL0B9uHzmNAwNNK4qLEVE=,iv:XrwGEYbc9OWckvoRfrKJmjXjB13BJG6lit5TR+Xarn8=,tag:fWtL0tsXBuCQHGorRlNIfw==,type:str]
 cnpg_s3_backup_key: ENC[AES256_GCM,data:zaMuxcu2XwgkmhkYnYKeZQQwRzSEJGPT2662B7k5JHzCH4e1TEEd+A==,iv:Na2iAuqgx8UNnDvXvP3N+csqVZFTsDwqR6OKeO/b/GY=,tag:jHeFVdRdTwk83XG6T1TwGA==,type:str]
 weyma_pgsql_replication_tls_key: ENC[AES256_GCM,data:WHCH9DJMa5/L9BCNAyfYUmgptCLu+NVtEIDjjPeb7adDUfz/fDwAUB7TOXBf19AyXaCD4NTw4IVm6UVp9/8azpAVyQ5uR5R0X3eVYAEdIHUQdOPVQsCmIQTAMwih2G41QedM3Q+gA/JRIqxX+DwtH44Celb069VmiGmlzwLbvPt9d9ZREs3KKr7p/GvVoa2atMk74/qLAKSmkAP9yZJ3q5azmmQ5/skECWmvRJ4prr/uUpIzzMIIQ6kyaafE3sKf8s/+rlsb+zT+6T527OX54xmp0QCDPQuqhEiuFvLXnqxiDwcgZ+QWbFQwj5ubCU++F3GtasCec5/wTSKa26MgNd7DvSwpQH0vdxszOoxStxNAXSouIevwFdKsvAZP60x3jWs+BcFry+cFlVrAMp5NmQ==,iv:JN+9SeyIx4kJfTiuFucLp8cKCEGeWvd3DbNeMsfeVms=,tag:GSkGD1kRmzruG0bWmxa+xA==,type:str]
+cloudflare_api_token: ENC[AES256_GCM,data:luEm0zRdyUgOe4VxJ6IrTlKSf5tk4ayQn7MwbImvn2Eswzq4tXdCsQ==,iv:BoI/p2n5+RIfL6KsiOViv5RlhpCkP5ylEOf7eRBjxcw=,tag:dxN1qRoaYnCoBepWSmBRBQ==,type:str]
 sops:
 age:
 - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
@@ -13,7 +14,7 @@ sops:
 Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
 F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-17T23:33:54Z"
- mac: ENC[AES256_GCM,data:Sl/Ah1zqTOAXKZhY7YX5Q842UoeYmBUmEFOxPF84NsxkPBLXX4VhvkHv03zptmvFVYnmUUKwzjjcJAzSb8izvNC4pjShhvmYPOZ04cbPP1lCZ21Z5A7PoKUqifDiFgwESZLUj6wyuvJX/euNLAjwr0XED2dILAbXw3h2A8smPu8=,iv:sDuGfuq+kHB6z9HyUZvjBJuIcztd3YlGkDPL0jaa7A8=,tag:oCCO5ge0Dur83IeOamG+vA==,type:str]
+ lastmodified: "2026-03-19T22:11:05Z"
+ mac: ENC[AES256_GCM,data:E5PsFbu3XLpqAX3x3EFEkFd9XgUeaZraSmYhjItCoAmIZE7qy1/10j2B72tGtDC0GQ5o/0cC0mkjkHqUJZjdmGUTQ2+dKC1rSBDpOsrLEMPqKgxsfxXYRRWK1zqK0tlIhDcGECWAvcq9oIArZ5yMQB88dYIZ+u/AX5PHOLvDH6Y=,iv:KP8BAqyrNzk7VwZrtJBXtpQ79ySBwQzMs3hd8S42yLc=,tag:i0USZC6KkZuoHoNjHY2rGg==,type:str]
 unencrypted_suffix: _unencrypted
- version: 3.11.0
+ version: 3.12.2