diff --git a/system-apps/cert-manager/config/ClusterIssuers/letsencrypt-dubyatp-xyz.yaml b/system-apps/cert-manager/config/ClusterIssuers/letsencrypt-dubyatp-xyz.yaml
new file mode 100644
index 0000000..6ab9bd4
--- /dev/null
+++ b/system-apps/cert-manager/config/ClusterIssuers/letsencrypt-dubyatp-xyz.yaml
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-dubyatp-xyz
+ namespace: cert-manager
+spec:
+ acme:
+ email: me@williamtpeebles.com
+ preferredChain: ""
+ privateKeySecretRef:
+ name: letsencrypt-dubyatp-xyz
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ key: api-token
+ name: cloudflare-api-token-secret
\ No newline at end of file
diff --git a/system-apps/cert-manager/config/ExternalSecrets/cloudflare-api-token.yaml b/system-apps/cert-manager/config/ExternalSecrets/cloudflare-api-token.yaml
new file mode 100644
index 0000000..fff66dc
--- /dev/null
+++ b/system-apps/cert-manager/config/ExternalSecrets/cloudflare-api-token.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-api-token-secret
+ namespace: cert-manager
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: weyma-vault
+ kind: ClusterSecretStore
+ target:
+ name: cloudflare-api-token-secret
+ creationPolicy: Owner
+ data:
+ - secretKey: api-token
+ remoteRef:
+ key: cert-manager
+ property: cloudflare-api-token
\ No newline at end of file
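Review bot: The single entry under `solvers` in letsencrypt-dubyatp-xyz.yaml has no `selector`, so this cluster-wide issuer will attempt a Cloudflare DNS-01 challenge for whatever name a Certificate in any namespace requests, bounded only by what the API token is allowed to edit. Adding `selector:` with `dnsZones:` and `- dubyatp.xyz` to that solver (zone inferred from the issuer name, please confirm) keeps issuance to the intended zone. Separately, `namespace: cert-manager` under `metadata` has no effect on a cluster-scoped ClusterIssuer and can be dropped; `privateKeySecretRef` and `apiTokenSecretRef` are resolved in cert-manager's cluster resource namespace instead. The file also ends without a trailing newline.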
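Review bot: Nothing in cloudflare-api-token.yaml records that `target.name: cloudflare-api-token-secret` and `secretKey: api-token` must stay identical to the ClusterIssuer's `apiTokenSecretRef`, or what the token is expected to be allowed to do. A header comment such as `# Consumed by ClusterIssuer letsencrypt-dubyatp-xyz via apiTokenSecretRef (cloudflare-api-token-secret / api-token); keep names in sync.` followed by `# Token scope: Zone:DNS:Edit + Zone:Zone:Read, limited to the issued zone.` would make a rename or an over-broad token easier to catch in review. The Vault-side policy behind `weyma-vault` is not visible here, so whether other namespaces can read the same `cert-manager` key through this ClusterSecretStore should be confirmed.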