diff --git a/hosts/athame/nixos/default.nix b/hosts/athame/nixos/default.nix
index f2db646a..2bd84663 100644
--- a/hosts/athame/nixos/default.nix
+++ b/hosts/athame/nixos/default.nix
@@ -29,6 +29,13 @@
 deploy.target = "infra";
+ security.acme.certs."athame.net.kittywit.ch" = {
+ domain = "athame.net.kittywit.ch";
+ dnsProvider = "rfc2136";
+ credentialsFile = config.secrets.files.dns_creds.path;
+ group = "nginx";
+ };
+
 networking = {
 hostName = "athame";
 domain = "kittywit.ch";
diff --git a/hosts/samhain/nixos/default.nix b/hosts/samhain/nixos/default.nix
index fc26d075..1a698296 100644
--- a/hosts/samhain/nixos/default.nix
+++ b/hosts/samhain/nixos/default.nix
@@ -38,6 +38,14 @@ in {
 value.shellCommand = "bitw get infra/hexdns-dynamic -f hostname";
 };
+
+ security.acme.certs."samhain.net.kittywit.ch" = {
+ domain = "samhain.net.kittywit.ch";
+ dnsProvider = "rfc2136";
+ credentialsFile = config.secrets.files.dns_creds.path;
+ group = "nginx";
+ };
+
 fileSystems."/mnt/hex-corn" = {
 device = "storah.net.lilwit.ch:/data/cornbox";
 fsType = "nfs";
diff --git a/services/nginx.nix b/services/nginx.nix
index f4f4192a..57484f93 100644
--- a/services/nginx.nix
+++ b/services/nginx.nix
@@ -1,6 +1,16 @@
-{ config, pkgs, witch, ... }:
+{ config, pkgs, witch, tf, ... }:
 {
+ secrets.files.dns_creds = {
+ text = ''
+ RFC2136_NAMESERVER='ns1.as207960.net'
+ RFC2136_TSIG_ALGORITHM='hmac-sha512.'
+ RFC2136_TSIG_KEY='${tf.variables.glauca_key.ref}'
+ RFC2136_TSIG_SECRET='${tf.variables.glauca_secret.ref}'
+ '';
+ };
+
+
 services.nginx = {
 enable = true;
 recommendedGzipSettings = true;
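Review bot: `domain = "athame.net.kittywit.ch"` repeats the attribute name on the line above; `security.acme.certs.<name>.domain` defaults to the cert name in NixOS, so the line can be dropped, and the same applies to the samhain hunk. The three remaining settings (`dnsProvider`, `credentialsFile`, `group`) are byte-identical on both hosts and could be declared once under `security.acme.defaults` beside the `secrets.files.dns_creds` definition in services/nginx.nix, leaving each host with just `security.acme.certs."athame.net.kittywit.ch" = {};`. `credentialsFile` reads an option that only services/nginx.nix defines, so a host importing this block without that module fails evaluation; presumably both hosts do import it, but a one-line comment such as `# dns_creds is declared in services/nginx.nix` would make the coupling visible.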
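Review bot: The TSIG secret written by `secrets.files.dns_creds` carries whatever update rights that key has on the zone, and nothing in the hunk records that scope or who may read the file; the enclosing attribute set continues past the hunk. Whether the project's `secrets.files` module restricts the file's mode and owner so that only the ACME service user can read it is not visible here and should be confirmed, since `group = "nginx"` on the certs applies to the certificate output, not to this credentials file. I would add a comment above the block: `# Consumed by lego's rfc2136 provider for ACME DNS-01; keep the key limited to updating _acme-challenge records and the file readable by the acme user only.` The `${tf.variables.glauca_key.ref}` interpolation presumably resolves only when the module is evaluated through the pipeline that supplies `tf`, so an evaluation outside it would embed the reference string rather than the secret; if so, say that in a comment as well.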