diff --git a/hosts/orion/default.nix b/hosts/orion/default.nix
index dafde03..d906c65 100644
--- a/hosts/orion/default.nix
+++ b/hosts/orion/default.nix
@@ -103,6 +103,7 @@
   ];
   ataraxia.containers.tinyproxy.enable = true;
+  ataraxia.security.acme.enable = true;
   ataraxia.services.vaultwarden.enable = true;
   ataraxia.virtualisation.guests = {
diff --git a/modules/nixos/security/acme.nix b/modules/nixos/security/acme.nix
new file mode 100644
index 0000000..882f176
--- /dev/null
+++ b/modules/nixos/security/acme.nix
@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkIf;
+
+  cfg = config.ataraxia.security.acme;
+in
+{
+  options.ataraxia.security.acme = {
+    enable = mkEnableOption "Default acme settings";
+  };
+
+  config = mkIf cfg.enable {
+    sops.secrets.cf-dns-api = {
+      sopsFile = inputs.self.secretsDir + /misc.yaml;
+      owner = "acme";
+    };
+    security.acme = {
+      acceptTerms = true;
+      # defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; # staging
+      defaults.server = "https://acme-v02.api.letsencrypt.org/directory"; # production
+      defaults.email = "admin@ataraxiadev.com";
+      defaults.renewInterval = "weekly";
+      certs = {
+        "ataraxiadev.com" = {
+          extraDomainNames = [ "*.ataraxiadev.com" ];
+          dnsResolver = "1.1.1.1:53";
+          dnsProvider = "cloudflare";
+          credentialFiles."CF_DNS_API_TOKEN_FILE" = config.sops.secrets.cf-dns-api.path;
+        };
+      };
+    };
+    persist.state.directories = [ "/var/lib/acme" ];
+  };
+}
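Review bot: The staging/production switch in the new acme.nix is a commented-out `defaults.server` line, so exercising the wildcard DNS-01 flow against the staging endpoint (which avoids burning production rate limits on a misconfigured Cloudflare token) means editing the module rather than flipping an option; a `staging` enable option next to `enable` would make that a host-level toggle. The `cf-dns-api` secret is the only credential this module consumes and the module does not say what scope it needs, so a comment at the `sops.secrets.cf-dns-api` block such as `# Cloudflare API token; should be limited to DNS edit on the ataraxiadev.com zone — TODO confirm scope` would help whoever rotates it. The cert block sets no `group` and no `reloadServices`, so unless the consuming service (presumably a reverse proxy in front of vaultwarden, not visible here) is added to the `acme` group elsewhere, it will not be able to read the key under `/var/lib/acme` and will not be restarted on renewal — worth a note or an explicit `group =` in the module. The domain and email are hard-coded in a module named "Default acme settings", which is fine for a single host but limits reuse.

```nix
  options.ataraxia.security.acme = {
    enable = mkEnableOption "Default acme settings";
    staging = mkEnableOption "Let's Encrypt staging endpoint instead of production";
  };
  # … unchanged: sops.secrets.cf-dns-api …
      defaults.server =
        if cfg.staging
        then "https://acme-staging-v02.api.letsencrypt.org/directory"
        else "https://acme-v02.api.letsencrypt.org/directory";
  # … unchanged: defaults.email, renewInterval, certs, persist …
```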