diff --git a/infrastructure/certmanager/.sops.yaml b/infrastructure/certmanager/.sops.yaml
new file mode 100644
index 0000000..6ab5309
--- /dev/null
+++ b/infrastructure/certmanager/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+  - path_regex: '.*\.yaml$'
+    age: age15hfu6avfx8egwkhydm6yst3arep70sklrh7eah05wslud3v90vyqrpph4j
diff --git a/infrastructure/certmanager/cloudflareapikey.enc.yaml b/infrastructure/certmanager/cloudflareapikey.enc.yaml
new file mode 100644
index 0000000..3e042df
--- /dev/null
+++ b/infrastructure/certmanager/cloudflareapikey.enc.yaml
@@ -0,0 +1,23 @@
+apiVersion: ENC[AES256_GCM,data:Hag=,iv:1f4CAyLIzzvEFwmWVAm35vlHX0lJTMWxi0K5m+TkI20=,tag:R4hRY43pmjNNF41LB8AhKg==,type:str]
+kind: ENC[AES256_GCM,data:mCTDAVLb,iv:TSIGjqjQVjXumYhk1zSwDU64hwpNneysMv0ybyIeODE=,tag:X53fHlgw5VAGCPBM0+3xOQ==,type:str]
+metadata:
+    name: ENC[AES256_GCM,data:6FmuiIZQR9HZngWHKiQIIjpN,iv:T4VtvkGCwkqgo4fMMTvwMw9pH85biwi5Trb5xJa0wBs=,tag:R1lDINdYizF6eFUVEPUhUg==,type:str]
+    namespace: ENC[AES256_GCM,data:qFv1fMdoG+YGgV4s,iv:Vl3UFxq7J1IaKk/6ssyB2Wob1JV+J78zHB0TAhhHdFM=,tag:RpASN0/yTfc1ANSkck4FxA==,type:str]
+type: ENC[AES256_GCM,data:fzU0AxBh,iv:Rh9a+3BS4fFlC5ZNdgiK+4VfhN9fwQ7mG6ZQEJqxU+E=,tag:wJT8bumEo9WJhKJPsIAFgw==,type:str]
+stringData:
+    token: ENC[AES256_GCM,data:TewnG+eR339PJTrJcnVZy/R2ZR8WQdxJRx1ma9BSsL077XcLq4wba41fdAOzkHAcn3SS8Fc=,iv:0sy1X4vmP93db3b7JwPzn46qGOseE48K+f0goEmYGSI=,tag:kJ85hYG13reHqFIlWz1ZwQ==,type:str]
+sops:
+    age:
+        - recipient: age15hfu6avfx8egwkhydm6yst3arep70sklrh7eah05wslud3v90vyqrpph4j
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWWN2QTlFU1NaZm9VNFUr
+            MEJmMnZnTXZkR1V5U00xL0V2YWpuMkFVT3lBCnM4Y0NhTndySU5EdlV5OGlSVmNN
+            UVliaUlxN0o2ZnByTG9sUXBkZE1meGcKLS0tIGRaZElTRVNvbStOSUo0OGRYbGRw
+            Y0Y2RFdvcGFaUU5SbmI2TmZEc21zWFkK+AsM03RbilD41nUsBFx/OzE8crIGm9iJ
+            5N2qwqAdNyLCiy46RoZhSwwcJEp9wT00DT7Ey23vHEzLMnAuK1dQ9A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-22T03:32:30Z"
+    mac: ENC[AES256_GCM,data:yL6EqGeq5ue0F+CAYxna7igiItXKp+EbraqESPkTbMQeuWWK97RIzoxbMBaj8i/8DfhOaQKoH6kz1BoYu9/kH6ZfAIalRcyN/3qzK1xJzGIqgsidKuPtr6DuiXs3YIPBW8PIRCnJuEZlKV4cscXg8fIVLhTxB/9p8MJVfjJ1rHk=,iv:CeD/as5DStyhslAvb80uXn2vLMZAjWkSW3TR4GG3f7E=,tag:PH0wSXuZ2eNdp35oII9uVQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1
diff --git a/infrastructure/certmanager/clusterissuer.yaml b/infrastructure/certmanager/clusterissuer.yaml
new file mode 100644
index 0000000..42ccce9
--- /dev/null
+++ b/infrastructure/certmanager/clusterissuer.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    email: jethro.cotton3@gmail.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
diff --git a/infrastructure/certmanager/kustomization.yaml b/infrastructure/certmanager/kustomization.yaml
index 0370974..453a169 100644
--- a/infrastructure/certmanager/kustomization.yaml
+++ b/infrastructure/certmanager/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
   - namespace.yaml
   - helmrelease.yaml
+  - cloudflareapikey.enc.yaml