diff --git a/deployments/kustomization.yaml b/deployments/kustomization.yaml
index 0f0c6ed..6b9d753 100644
--- a/deployments/kustomization.yaml
+++ b/deployments/kustomization.yaml
@@ -7,5 +7,6 @@ resources:
 - dns/
 - mariadb/
 - replicator/
+ - ssl/
 - auth/
 - nextcloud/
diff --git a/deployments/ssl/certmanager.yaml b/deployments/ssl/certmanager.yaml
new file mode 100644
index 0000000..6b9fb0a
--- /dev/null
+++ b/deployments/ssl/certmanager.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: jetstack
+ namespace: flux-system
+spec:
+ url: https://charts.jetstack.io
+ interval: 1h
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: home-server
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cert-manager
+ version: v1.18.2
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack
+ namespace: flux-system
+ install:
+ crds: CreateReplace
+ createNamespace: true
+ values:
+ installCRDs: true
+ extraArgs:
+ - --dns01-recursive-nameservers-only
+ - --dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-rfc2136
+spec:
+ acme:
+ email: admin@hxme.net
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-rfc2136
+ solvers:
+ - dns01:
+ rfc2136:
+ nameserver: hawke.hxst.com.au:53
+ tsigKeyName: "hxme-update-key"
+ tsigAlgorithm: HMACSHA512
+ tsigSecretSecretRef:
+ name: hxme-update-key
+ key: hxme-update-key
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-hxme-net
+ namespace: home-server
+spec:
+ secretName: wildcard-hxme-net
+ secretTemplate:
+ annotations:
+ replicator.v1.mittwald.de/replication-allowed: "true"
+ replicator.v1.mittwald.de/replicate-to: "monitoring,authentik,nextcloud"
+ issuerRef:
+ name: letsencrypt-rfc2136
+ kind: ClusterIssuer
+ commonName: "hxme.net"
+ dnsNames:
+ - "hxme.net"
+ - "*.hxme.net"
diff --git a/deployments/ssl/kustomization.yaml b/deployments/ssl/kustomization.yaml
new file mode 100644
index 0000000..2c0445b
--- /dev/null
+++ b/deployments/ssl/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - certmanager.yaml
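Review bot: The `replicator.v1.mittwald.de/replication-allowed: "true"` annotation in the Certificate's `secretTemplate` (deployments/ssl/certmanager.yaml) carries no namespace list, so, as far as I recall kubernetes-replicator's rules, a Secret in any namespace can pull the wildcard key with `replicate-from`, not only the three namespaces named in `replicate-to`. Push replication through `replicate-to` should not need that annotation; either drop it or add `replicator.v1.mittwald.de/replication-allowed-namespaces: "monitoring,authentik,nextcloud"` beside it. Because the key is valid for `*.hxme.net`, every namespace holding a copy can present itself as any host in the zone, so per-service certificates would narrow the exposure further where the consumers allow it.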