diff --git a/deployments/kustomization.yaml b/deployments/kustomization.yaml
index 1108b6c..b53474b 100644
--- a/deployments/kustomization.yaml
+++ b/deployments/kustomization.yaml
@@ -11,3 +11,4 @@ resources:
 - dns/bind.yaml
 - dns/externaldns.yaml
 - files/nextcloud.yaml
+ - ssl/certmanager.yaml
diff --git a/deployments/ssl/certmanager.yaml b/deployments/ssl/certmanager.yaml
new file mode 100644
index 0000000..670df41
--- /dev/null
+++ b/deployments/ssl/certmanager.yaml
@@ -0,0 +1,63 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: jetstack
+ namespace: flux-system
+spec:
+ url: https://charts.jetstack.io
+ interval: 1h
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cert-manager
+ namespace: cert-manager
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cert-manager
+ version: v1.15.0
+ sourceRef:
+ kind: HelmRepository
+ name: jetstack
+ namespace: flux-system
+ install:
+ crds: CreateReplace
+ createNamespace: true
+ values:
+ installCRDs: true
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-rfc2136
+spec:
+ acme:
+ email: admin@hxme.net
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-rfc2136
+ solvers:
+ - dns01:
+ rfc2136:
+ nameserver: hawke.hxst.com.au:53
+ tsigSecretSecretRef:
+ name: hawke-tsig
+ key: tsig-secret
+ tsigAlgorithm: HMACSHA256
+ tsigKeyName: externaldns-key
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-cert
+ namespace: cert-manager
+spec:
+ secretName: wildcard-cert-tls
+ issuerRef:
+ name: letsencrypt-rfc2136
+ kind: ClusterIssuer
+ commonName: "*.hxme.net"
+ dnsNames:
+ - "*.hxme.net"
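Review bot: The ClusterIssuer's rfc2136 solver in deployments/ssl/certmanager.yaml signs its updates with `tsigKeyName: externaldns-key`, which by its name looks like the key ExternalDNS already uses, so cert-manager would presumably hold a credential able to rewrite any record in the zone rather than only the ACME challenge TXT records. A dedicated key would limit that, e.g. `tsigKeyName: <acme-only-key>` (placeholder) with its own secret under `tsigSecretSecretRef`, paired on the nameserver with an update policy that confines that key to `_acme-challenge` TXT names; the server configuration is not visible in this diff. The `hawke-tsig` secret is not created here either, and for a ClusterIssuer it has to exist in cert-manager's cluster resource namespace, so a comment such as `# hawke-tsig must exist in the cert-manager namespace` next to the ref would help.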