diff --git a/modules/nixos/services/agenix/default.nix b/modules/nixos/services/agenix/default.nix
index d7f9207d..50fa65c2 100644
--- a/modules/nixos/services/agenix/default.nix
+++ b/modules/nixos/services/agenix/default.nix
@@ -58,6 +58,7 @@ in {
 (mkIf cfg.sobotka.enable {
 secrets = {
 cloudflareFirewallApiKey.file = "${self}/secrets/cloudflareFirewallApiKey.age";
+ cloudflareDnsApiToken.file = "${self}/secrets/cloudflareDnsApiToken.age";
 vaultwardenCloudflared.file = "${self}/secrets/vaultwardenCloudflared.age";
 vaultwarden-env.file = "${self}/secrets/vaultwarden-env.age";
 };
diff --git a/modules/server/caddy/default.nix b/modules/server/caddy/default.nix
index 91a1accb..831df77c 100644
--- a/modules/server/caddy/default.nix
+++ b/modules/server/caddy/default.nix
@@ -12,11 +12,6 @@ in {
 server.caddy.enable = mkEnableOption "Enables caddy";
 };
 config = mkIf cfg.enable {
- age.secrets.cloudflare-env = {
- file = "${self}/secrets/cloudflare-env.age";
- owner = "caddy";
- mode = "400";
- };
 networking.firewall = let
 ports = [80 443];
 in {
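Review bot: The added `cloudflareDnsApiToken` entry sets only `.file`, whereas the `age.secrets.cloudflare-env` block removed from modules/server/caddy/default.nix in this same commit also pinned `owner`/`mode`; the new secret therefore lands with agenix's default ownership and mode. Its consumer is the `security.acme` block in the caddy module, which passes it to the ACME service as an environment file, so a root-owned file is usually fine there, but nothing at this declaration says who reads it — a short comment would help: `# consumed by security.acme (modules/server/caddy) as the lego environmentFile`. Because that consumer expects `KEY=VALUE` lines (lego's Cloudflare provider reads e.g. `CLOUDFLARE_DNS_API_TOKEN`), the decrypted payload must be in that form rather than a bare token; the .age content is not visible here, so please confirm. The `(mkIf cfg.sobotka.enable {` set closes outside the hunk.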
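Review bot: Removing `age.secrets.cloudflare-env` here leaves this module consuming a secret it no longer declares: the `security.acme` block further down this file reads `config.age.secrets.cloudflareDnsApiToken.path`, which is now defined only under `cfg.sobotka.enable` in modules/nixos/services/agenix/default.nix. Enabling `server.caddy` on a host without that flag will fail evaluation with an attribute-missing error instead of a readable message; an assertion in this `config` block would make the dependency explicit, e.g. `assertions = [{ assertion = config.age.secrets ? cloudflareDnsApiToken; message = "server.caddy requires the cloudflareDnsApiToken agenix secret"; }];`. The `secrets/cloudflare-env.age` file itself is not deleted by this diff; if nothing else references it, removing it and its secrets.nix entry avoids keeping a stale credential encrypted in the repo. The `config = mkIf cfg.enable {` set continues outside the hunk.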
@@ -24,20 +19,20 @@ in {
 allowedUDPPorts = ports;
 };
- # security.acme = {
- # acceptTerms = true;
- # defaults.email = config.server.email;
- # certs.${config.server.domain} = {
- # reloadServices = ["caddy.service"];
- # domain = "${config.server.domain}";
- # extraDomainNames = ["*.${config.server.domain}"];
- # dnsProvider = "cloudflare";
- # dnsResolver = "1.1.1.1:53";
- # dnsPropagationCheck = true;
- # group = config.services.caddy.group;
- # environmentFile = config.age.secrets.cloudflare-env.path;
- # };
- # };
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = config.server.email;
+ certs.${config.server.domain} = {
+ reloadServices = ["caddy.service"];
+ domain = "${config.server.domain}";
+ extraDomainNames = ["*.${config.server.domain}"];
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1:53";
+ dnsPropagationCheck = true;
+ group = config.services.caddy.group;
+ environmentFile = config.age.secrets.cloudflareDnsApiToken.path;
+ };
+ };
 services.caddy = {
 enable = true;
diff --git a/modules/server/vaultwarden/default.nix b/modules/server/vaultwarden/default.nix
index 6d8856ec..903337af 100644
--- a/modules/server/vaultwarden/default.nix
+++ b/modules/server/vaultwarden/default.nix
@@ -15,7 +15,7 @@ in {
 enable = mkEnableOption "Enables vaultwarden";
 url = lib.mkOption {
 type = lib.types.str;
- default = "vault.${cfg.domain}";
+ default = "${cfg.domain}";
 };
 cloudflared = {
 credentialsFile = lib.mkOption {
diff --git a/secrets/cloudflareDnsApiToken.age b/secrets/cloudflareDnsApiToken.age
new file mode 100644
index 00000000..78eb006f
Binary files /dev/null and b/secrets/cloudflareDnsApiToken.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 11e6d0f3..c5e1b45e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
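Review bot: `environmentFile = config.age.secrets.cloudflareDnsApiToken.path;` hands the decrypted secret to the ACME service as an environment file, and lego's Cloudflare provider looks for named variables (`CLOUDFLARE_DNS_API_TOKEN=…`) in it; the secret's name reads like a bare token, so confirm the encrypted payload is in `KEY=VALUE` form or the DNS-01 challenge will fail with a missing-credentials error at first renewal. `domain = "${config.server.domain}";` wraps a plain string in an interpolation; `domain = config.server.domain;` says the same thing. Whether `services.caddy` (the block that begins at the end of this hunk and continues outside it) is pointed at the certificate directory these certs land in, rather than letting caddy run its own ACME client for the same names, is not visible here and is worth checking alongside this change.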
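Review bot: `default = "${cfg.domain}";` is an interpolation with nothing around it; `default = cfg.domain;` expresses the same value directly. Moving the default from `vault.${cfg.domain}` to the apex domain changes the URL for any host that relied on the old default, and the option has no `description` to record that; adding `description = "Public URL of vaultwarden; defaults to the server's apex domain.";` would make the intent visible in option docs. The `url` option's enclosing attribute set continues outside the hunk.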
@@ -14,4 +14,5 @@ in {
 "vaultwarden-env.age".publicKeys = [cnst kima usobotka rsobotka];
 "cloudflareFirewallApiKey.age".publicKeys = [cnst kima usobotka rsobotka];
 "vaultwardenCloudflared.age".publicKeys = [cnst kima usobotka rsobotka];
+ "cloudflareDnsApiToken.age".publicKeys = [cnst kima usobotka rsobotka];
 }
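Review bot: The new `cloudflareDnsApiToken.age` is encrypted to the same four recipients as the firewall key, although a DNS API token is the more sensitive of the two (it can change zone records); if only the `sobotka` host consumes it, as the agenix module's `cfg.sobotka.enable` gate suggests, narrowing this list to that host's key plus the admin key limits where the credential can be decrypted. Pairing that with a token scoped on the Cloudflare side to DNS edit on the single zone keeps the impact small if the secret ever leaks. `cloudflare-env.age`, whose declaration was dropped from the caddy module, does not appear in this hunk; if it is still listed elsewhere in secrets.nix and now unused, it can go too.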