diff --git a/modules/server/caddy/default.nix b/modules/server/caddy/default.nix
index 57a14dba..c7a914bc 100644
--- a/modules/server/caddy/default.nix
+++ b/modules/server/caddy/default.nix
@@ -12,6 +12,11 @@ in {
 server.caddy.enable = mkEnableOption "Enables caddy";
 };
 config = mkIf cfg.enable {
+ age.secrets.cloudflare-env = {
+ file = "${self}/secrets/cloudflare-env.age";
+ owner = "caddy";
+ mode = "400";
+ };
 networking.firewall = let
 ports = [80 443];
 in {
@@ -21,6 +26,7 @@ in {
 services.caddy = {
 enable = true;
+ environmentFile = config.age.secrets.cloudflare-env.path;
 # package = self.packages.${pkgs.system}.caddy-with-plugins;
 };
 };
diff --git a/secrets/cloudflare-env.age b/secrets/cloudflare-env.age
new file mode 100644
index 00000000..0aa737fa
Binary files /dev/null and b/secrets/cloudflare-env.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9a4581d3..c1a109b9 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -10,5 +10,6 @@ in {
 "keypem.age".publicKeys = [cnst kima];
 "mailpwd.age".publicKeys = [cnst kima];
 "gcapi.age".publicKeys = [cnst kima];
+ "cloudflare-env.age".publicKeys = [cnst kima usobotka rsobotka];
 "vaultwarden-env.age".publicKeys = [cnst kima usobotka rsobotka];
 }
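Review bot: `owner = "caddy";` in the new `age.secrets.cloudflare-env` block makes the decrypted file readable by the internet-facing service account, which is probably more access than it needs. If the caddy module hands `environmentFile` to systemd as `EnvironmentFile=`, the file is read by the service manager before the process starts, so agenix's default root ownership with `mode = "400";` should suffice and the `owner` line could be dropped. The variables still end up in the caddy process environment either way, so this narrows direct file access only. The `config = mkIf cfg.enable {` block continues outside the hunk.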
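Review bot: Nothing visible in this hunk consumes the variables loaded through `environmentFile`, and the plugin package on the following line is still commented out, so the credential may be exposed to the caddy process before anything uses it. Because `cloudflare-env.age` appears only as a binary file in the diff, a comment above the option should record what the file must define, for example `# cloudflare-env.age defines <VARIABLE_NAME>=<token>; token limited to DNS edit on the served zone`. If the consumer arrives in a later commit, consider landing the secret together with it.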
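Review bot: The new `"cloudflare-env.age"` entry lists four recipients while `keypem.age`, `mailpwd.age` and `gcapi.age` list only `cnst` and `kima`, so it is worth confirming that `usobotka` and `rsobotka` need to decrypt a Cloudflare credential. The key definitions sit in the `let` block outside the hunk, so I cannot tell whether these are host or user keys; ideally only the hosts that set `server.caddy.enable` and the administrators who edit the secret are listed. A short comment such as `# recipients: hosts running caddy + admins` would document the intent. Removing a recipient later needs a rekey and a token rotation, because the old ciphertext stays in git history.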