diff --git a/hosts/hermes/ddns.nix b/hosts/hermes/ddns.nix
new file mode 100644
index 0000000..e8ea1c0
--- /dev/null
+++ b/hosts/hermes/ddns.nix
@@ -0,0 +1,13 @@
+{config, ...}: {
+ services.cloudflare-dyndns = {
+ enable = true;
+ ipv4 = true;
+ ipv6 = false;
+ proxied = false;
+ deleteMissing = false;
+ domains = [];
+ apiTokenFile = config.age.secrets.cloudflare-api.path;
+ };
+ # services.cloudflare-dyndns.domains = [];
+ age.secrets."cloudflare-api".file = ../../secrets/cloudflare-api.age;
+}
diff --git a/hosts/hermes/default.nix b/hosts/hermes/default.nix
index a49190c..da82c9e 100644
--- a/hosts/hermes/default.nix
+++ b/hosts/hermes/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./hardware-configuration.nix
 ./configuration.nix
+ ./ddns.nix
 ./quassel.nix
 ./fail2ban.nix
 ./containers.nix
diff --git a/hosts/hermes/forgejo.nix b/hosts/hermes/forgejo.nix
index f4d79c6..21ba439 100644
--- a/hosts/hermes/forgejo.nix
+++ b/hosts/hermes/forgejo.nix
@@ -6,6 +6,7 @@
 domain = "git.cleslie.uk";
 in {
 services = {
+ cloudflare-dyndns.domains = [domain];
 forgejo = {
 enable = true;
 database.type = "postgres";
diff --git a/hosts/hermes/headscale.nix b/hosts/hermes/headscale.nix
index d907330..5555b0b 100644
--- a/hosts/hermes/headscale.nix
+++ b/hosts/hermes/headscale.nix
@@ -13,6 +13,7 @@ in {
 ip_prefixes = "100.64.0.0/10";
 };
 };
+ cloudflare-dyndns.domains = [domain];
 caddy.virtualHosts.${domain}.extraConfig = ''
 reverse_proxy localhost:${toString config.services.headscale.port}
 '';
diff --git a/hosts/hermes/media.nix b/hosts/hermes/media.nix
index 694a787..e1e5252 100644
--- a/hosts/hermes/media.nix
+++ b/hosts/hermes/media.nix
@@ -85,6 +85,8 @@ in { }; }; + cloudflare-dyndns.domains = ["media.cleslie.uk" "watch.cleslie.uk" "request.cleslie.uk"]; + jellyfin = { enable = true; package = pkgs.jellyfin;
diff --git a/secrets/cloudflare-api.age b/secrets/cloudflare-api.age
new file mode 100644
index 0000000..1ee3de6
--- /dev/null
+++ b/secrets/cloudflare-api.age
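Review bot: Nothing in ddns.nix records what the token behind `apiTokenFile` is permitted to do, and the consequence of `proxied = false` is left implicit. A comment above the attribute set would cover both, for example `# Token: DNS edit on this one zone only. Records are DNS-only (proxied = false), so every listed name resolves to this host's public address.`; the token's actual scope cannot be checked from the diff, so it should be confirmed on the Cloudflare side. The commented-out `# services.cloudflare-dyndns.domains = [];` line can be dropped, and `domains = [];` looks redundant because the forgejo.nix, headscale.nix and media.nix hunks all contribute to the same list.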
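Review bot: The three hostnames in the media.nix hunk are written as string literals, while the forgejo.nix and headscale.nix hunks pass the `domain` binding that also names the served host. If media.nix already binds these names for its virtual hosts (not visible in this hunk), the list is better built from those bindings, e.g. `cloudflare-dyndns.domains = [mediaHost watchHost requestHost];` with placeholder names standing in for whatever the file defines. That keeps the published records and the hosts actually served from drifting apart after a rename. The enclosing attribute set starts and ends outside the hunk.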
@@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 /RyXeg p2ROUhWiDQDOjALQnhhf566js8ivYTsgwNfCaaoe6yQ +UnCc2/4lb+PxnrKdAPVqwAyXavFGr8M3NV3+fSSdAU0 +-> ssh-ed25519 aSaoJQ hHqpvUCaH5RLAQwTdH1llfF/0aTraXtl25qFDaFhUwk ++4VMHc3PGR9HBlVTw4anbYORQPgFl24WGF5pwmt7w20 +--- qa7ctM764SNg3u/ITk+6DRXbLqF1Lom1xgKysY9DrkE +Z;Q +7k4%#pqvy] ieǺ]ɩi!4=s䉁JfpHs29sF}˪#i8 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 5dec7e0..6aed516 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -10,4 +10,5 @@ in { "mesh-conf-infra.age".publicKeys = keys.c ++ allSystems; "mesh-conf-cleslie.age".publicKeys = keys.c ++ allSystems; "forgejo-password.age".publicKeys = keys.c ++ [systems.hermes]; + "cloudflare-api.age".publicKeys = keys.c ++ [systems.hermes]; }