diff --git a/cert-manager/.gitignore b/cert-manager/.gitignore
index fdf8270..4a4f92f 100644
--- a/cert-manager/.gitignore
+++ b/cert-manager/.gitignore
@@ -1,4 +1,5 @@
 acme-dns.json
 cert-exporter.pem
 cert-manager.key
+cloudflare.api-token
 zerossl.secret
diff --git a/cert-manager/cluster-issuer.yaml b/cert-manager/cluster-issuer.yaml
index f294c65..727618c 100644
--- a/cert-manager/cluster-issuer.yaml
+++ b/cert-manager/cluster-issuer.yaml
@@ -15,6 +15,12 @@ spec:
 name: zerossl-prod
 solvers:
+ - dns01:
+ cnameStrategy: Follow
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare
+ key: cloudflare.api-token
 - dns01:
 cnameStrategy: Follow
 acmeDNS:
@@ -22,3 +28,14 @@ spec:
 accountSecretRef:
 name: acme-dns
 key: acme-dns.json
+ selector:
+ dnsNames:
+ - pyrocufflink.blue
+ - '*.pyrocufflink.blue'
+ - pyrocufflink.net
+ - '*.pyrocufflink.net'
+ - dustin.hatch.name
+ - '*.dustin.hatch.name'
+ - aimee-os.org
+ - '*.aimee-os.org'
+ - '*.import.firefly.pyrocufflink.blue'
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index de2099f..a33f1bc 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -35,3 +35,10 @@ secretGenerator:
 - acme-dns.json
 options:
 disableNameSuffixHash: true
+
+- name: cloudflare
+ namespace: cert-manager
+ files:
+ - cloudflare.api-token
+ options:
+ disableNameSuffixHash: true
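Review bot: The new `cloudflare` dns01 solver in the first cluster-issuer.yaml hunk has no `selector`, so it becomes the fallback for every requested name that the acmeDNS solver's `dnsNames` list does not match. Consider constraining it with a `selector.dnsZones` entry (e.g. `- <cloudflare-hosted-zone>`) and a comment such as `# fallback for names not listed under the acme-dns solver`, so a Certificate for an unexpected name fails at solver selection rather than reaching the Cloudflare API. The token behind `apiTokenSecretRef` should carry only Zone Read and DNS Edit on those zones, since anyone who can read the `cloudflare` Secret in the cert-manager namespace can edit records with it. The `solvers` list and the issuer spec begin outside the hunk.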
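Review bot: The `selector.dnsNames` list added to the acmeDNS solver in the second cluster-issuer.yaml hunk matches requested names exactly, so a single-host name under one of these domains matches neither the apex entry nor the literal `'*.…'` entry and is routed to the selector-less Cloudflare solver. If that split is intended, say so next to the list, e.g. `# exact names only; every other name uses the cloudflare solver`. If every name under these domains should stay on acme-dns, `dnsZones` would express that without enumerating wildcards, though this cannot be decided from the hunk alone. The acmeDNS solver entry starts above the hunk.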
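Review bot: The `cloudflare` secretGenerator entry in kustomization.yaml reads the token from a plaintext file in the working tree, so the rendered output of a kustomize build contains it base64-encoded and should not be committed or echoed into CI logs. `files:` copies the file content verbatim, so a trailing newline in `cloudflare.api-token` ends up in the Secret value; it is worth confirming the file is written without one. A comment above the entry, e.g. `# cloudflare.api-token is gitignored; create it locally before building`, would document that the build depends on an untracked file. The `secretGenerator` list begins outside the hunk.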