diff --git a/cluster/base/infra/cert-manager.yaml b/cluster/base/infra/cert-manager.yaml
index 2304c29..4a172f1 100644
--- a/cluster/base/infra/cert-manager.yaml
+++ b/cluster/base/infra/cert-manager.yaml
@@ -16,3 +16,22 @@ spec:
     name: flux-system
   timeout: 5m0s
   wait: true
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: infra-cert-manager-configs
+  namespace: flux-system
+spec:
+  interval: 1h0m0s
+  path: ./infra/configs/cert-manager
+  dependsOn:
+    - name: infra-cert-manager
+    - name: infra-1password
+  prune: true
+  retryInterval: 1m0s
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  timeout: 5m0s
+  wait: true
diff --git a/infra/configs/cert-manager/config-cert-manager.yaml b/infra/configs/cert-manager/config-cert-manager.yaml
new file mode 100644
index 0000000..62dd606
--- /dev/null
+++ b/infra/configs/cert-manager/config-cert-manager.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: cloudflare-token
+  namespace: cert-manager-system
+spec:
+  itemPath: "vaults/cluster/items/cloudflare-token"
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: acme@yadunut.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-token
+              key: password
diff --git a/nixos/common/zerotier.nix b/nixos/common/zerotier.nix
index fd45f59..117e393 100644
--- a/nixos/common/zerotier.nix
+++ b/nixos/common/zerotier.nix
@@ -1,6 +1,7 @@
 {...}: {
   services.zerotierone = {
     enable = true;
+    joinNetworks = [""];
   };
   networking = {
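Review bot: In config-cert-manager.yaml the ClusterIssuer's `apiTokenSecretRef` is resolved by cert-manager in its cluster resource namespace (the namespace cert-manager runs in, unless `--cluster-resource-namespace` was set at install), whereas the OnePasswordItem above it materialises the `cloudflare-token` Secret in `cert-manager-system`; if cert-manager is not deployed into that same namespace, the DNS-01 solver will fail with a secret-not-found error and the issuer never becomes Ready. That coupling is invisible from the manifest, so record it on the OnePasswordItem, e.g. `# namespace must equal cert-manager's cluster resource namespace: the ClusterIssuer below resolves this Secret there`. The `key: password` mapping presumably relies on the 1Password operator naming the Secret key after the item's password field; confirm the generated Secret actually carries a `password` key rather than a custom field name. Since this token authorises DNS record writes for the zone, restricting it on the Cloudflare side to DNS edit on that single zone limits the blast radius if the cert-manager namespace is compromised.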