diff --git a/modules/nixos/services/cloudflare.nix b/modules/nixos/services/cloudflare.nix
index ad9f0ec..56da6a6 100644
--- a/modules/nixos/services/cloudflare.nix
+++ b/modules/nixos/services/cloudflare.nix
@@ -79,6 +79,7 @@ in
 {
 module = "acme";
 email = "acme@${config.mail.server}";
+ account_key = "{env.ACME_ACCOUNT_KEY}";
 challenges = {
 dns = {
 provider = {
@@ -93,7 +94,18 @@ in
 }
 ];
 # Allow Caddy to read Cloudflare API key for DNS validation
- systemd.services.caddy.serviceConfig.EnvironmentFile = config.secrets.cloudflare-api.dest;
+ systemd.services.caddy.serviceConfig.EnvironmentFile = [
+ config.secrets.cloudflare-api.dest
+ config.secrets.letsencrypt-key.dest
+ ];
+
+ # Private key is used for LetsEncrypt
+ secrets.letsencrypt-key = {
+ source = ../../../private/letsencrypt-key.age;
+ dest = "${config.secretsDirectory}/letsencrypt-key";
+ owner = "caddy";
+ group = "caddy";
+ };
 # API key must have access to modify Cloudflare DNS records
 secrets.cloudflare-api = {
@@ -105,8 +117,14 @@ in
 # Wait for secret to exist
 systemd.services.caddy = {
- after = [ "cloudflare-api-secret.service" ];
- requires = [ "cloudflare-api-secret.service" ];
+ after = [
+ "cloudflare-api-secret.service"
+ "letsencrypt-key-secret.service"
+ ];
+ requires = [
+ "cloudflare-api-secret.service"
+ "letsencrypt-key-secret.service"
+ ];
 };
 # Allows Nextcloud to trust Cloudflare IPs
diff --git a/private/letsencrypt-key.age b/private/letsencrypt-key.age
new file mode 100644
index 0000000..208ccd7
--- /dev/null
+++ b/private/letsencrypt-key.age
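Review bot: The added `account_key = "{env.ACME_ACCOUNT_KEY}";` routes the ACME account private key through Caddy's process environment, which is inherited by every child process Caddy spawns and is readable from /proc/<pid>/environ by the caddy user, whereas the secret file itself is read once and stays owner-restricted. If the deployed Caddy supports the `{file.*}` placeholder, pointing the issuer at the secret path directly avoids both the environment exposure and the EnvironmentFile entry: `account_key = "{file.${config.secrets.letsencrypt-key.dest}}";`. Whichever form is kept, the line deserves a comment stating what it expects, e.g. `# PEM-encoded ACME account key, supplied by secrets.letsencrypt-key (ACME_ACCOUNT_KEY)`, since Caddy's issuer field takes the key material itself rather than a path. The attribute set this line sits in opens before the hunk.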
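Review bot: The new `secrets.letsencrypt-key` block is consumed through `EnvironmentFile`, so the decrypted file must be a `KEY=value` assignment rather than a bare PEM file — systemd ignores lines without an `=`, and a raw PEM would leave ACME_ACCOUNT_KEY unset — but the comment `# Private key is used for LetsEncrypt` does not state that contract, and the .age blob cannot be checked here. Suggest replacing the comment with `# ACME account private key for Caddy, in EnvironmentFile form: ACME_ACCOUNT_KEY="<PEM>" (quote or backslash-continue so the newlines survive)`, and confirming the decrypted file matches that shape on the next deploy. The `secrets.cloudflare-api` block that follows continues past the end of the hunk.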
@@ -0,0 +1,21 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE1nSGFPdyBCc2hS +RUw4Y200allVODI0QTYxdXlHSHRiS1pWWHg5SW9tZ0tGVmc2ajJZCitXeEd0dk9K +MmRkZlRYd253RWFzNXpUR0xuTXI2dWVhNFZpQnNlU0VFdEUKLT4gc3NoLWVkMjU1 +MTkgWXlTVU1RIHNScVkwd1RmVGhNcFVSRTlxQzlvSUc2cGxNWUc0YVJ5RjRydk9J +RG1peDQKVU5iN1ZmWEJyOXBiNWdiRFlnNFFKR09vaFB4SWZWK0x3VWJwMDZtYlBj +MAotPiBzc2gtZWQyNTUxOSBuanZYNUEgSXR5OEk5cWZHUEZ3WmFCUTVFeTBnTG5h +cmNxVWFLV2JhUTRBaUJGWERncwpYMFBIN0kySXdjOE5YcS85bXRCRnRsK3NyMHY4 +N0JKelFyeHB6T1dEZ2VnCi0+IHNzaC1lZDI1NTE5IENxSU9VQSAyQVJYRXJ1cFVl +dldaa0Qydlc3MzlFYnN5YUx0amdWZm5PcWovRm1MaVg0CkJsSFZRdGJIZzA1T0Ny +bUNnL0Zxa05ubHluSVBUenVCZTZpYlA5UUFEMDQKLT4gc3NoLWVkMjU1MTkgejFP +Y1p3IDFPQU5HZm5mRFl5NnNLVHUvdUlmTEtyS0djNWZaMWg5VDl1ZldNTkVWbXMK +RkVBTzNUa0d6c3NJUHQrazdKWXNZY3NIRzRndGdRNjFjMXZCSEhIQnIyYwotLS0g +VzNOa3dXS0hrMWxNUlJ4UzAxNlkzSXM4RWc1RGFzQjFyb1dGZXFnL3RCVQoq002V +S5MQqBjKKOacO4OWgn5KpmU2D7zJWJjNMxH80L6HFNoyOj4wNa+8TA0Q7MTn3bKN +YvAuwbDAGjjDt8vZFKOiZB0xAex+H7A1MVvuGIA8xQa6iNBMwj7nWTLif5pCbVk+ +9aAAprcJVDJx4TeFXlNF6XtcQ3J8abwi6TDqNFpfwwBb/wruyzutgvlOiz1XSBX0 +xlCGckq/BCnItLURIb7zhqRMqk/JODPjOKArmP86nCq25Wm+W5JQ8ViQ7LHJyoFj +zbiwabqeBJZgqoVdVMj8Glz+91RVodn6f9VwQcHINgHxmkd6j2z75AmWZecwD2ic +pUMnikqIMI0B3zW5H38t2cJv+aIMTl7lH5Hf1P5jEn3NPw== +-----END AGE ENCRYPTED FILE-----