diff --git a/nix/modules/caddy/default.nix b/nix/modules/caddy/default.nix index bd5f448..3df164a 100644 --- a/nix/modules/caddy/default.nix +++ b/nix/modules/caddy/default.nix @@ -4,6 +4,7 @@ let caddy = pkgs.caddy.withPlugins { plugins = [ "github.com/noratrieb-mirrors/certmagic-s3@v1.1.3" + "github.com/caddy-dns/rfc2136@v1.0.0" ]; hash = "sha256-HdCXbqrrGPZSdHv7bZvGz9T6loVbrfKydTbjTyt5Wt0="; }; @@ -47,6 +48,17 @@ in insecure true } + acme_dns rfc2136 { + key_name "test" + key_alg "hmac-sha256" + key "" + server "dns1.local:53" + } + + tls { + dns_challenge_override_domain "nilstrieb.dev" + } + servers { metrics } diff --git a/nix/modules/dns/default.nix b/nix/modules/dns/default.nix index 815eed0..7d1c858 100644 --- a/nix/modules/dns/default.nix +++ b/nix/modules/dns/default.nix @@ -1,6 +1,12 @@ -{ pkgs, lib, networkingConfig, ... }: +{ pkgs, lib, networkingConfig, config, ... }: let metricsPort = 9433; in { + age.secrets.knot_dns_rfc2136_key_config = { + file = + ../../secrets/knot_dns_rfc2136_key_config.age; + owner = "knot"; + }; + # get the package for the debugging tools environment.systemPackages = with pkgs; [ knot-dns ]; @@ -21,12 +27,25 @@ let metricsPort = 9433; in services.knot = { enable = true; + keyFiles = [ config.age.secrets.knot_dns_rfc2136_key_config.path ]; settingsFile = pkgs.writeTextFile { name = "knot.conf"; text = '' server: listen: 0.0.0.0@53 listen: ::@53 + + key: + - id: rfc2136-update + algorithm: hmac-sha256 + secret: QRpeYCJLokRWyzT/tWrxaly5Seb5yTkE6/Ub66edWds= + + acl: + - id: update_acl + address: 10.0.0.0/24 + key: rfc2136-update + action: update + update-type: [TXT] zone: - domain: noratrieb.dev @@ -35,6 +54,7 @@ let metricsPort = 9433; in - domain: nilstrieb.dev storage: /var/lib/knot/zones/ file: ${import ./nilstrieb.dev.nix { inherit pkgs lib networkingConfig; }} + acl: update_acl log: - target: syslog any: info diff --git a/nix/modules/dns/noratrieb.dev.nix b/nix/modules/dns/noratrieb.dev.nix index b14b131..a618a6c 100644 
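Review bot: The `hash` of `pkgs.caddy.withPlugins` is left unchanged as context (`hash = "sha256-HdCXbqrrGPZSdHv7bZvGz9T6loVbrfKydTbjTyt5Wt0=";`) even though the plugin list gains `"github.com/caddy-dns/rfc2136@v1.0.0"`; that hash pins the vendored module set, so adding a plugin should change it and I would expect a hash mismatch at build time unless it was already recomputed before this commit. Rebuild with the placeholder hash and commit the new value together with the plugin line. A short comment on the plugin line naming what it is for (`# TSIG-authenticated RFC 2136 updates for the ACME DNS-01 challenge`) would also help the next reader.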
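Review bot: The new `acme_dns rfc2136` block uses `key_name "test"`, while the knot configuration in this same commit defines the TSIG key as `id: rfc2136-update`; TSIG validation requires client and server key names to match, so the updates will be refused unless the age-managed key file happens to define a key named `test`. The block also sets `key ""`, an empty secret; if the value is meant to be injected at runtime, use a placeholder such as `key {env.KNOT_RFC2136_KEY}` rather than an empty literal, and align the name with the server side (`key_name "rfc2136-update"`). I would add a comment above `tls { dns_challenge_override_domain "nilstrieb.dev" }` noting that it depends on the `_acme-challenge` CNAME in the noratrieb.dev zone, so the two must change together. The enclosing Caddyfile site block starts and ends outside the hunk.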
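Review bot: The `key:` section added to `knot.conf` embeds the TSIG secret in clear text (`secret: QRpeYCJLokRWyzT/tWrxaly5Seb5yTkE6/Ub66edWds=`), and because the file is built with `pkgs.writeTextFile` it lands in the world-readable Nix store and in git history, which defeats the `keyFiles = [ config.age.secrets.knot_dns_rfc2136_key_config.path ];` line added in the same hunk. Drop the inline `key:` block, let the age-managed key file provide the `rfc2136-update` key, and rotate this secret now that it has been committed. The ACL itself (`address: 10.0.0.0/24`, TSIG key, `action: update`, `update-type: [TXT]`) is appropriately narrow; a one-line comment such as `# caddy DNS-01 updates only; key material comes from keyFiles` would make the intent explicit. The `services.knot` attribute set continues outside the hunk.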
--- a/nix/modules/dns/noratrieb.dev.nix +++ b/nix/modules/dns/noratrieb.dev.nix @@ -51,6 +51,9 @@ let ns1 = dns1; ns2 = dns2; + # --- ACME setup for caddy + _acme-challenge.CNAME = [ (cname "_acme-challenge.nilstrieb.dev.") ]; + # --- website stuff blog = vps1; www = vps1; diff --git a/nix/secrets/backup_s3_secret.age b/nix/secrets/backup_s3_secret.age index 4dccf37..1c0cfb7 100644 Binary files a/nix/secrets/backup_s3_secret.age and b/nix/secrets/backup_s3_secret.age differ diff --git a/nix/secrets/caddy_s3_key_secret.age b/nix/secrets/caddy_s3_key_secret.age index 00e655f..2db341f 100644 Binary files a/nix/secrets/caddy_s3_key_secret.age and b/nix/secrets/caddy_s3_key_secret.age differ diff --git a/nix/secrets/docker_registry_password.age b/nix/secrets/docker_registry_password.age index d673c45..311dad5 100644 --- a/nix/secrets/docker_registry_password.age +++ b/nix/secrets/docker_registry_password.age @@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg kxQujT+O6ZGlzTONdS/18DUVoxNapwtxitQo8GKr2hc -b7KjCjuvhmWcqNB6BvNruL17Ww6yWkVKjjm/MGd+jlE ---- q3EzroLr8b0T2gKQ4xUR67YOLSwFP1V8UxAnKY0PP24 -l0g1CXqi{Ttg͇߭ەߑEs5hxk- \ No newline at end of file +-> ssh-ed25519 qM6TYg py66rUtQIWm6K163vaJaoAseekNA70yQKMDH1FkWYVc +rP7T1akj7LmzIcJeoK+mq+GfOjWpnWFnSpUhIA9Vihc +--- UjRtQl6/Gz3QPiLhSyksrsRvFoCjiCKi4D0HdBb1dJY +q(mzhkH9:M>c=ά֦M L1 \ No newline at end of file diff --git a/nix/secrets/forgejo_s3_key_secret.age b/nix/secrets/forgejo_s3_key_secret.age index 9e4e8f3..fba1c4f 100644 --- a/nix/secrets/forgejo_s3_key_secret.age +++ b/nix/secrets/forgejo_s3_key_secret.age 
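Review bot: The new `_acme-challenge` CNAME is only meaningful together with caddy's `dns_challenge_override_domain "nilstrieb.dev"` and the knot ACL that permits TXT updates in the nilstrieb.dev zone, and nothing in this file records that coupling. I would expand the comment to `# ACME DNS-01 for this zone is delegated to nilstrieb.dev: caddy writes the TXT record there via RFC 2136; keep in sync with dns_challenge_override_domain in the caddy module`. It is also worth stating that this delegation means anyone able to write TXT records in the nilstrieb.dev zone can obtain certificates for noratrieb.dev. The enclosing attribute set of this file continues outside the hunk.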
@@ -1,5 +1,6 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg yxVVZ7LOgN9NiKsl1+dN7Rp6Rsf0zlqb25Y6w43styk -gQ5g7TL8+lyGp0SxdcoRg0nTpu1w6WbZZK0ERyqRpkc ---- 5uKpMbkW4zZ035mNXCuty+64IZ360gly/ezxnwtRX/0 -ˁSϸ>q!O߷TCUҺ[*󅬟\w݋tcg? |B;"*dWv/vnqe \ No newline at end of file +-> ssh-ed25519 qM6TYg DlJpvGP2I1iGodnEufzr0qCAmmU6XiKbnNCRJmjPsHs +upNAkX1DPfs7AJi+/hUKKcehn7tTcR0knW8W+kP1u/k +--- ZEI6vM0+n33fVLPssJyEWYW/xNgoa0/2BIZeG3NzBrk +-r ` +gR/n|S\h}LRE@𚇂OjF"Vv-q˓xjf ­f=aI8Ѧl C \ No newline at end of file diff --git a/nix/secrets/garage_secrets.age b/nix/secrets/garage_secrets.age index d9d0ee2..de68b3e 100644 Binary files a/nix/secrets/garage_secrets.age and b/nix/secrets/garage_secrets.age differ diff --git a/nix/secrets/generic_backup_password.age b/nix/secrets/generic_backup_password.age index c666d43..1e0c2c4 100644 --- a/nix/secrets/generic_backup_password.age +++ b/nix/secrets/generic_backup_password.age 
@@ -1,14 +1,13 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg IBVFRlOVLHcuS6xa7UVGA1z9NTBtNwGbt94c/yTB8wE -T+VtsTngND9kAd6DAtksXN4xYs+E8JZSxDeOm+G23tc --> ssh-ed25519 91VHug nUkRwHgpn2i56NNY0VAuG+r3CX1rjt1M0ZVKj+ijwGo -ea8Ry6JIJlPOObY+v2Q5MkdcZqCeDLAOxC583WY38Hg --> ssh-ed25519 XzACZQ 7f+8YcecMvwnOgwxjRMUUUm9Sp4cyKpIZWWMDrrCtzg -Bqhd2kpuTg3Xchme5wHfg4zkuikeM4H9GdOZVUv+HZk --> ssh-ed25519 51bcvA DUk4CsGXhdj4uIqzYpoGmtHs5dnjIBUb0c9zj1DEum4 -hGe3j5Ycn/WVV5wgg+vZuh2KhnamHACkHrDWcVgkSjo --> ssh-ed25519 vT7ExA Zf67OkbMvOpgABZDuXw3U94KqX32VG8nnjo3Xmkbih0 -5K5fnBxkQDaYwuMPhyNU5ZrZLjkgknG7dzMzyuANMuU ---- Jon4j4/xeZqS/6KsWszsVOoVOgJgsPEKxmtC7PcocCA -솳~ -N+jK߬/]Ӡ!䂶.7\k~ ssh-ed25519 qM6TYg SrZQBYLsUcrDu6ds1fJAyjM+mHPpAW04U6yRqA/TjH8 +LZUTPquz+YNmlRWrXwY2fvXsVwOEM/uhzWcaf7WsY5o +-> ssh-ed25519 91VHug sVXnaD5sruvFKnPwldWzlH8KUIeZ/toWqYe/F2tfBX0 +CapfF55c1MvBDcDywNpnS4blYwD0HrPyrcncMRbl5lo +-> ssh-ed25519 XzACZQ WqU7ebK4SnCyxP4zxIdmMDAaH7mk2HpgvUwbFWhoNWs +wm0ZtnIQCKZW+WJIDtAIdOQkvp5LLyvTQ2vNFC7C26U +-> ssh-ed25519 51bcvA xtMa2mIZ7GHOFJEcpZjr13vOovJsyo9fMWAnm66pxEg +DqNSop7GSDMvsDzu9NK5ubf2xWMLX1fFLSiZUA42RUU +-> ssh-ed25519 vT7ExA 24tU87648MvZgbvt9PNWBUQsQBDyeBd2QV0jiKGMwWs +mSuA/G6ZjRYhG3TMGt8SQ8aqK8s9s81YBslBwQLr4Fg +--- sr5nQObjSdkQ+eILGm+p/nnD1XxrcCXwVY70INFlZMU +ʛ.)uT}nw?]4^jk*y"#ON*6}yI.7TS-R \ No newline at end of file diff --git a/nix/secrets/grafana_admin_password.age b/nix/secrets/grafana_admin_password.age index 59a4c17..f208dab 100644 --- a/nix/secrets/grafana_admin_password.age +++ b/nix/secrets/grafana_admin_password.age 
@@ -1,6 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 XzACZQ OeTS5wU4ac+Qh7s1PXbdFH3LDlRW1LV+qFtoVGI47XQ -JsixYPLzpnF45ODQH7nuVowXzwbNQi8lWx1Bp2YFVWc ---- MEG4bfGwoFRm9HizYdqtK7KApYhYH+QjAIEp7CpLznA -C/wC -Fz?MkrxN'NTzWb{Aj3X6mݲJ@OI{u?A,C d^ \ No newline at end of file +-> ssh-ed25519 XzACZQ 8I9FjYxsWRwFE9W5eUEA3CdAG1etcJsYrT/QIFTkf18 +bmwA4zP6sG54vh1l8tAW7i7g5L6y7bB6jj43YaGIC9U +--- c3xQGTTlsALUeTz+FbECQMUPmp4/PHTaosgDRzOIrk0 +9‡ ,$JE %2`ğK:a] ,TM>қx-yn|/+OZQWqh^]^̀$? \ No newline at end of file diff --git a/nix/secrets/hugochat_db_password.age b/nix/secrets/hugochat_db_password.age index f5e1cd0..110f671 100644 Binary files a/nix/secrets/hugochat_db_password.age and b/nix/secrets/hugochat_db_password.age differ diff --git a/nix/secrets/killua_env.age b/nix/secrets/killua_env.age index 3ac6770..e0ebd1e 100644 Binary files a/nix/secrets/killua_env.age and b/nix/secrets/killua_env.age differ diff --git a/nix/secrets/knot_dns_rfc2136_key_config.age b/nix/secrets/knot_dns_rfc2136_key_config.age new file mode 100644 index 0000000..06a17c0 --- /dev/null +++ b/nix/secrets/knot_dns_rfc2136_key_config.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 LZU5Eg rwUOiYywkv8pql/vl0b4K10Ic2oTijgDY3j2Y4e5elY +8HAY4fQqjST5LqwZQIw83Z3cLZqnziq/czDpkJ/ncaM +-> ssh-ed25519 5bWSnQ E6u+2wa3+f3iRxFCSa8evey5D703lNTGrsMT5hJhSGo +RRuKjTOOunRLD2re/Vy87maIkNLiFa0p0AugeYbGpEk +--- +5iOAG1dYXmUdxXY0dN8bhFpylZhVn90M0/OSbNTSL0 +("`4*7gY؝N9TpZ, ssh-ed25519 qM6TYg k3jtd2qoiQCsKZYJliH9ySFuO7CVQQ5Sv2ikFYcaD2c -TSIg6y4C2WaLQJUyNT3HQOj09VmKSkQxlsVlaDc+1tY --> ssh-ed25519 XzACZQ NZhP9TD5nYxBMgO1O3vDOITeh7qxq4vhjG7AppQmRlM -I1JiT8ISWLVUgoCphHSbhYvfssfP55NuBI2jclG3DVQ ---- 6UR3wbSTB/f0s8hP/YHaY9HFDpnLAts0yksKCv7p9BA -ig502LQkL -vÛB$5m #{_8j&+;Z-'ƒWHSыaf?56[t8&Z_/3B_4n \ No newline at end of file +-> ssh-ed25519 qM6TYg t4OIcjhlaEBxFFK/VibGcE0D5zb4LrMv0zS1vxMKxHA +/OIYeC0s9Jd5R6MaLQPHlgscrSkNwpdK1doADIZwmHE +-> ssh-ed25519 XzACZQ 7ieKRLiY3EzGlRcAzxnhzDQkUMmpNutUViBeMrSkWkM +qxeyBVm6aHDH7oQXDShuEqUGY9W8bp2vHfWvJEssfLg +--- RuCRpuvvN5pIBe4zMaF0X0J5oW2z9ytkSfwKdkQlqo4 +t9͆//d3fY.h dg", ssh-ed25519 LZU5Eg o+MPatbYPM3sZq0MCqvvxlvKMQwlbajHURPQ+0g0qm8 -UUurAYkPWXCaow746EV4dAQ+qTJnHIehcorUmanBc+o ---- BV+bxd0OIc3J4uT39al2odyn8ScDpq58SiwnW5pvRj4 -T7W |fJ%"cq{TP~fv,;:免-Ϛ4a -u\L_-VH% \ No newline at end of file +-> ssh-ed25519 LZU5Eg 2I80UG4n18vxvqUJXwKeAPqelD83nX/n8XHi/XVq208 +mDoUzJu9KfUFyzJPoLPU+xhSbGesECEQZSSrc38HA54 +--- J9+vPA8z+/8jcO/V9iVZ3tWJF4TUe+nD6fmjH6f5dmc +st v@<(xEh]8e-$K00T!œ<"5 SC#FZ wab \ No newline at end of file diff --git a/nix/secrets/wg_private_dns2.age b/nix/secrets/wg_private_dns2.age index 64b2ad2..d713bf5 100644 Binary files a/nix/secrets/wg_private_dns2.age and b/nix/secrets/wg_private_dns2.age differ diff --git a/nix/secrets/wg_private_vps1.age b/nix/secrets/wg_private_vps1.age index 6354b7b..b1907ab 100644 --- a/nix/secrets/wg_private_vps1.age +++ b/nix/secrets/wg_private_vps1.age 
@@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg yrPEC7nKTt4PKp+tbxOQhhSHkd3Y5U112Tr1Vj8NUjc -ke3GsnxeaGLvKNknBY8SQZj6zOh2c+CiCf3sZXyapn8 ---- 0VBTTW//qOcMYVLZ2jFekgouWeZx4h5JPW1H8Sa4bIs - &4'_Xr#X^dr TY%u!.v)eYޕG޿(APcwOf"ymq1eU \ No newline at end of file +-> ssh-ed25519 qM6TYg VKztNtIZQAJuwFI/DeAmW4RyaoGxMGpYmBPJRJYLzww +0zo3XFJ/tE5O+AFMhhJUP1iCpIgC/d1qr8qpJ1viPj0 +--- Wq8DPbQIPnB46bI0allcQdlFZIOGK8Bp1sAywezGVe8 +`8vM d(hy,V +=QX #Aq> Z6[AQ[f&zeu*v>dzĠ \ No newline at end of file diff --git a/nix/secrets/wg_private_vps2.age b/nix/secrets/wg_private_vps2.age index 4d30264..c83e0a1 100644 --- a/nix/secrets/wg_private_vps2.age +++ b/nix/secrets/wg_private_vps2.age @@ -1,8 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 91VHug cjq3el2rlJCWS3VwM5Dt22Ot/PoCdU5wJWTMosYQ6VE -w/IyVNNAObRJxpV162CojPRE8yYbXJj1kaCBoPo3rNk ---- EDM/kgV9ewXhMvrQfHDtPLl7W46VCbZL5ciBO/B+Iu8 - cL>&²=^$m T4& -ƧI) -c -LQi6RS +T@0= \ No newline at end of file +-> ssh-ed25519 91VHug YHHrtch+bKHxenRqMPSvqqby7odUGontauTfAfTAhlw +VDY1jPyeClwpg7Tq604rU+Po+nue7cBRqhIEdc8iiAk +--- mUabX/gruf9Erp4OeRmCEwd7KR2aTApviipXyCL1P+g + ɤR-Gu:7+"S5SS3\RpM?s0$@$) \ No newline at end of file diff --git a/nix/secrets/wg_private_vps3.age b/nix/secrets/wg_private_vps3.age index a63f54e..e98d0a5 100644 --- a/nix/secrets/wg_private_vps3.age +++ b/nix/secrets/wg_private_vps3.age 
@@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 XzACZQ lm64+fQEWa9hF98cV/x1U3Mz+6zuM23dAV3XkwE7iz4 -7Rgqd13DThp/JLryCe5xTdXwDujaTj4viR2CBTdXYLs ---- pwebssA2O2VjzPFRAQ0/65+qiiF/MijCIIXexwH5mgk -\fv̤[ڟI[5*׷90'4+V;L~j ;S2yb \ No newline at end of file +-> ssh-ed25519 XzACZQ YPlkpgsyOotrVR/rKOrNqPSBcLYF2U+aZWtPzB8RsEs +zJkNWK8QjKC/DfvjrU8Js1p1ajm1fnrdcNr5g4+rTS4 +--- 7xKrN9yAcMbmvdQwchhkaT8CZTGguUTDPZ2LKxSxppY +qCkPe@}p2qUn!•W؂kZ襟3ޞе. ssh-ed25519 51bcvA mVJPirZJQxHgpX6CkMckYTpJk6HYN7CZYlUPPF1mYDM -XVZqovyalftEtV//FQM11Za+YAEMAuBTypcPQz1+G3E ---- 7QAtADWyWr8SY3jLLzKxPsedOLyasfLs4lK3nmhkOi0 -]JXtE)hSF -$2"Ta`Į{:= - \ No newline at end of file +-> ssh-ed25519 51bcvA kyLCrT3jFu1BszuLMnyP0ej1kL5OvnAu/R6vR+PtYWU +n70Krz1NA1BHhMrJQprm+LBBhY8AeQwI1PvHbF628OE +--- VbdM9HH1CM+4f6z/5oSId9DW6Gi1+q3IuCE6qPKg1mM +@TY(QLYGHGnk ,]&%UfMWqxJk_kh(y k|*=Ik \ No newline at end of file diff --git a/nix/secrets/wg_private_vps5.age b/nix/secrets/wg_private_vps5.age index cbd582e..e7eefdb 100644 --- a/nix/secrets/wg_private_vps5.age +++ b/nix/secrets/wg_private_vps5.age @@ -1,5 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 vT7ExA G9mqOZiAvq+ot4OUevoxvNPIkgWgS8KqMY76uGsxeGs -AMEwoZoFc+axirDc5q+FM3e76IedkxblC3vVqUjmPL8 ---- oXGSsFKfJRPvcU1X3zHN7M6vd0IxBpNowyh4sPesq3A -i3cMTN0}r"Зs~OrPFP`Q<%:73 \ No newline at end of file +-> ssh-ed25519 vT7ExA 2giKg2lnsURC0VqDT8Ibfn9jvkIJUOwIZkRN0Px8OSo +g3ZQzVSDVUl/BX3tAktgkFk5lVKgplZa+vtLYSd+RW8 +--- 9ZTtNf9EG2B6oDyWYST8QiNGQHdYgQ5PoHzEHwW2eY8 +М?M-b>[;^]v|. +IylMs|N5Uj +:ʦET \ No newline at end of file diff --git a/nix/secrets/widetom_bot_token.age b/nix/secrets/widetom_bot_token.age index e414467..15060a6 100644 --- a/nix/secrets/widetom_bot_token.age +++ b/nix/secrets/widetom_bot_token.age 
@@ -1,5 +1,5 @@ age-encryption.org/v1 --> ssh-ed25519 qM6TYg oaTrhtYhEl2Za2fhNt0BgnjXPCkzo1Or9jsLLCnJhzA -Wk99OfMEXXG+cV1LEvC9wf0GeVgT1Z2GA0AtLYCRKD4 ---- 4U4dwN+tJ2LFpIjxEaoZ6HHV5QQU4kr0r0pDXKKcTgE -N]n?!|!:Ml* '?EM@r_ivo:Nilk8S(:֊R/0^xi[xC \ No newline at end of file +-> ssh-ed25519 qM6TYg Xds9FlVzv4E6ZFFTH6zZwG8ewomPq5R3S3/8jDN7zw0 +l1EWvQR0RK865mVQVuCFuo+02HTzrHHlsY9r+E2/Nfc +--- n9KSdsLECG7uH0yD5GsWC/1mTDMXi/JLDJ++oUycTEs +Lw-b}T6kXS ҢF3q4yhz?hS8b=1)P*{˺S>(V+1y#*iBS \ No newline at end of file diff --git a/nix/secrets/widetom_config_toml.age b/nix/secrets/widetom_config_toml.age index 4d13ac2..d5f7e6f 100644 Binary files a/nix/secrets/widetom_config_toml.age and b/nix/secrets/widetom_config_toml.age differ diff --git a/secrets-git-crypt/knot_dns_rfc2136_key_config b/secrets-git-crypt/knot_dns_rfc2136_key_config new file mode 100644 index 0000000..61b3a36 Binary files /dev/null and b/secrets-git-crypt/knot_dns_rfc2136_key_config differ diff --git a/secrets-git-crypt/knot_dns_rfc2136_key_envvar b/secrets-git-crypt/knot_dns_rfc2136_key_envvar new file mode 100644 index 0000000..5bb8e79 Binary files /dev/null and b/secrets-git-crypt/knot_dns_rfc2136_key_envvar differ