diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..b4996f0
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,12 @@
+keys:
+ - &poby age1qeyrh6e40nek3da4mnj298cy2l3aswe7432us30d2p93akcvp9zqext63j
+ - &yggdrasil age10zgc2lj0j8zfetrysupdumftrq2esmud2xru2hn5228rk6v45p2sa2t4k0
+ - &midgard age1g2fpds2u6rz02pejpr05uu7r596fz5gvwz4jg7sahjktp67n39psukvng9
+
+creation_rules:
+ - path_regex: secrets/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *poby
+ - *yggdrasil
+ - *midgard
diff --git a/flake.nix b/flake.nix
index a00f130..d9936cd 100644
--- a/flake.nix
+++ b/flake.nix
@@ -43,6 +43,7 @@
 ./modules/users.nix
 ./modules/ssh.nix
 ./modules/tailscale.nix
+ ./modules/secrets.nix
 disko.nixosModules.disko
 sops-nix.nixosModules.sops
diff --git a/hosts/yggdrasil/default.nix b/hosts/yggdrasil/default.nix
index 270ce67..17331e9 100644
--- a/hosts/yggdrasil/default.nix
+++ b/hosts/yggdrasil/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ./hardware-configuration.nix
 ./disko.nix
+ ../../services/ingress.nix
 ];
 networking.hostName = "yggdrasil";
diff --git a/modules/secrets.nix b/modules/secrets.nix
new file mode 100644
index 0000000..e938209
--- /dev/null
+++ b/modules/secrets.nix
@@ -0,0 +1,9 @@
+{...}: {
+ sops = {
+ defaultSopsFile = ../secrets/ingress.yaml;
+
+ age.sshKeyPaths = [
+ "/etc/ssh/ssh_host_ed25519_key"
+ ];
+ };
+}
diff --git a/secrets/ingress.yaml b/secrets/ingress.yaml
new file mode 100644
index 0000000..88b15de
--- /dev/null
+++ b/secrets/ingress.yaml
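Review bot: The single `creation_rules` entry encrypts every `secrets/*.yaml` to all three recipients, so the `midgard` key can decrypt the Cloudflare token in `secrets/ingress.yaml` even though only `hosts/yggdrasil` imports the ingress service in this commit. Splitting the rule per secret file keeps each host key on only what that host deploys, e.g. `- path_regex: ^secrets/ingress\.yaml$` with an age group of `*poby` and `*yggdrasil` only, and the leading `^` also fixes the current pattern being unanchored at the start (sops matches the rule against the path relative to `.sops.yaml`, so a `secrets/` directory nested anywhere would currently match). Which recipient is an operator key and which are host keys is not stated anywhere; a comment per key such as `# operator key` and `# ssh-to-age of yggdrasil's ed25519 host key` would make the trust model explicit for whoever rotates them.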
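Review bot: `defaultSopsFile = ../secrets/ingress.yaml;` sits in `modules/secrets.nix`, which the `flake.nix` hunk adds next to the other shared modules, so the ingress secret file becomes the default sops file for every host that list applies to rather than just yggdrasil (assuming the list is shared across hosts, which the hunk does not show). Keeping this module to the decryption-key setup and naming the file where the secret is declared, `sops.secrets."cloudflare/caddy_env".sopsFile = ../secrets/ingress.yaml;` in `services/ingress.nix`, avoids coupling unrelated hosts to an ingress-specific file. A comment on `age.sshKeyPaths` would also help operators, e.g. `# host age identity is derived from the ed25519 host key; re-encrypt secrets if this key is ever regenerated`, since a reinstall via disko would otherwise silently lock the host out of its secrets.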
@@ -0,0 +1,35 @@
+cloudflare:
+ caddy_env: ENC[AES256_GCM,data:MaLxUa/oooLT9VlTQl81q6Q5yOxWuiXbo9Lcrww4sfk2CmbP/Oj0pxqtb7I9c7ge2UNtidnatAFUqLfHXlW3Zt9iENceQVxW3/86,iv:I+qNH4obhnXMpVxhcJgakzsWNj1lMyoN/6UCQ12id2M=,tag:BTD5nvHp1Aj7D7MtxmaoMA==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6Vy9wMVZwNldSazA1S3cz
+ TVJuQkhOaDBHN1hJV3NaMHNrSGMzL3VSNmhFCkJVZmxvdzdrTHoxbjBYbHBqa3h6
+ anQ2enRuU2tpQnBpUUx6L0ErTWhkMUUKLS0tIG4zLzFqMzJ6bG82by9YNzRtQnI4
+ RXhQYUFMYU9RR1RoRUVnNWlpdGJ5MlEKxlbHUBR/MoDV/nyWeX32m112/BXr32wH
+ l+50eSrbbpLjD6WSG0i3D7Dxoq5yzkHxGeO40/zZyMsc4OjdqboeqQ==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1qeyrh6e40nek3da4mnj298cy2l3aswe7432us30d2p93akcvp9zqext63j
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2bFVUclVDM0lUanYwU3lh
+ QWZWZmVkQTBnWWx0Z3NaK3NOYTBRaFdtbFdZCmJGdE83Zk50ckRPY2tWT3l4TXoy
+ ZGJPMkI3dzMxRzRkaG1acTBNWUZWQ2MKLS0tIE16WmxmS1EydTJ1bm1CNmwzeG5q
+ ZFhtVjVqaUJoRUJ5OXBCQThVUU5HbDAK9P1OnxXycp7Fv4XKIunZpNHR4Os0ocKI
+ N826u7XI8mEtO2ml6uIe9SITl09c36g32w21oIFHvk6X/rLLmAHA2w==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age10zgc2lj0j8zfetrysupdumftrq2esmud2xru2hn5228rk6v45p2sa2t4k0
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArcGoxekJNTUJJQXlxUjlz
+ NGU2dWZwcHNLbWNXOE5IU3lsNXNMN3dpa2cwCnR2bm9BVFRPRjN6TjQxZVh1NEV2
+ TW9NNEkzemZRM3NyajlFQ2ZFamptNzAKLS0tIGFzZVgyNVJmNmxudEd2d0JiU0hk
+ QVUyKzRLMzJWVEJvVDdpYVRSblRVNU0K9W/w/HlX3OlmZsLDkyfhmsZ7nBhVAczj
+ TdZcEc0hUy/9cIv0v8p6acz2XNgBUYXCF3ORJMOsvH/pLbyoEj3rng==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1g2fpds2u6rz02pejpr05uu7r596fz5gvwz4jg7sahjktp67n39psukvng9
+ lastmodified: "2026-05-22T03:50:15Z"
+ mac: 
ENC[AES256_GCM,data:Lj/Ff7GjrZLlojVFiNqVWCwmNXD40T43y/fF2G7N1dWrlSafwzG+lOk35uXYn2n+HdrKD8Y2VTywgHX7gZupYOLQjkttrLnKy0/4s2PHpWyaHjE1g/GlIDjRz2VvVGO3w8A6GICNtbMO1HvwT93XFja1dyaRQ9RZ2XmY46FBE2s=,iv:p5NlMSsRCwos3aeCdf7KYuh4bPVWfVEuWpHSINMOC2Y=,tag:7GpIySJIaSj1+KyXYKutVA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0
diff --git a/services/ingress.nix b/services/ingress.nix
new file mode 100644
index 0000000..c4e4eed
--- /dev/null
+++ b/services/ingress.nix
@@ -0,0 +1,37 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ sops.secrets."cloudflare/caddy_env" = {
+ owner = config.services.caddy.user;
+ group = config.services.caddy.group;
+ mode = "0400";
+ restartUnits = [
+ "caddy.service"
+ ];
+ };
+
+ services.caddy = {
+ enable = true;
+ enableReload = true;
+
+ package = pkgs.caddy.withPlugins {
+ plugins = [
+ "github.com/caddy-dns/cloudflare@v0.2.4"
+ ];
+ hash = "sha256-vNSHU7txQLs0m0UChuszURXjEoMj4r1902+1ei0/DaI=";
+ };
+
+ environmentFile = config.sops.secrets."cloudflare/caddy_env".path;
+
+ globalConfig = ''
+ email smg981024@gmail.com
+ acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+ '';
+
+ virtualHosts."http://yggdrasil.tail6fc192.ts.net:8080".extraConfig = ''
+ respond "yggdrasil caddy ingress ok"
+ '';
+ };
+}
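Review bot: `globalConfig` registers `acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}`, but the only site in this file is `http://yggdrasil.tail6fc192.ts.net:8080`, which Caddy serves without TLS, so nothing here issues a certificate and the Cloudflare token is loaded into the Caddy process with no consumer yet. If this is staging for later TLS hosts, a comment above `globalConfig` should say so and record the contract the Nix side cannot show, e.g. `# DNS-01 via Cloudflare; the sops env file must contain CLOUDFLARE_API_TOKEN=... and the token should be scoped to Zone:DNS:Edit for the one zone`, since neither the env-file layout nor the token's scope is visible from this hunk. Separately, a site address without `bind` makes Caddy listen on :8080 on every interface, not only the tailnet one; if this is meant to stay tailnet-only, add a `bind` line with the tailscale address or confirm the host firewall keeps 8080 closed off-tailnet (the firewall config is not in this diff, so I cannot tell).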