diff --git a/nix/manifest.nix b/nix/manifest.nix
index 8f600de..b21cf84 100644
--- a/nix/manifest.nix
+++ b/nix/manifest.nix
@@ -38,6 +38,9 @@
 "slayment.com"
 ];
 };
+ web-servers = {
+ enableSSL = true;
+ };
 databases = {
 mongodb.enable = true;
 mysql.enable = true;
diff --git a/nix/modules/server/web-servers.nix b/nix/modules/server/web-servers.nix
new file mode 100644
index 0000000..9bcbc4e
--- /dev/null
+++ b/nix/modules/server/web-servers.nix
@@ -0,0 +1,43 @@
+{ lib, config, ... }:
+let
+ inherit (builtins) listToAttrs map;
+ inherit (config.flake.lib.options) mkStrOption mkPathOption;
+ inherit (config.flake.lib.services) mkRootDomain;
+ inherit (config.flake.paths) secrets;
+ inherit (config.flake.admin) email;
+ inherit (lib.types) listOf submodule attrs;
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkMerge mkIf;
+ inherit (lib.lists) singleton;
+in
+{
+ flake.modules.nixos.default =
+ { config, ... }:
+ let
+ cfg = config.server.web-servers;
+ in
+ {
+ options.server.web-servers = {
+ enableSSL = mkEnableOption "";
+ };
+ config = mkMerge [
+ (mkIf cfg.enableSSL {
+ sops.secrets."keys/cloudflare".sopsFile = secrets + "/keys.yaml";
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ inherit email;
+ dnsProvider = "cloudflare";
+ credentialFiles."CLOUDFLARE_DNS_API_TOKEN_FILE" = config.sops.secrets."keys/cloudflare".path;
+ };
+ certs = {
+ "rrv.sh".extraDomainNames = singleton "*.rrv.sh";
+ "bwfiq.com".extraDomainNames = singleton "*.bwfiq.com";
+ "slayment.com".extraDomainNames = singleton "*.slayment.com";
+ "aenyrathia.wiki".extraDomainNames = singleton "*.aenyrathia.wiki";
+ };
+ };
+ })
+ ];
+ };
+}
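Review bot: Most of the `let` inherits in the new web-servers.nix are dead — `listToAttrs`, `map`, `mkStrOption`, `mkPathOption`, `mkRootDomain`, `listOf`, `submodule`, `attrs` and `mkOption` are bound but never referenced in the module body, and `mkMerge` wraps a single `mkIf`, so `config = mkIf cfg.enableSSL { … };` with only `mkEnableOption`, `mkIf`, `singleton`, `secrets` and `email` inherited expresses the same module. `mkEnableOption ""` also leaves the option undocumented in generated option docs; something like `enableSSL = mkEnableOption "ACME TLS certificates issued through Cloudflare DNS-01 validation";` would fix that. The `certs` set hard-codes four domains while the manifest hunk appears to carry a domain list of its own (`"slayment.com"` is visible in its context lines), so the two can silently drift; if that list is the source of truth, consider deriving `certs` from it instead of repeating the names. Since the Cloudflare token is wired in via `credentialFiles`, a short comment stating the minimum scope that token needs (DNS edit on these zones only) would help whoever rotates the secret in `keys.yaml`.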