diff --git a/hosts/mauville/default.nix b/hosts/mauville/default.nix
index daf2bc3b..b7ff7236 100644
--- a/hosts/mauville/default.nix
+++ b/hosts/mauville/default.nix
@@ -19,6 +19,8 @@ in {
     ./home.nix
   ];
 
+  age.secrets.cloudflare.file = ../../secrets/cloudflare.age;
+
   boot.loader = {
     efi.canTouchEfiVariables = true;
     systemd-boot.enable = true;
@@ -57,6 +59,23 @@ in {
   };
 
   services = {
+    ddclient = {
+      enable = true;
+      domains = [
+        "music.raffauflabs.com"
+        "plex.raffauflabs.com"
+        "podcasts.raffauflabs.com"
+        "raffauflabs.com"
+      ];
+      interval = "10min";
+      passwordFile = config.age.secrets.cloudflare.path;
+      protocol = "cloudflare";
+      ssl = true;
+      use = "web, web=dynamicdns.park-your-domain.com/getip, web-skip='Current IP Address: '";
+      username = "token";
+      zone = "raffauflabs.com";
+    };
+
     fail2ban.enable = true;
 
     nginx = {
diff --git a/secrets/cloudflare.age b/secrets/cloudflare.age
new file mode 100644
index 00000000..d1866799
Binary files /dev/null and b/secrets/cloudflare.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9ddcd924..9b0dda32 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,7 @@ let
   userKeys = builtins.map (user: builtins.readFile ./publicKeys/${user}.pub) users;
   keys = systemKeys ++ userKeys;
 in {
+  "cloudflare.age".publicKeys = keys;
   "lastFM/apiKey.age".publicKeys = keys;
   "lastFM/secret.age".publicKeys = keys;
   "spotify/clientId.age".publicKeys = keys;