diff --git a/configuration.nix b/configuration.nix
index 6bcd45e..79f0159 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -71,6 +71,8 @@
 ./services/mollysocket.nix
 ./services/harmonia.nix
+
+ ./services/ddns-updater.nix
 ];
 # Hosts entries for CI/CD deploy targets
diff --git a/modules/age-secrets.nix b/modules/age-secrets.nix
index d3d8912..cd43825 100644
--- a/modules/age-secrets.nix
+++ b/modules/age-secrets.nix
@@ -46,6 +46,20 @@
 group = "caddy";
 };
+ # Njalla API token (NJALLA_API_TOKEN=...) for Caddy DNS-01 challenge
+ njalla-api-token-env = {
+ file = ../secrets/njalla-api-token-env.age;
+ mode = "0400";
+ owner = "caddy";
+ group = "caddy";
+ };
+
+ # ddns-updater config.json with Njalla provider credentials
+ ddns-updater-config = {
+ file = ../secrets/ddns-updater-config.age;
+ mode = "0400";
+ };
+
 jellyfin-api-key = {
 file = ../secrets/jellyfin-api-key.age;
 mode = "0400";
diff --git a/secrets/ddns-updater-config.age b/secrets/ddns-updater-config.age
new file mode 100644
index 0000000..1fe9a46
Binary files /dev/null and b/secrets/ddns-updater-config.age differ
diff --git a/secrets/njalla-api-token-env.age b/secrets/njalla-api-token-env.age
new file mode 100644
index 0000000..d491b1c
Binary files /dev/null and b/secrets/njalla-api-token-env.age differ
diff --git a/services/caddy/caddy.nix b/services/caddy/caddy.nix
index f77644f..6481c8d 100644
--- a/services/caddy/caddy.nix
+++ b/services/caddy/caddy.nix
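Review bot: The new `ddns-updater-config` secret sets `mode = "0400"` but no `owner`/`group`, so the decrypted file will be root-owned and unreadable by anything that is not root; its only consumer is the ddns-updater service added in services/ddns-updater.nix, which (as far as I recall of the NixOS module) runs as an unprivileged dynamic user, so the service would fail to open `CONFIG_FILEPATH` at start. Either give the file an owner the service actually runs as, or hand it over through systemd credentials, which also works with DynamicUser: `systemd.services.ddns-updater.serviceConfig.LoadCredential = [ "config.json:${config.age.secrets.ddns-updater-config.path}" ];` and in ddns-updater.nix `CONFIG_FILEPATH = "/run/credentials/ddns-updater.service/config.json";` (confirm the unit name first). The `njalla-api-token-env` entry above it does set `owner`/`group`, so the two entries are inconsistent as written. If both secrets carry the same Njalla token, a comment noting that rotation must update both `.age` files would save the next maintainer a surprise.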
@@ -56,9 +56,19 @@ in
 enable = true;
 email = "titaniumtown@proton.me";
- # Enable on-demand TLS for old domain redirects
- # Certs are issued dynamically when subdomains are accessed
+ # Build with Njalla DNS provider for DNS-01 ACME challenges (wildcard certs)
+ package = pkgs.caddy.withPlugins {
+ plugins = [ "github.com/caddy-dns/njalla@v0.0.0-20250823094507-f709141f1fe6" ];
+ hash = "sha256-rrOAR6noTDpV/I/hZXxhz0OXVJKu0mFQRq87RUrpmzw=";
+ };
+ globalConfig = ''
+ # Wildcard cert for *.${newDomain} via DNS-01 challenge
+ acme_dns njalla {
+ api_token {env.NJALLA_API_TOKEN}
+ }
+
+ # On-demand TLS for old domain redirects
 on_demand_tls {
 ask http://localhost:9123/check
 }
@@ -106,6 +116,9 @@ in
 };
 };
+ # Inject Njalla API token for DNS-01 challenge
+ systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.njalla-api-token-env.path;
+
 systemd.tmpfiles.rules = [
 "d ${config.services.caddy.dataDir} 700 ${config.services.caddy.user} ${config.services.caddy.group}"
 ];
diff --git a/services/ddns-updater.nix b/services/ddns-updater.nix
new file mode 100644
index 0000000..9b145c9
--- /dev/null
+++ b/services/ddns-updater.nix
@@ -0,0 +1,14 @@
+{
+ config,
+ ...
+}:
+{
+ services.ddns-updater = {
+ enable = true;
+ environment = {
+ PERIOD = "5m";
+ # ddns-updater reads config from this path at runtime
+ CONFIG_FILEPATH = config.age.secrets.ddns-updater-config.path;
+ };
+ };
+}
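Review bot: The global `acme_dns njalla { ... }` block switches every ACME issuance Caddy performs to the DNS-01 challenge, not only the wildcard for `${newDomain}`; that includes the on-demand certificates for the old-domain redirect hosts gated by the `on_demand_tls { ask ... }` block that follows. If the old domain's zone is not managed by the same Njalla account/token, those on-demand issuances will start failing once this config is active, whereas before they used HTTP/TLS-ALPN; I would verify that or scope the DNS provider to the new domain's site block with a per-site `tls { dns njalla {env.NJALLA_API_TOKEN} }` instead of the global option. The comment `# Wildcard cert for *.${newDomain} via DNS-01 challenge` is also a Nix interpolation inside the `''` string, which is fine only because `newDomain` is bound in the `let` above the hunk; worth a short note, since a reader may take it for a literal Caddyfile placeholder. The surrounding `services.caddy` attrset starts and ends outside this hunk.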
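Review bot: Setting `systemd.services.caddy.serviceConfig.EnvironmentFile` directly bypasses the option the NixOS Caddy module provides for exactly this purpose; unless the nixpkgs revision in use predates it, `services.caddy.environmentFile = config.age.secrets.njalla-api-token-env.path;` expresses the same thing next to the rest of the Caddy configuration and avoids a conflicting-definition error if the module itself ever sets `EnvironmentFile`. Either way, the file is read at service start, so rotating the token requires a Caddy restart; a comment saying so next to the assignment would help, e.g. `# Read once at unit start: restart caddy after rotating the token`.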
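Review bot: Nothing in the new `services.ddns-updater.environment` block pins where the ddns-updater status web UI listens; upstream's default, as I recall, is `LISTENING_ADDRESS=:8000` on all interfaces with no authentication, and the UI shows the configured records and update status. Unless the NixOS module or the host firewall already restricts it, add `LISTENING_ADDRESS = "127.0.0.1:8000";` beside `PERIOD` so the page stays reachable only locally, and say so in a comment. The `CONFIG_FILEPATH` line also depends on the decrypted secret being readable by the service user, which the age-secrets hunk does not currently arrange for (see the note there).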