diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml
index fe23407a..c9a80092 100644
--- a/host_vars/daniel.adm.crans.org.yml
+++ b/host_vars/daniel.adm.crans.org.yml
@@ -8,3 +8,27 @@ loc_postgres:
 version: 13
 replica: true
 addresses: "['daniel.adm.crans.org'] + {{ query('ldap', 'ip', 'daniel', 'adm') | ipaddr('address') }}"
+
+loc_certbot:
+ - mail: root@crans.org
+ certname: crans.org
+ domains: "*.adm.crans.org, *.crans.org"
+
+loc_service_certbot:
+ config:
+ "crans.org":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+ "adm.crans.org":
+ zone: _acme-challenge.adm.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_adm_challenge.
+ secret: "{{ vault.certbot_adm_dns_secret }}"
+ algorithm: HMAC-SHA512
diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml
index 7a83dd68..0d8a7515 100644
--- a/host_vars/jack.adm.crans.org.yml
+++ b/host_vars/jack.adm.crans.org.yml
@@ -8,3 +8,27 @@ loc_postgres:
 version: 13
 replica: true
 addresses: "['jack.adm.crans.org'] + {{ query('ldap', 'ip', 'jack', 'adm') | ipaddr('address') }}"
+
+loc_certbot:
+ - mail: root@crans.org
+ certname: crans.org
+ domains: "*.adm.crans.org, *.crans.org"
+
+loc_service_certbot:
+ config:
+ "crans.org":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+ "adm.crans.org":
+ zone: _acme-challenge.adm.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_adm_challenge.
+ secret: "{{ vault.certbot_adm_dns_secret }}"
+ algorithm: HMAC-SHA512
diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml
index fcc22925..0fa45482 100644
--- a/host_vars/sam.adm.crans.org.yml
+++ b/host_vars/sam.adm.crans.org.yml
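Review bot: The `loc_service_certbot.config` block added to host_vars/daniel.adm.crans.org.yml gives this host both TSIG keys (`certbot_challenge.` and `certbot_adm_challenge.`) together with a wildcard certificate for `*.crans.org` and `*.adm.crans.org`, and the jack and sam hunks do the same, so three machines each hold material that covers every name in both zones. Nothing in the diff shows how the server at `172.16.10.147` scopes these keys, so it is worth confirming that its update policy limits each key to TXT records under its own `_acme-challenge` zone. I would record that expectation next to each `key:` entry, e.g. `# TSIG key must only be allowed to update TXT records in _acme-challenge.crans.org`. It may also be worth checking whether these hosts need the wildcard at all rather than certificates for the specific names they serve.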
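Review bot: The 24 lines added to host_vars/jack.adm.crans.org.yml are identical to the ones added for daniel and sam, including the hard-coded `server: 172.16.10.147` and both `vault.*` references. Three copies mean that a key rotation or a change of DNS server has to be made in three files, and a missed file leaves one host on stale settings. If the three hosts share an inventory group, the block could be defined once in that group's `group_vars` file (group membership is not visible in this diff, so confirm it first), leaving host_vars for values that really differ per host.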
@@ -8,3 +8,27 @@ loc_postgres:
 version: 13
 replica: true
 addresses: "['sam.adm.crans.org'] + {{ query('ldap', 'ip', 'sam', 'adm') | ipaddr('address') }}"
+
+loc_certbot:
+ - mail: root@crans.org
+ certname: crans.org
+ domains: "*.adm.crans.org, *.crans.org"
+
+loc_service_certbot:
+ config:
+ "crans.org":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+ "adm.crans.org":
+ zone: _acme-challenge.adm.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_adm_challenge.
+ secret: "{{ vault.certbot_adm_dns_secret }}"
+ algorithm: HMAC-SHA512
diff --git a/hosts b/hosts
index e5d3aa92..34ca2369 100644
--- a/hosts
+++ b/hosts
@@ -38,6 +38,7 @@ jitsi mailman postfix reverseproxy +virtu vsftpd_mirror [constellation:children]
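Review bot: The `+virtu` line in `hosts` adds a whole group as a child of a section whose `[...:children]` header lies above the hunk, so the parent group cannot be seen here. If that parent is the group that applies the certbot role, which the rest of this commit suggests but does not show, every member of `virtu` will run it, while only daniel, jack and sam receive `loc_certbot` and `loc_service_certbot` here. It is worth checking that `virtu` contains no other host, or defining those variables at group level so that a host added to `virtu` later does not run the role with the variables undefined.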