diff --git a/gitops/home-kubernetes/cert-manager/clusterissuer_dns01-prod.yaml b/gitops/home-kubernetes/cert-manager/clusterissuer_dns01-prod.yaml
new file mode 100644
index 0000000..fe6e9cc
--- /dev/null
+++ b/gitops/home-kubernetes/cert-manager/clusterissuer_dns01-prod.yaml
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod-dns
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: kacerr.cz@gmail.com
+ privateKeySecretRef:
+ name: letsencrypt-dns-account-key
+ solvers:
+ - dns01:
+ rfc2136:
+ nameserver: dns-update-proxy.cert-manager.svc.cluster.local:53
+ tsigKeyName: acme-update-key
+ tsigAlgorithm: HMACSHA512
+ tsigSecretSecretRef:
+ name: acme-update-key
+ key: acme-update-key
+ selector:
+ dnsZones:
+ - "lab.home.hrajfrisbee.cz"
\ No newline at end of file
diff --git a/gitops/home-kubernetes/cert-manager/deployment_dns-updater-proxy.yaml b/gitops/home-kubernetes/cert-manager/deployment_dns-updater-proxy.yaml
new file mode 100644
index 0000000..d750010
--- /dev/null
+++ b/gitops/home-kubernetes/cert-manager/deployment_dns-updater-proxy.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dns-update-proxy
+ namespace: cert-manager
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: dns-update-proxy
+ template:
+ metadata:
+ labels:
+ app: dns-update-proxy
+ spec:
+ containers:
+ - name: socat-tcp
+ image: alpine/socat
+ args:
+ - TCP-LISTEN:53,fork,reuseaddr
+ - TCP:87.236.195.209:5353
+ ports:
+ - containerPort: 53
+ protocol: TCP
+ - name: socat-udp
+ image: alpine/socat
+ args:
+ - -T5
+ - UDP-RECVFROM:53,fork,reuseaddr
+ - UDP:87.236.195.209:5353
+ ports:
+ - containerPort: 53
+ protocol: UDP
diff --git a/gitops/home-kubernetes/cert-manager/externalsecret_acme-key.yaml b/gitops/home-kubernetes/cert-manager/externalsecret_acme-key.yaml
new file mode 100644
index 0000000..cb70e7f
--- /dev/null
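Review bot: The `rfc2136.nameserver` line points cert-manager at the in-cluster socat relay rather than the authoritative server, but nothing in the file records why the indirection exists — the `nameserver` field already takes a `host:port`, as this very line shows, so the non-standard upstream port alone does not explain it. Add a comment above it such as `# updates are relayed via dns-update-proxy (deployment_dns-updater-proxy.yaml); upstream is 87.236.195.209:5353, see that file for the reason` and fill in the actual reason. The `tsigSecretSecretRef` on a ClusterIssuer is looked up in cert-manager's cluster-resource namespace, which presumably is `cert-manager` here; a comment next to `name: acme-update-key` stating that dependency keeps the ExternalSecret's namespace from being changed independently. The file also ends without a trailing newline.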
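Review bot: Both `image: alpine/socat` lines are untagged, so every pod restart pulls whatever `latest` resolves to at that moment; since this relay sits in the path of the ACME DNS-01 updates, pin it to a tag and ideally a digest, e.g. `image: alpine/socat:<pinned-tag>@sha256:<digest>` (placeholder values). The containers also carry no `resources` limits and no `securityContext`, and the upstream `87.236.195.209:5353` is repeated in both containers with no comment saying what host it is. A one-line comment above `containers:` naming the upstream, plus listening on an unprivileged port (with the Service's `targetPort` adjusted to match) so the pods can run with `runAsNonRoot: true` and dropped capabilities, would make the relay both documented and least-privilege.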
+++ b/gitops/home-kubernetes/cert-manager/externalsecret_acme-key.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: acme-update-key
+ namespace: cert-manager
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault-backend # or your store
+ kind: ClusterSecretStore
+ target:
+ name: acme-update-key
+ creationPolicy: Owner
+ data:
+ - secretKey: acme-update-key
+ remoteRef:
+ key: k8s_home/cert-manager
+ property: acme-update-key
diff --git a/gitops/home-kubernetes/cert-manager/helmrelease.yaml b/gitops/home-kubernetes/cert-manager/helmrelease.yaml
index 1328503..57ce34a 100644
--- a/gitops/home-kubernetes/cert-manager/helmrelease.yaml
+++ b/gitops/home-kubernetes/cert-manager/helmrelease.yaml
@@ -19,6 +19,8 @@ spec:
 upgrade:
 crds: CreateReplace
 values:
+ global:
+ logLevel: 6
 crds:
 enabled: false
 config:
diff --git a/gitops/home-kubernetes/cert-manager/service_dns-updater-proxy.yaml b/gitops/home-kubernetes/cert-manager/service_dns-updater-proxy.yaml
new file mode 100644
index 0000000..e8142fe
--- /dev/null
+++ b/gitops/home-kubernetes/cert-manager/service_dns-updater-proxy.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: dns-update-proxy
+ namespace: cert-manager
+spec:
+ selector:
+ app: dns-update-proxy
+ ports:
+ - name: dns-tcp
+ port: 53
+ targetPort: 53
+ protocol: TCP
+ - name: dns-udp
+ port: 53
+ targetPort: 53
+ protocol: UDP
\ No newline at end of file
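Review bot: The `# or your store` comment beside `name: vault-backend` is a leftover from an example and reads as if the store were still undecided; drop it or replace it with something that carries information, e.g. `# ClusterSecretStore defined in <path-to-store-manifest>` (placeholder). The target Secret `acme-update-key` in `namespace: cert-manager` is what the ClusterIssuer's `tsigSecretSecretRef` expects, which only holds while cert-manager's cluster-resource namespace stays `cert-manager`; a comment on the `namespace:` line making that coupling explicit would save a future maintainer from moving one without the other.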
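Review bot: `logLevel: 6` under the added `global:` block is the most verbose level the cert-manager chart accepts and looks like a debugging aid for the new DNS-01 solver rather than a steady-state value; either revert it once the solver is confirmed working or annotate it, e.g. `logLevel: 6  # TODO: debugging the rfc2136 solver, lower back to the default when done`. At that verbosity the controller may emit request-level detail, so check what reaches any log aggregation before leaving it in place. The enclosing `spec:`/`values:` block starts before this hunk.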
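Review bot: This Service exposes the relay to every pod in the cluster, and the socat proxy it fronts forwards whatever arrives on port 53 to the external host without any check of its own; TSIG still gates the actual zone updates, but the relay itself is an open cluster-wide path to that upstream. Consider a NetworkPolicy in `cert-manager` that allows ingress to `app: dns-update-proxy` on 53/TCP and 53/UDP only from the cert-manager controller pods, and document that intent in a comment above `selector:`. The file also lacks a trailing newline (`\ No newline at end of file`).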