diff --git a/k8s/flux/gotk-sync.yaml b/k8s/flux/gotk-sync.yaml
index e60cb44..4338f86 100644
--- a/k8s/flux/gotk-sync.yaml
+++ b/k8s/flux/gotk-sync.yaml
@@ -6,7 +6,7 @@ metadata:
   namespace: flux-system
 spec:
   interval: 5m
-  url: https://gitea.n0ball.tw/admin/infra.git
+  url: http://192.168.51.203/admin/infra.git
   ref:
     branch: main
   secretRef:
@@ -31,6 +31,25 @@ spec:
 ---
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
+metadata:
+  name: infrastructure-config
+  namespace: flux-system
+spec:
+  interval: 5m
+  path: ./k8s/infrastructure-config
+  prune: true
+  dependsOn:
+    - name: infrastructure
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
 metadata:
   name: pg-init
   namespace: flux-system
@@ -59,6 +78,7 @@ spec:
   prune: true
   dependsOn:
     - name: infrastructure
+    - name: infrastructure-config
     - name: pg-init
   sourceRef:
     kind: GitRepository
diff --git a/k8s/infrastructure-config/cert-manager/clusterissuer.yaml b/k8s/infrastructure-config/cert-manager/clusterissuer.yaml
new file mode 100644
index 0000000..6183562
--- /dev/null
+++ b/k8s/infrastructure-config/cert-manager/clusterissuer.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: n0ball-tw-issuer
+spec:
+  acme:
+    server: https://acme-v2.api.letsencrypt.org/directory
+    email: admin@n0ball.tw
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token
+        selector:
+          dnsZones:
+            - "n0ball.tw"
diff --git a/k8s/infrastructure-config/cert-manager/wildcard-cert.yaml b/k8s/infrastructure-config/cert-manager/wildcard-cert.yaml
new file mode 100644
index 0000000..0ab2e28
--- /dev/null
+++ b/k8s/infrastructure-config/cert-manager/wildcard-cert.yaml
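Review bot: The GitRepository `url` in the first hunk now fetches over plain `http://` from a raw private address, so the credential held by the `secretRef` on the hunk's last line (the secret name itself is outside the hunk) and every manifest Flux later applies cluster-wide cross the network without transport protection or server authentication. If the move off the `gitea.n0ball.tw` hostname is a temporary DNS workaround, a comment above `url:` saying so and when it should be reverted would help; otherwise keep `https://` with a `caFile` entry in the referenced secret, or switch to `ssh://` with a `known_hosts` entry. Independently of transport, consider adding a `verify:` block with `mode: HEAD` and a `secretRef` pointing at a secret of trusted GPG public keys, so unsigned or tampered commits are never reconciled.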
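Review bot: The new `infrastructure-config` Kustomization in the second hunk sets neither `wait: true` nor `healthChecks`, so the `dependsOn` entry added in the third hunk (`@@ -59,6 +78,7`) is satisfied as soon as the ClusterIssuer and Certificate manifests are applied, not once the wildcard TLS secret has actually been issued; if the dependent Kustomization's workloads mount that secret, add `wait: true` under `spec:`. The `decryption.secretRef` expects a `sops-age` secret to already exist in `flux-system`, and nothing in this change creates it, presumably because it is bootstrapped out of band; a one-line comment above `decryption:` stating where that key comes from would save the next operator a failed reconcile.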
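Review bot: `apiTokenSecretRef` in the new ClusterIssuer names a `cloudflare-api-token` secret but no namespace can be given here, because a ClusterIssuer is cluster-scoped and cert-manager resolves its secrets from its cluster resource namespace rather than from `infrastructure-config`; the secret is not created anywhere in this diff, so document that expectation with a comment such as `# secret must live in cert-manager's cluster resource namespace; created out of band`. Since that token can rewrite DNS for the zone, it is worth stating in the same comment that it should be scoped to Zone:DNS:Edit on `n0ball.tw` only. The `server` points at the production Let's Encrypt endpoint, so early misconfiguration of the solver counts against production rate limits; the staging directory is the usual place to validate a new issuer first.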
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: n0ball-tw-wildcard
+  namespace: kube-system
+spec:
+  secretName: n0ball-tw-tls
+  issuerRef:
+    name: n0ball-tw-issuer
+    kind: ClusterIssuer
+  dnsNames:
+    - "*.n0ball.tw"
+    - "n0ball.tw"
diff --git a/k8s/infrastructure-config/kustomization.yaml b/k8s/infrastructure-config/kustomization.yaml
new file mode 100644
index 0000000..f284cd3
--- /dev/null
+++ b/k8s/infrastructure-config/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cert-manager/clusterissuer.yaml
+  - cert-manager/wildcard-cert.yaml
diff --git a/k8s/infrastructure/kustomization.yaml b/k8s/infrastructure/kustomization.yaml
index 96afdbc..66c3f14 100644
--- a/k8s/infrastructure/kustomization.yaml
+++ b/k8s/infrastructure/kustomization.yaml
@@ -4,8 +4,6 @@ resources:
   - helmrepositories.yaml
   - longhorn/helmrelease.yaml
   - cert-manager/helmrelease.yaml
-  - cert-manager/clusterissuer.yaml
-  - cert-manager/wildcard-cert.yaml
   - observability
   - openldap/helmrelease.yaml
   - keycloak/helmrelease.yaml
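Review bot: The wildcard Certificate has no `privateKey` stanza, and cert-manager's default rotation policy reuses the same private key on every renewal, so the `n0ball-tw-tls` key for the whole `*.n0ball.tw` zone would persist indefinitely once generated; add `privateKey:` / `  rotationPolicy: Always` under `spec:` so each renewal gets a fresh key. Placing the secret in `kube-system` presumably matches where the ingress controller runs, but it also means any principal with secret read access in that namespace holds the wildcard key, so a comment above `namespace:` naming the consumer would make the choice reviewable and discourage broadening RBAC there later.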