diff --git a/nixos/modules/nixos/containers/default.nix b/nixos/modules/nixos/containers/default.nix
index 2a7d808..a397bb5 100644
--- a/nixos/modules/nixos/containers/default.nix
+++ b/nixos/modules/nixos/containers/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./backrest
+ ./lego-auto
 ./unifi
 ];
 }
diff --git a/nixos/modules/nixos/containers/lego-auto/default.nix b/nixos/modules/nixos/containers/lego-auto/default.nix
new file mode 100644
index 0000000..0cbec30
--- /dev/null
+++ b/nixos/modules/nixos/containers/lego-auto/default.nix
@@ -0,0 +1,62 @@
+{ lib, config, ... }:
+with lib;
+let
+ app = "lego-auto";
+ image = "ghcr.io/bjw-s/lego-auto:v0.3.0";
+ user = "999"; #string
+ group = "102"; #string
+ port = 9898; #int
+ cfg = config.mySystem.services.${app};
+ appFolder = "/eru/containers/volumes/${app}";
+in
+{
+ options.mySystem.services.${app} = {
+ enable = mkEnableOption "${app}";
+ dnsimpleTokenPath = mkOption {
+ type = types.path;
+ example = "/config/dnsimple-token";
+ description = "Path to the DNSimple token file";
+ };
+ provider = mkOption {
+ type = types.string;
+ example = "dnsimple";
+ description = "DNS provider";
+ };
+ domains = mkOption {
+ type = types.string;
+ example = "gandalf.jahanson.tech";
+ description = "Domains to manage";
+ };
+ email = mkOption {
+ type = types.string;
+ example = "joe@veri.dev";
+ description = "Email address for Let's Encrypt";
+ };
+ };
+
+ # TODO: Add refresh cert path (ex. copy cert to unifi)
+ config = mkIf cfg.enable {
+ virtualisation.oci-containers.containers.${app} = {
+ image = "${image}";
+ user = "${user}:${group}";
+ autoStart = true;
+ extraOptions = [
+ "--dns=1.1.1.1"
+ ];
+ environment = {
+ TZ = "America/Chicago";
+ LA_DATADIR = "/certs";
+ LA_CACHEDIR = "/certs/.cache";
+ LA_EMAIL = "cfg.email";
+ LA_DOMAINS = cfg.domains;
+ LA_PROVIDER = cfg.provider;
+ } // lib.optionalAttrs (cfg.provider == "dnsimple") {
+ DNSIMPLE_OAUTH_TOKEN_FILE = "/config/dnsimple-token";
+ };
+
+ volumes = [
+ "${appFolder}/cert:/cert"
+ ] // optionals (cfg.provider == "dnsimple") [ "${cfg.dnsimpleTokenPath}:/config/dnsimple-token" ];
+ };
+ };
+}
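Review bot: Two expressions in the new module will not do what is intended: `LA_EMAIL = "cfg.email";` passes the literal text rather than the option value, and the `volumes` list is joined to `optionals …` with `//`, which merges attribute sets and fails on lists, so it should be `++`. The data mount also targets `/cert` while `LA_DATADIR` and `LA_CACHEDIR` point at `/certs`, so issued certificates and their private keys would apparently be written to the container's writable layer rather than to `${appFolder}/cert`. The DNSimple token can be mounted read-only with `:ro`, and because `dnsimpleTokenPath` is `types.path` and is string-interpolated, a Nix path literal given for it would be copied into the world-readable store; declaring it `types.str` (which also replaces the deprecated `types.string` on the other options) or documenting that it must be a runtime secret path avoids that. The rewritten lines are below.

```nix
environment = {
  # … unchanged: TZ, LA_DATADIR, LA_CACHEDIR …
  LA_EMAIL = cfg.email;
  # … unchanged: LA_DOMAINS, LA_PROVIDER, dnsimple optionalAttrs …
};

volumes = [
  "${appFolder}/cert:/certs"
] ++ optionals (cfg.provider == "dnsimple") [
  "${cfg.dnsimpleTokenPath}:/config/dnsimple-token:ro"
];
```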