diff --git a/.sops.yaml b/.sops.yaml
index fd16c44..79cd3e7 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -12,6 +12,7 @@ keys:
   - &nix-cache age1ffpkfl4ged52ym7ynyhjc40t9v2g6pgjp4ue670lxcr6mxy7mdtqt5qjlq
   - &proxy age1yz7k9s5plamjq425memjh00y4sdldgdhpwxqpx9gk9wutttx9scsdg3qd5
   - &saga age10advysga7fpkh7uuv9a7phs77c5khswf5c9q9txvrauxtqr4yu0sk2r75v
+  - &valkyrie age139zg5z02dx3j70tl6sn2l9kq0nfz2ddkffx0grlh7gg28dafhq6qd2sj6f
 creation_rules:
   - path_regex: machines/loki/[^/]+\.yaml$
     key_groups:
@@ -79,3 +80,9 @@ creation_rules:
           - *erwin
           - *erwin_horus
           - *saga
+  - path_regex: machines/valkyrie/[^/]+\.ya?ml$
+    key_groups:
+      - age:
+          - *erwin
+          - *erwin_horus
+          - *valkyrie
diff --git a/machines/valkyrie/configuration.nix b/machines/valkyrie/configuration.nix
index 34d1ee8..e3fd347 100644
--- a/machines/valkyrie/configuration.nix
+++ b/machines/valkyrie/configuration.nix
@@ -7,8 +7,9 @@
     ../../users/root
     ../../users/erwin
 
-    ./kea
     ./blocky
+    ./coredns
+    ./kea
     ./unbound
   ];
 
@@ -82,5 +83,12 @@
     sudo.enable = false;
   };
 
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      coredns-env = { };
+    };
+  };
+
   system.stateVersion = "23.11";
 }
diff --git a/machines/valkyrie/coredns/default.nix b/machines/valkyrie/coredns/default.nix
new file mode 100644
index 0000000..8be3c29
--- /dev/null
+++ b/machines/valkyrie/coredns/default.nix
@@ -0,0 +1,27 @@
+{ pkgs, config, ... }:
+{
+  services.coredns = {
+    enable = true;
+    package = pkgs.coredns.override {
+      externalPlugins = [
+        {
+          name = "tailscale";
+          repo = "github.com/damomurf/coredns-tailscale";
+          version = "98dc7fc4862250aad9f00d1e50ac7b8e69bd2af9";
+        }
+      ];
+    };
+
+    config = ''
+      datarift.nl:5454 {
+        tailscale datarift.nl {
+          authkey {$TS_AUTHKEY}
+        }
+        log
+        errors
+      }
+    '';
+  };
+
+  systemd.services.coredns.serviceConfig.EnvironmentFile = [ config.sops.secrets.coredns-env.path ];
+}
diff --git a/machines/valkyrie/secrets.yaml b/machines/valkyrie/secrets.yaml
new file mode 100644
index 0000000..1b24377
--- /dev/null
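Review bot: The new valkyrie rule's `path_regex` ends in `\.ya?ml$` while the loki rule in the same file ends in `\.yaml$`, so the two rules silently cover different file sets for no reason visible in the commit; unless `.yml` secrets are intended only for valkyrie, keep the pattern consistent with the existing rule, `- path_regex: machines/valkyrie/[^/]+\.yaml$`. Both patterns are also unanchored at the start, which is pre-existing but means any path that merely contains `machines/valkyrie/` matches; a leading `^` would make the rule explicit if that is not intended.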
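Review bot: `coredns-env = { };` in the second configuration.nix hunk declares the secret without stating what it must contain, and the contract only becomes visible in a different file where the CoreDNS config substitutes `{$TS_AUTHKEY}` from it; document it where the secret is declared, e.g. `coredns-env = { }; # KEY=value file used as the coredns unit's EnvironmentFile; must define TS_AUTHKEY`. Leaving owner and mode unset keeps sops-nix's root-only default, which looks right here since systemd reads EnvironmentFile as the manager rather than as the service user, but that reasoning is worth a half-line comment so nobody later loosens the mode to "fix" an unrelated permission error.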
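Review bot: The `package` override pins coredns-tailscale to a commit, but the override shows no `vendorHash`, and in nixpkgs it is that hash on the coredns derivation that actually fixes the content of the Go module closure the external plugin pulls in; unless the nixpkgs default already matches with this plugin set, add `vendorHash = "<sha256 placeholder>";` alongside `externalPlugins` so the fetch is reproducible and tamper-evident rather than just revision-pinned. The `datarift.nl:5454` server block has no `bind` directive, so CoreDNS listens on 5454 on every interface of the host; if only the local resolver stack (blocky/unbound) is meant to query it, add `bind 127.0.0.1` inside the block or confirm the host firewall does not expose 5454. A one-line header comment would also help a reader arriving from `sops.secrets.coredns-env`, e.g. `# CoreDNS on :5454 serving datarift.nl via the tailscale plugin; TS_AUTHKEY is injected from the sops-provided EnvironmentFile.`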
+++ b/machines/valkyrie/secrets.yaml 
@@ -0,0 +1,39 @@ +coredns-env: ENC[AES256_GCM,data:1tkYhD2VHExWMt2y3G/eSkP5aISkPgqY5soNE6nNfCiewVWYBATqvs/GyBVM6GyXBYudl1myYU11MHheQ3w2T2kRj8PDDr31Ygs=,iv:1JeXTP8OYP990U8ctbZFxmjt92AxKoHLBmdC6P/osV4=,tag:+pN8MrjQTgkcStfwnlSU6A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQNmhVa3hSLzhOSzRtckI0 + ZzF0NU5PMTZ1NXM3Y21OM3BNVE15SmlLQlVzClZsL2FnOU9hS3VoR1dJeXh5TE82 + L0hMRlpUcW1NczhpVVh0R01LVVNxWDgKLS0tIHpXNEtRYTU4Y0N3aWJPUUp0WTVW + Y0FVS2dWTzlZR2RQZ05YOWhGWHQzdG8KSfliwDisp097xCNWUbxT688514YPdPg7 + CvUbeyDjQOZJLjzP9kaE1lOLPZ+iM+kq0yJfK/jShhPav+lSJ3uwvQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoRFBBZ2pPS2xZT09ETWpH + SXlDc091RTZlc0ZuMWJMcjBvWGpwN05QQkhrCmpwNk90QmhlTHN3RVFzTGdOUjNZ + STU5V3BNQndMSHdkdUh6a1hqZzF2eEUKLS0tIGdHQVZTdDVwazRHaUt2aXFBOExO + Z3hDalpXcTlQbC9MNEh6YVp1YXdabWMKkx/MaVPRRez1TMPSncDbng4eCMFrBdxq + fasCMZh1yii9oPajnZXWQqxa8RtNpkxeYFSp3UCgPjw54K0ycEBfUQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age139zg5z02dx3j70tl6sn2l9kq0nfz2ddkffx0grlh7gg28dafhq6qd2sj6f + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYTNFcWpXZ0FmUkdzWVFC + YTRFc0tOU0Y2cElCMmJoZkZkQUlrcm5nQ2lZCk1LYTJLTFhwSy9UNHdHcHYwemMr + WEh5Mmk2ZFdlTllLbks5VFptSWF1Vk0KLS0tIHZqcVliY1ZaY2wwd0NtbDFvcVp6 + MmRsQU43UDUyQ2ZVbWxvRWdBajYwWlEKDNaV/6gjIszP31b8kT+JZxiTWILqbQdR + OKdTbC3XIiFBGpslr5QKJzj26dKsgYvmzEHuHgglZdvuX5EDmzTf5w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-04-22T15:38:55Z" + mac: 
ENC[AES256_GCM,data:M1N8u+mFB3SsQ1PxIoLjVUPyoBoziEX35YDI93MLN81iWT/1IcwR3xmggsYHfoIoFvAQ1yp8Cwp8FSyOT+uvafVJ70npxPJKPZ4PdcxAJWcySIItu0L/PRV2wOvkfeWbfBetCAjl9u+EDZrbJjaKodOkbee5fVakFN6/3q5tseM=,iv:TneZgE0AtEzijzAfSTXg2J2yXUA78OdHrmf4dVRAHUA=,tag:FcmDIvOzDJx3g91/tdYdTw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1