diff --git a/cluster/services/dns/authoritative.nix b/cluster/services/dns/authoritative.nix
index 5082224..27606df 100644
--- a/cluster/services/dns/authoritative.nix
+++ b/cluster/services/dns/authoritative.nix
@@ -43,9 +43,6 @@ in {
   links.localAuthoritativeDNS = {};
 
   age.secrets = {
-    acmeDnsDbCredentials = {
-      file = ./acme-dns-db-credentials.age;
-    };
     acmeDnsDirectKey = {
       file = ./acme-dns-direct-key.age;
     };
@@ -78,8 +75,12 @@ in {
     };
   };
 
+  services.locksmith.waitForSecrets.acme-dns = [
+    "patroni-acmedns"
+  ];
+
   systemd.services.acme-dns.serviceConfig.EnvironmentFile = with config.age.secrets; [
-    acmeDnsDbCredentials.path
+    "/run/locksmith/patroni-acmedns"
     acmeDnsDirectKey.path
   ];
 
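Review bot: The secret name is spelled twice in this hunk, once under `services.locksmith.waitForSecrets.acme-dns` and again inside the literal `"/run/locksmith/patroni-acmedns"`, so renaming it in one place would leave the unit waiting on one secret while loading its environment from another path. Binding it once in the `let` that precedes `in {`, for example `dbSecret = "patroni-acmedns";`, and writing `"/run/locksmith/${dbSecret}"` keeps the two in step. If the locksmith module exposes the delivered path as an option, referencing that instead of the `/run/locksmith` prefix would be better still, but that is not visible here. A short comment naming the variable the env file is expected to carry would also help, because the acme-dns settings that read it are outside the hunk and a mismatch with what the removed `acmeDnsDbCredentials` file supplied would only show up at service start.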
diff --git a/cluster/services/dns/default.nix b/cluster/services/dns/default.nix
index 6c2ed43..fa75ceb 100644
--- a/cluster/services/dns/default.nix
+++ b/cluster/services/dns/default.nix
@@ -58,6 +58,16 @@ in
     };
   };
 
+  patroni = {
+    databases.acmedns = {};
+    users.acmedns = {
+      locksmith = {
+        nodes = config.services.dns.nodes.authoritative;
+        format = "envFile";
+      };
+    };
+  };
+
   dns.records = {
     securedns.consulService = "securedns";
     "acme-dns-challenge.internal".consulService = "acme-dns";
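Review bot: Nothing at `users.acmedns` says that this block is what produces the `patroni-acmedns` secret the acme-dns unit loads on the authoritative nodes; the name is presumably derived from the provider and user name, which a reader cannot tell from here. A comment above `locksmith = {` such as `# delivered as "patroni-acmedns" (env file) to the authoritative DNS nodes, read by systemd.services.acme-dns` would make the link explicit. `databases.acmedns = {}` takes every default, so the ownership and grants of the `acmedns` role are decided inside the patroni module and cannot be checked from this hunk; it is worth confirming the role is limited to its own database. If the credential previously referenced as `acmeDnsDbCredentials` is still valid on the database side, it should be retired once this generated one is in use.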