diff --git a/hosts/oparic-local-dev/configuration.nix b/hosts/oparic-local-dev/configuration.nix
index a4ee2ea..3b3b5de 100644
--- a/hosts/oparic-local-dev/configuration.nix
+++ b/hosts/oparic-local-dev/configuration.nix
@@ -96,5 +96,26 @@
 sops.defaultSopsFile = ../../secrets/hosts/oparic-local-dev.yaml;
 sops.age.keyFile = "/var/lib/sops/age/keys.txt";
+ sops.secrets.caddy_cloudflare_api_key = {
+ owner = "caddy";
+ };
+ # Caddy 反向代理 + Cloudflare DNS challenge 通配符证书
+ services.caddy = {
+ enable = true;
+ package = pkgs.caddy.withPlugins {
+ plugins = [ "github.com/caddy-dns/cloudflare@v0.2.4" ];
+ hash = "sha256-VHm9POg2KixGsMsAcfFFDMK9x6niRJ1iJV9kkSwkSjc=";
+ };
+ virtualHosts."*.testing.oparic.luo.ee" = {
+ extraConfig = ''
+ tls {
+ dns cloudflare {file.${config.sops.secrets.caddy_cloudflare_api_key.path}}
+ }
+ reverse_proxy localhost:40000
+ '';
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+
 system.stateVersion = "23.11";
 }
diff --git a/secrets/hosts/oparic-local-dev.yaml b/secrets/hosts/oparic-local-dev.yaml
new file mode 100644
index 0000000..97d8de5
--- /dev/null
+++ b/secrets/hosts/oparic-local-dev.yaml
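Review bot: The added `networking.firewall.allowedTCPPorts = [ 80 443 ];` opens both ports on every interface, while the wildcard virtual host forwards any `*.testing.oparic.luo.ee` name to `localhost:40000` with no access control in front of it, so whatever listens on that port is reachable from every network this dev host is attached to. If the service is only meant for a LAN or VPN, scope the rule per interface, e.g. `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 80 443 ];` (placeholder interface name); port 80 is not needed for issuance because the certificate comes from the DNS challenge. The secret is named an API key, but the diff cannot show what kind of credential it is, so it is worth confirming that it is a Cloudflare API token scoped to DNS edit on this one zone rather than an account-wide key. Adding `restartUnits = [ "caddy.service" ];` next to `owner = "caddy";` would let a rotated token take effect without a manual restart, since the `{file.…}` placeholder is presumably read when Caddy loads its config. The module body starts above the hunk, so any existing firewall or Caddy settings elsewhere in the file are not visible here.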
@@ -0,0 +1,25 @@
+caddy_cloudflare_api_key: ENC[AES256_GCM,data:AXil/BHboMREDOXfgV/F0BIWYE9+Rq/kdpQhtOkh+yTOLsF9mmP89HQV7VFiOWjXGMvvAlU=,iv:CmqMVBLv55lwt371FJ/1qXY2On1Ilhdm3mzM6cKCw/o=,tag:36poStmxIS9cXk5a7tsNSw==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSjk0cDFsY1JFRFR5WE1Q
+ ZXlJRTJCNjIyT29XYXkranJqbjAySVA0aEE0CmVEWGo5bVhvd1c5MEVDTjZ2NWpp
+ VEtTd2Z4bGZLd3R4YnhVKzZLS3pnckkKLS0tIEorcW5aejFtMnlEZjhTNmhZWXdt
+ RFM1MEFjT29BOUptT0lNazdQK1BNeUEK29JlPkRvbz7HRyB0s+0JHv7fd3i9uMKF
+ SBEoPrIXWuoNUKmCuZlqJVNIWPEV2v3/tpFWbL9sXN/6qoGpt30csw==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1nlta6ek2fsre42g38ytwg3fxtra4h444psd7g986md0gzmvv6d5qqlwwjy
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsVmhxemI1S05zTW9sMzFB
+ WHVsaEpuNFU5cFZuWWI0Vnd2NFFQb1pvWWwwCmtHU2Y2ZFY2TTVIL1oxckVHbWxt
+ aVFTVW4wa3JWa2hNcjVmYm51VGZYNlkKLS0tIG44OGJWL0tab2diWkt4M1hEUmFS
+ ZXlBbjUramhvMXYxQlVSMEh4OEh5eDgKTJMgvoo2Wgn/FsoXsA0mCweUhmqhAGp/
+ nIvGJsDz88QS+nVGybLkekl6LM+UR+sRy7fttDzX49Oxre7ovkSVyw==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1mgxmpfpy6qg374kyq66cc5yw68qfw0mlk89rcdy3lkzw9q93jvwqg73395
+ lastmodified: "2026-05-17T04:26:09Z"
+ mac: ENC[AES256_GCM,data:XVocfoUXqh7ntKfM64sveo36xHgIX/4zM1dN1ML7Iu4qEsOB1YvHfS80z8KtJxY6ZTWl/XjqeT8YzQ2TSgpPAnND6DQ5dUiXz3G5jqZ8Foa6SQGdfqD5Yk6yBW+GRPHQUIhxBbJLeNtacRQRAC3vBuMdTqX7W/C9leLEt73B1WQ=,iv:XhwXnIXLqBfGRk9lymCGGby+SzYY0dDByPZL8AWk+xg=,tag:ryfQteA2Ul2rP8Y1NgdaOQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.13.0