diff --git a/narwhal/acme_renew/Makefile b/narwhal/acme_renew/Makefile
index fd8cec3..711f7af 100644
--- a/narwhal/acme_renew/Makefile
+++ b/narwhal/acme_renew/Makefile
@@ -33,26 +33,39 @@ SSH_KEY=/srv/certs/ssh/users/dags/id_ed25519
 # target, it will be run each time, but the certificate files will only be
 # updated if a renewal happens
+CERT_DOMAINS=-d $(DOMAIN) -d '*.$(DOMAIN)' -d '*.narwhal.$(DOMAIN)' -d '*.caladan.$(DOMAIN)' -d '*.xmpp.$(DOMAIN)'
+
 $(FULLCHAIN): renew_certs
 $(CERT): renew_certs
 $(KEY): renew_certs
-GOPASS=doas -u gopass gopass
-LINODE_TOKEN = $(shell $(GOPASS) linode.com/token)
+HETZNER_TOKEN=/srv/secrets/hetzner_token
 DOCKER_IMAGE=neilpang/acme.sh
 ACME_DATA_DIR=/mnt/docker_volumes/acmesh/data
-RENEW_CMD="/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" --config-home "/acme.sh"
+ACMESH=docker run --rm -it \
+ -v $(ACME_DATA_DIR):/acme.sh \
+ -v $(CERT_PATH):/acme.sh/$(DOMAIN) \
+ -e "HETZNER_Token=$$(cat $(HETZNER_TOKEN))" \
+ $(DOCKER_IMAGE) \
+ /root/.acme.sh/acme.sh
-renew_certs:
+
+RENEW_CMD=--cron --home /root/.acme.sh --config-home /acme.sh
+
+# DNS_ARGS=--dns dns_linode_v4 --dnssleep 900
+DNS_ARGS=--dns dns_hetzner
+ISSUE_CMD=--issue $(DNS_ARGS) $(CERT_DOMAINS) --server letsencrypt
+
+renew_certs: $(HETZNER_TOKEN) $(ACME_DATA_DIR)/account.conf
 @echo "renewing certs"
- @docker run --rm -it \
- -v $(ACME_DATA_DIR):/acme.sh \
- -v $(CERT_PATH):/acme.sh/$(DOMAIN) \
- -e "LINODE_V4_API_KEY=$(LINODE_TOKEN)" \
- $(DOCKER_IMAGE) \
- $(RENEW_CMD)
+ $(ACMESH) $(RENEW_CMD)
+
+$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)
+ @echo "issuing certificate and saving acme.sh account configuration"
+ @mkdir -p $(@D)
+ $(ACMESH) $(ISSUE_CMD)
 ###############################################################################
 # Sync the certs to remote hosts and trigger DAGs there
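Review bot: `ACMESH` passes the secret to `docker run` as a `-e "HETZNER_Token=$$(cat $(HETZNER_TOKEN))"` argument, so the token value sits in the docker client's argv where any local user can read it with `ps` for the life of the run; the justfile's new `acmesh` recipe in this commit does the same for both tokens. Passing only the variable name keeps it out of argv: `ACMESH=HETZNER_Token="$$(cat $(HETZNER_TOKEN))" docker run --rm -it \` together with `-e HETZNER_Token \` (note `docker inspect` still exposes container env either way). Separately, `$(ACME_DATA_DIR)/account.conf: $(HETZNER_TOKEN)` means a rotated token file makes the next run re-execute `--issue` instead of `--cron`; whether acme.sh then skips a fresh issuance is not visible here, so an order-only prerequisite (`| $(HETZNER_TOKEN)`) would avoid the question. `HETZNER_TOKEN` holds a file path rather than a token, so `HETZNER_TOKEN_FILE` would read less surprisingly next to the `HETZNER_Token` env var, and the commented-out `# DNS_ARGS=--dns dns_linode_v4 --dnssleep 900` line is dead config that is better dropped or explained.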
@@ -77,7 +90,7 @@ $(FUGU_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
 dags@fugu:$(CERT_PATH)
 touch $@
-KVMD_PST_DATA = /var/lib/kvmd/pst/data
+KVMD_PST_DATA=/var/lib/kvmd/pst/data
 $(PIKVM_SYNC): $(FULLCHAIN) $(CERT) $(KEY)
 mkdir -p $(@D)
diff --git a/narwhal/acme_renew/justfile b/narwhal/acme_renew/justfile
index 457936e..7fbd3a9 100755
--- a/narwhal/acme_renew/justfile
+++ b/narwhal/acme_renew/justfile
@@ -5,3 +5,18 @@ run:
 render:
 make --file ../../common/render-dag.make
+
+acme_data_dir := "/mnt/docker_volumes/acmesh/data"
+domain := "monotremata.xyz"
+certs_path := "/srv/certs/acme"
+linode_token := `cat /srv/secrets/linode_token`
+hetzner_token := `cat /srv/secrets/hetzner_token`
+
+acmesh *args:
+ docker run --rm -it \
+ -v {{acme_data_dir}}:/acme.sh \
+ -v {{certs_path}}/{{domain}}:/acme.sh/{{domain}} \
+ -e "LINODE_V4_API_KEY={{linode_token}}" \
+ -e "HETZNER_Token={{hetzner_token}}" \
+ neilpang/acme.sh \
+ /root/.acme.sh/acme.sh {{args}}
diff --git a/narwhal/ddns/Makefile b/narwhal/ddns/Makefile
index 2f597ea..7d3d19d 100644
--- a/narwhal/ddns/Makefile
+++ b/narwhal/ddns/Makefile
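Review bot: `linode_token := `cat /srv/secrets/linode_token`` and the `-e "LINODE_V4_API_KEY=..."` line keep the Linode credential in play even though the Makefile hunk in this same commit removes Linode entirely, so the justfile now reads a secret nothing needs. As far as I recall, just evaluates top-level backtick assignments when the justfile is loaded, which would mean every recipe here, including `render`, reads both secret files and fails if either is missing or unreadable; if that is intended it deserves a comment, otherwise reading the token inside the `acmesh` recipe body limits it to that recipe. Dropping the two Linode lines also keeps the justfile's `acmesh` helper consistent with the Makefile's `ACMESH` definition.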
@@ -5,72 +5,34 @@ TTL ?= 300
 WD=/var/lib/dags/ddns
 GET_IP_URL = ifconfig.me/ip
-LINODE_API_URL = https://api.linode.com/v4
 HETZNER_API_URL = https://dns.hetzner.com/api/v1
 STATE_DIR = $(WD)/$(RECORD_NAME).$(DOMAIN_NAME)
 HOST_IP = $(STATE_DIR)/host_ip.txt
-UPDATE_RECORD_LINODE = $(STATE_DIR)/updated_record_linode
 UPDATE_RECORD_HETZNER = $(STATE_DIR)/updated_record_hetzner
-GOPASS=doas -u gopass gopass
 CURL = curl --silent
-LINODE_TOKEN = $(shell cat /srv/secrets/linode_token)
-AUTH_CURL_LINODE = $(CURL) -H "Authorization: Bearer $(LINODE_TOKEN)"
-LINODE_DOMAIN_ID = $(STATE_DIR)/linode_domain_id.txt
-LINODE_RECORD_ID = $(STATE_DIR)/linode_record_id.txt
-
 HETZNER_TOKEN = $(shell cat /srv/secrets/hetzner_token)
 AUTH_CURL_HETZNER = $(CURL) -H 'Auth-API-Token: $(HETZNER_TOKEN)'
 HETZNER_ZONE_ID = $(STATE_DIR)/hetzner_zone_id.txt
 HETZNER_RECORD_ID = $(STATE_DIR)/hetzner_record_id.txt
 HETZNER_UPDATE_BODY = $(STATE_DIR)/hetzner_update_body.json
-define get_id_linode
- jq --raw-output '.["data"][] | select(.["$(1)"] == "$(2)")["id"]'
-endef
-
 define get_id_hetzner
 jq --raw-output '.["$(1)"][] | select(.["name"] == "$(2)")["id"]'
 endef
 .PHONY: all force clean
-all: $(UPDATE_RECORD_LINODE) $(UPDATE_RECORD_HETZNER)
-
-# Linode-specific #############################################################
-
-# because the ip state is only updated when the IP changes, we should only need
-# to update the record when that happens
-$(UPDATE_RECORD_LINODE): $(HOST_IP) $(LINODE_DOMAIN_ID) $(LINODE_RECORD_ID)
- @echo "updating linode record"
- @$(AUTH_CURL_LINODE) \
- -H "Content-Type: application/json" \
- -X PUT -d '{ "target": "'"$$(cat $<)"'" }' \
- "$(LINODE_API_URL)/domains/$$(cat $(LINODE_DOMAIN_ID))/records/$$(cat $(LINODE_RECORD_ID))"
- @touch $@
-
- # the domain id should not change and this should only ever need to run once
-$(LINODE_DOMAIN_ID):
- @echo "fetching linode domain id"
- @mkdir -p $(@D)
- @$(AUTH_CURL_LINODE) $(LINODE_API_URL)/domains | \
- $(call get_id_linode,domain,$(DOMAIN_NAME)) | \
- tee $@
-
- # the register id should not change and this should only ever need to run once
-$(LINODE_RECORD_ID): $(LINODE_DOMAIN_ID)
- @echo "fetching linode record id"
- @mkdir -p $(@D)
- @$(AUTH_CURL_LINODE) $(LINODE_API_URL)/domains/$$(cat $<)/records | \
- $(call get_id_linode,name,$(RECORD_NAME)) | \
- tee $@
+all: $(UPDATE_RECORD_HETZNER)
 # Hetzner-specific #############################################################
+# because the ip state is only updated when the IP changes, we should only need
+# to update the record when that happens
 $(UPDATE_RECORD_HETZNER): $(HETZNER_UPDATE_BODY) $(HETZNER_RECORD_ID)
 @echo "updating hetzner record"
 @mkdir -p $(@D)
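Review bot: The comment moved onto `$(UPDATE_RECORD_HETZNER)` talks about "the ip state", but this rule's prerequisites are `$(HETZNER_UPDATE_BODY)` and `$(HETZNER_RECORD_ID)`, not `$(HOST_IP)` as the deleted Linode rule had; presumably the body file is regenerated from `$(HOST_IP)` in a rule outside this hunk, so the comment should say so, e.g. `# the update body is only regenerated when $(HOST_IP) changes, so the PUT below runs only then`. With Linode gone, `HETZNER_TOKEN = $(shell cat /srv/secrets/hetzner_token)` is the only credential path and still uses `=`, which re-reads the secret file on every reference; `HETZNER_TOKEN := $(shell cat /srv/secrets/hetzner_token)` reads it once, and because the value is expanded into `AUTH_CURL_HETZNER` every recipe line using it must stay `@`-silenced to keep the token out of make's echo. The rule body continues past the end of this hunk.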