diff --git a/config/consul.d/server.json b/config/consul.d/server.json
index b49445f..716357e 100644
--- a/config/consul.d/server.json
+++ b/config/consul.d/server.json
@@ -9,8 +9,8 @@
 "verify_incoming": true,
 "verify_outgoing": true,
 "ca_file": "/etc/consul.d/certs/consul-agent-ca.pem",
- "cert_file": "/etc/consul.d/certs/samfelag-server-consul-0.pem",
- "key_file": "/etc/consul.d/certs/samfelag-server-consul-0-key.pem"
+ "cert_file": "/etc/consul.d/certs/samfelag-server-consul.pem",
+ "key_file": "/etc/consul.d/certs/samfelag-server-consul-key.pem"
 },
 "internal_rpc": {
 "verify_server_hostname": true
diff --git a/docs/consul.org b/docs/consul.org
index b8efafc..6a416db 100644
--- a/docs/consul.org
+++ b/docs/consul.org
@@ -1,4 +1,16 @@
 #+title: Consul
+* Server setup
+** Create a server keypair
+Decrypt the CA (from the agenix secrets)
+#+begin_src bash
+agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca.pem.age > ~/tmp/consul-agent-ca.pem
+agenix -i ~/.ssh/id_reykjavik -d consul.d/consul-agent-ca-key.pem.age > ~/tmp/consul-agent-ca-key.pem
+#+end_src
+Create the keypair using consul:
+#+begin_src bash
+nix-shell -p consul
+consul tls cert create -server -dc samfelag
+#+end_src
 * ACLs
 ** Policies
 *** Node Policy
diff --git a/hosts/reykjavik/secrets.nix b/hosts/reykjavik/secrets.nix
index c81f98a..afc14d2 100644
--- a/hosts/reykjavik/secrets.nix
+++ b/hosts/reykjavik/secrets.nix
@@ -2,29 +2,11 @@ { age.secrets = { - # Consul ------------------------------- - "consul.d/gossip.json" = { - file = ../../secrets/consul.d/gossip.json.age; - owner = "consul"; - group = "consul"; - mode = "644"; - }; - "consul.d/consul-agent-ca.pem" = { - file = ../../secrets/consul.d/consul-agent-ca.pem.age; - owner = "consul"; - group = "consul"; - mode = "644"; - }; "consul.d/agent-token-reykjavik.json" = { file = ../../secrets/consul.d/agent-token-reykjavik.json.age; owner = "consul"; group = "consul"; mode = "644"; }; - # Nomad ------------------------------- - "nomad.d/consul-token.json" = { - file = ../../secrets/nomad.d/consul-token.json.age; - mode = "644"; - }; }; } diff --git a/hosts/thingvellir/default.nix b/hosts/thingvellir/default.nix index df6ce59..b767002 100644 --- a/hosts/thingvellir/default.nix +++ b/hosts/thingvellir/default.nix @@ -45,7 +45,10 @@ with lib; # - Server ---------------------------------- server.consul = { enable = true; + server = true; agent-token = config.age.secrets."consul.d/agent-token-thingvellir.json".path; + server-cert = config.age.secrets."consul.d/consul-server-thingvellir.pem".path; + server-cert-key = config.age.secrets."consul.d/consul-server-thingvellir-key.pem".path; }; server.nomad = { enable = true; diff --git a/hosts/thingvellir/hardware.nix b/hosts/thingvellir/hardware.nix index 8d24782..f928552 100644 --- a/hosts/thingvellir/hardware.nix +++ b/hosts/thingvellir/hardware.nix @@ -17,6 +17,12 @@ device = "/dev/disk/by-label/nixos"; fsType = "ext4"; }; + + "/mnt/vatnajokull" = { + device = "vatnajokull:/mnt/raid1"; + fsType = "nfs"; + options = [ "x-systemd.automount" "noauto" "noatime" "x-systemd.idle-timeout=600"]; + }; }; swapDevices = [ diff --git a/hosts/thingvellir/secrets.nix b/hosts/thingvellir/secrets.nix index b9b3520..212ae42 100644 --- a/hosts/thingvellir/secrets.nix +++ b/hosts/thingvellir/secrets.nix 
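Review bot: The new `/mnt/vatnajokull` NFS entry in hosts/thingvellir/hardware.nix pins neither `nfsvers=` nor `sec=` in `options`, so the client negotiates its defaults — on Linux that is `sec=sys` (AUTH_SYS, where the server trusts the UID the client asserts) — and whether that is acceptable for `vatnajokull:/mnt/raid1` is not stated anywhere in the change. If the export is meant to be restricted, make it explicit in the option list and add a one-line comment on what the share is used for; a stronger flavour such as `sec=krb5*` would need a Kerberos setup this diff gives no hint of, so I would at least document the assumption. While there, `"x-systemd.idle-timeout=600"]` is missing the space before `]` that the rest of the list uses. The mount is unrelated to the commit's Consul-certificate subject and would read better as its own commit; the enclosing `fileSystems` attribute set starts outside the hunk.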
@@ -2,29 +2,23 @@ { age.secrets = { - # Consul ------------------------------- - "consul.d/gossip.json" = { - file = ../../secrets/consul.d/gossip.json.age; - owner = "consul"; - group = "consul"; - mode = "644"; - }; - "consul.d/consul-agent-ca.pem" = { - file = ../../secrets/consul.d/consul-agent-ca.pem.age; - owner = "consul"; - group = "consul"; - mode = "644"; - }; "consul.d/agent-token-thingvellir.json" = { file = ../../secrets/consul.d/agent-token-thingvellir.json.age; owner = "consul"; group = "consul"; mode = "644"; }; - # Nomad ------------------------------- - "nomad.d/consul-token.json" = { - file = ../../secrets/nomad.d/consul-token.json.age; + "consul.d/consul-server-thingvellir.pem" = { + file = ../../secrets/consul.d/consul-server-thingvellir.pem.age; + owner = "consul"; + group = "consul"; mode = "644"; }; + "consul.d/consul-server-thingvellir-key.pem" = { + file = ../../secrets/consul.d/consul-server-thingvellir-key.pem.age; + owner = "consul"; + group = "consul"; + mode = "600"; + }; }; } diff --git a/modules/server/consul.nix b/modules/server/consul.nix index 50ab59b..b4f3233 100644 --- a/modules/server/consul.nix +++ b/modules/server/consul.nix @@ -19,6 +19,16 @@ in description = "Agent token config file (should be secret)"; }; + server-cert = lib.mkOption { + type = lib.types.str; + description = "Server certificate (should be secret)"; + }; + + server-cert-key = lib.mkOption { + type = lib.types.str; + description = "Server certificate key (should be secret)"; + }; + }; config = lib.mkIf cfg.enable { services.consul = { @@ -30,6 +40,8 @@ in }; }; + # --- Config files --------------------------------- + environment.etc = { consul-agent-ca = { # Consul agent CA 
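Review bot: The two new `age.secrets` entries in hosts/thingvellir/secrets.nix point `file` at `../../secrets/consul.d/consul-server-thingvellir.pem.age` and `../../secrets/consul.d/consul-server-thingvellir-key.pem.age`, but the files this commit adds and registers in secrets/secrets.nix are `secrets/consul.d/samfelag-server-thingvellir.pem.age` and `samfelag-server-thingvellir-key.pem.age`; unless the `consul-server-*` files already exist outside this diff, the path literals do not resolve and evaluating the host fails. Change them to `file = ../../secrets/consul.d/samfelag-server-thingvellir.pem.age;` and `file = ../../secrets/consul.d/samfelag-server-thingvellir-key.pem.age;` — the attribute names `consul.d/consul-server-thingvellir*.pem` match what hosts/thingvellir/default.nix consumes and can stay. `mode = "600"` with `owner = "consul"` on the key is the right shape, and `644` on the certificate is fine since it is public.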
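Review bot: The descriptions on the new `server-cert` and `server-cert-key` options in modules/server/consul.nix say "should be secret" but not what kind of value is expected; with `type = lib.types.str` and the value spliced straight into `environment.etc.*.source`, a reader could just as well pass a Nix path literal, which would copy the private key into the world-readable Nix store. Say so in the option docs, e.g. `description = "Runtime path (a string such as config.age.secrets.<name>.path) to the server certificate private key. Must not be a Nix path literal: that would copy the key into the world-readable store.";` with matching wording on `server-cert`. The `options` attribute set these sit in begins outside the hunk.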
@@ -62,6 +74,16 @@ in target = "consul.d/server.json"; source = ../../config/consul.d/server.json; }; + consul-server-cert = { + # Consul Server Certificate + target = "consul.d/certs/samfelag-server-consul.pem"; + source = cfg.server-cert; + }; + consul-server-cert-key = { + # Consul Server Certificate Key + target = "consul.d/certs/samfelag-server-consul-key.pem"; + source = cfg.server-cert-key; + }; } else { consul-client-cfg = { # Client config @@ -70,6 +92,23 @@ in }; }); + # --- Secrets --------------------------------- + + age.secrets = { + "consul.d/gossip.json" = { + file = ../../secrets/consul.d/gossip.json.age; + owner = "consul"; + group = "consul"; + mode = "644"; + }; + "consul.d/consul-agent-ca.pem" = { + file = ../../secrets/consul.d/consul-agent-ca.pem.age; + owner = "consul"; + group = "consul"; + mode = "644"; + }; + }; + # networking.firewall.allowedTCPPorts = [ 22 ]; }; } diff --git a/modules/server/nomad.nix b/modules/server/nomad.nix index 72b9091..7c2ae74 100644 --- a/modules/server/nomad.nix +++ b/modules/server/nomad.nix @@ -20,6 +20,9 @@ in enable = true; extraSettingsPaths = [ "/etc/nomad.d" ]; }; + + # --- Config files --------------------------------- + environment.etc = { # Common configuration nomad-common-cfg = { @@ -44,6 +47,15 @@ in }; }; + # --- Secrets --------------------------------- + + age.secrets = { + "nomad.d/consul-token.json" = { + file = ../../secrets/nomad.d/consul-token.json.age; + mode = "644"; + }; + }; + # networking.firewall.allowedTCPPorts = [ 22 ]; }; } diff --git a/secrets/consul.d/agent-token-reykjavik.json.age b/secrets/consul.d/agent-token-reykjavik.json.age index f292dfa..67b1845 100644 Binary files a/secrets/consul.d/agent-token-reykjavik.json.age and b/secrets/consul.d/agent-token-reykjavik.json.age differ 
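Review bot: The `target` names `consul.d/certs/samfelag-server-consul.pem` and `consul.d/certs/samfelag-server-consul-key.pem` in the new `environment.etc` entries must stay in lockstep with the `cert_file`/`key_file` literals in config/consul.d/server.json, which this same commit had to edit when the `-0` suffix was dropped, and nothing ties the two together. Hoisting the two file names into a `let` binding in this module and generating the `tls` stanza from it removes the drift; failing that, a comment `# must match cert_file/key_file in config/consul.d/server.json` on each target. Since no `mode` is set these entries take environment.etc's default, a symlink to the agenix path, so the effective permissions are the secret's own — worth a one-line comment so nobody later sets `mode` here expecting it to take effect. The `environment.etc` expression starts outside the hunk.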
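Review bot: `consul.d/gossip.json` is installed with `mode = "644"` in the `age.secrets` block now in modules/server/consul.nix, so whatever it holds — presumably the gossip encryption key, going by the name — is readable by every local account, not just the `consul` user that already owns it; `mode = "600"` (or `"640"` if a group needs it) is enough for the agent. The same applies to `nomad.d/consul-token.json` in the `age.secrets` hunk of modules/server/nomad.nix, which additionally sets no `owner`, so the token lands with agenix's default owner at `644`; it should be restricted to the account Nomad runs as. The pre-existing `agent-token-*.json` entries in the host files follow the same pattern and could be tightened in a follow-up. The CA certificate at `644` is fine, as it is public.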
diff --git a/secrets/consul.d/agent-token-thingvellir.json.age b/secrets/consul.d/agent-token-thingvellir.json.age index c736977..1a94b60 100644 Binary files a/secrets/consul.d/agent-token-thingvellir.json.age and b/secrets/consul.d/agent-token-thingvellir.json.age differ diff --git a/secrets/consul.d/consul-agent-ca-key.pem.age b/secrets/consul.d/consul-agent-ca-key.pem.age new file mode 100644 index 0000000..de605f7 --- /dev/null +++ b/secrets/consul.d/consul-agent-ca-key.pem.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 GWuf0Q MD7uGzKIk90mRQJVI/HKk9MMbI3HwkwwKEoLc/R8qyQ +m2K5DUI+O+ufDWl1faCwR+9nA8vxAQW5pptwgEhzMJI +--- JkkPxFdtVCa3MQqLCpJ7GBajuyQAyHjwr6fbCV81qdA +6JJ7DYb@3z9WnC R4H-Қ {Fo -ZJ +JDa~DLy\rEGAbfj`!Sfi+w4fA1ye2`L>%'o"'hԵ;3ZHPa @ΊO0[VI|5cSȗ#3U2|,+Z2BaX*0qRglPz5D*#m \ No newline at end of file diff --git a/secrets/consul.d/consul-agent-ca.pem.age b/secrets/consul.d/consul-agent-ca.pem.age index fcb06a4..fffbeef 100644 Binary files a/secrets/consul.d/consul-agent-ca.pem.age and b/secrets/consul.d/consul-agent-ca.pem.age differ diff --git a/secrets/consul.d/gossip.json.age b/secrets/consul.d/gossip.json.age index 97d6681..f57e3dc 100644 Binary files a/secrets/consul.d/gossip.json.age and b/secrets/consul.d/gossip.json.age differ diff --git a/secrets/consul.d/samfelag-server-thingvellir-key.pem.age b/secrets/consul.d/samfelag-server-thingvellir-key.pem.age new file mode 100644 index 0000000..d090129 --- /dev/null +++ b/secrets/consul.d/samfelag-server-thingvellir-key.pem.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 GWuf0Q rk/mFir7HPBGZQnjEXkkC1W4dYIykg4nyZO5Bre1X1w +mSlOb7R0yGvN7tZpn7IJ1u+bdFmkq6aV49CiqsQVgb0 +-> ssh-ed25519 kNjiNQ ceVCk3ZC2MK51rz3sHH18mhehYwoBjexqGpx6VAtkRk +vpTWwICA+aXfJPWY0Q0w14QgF9iy01aWgb7LJJcUiwc +--- GePxJgGNDXcySj0cGXLsbdPDC6BuH5kynzaIkKpDCVw +-3\aQJPe^yfkI$EkPݮ{4{H(}U:gneTv8|Ȅ ir@,1rMn!e-v +(Aڸm;9:y$[ ({jDl1iR~6a=/cH8Qa.EXWrߨLSc4#="%T(‡քCH5qY=jvέ)%Eorћy<}Dߴ1[׎luyN'4LOA?ha \ No newline at end of file 
diff --git a/secrets/consul.d/samfelag-server-thingvellir.pem.age b/secrets/consul.d/samfelag-server-thingvellir.pem.age new file mode 100644 index 0000000..0fed769 Binary files /dev/null and b/secrets/consul.d/samfelag-server-thingvellir.pem.age differ diff --git a/secrets/nomad.d/consul-token.json.age b/secrets/nomad.d/consul-token.json.age index e7d123a..21adaa9 100644 --- a/secrets/nomad.d/consul-token.json.age +++ b/secrets/nomad.d/consul-token.json.age @@ -1,9 +1,10 @@ age-encryption.org/v1 --> ssh-ed25519 GWuf0Q xVuLRTTmTLzFJKyh9RIdq0ZEgoIc6lQs4TlQ9ypb6As -TtblfYeBV1RpE8717ShUFh2wLmM5K5PviOVr0EyG4Qk --> ssh-ed25519 zhVGHw hD2BDVwJMT1nQKvqFU04ih71pFhweIXK9+gk5KzbfGY -KmyxI4yLdlnbvAbENN9bLHFNpB8Hz6EVCLeQNsaHEho --> ssh-ed25519 kNjiNQ 0WpE6n5Cu0F/r0LOpWV8DKtx90xssu6rA706/D0I+Q0 -nCSLiH6A5jsne2Z4tLq05EA3FDYThPvavJqtn4LfO5I ---- qtwiXJDiyOdy3XRMZLdwEWdDkpHVn+COhqmHR86cDJM -30lިUȻǒ-BfuZ#.^qTyi8=\e'YKЯɸ)g Sv7["&.Hݷ8] xg_j #BJg+GCD. \ No newline at end of file +-> ssh-ed25519 GWuf0Q /wrzzNrN9a2vClZgXvEOVVbH2gYBbVZusrctTJBCOgs +e1++RnaBdjxb4nFRfRyzWbF+WVOMXXdwxM+jFEmW2JA +-> ssh-ed25519 zhVGHw 0j9Bpte/gSXNP4hvVGLFNVQe5U7gi74T0U6bh9MKyG4 +pePoX2imP6a9KE8jA0pTw9RgtQ+jCoo+Co9GZTmpY64 +-> ssh-ed25519 kNjiNQ WbUvxmW6MSYBUrpzVgabst/j4y9Jra/osVpPkmo6tHM +2NpznkHXxCR+f9zQ6GXu7Za5QGucGH4Gd7dZneG/R5c +--- ku5kAmF+qTUAlyzlEX4ANNd+g86+dJ33R50umNUma3A +`lMq-:Ue+YB֨p&0cjmO +? | % cyi( ,V{D74Z:SKūrI%{w a}~Wo3d?d?,ȵOi \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index f059f09..8859936 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -19,6 +19,12 @@ in
 # -- Consul -------------------------------
 "consul.d/gossip.json.age".publicKeys = samfelag-hosts;
 "consul.d/consul-agent-ca.pem.age".publicKeys = samfelag-hosts;
+"consul.d/consul-agent-ca-key.pem.age".publicKeys = reykjavik;
+
+# Server certificates
+"consul.d/samfelag-server-thingvellir-key.pem.age".publicKeys = thingvellir;
+"consul.d/samfelag-server-thingvellir.pem.age".publicKeys = thingvellir;
+
 # Agent tokens
 "consul.d/agent-token-reykjavik.json.age".publicKeys = reykjavik;
 "consul.d/agent-token-thingvellir.json.age".publicKeys = thingvellir;
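Review bot: `consul.d/consul-agent-ca-key.pem.age` is encrypted to `reykjavik`, the same binding the agent token for the host under hosts/reykjavik uses; if that is the host's SSH key rather than an operator key, the CA private key that signs every `samfelag` server certificate becomes decryptable on a running cluster node, and a compromise of that node yields the ability to issue trusted server certificates. Nothing in this diff references the CA key from an `age.secrets` entry — docs/consul.org decrypts it by hand with `~/.ssh/id_reykjavik` — so it only needs an offline operator recipient. Consider a dedicated operator key list for it and a comment on the line, e.g. `# CA signing key: offline use only (see docs/consul.org), never installed on a host`. The `reykjavik` and `thingvellir` bindings are defined outside the hunk.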