diff --git a/modules/system/homelab/tunnels.nix b/modules/system/homelab/tunnels.nix
index 7214d4b..25c06bc 100644
--- a/modules/system/homelab/tunnels.nix
+++ b/modules/system/homelab/tunnels.nix
@@ -1,16 +1,36 @@
-{ homelab, ... }: {
+{ pkgs, lib, homelab, ... }: let
+  routes = {
+    "git.${homelab.domain}"     = "http://localhost:3000";
+    "auth.${homelab.domain}"    = "http://localhost:1411";
+    "dash.${homelab.domain}"    = "http://localhost:5070";
+    "gallery.${homelab.domain}" = "http://localhost:2284";
+  };
+in {
   services.cloudflared = {
     enable = true;
     tunnels.homelab = {
       credentialsFile = "/mnt/data/cloudflared/homelab.json";
       certificateFile = "/mnt/data/cloudflared/cert.pem";
       default = "http_status:404";
-      ingress = {
-        "git.${homelab.domain}"     = "http://localhost:3000";
-        "auth.${homelab.domain}"    = "http://localhost:1411";
-        "dash.${homelab.domain}"    = "http://localhost:5070";
-        "gallery.${homelab.domain}" = "http://localhost:2284";
+      ingress = routes;
+    };
+    
+    systemd.services.cloudflared-dns-route = {
+      description = "Sync Cloudflare Tunnel DNS routes";
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      
+      serviceConfig = {
+        RemainAfterExit = true;
+        Type = "oneshot";
+        User = "root";
       };
+  
+      script = lib.concatMapStringsSep "\n" (domain: ''
+        echo "Ensuring DNS route for ${domain}..."
+        ${pkgs.cloudflared}/bin/cloudflared tunnel --origincert /mnt/data/cloudflared/cert.pem route dns ${homelab.cf-tunnel-id} ${domain} || true
+      '') builtins.attrNames routes;
     };
   };
 }
\ No newline at end of file