diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 630f904c7b8afea15cfcab5cd26f7e46877f2846..7b0cd029f6d5ea9891461b8521dfa724ef95acab 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -55,10 +55,12 @@ locals {
     "archlinux.org" = {
       server_type = "cx22"
       domain      = "@"
+      http3       = true
     }
     "aur.archlinux.org" = {
       server_type = "cx52"
       domain      = "aur"
+      http3       = true
     }
     "bbs.archlinux.org" = {
       server_type = "cx22"
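Review bot: The new `http3` attribute on the `archlinux.org` and `aur.archlinux.org` entries has no comment saying what it controls; in this diff it only feeds the `*_https` DNS records in templates.tf. Advertising `alpn=h3` makes clients try QUIC on UDP/443, so the flag should be set only where the host serves HTTP/3 and the firewall admits UDP/443, neither of which is visible here. I would add a comment at the first use, e.g. `# http3: publish an HTTPS (SVCB) record advertising h2,h3; host must serve QUIC on UDP/443`. The same applies to the `wiki.archlinux.org` and `www` entries in the later hunks; the `locals` block starts and ends outside this hunk.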
@@ -154,6 +156,7 @@ locals {
     "wiki.archlinux.org" = {
       server_type = "cx32"
       domain      = "wiki"
+      http3       = true
     }
     "worker1.buildbot.pkgbuild.com" = {
       server_type = "cx22"
@@ -294,6 +297,7 @@ locals {
     www = {
       ipv4_address = hcloud_server.machine["archlinux.org"].ipv4_address
       ipv6_address = hcloud_server.machine["archlinux.org"].ipv6_address
+      http3        = true
     }
   }
 
diff --git a/tf-stage1/templates.tf b/tf-stage1/templates.tf
index e2a5928d6476c843149f0169e05829b3e59b7492..804abc17fe57256b9f457162fb9581f3a778aa3d 100644
--- a/tf-stage1/templates.tf
+++ b/tf-stage1/templates.tf
@@ -76,6 +76,18 @@ resource "hetznerdns_record" "pkgbuild_com_aaaa" {
   type    = "AAAA"
 }
 
+resource "hetznerdns_record" "pkgbuild_org_https" {
+  for_each = {
+    for k, v in local.pkgbuild_com_a_aaaa : k => v if try(v.http3, false)
+  }
+
+  zone_id = hetznerdns_zone.pkgbuild.id
+  name    = each.key
+  ttl     = lookup(local.pkgbuild_com_a_aaaa[each.key], "ttl", null)
+  value   = "1 . alpn=h2,h3 ipv4hint=${each.value.ipv4_address} ipv6hint=${each.value.ipv6_address}"
+  type    = "HTTPS"
+}
+
 resource "hetznerdns_record" "archlinux_org_txt" {
   for_each = local.archlinux_org_txt
 
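Review bot: The resource is named `pkgbuild_org_https`, but it reads `local.pkgbuild_com_a_aaaa` and writes to `hetznerdns_zone.pkgbuild`, and the neighbouring resource is `pkgbuild_com_aaaa`; `pkgbuild_com_https` would match. Renaming after the first apply changes the resource address and needs a `moved` block or a state move, so it is cheapest to fix now. No entry of `pkgbuild_com_a_aaaa` is given `http3` in this diff, so the resource presumably creates nothing yet.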
@@ -116,6 +128,18 @@ resource "hetznerdns_record" "archlinux_org_aaaa" {
   type    = "AAAA"
 }
 
+resource "hetznerdns_record" "archlinux_org_https" {
+  for_each = {
+    for k, v in local.archlinux_org_a_aaaa : k => v if try(v.http3, false)
+  }
+
+  zone_id = hetznerdns_zone.archlinux.id
+  name    = each.key
+  ttl     = lookup(local.archlinux_org_a_aaaa[each.key], "ttl", null)
+  value   = "1 . alpn=h2,h3 ipv4hint=${each.value.ipv4_address} ipv6hint=${each.value.ipv6_address}"
+  type    = "HTTPS"
+}
+
 resource "hetznerdns_record" "archlinux_org_cname" {
   for_each = local.archlinux_org_cname
 
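Review bot: `value` in `archlinux_org_https` interpolates `each.value.ipv4_address` unconditionally, so an entry of `local.archlinux_org_a_aaaa` that sets `http3 = true` without an IPv4 address would presumably fail at plan time; `machine_https` further down already branches on `ipv4_enabled`. If IPv6-only entries are possible here, the hint could be made optional the same way; otherwise a one-line comment such as `# entries with http3 must define both ipv4_address and ipv6_address` would do. `ttl` can also read `lookup(each.value, "ttl", null)`, since `each.value` is the same object as `local.archlinux_org_a_aaaa[each.key]`; the same two remarks hold for `pkgbuild_org_https`.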
@@ -221,6 +245,21 @@ resource "hetznerdns_record" "machine_aaaa" {
   type    = "AAAA"
 }
 
+resource "hetznerdns_record" "machine_https" {
+  for_each = {
+    for name, machine in local.machines : name => machine if can(machine.domain) && try(machine.http3, false)
+  }
+
+  zone_id = lookup(local.machines[each.key], "zone", hetznerdns_zone.archlinux.id)
+  name    = each.value.domain
+  ttl     = lookup(local.machines[each.key], "ttl", null)
+  value = (try(local.machines[each.key].ipv4_enabled, true) ?
+    "1 . alpn=h2,h3 ipv4hint=${hcloud_server.machine[each.key].ipv4_address} ipv6hint=${hcloud_server.machine[each.key].ipv6_address}" :
+    "1 . alpn=h2,h3 ipv6hint=${hcloud_server.machine[each.key].ipv6_address}"
+  )
+  type = "HTTPS"
+}
+
 resource "hetznerdns_record" "geo_ns1" {
   for_each = local.geo_domains