diff --git a/machines/dragonwell/caddy.nix b/machines/dragonwell/caddy.nix
index a5868fb..45ab0f0 100644
--- a/machines/dragonwell/caddy.nix
+++ b/machines/dragonwell/caddy.nix
@@ -70,6 +70,9 @@ in {
     "recipes.jolheiser.com".extraConfig = ''
       reverse_proxy localhost:3663
     '';
+    "irc.jolheiser.com".extraConfig = ''
+      reverse_proxy localhost:7658
+    '';
   };
 };
 }
diff --git a/machines/dragonwell/default.nix b/machines/dragonwell/default.nix
index f83dbeb..7c738a4 100644
--- a/machines/dragonwell/default.nix
+++ b/machines/dragonwell/default.nix
@@ -2,7 +2,7 @@
 let
   username = "jolheiser";
   key = ''ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfKqCWtDlS3tgvfT6hQN+ii8UtabIZ+ZNmYN+bLwIa8PHOEW5MbfaqXSlhKkSi4+7SfQDCHphw0SMfhsQ4qMEcoywZ+4niDgKlQEVkl+S/VGbLuPe92NRStkyreZBLPr3Rh7ScNlGHcmHmoV9v7725fMnsMmabGVhpGO84PwNHOfJyv2tx2h6LxFbAV8S44UQu2lc8YLWCK2UvKuRnBerBXLnDQThUUX8UuCFzb786gQzD5XDU0MENbByxiy0XdVGAC+tFXEiSIgFZlFbFYyShgdTP9MzX2MOglEi+ae+1UIFncraW7ptUey7qHFJylpHWWWvE+GTwsg2G50i0FvFj jolheiser@jolheiser'';
 in {
-  imports = [./caddy.nix ./dex.nix ./git-pr.nix ./golink.nix ./gotosocial.nix ./restic.nix ./tandoor.nix ./ugit.nix ./vikunja.nix ./hardware.nix];
+  imports = [./caddy.nix ./dex.nix ./git-pr.nix ./golink.nix ./gotosocial.nix ./restic.nix ./soju.nix ./tandoor.nix ./ugit.nix ./vikunja.nix ./hardware.nix];
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -12,7 +12,7 @@ in {
     firewall = {
       enable = true;
-      allowedTCPPorts = [80 443];
+      allowedTCPPorts = [80 443 6697];
     };
   };
diff --git a/machines/dragonwell/soju.nix b/machines/dragonwell/soju.nix
new file mode 100644
index 0000000..a750536
--- /dev/null
+++ b/machines/dragonwell/soju.nix
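Review bot: The new `"irc.jolheiser.com"` virtual host forwards every request path to the listener on localhost:7658, although the only traffic that port should ever see is the ACME HTTP-01 challenge that soju.nix's `listenHTTP = ":7658"` serves during renewals. Restricting the proxy to that path keeps unrelated requests off a port that is otherwise closed and will answer 502 most of the time: `reverse_proxy /.well-known/acme-challenge/* localhost:7658`. Declaring this virtual host presumably also makes Caddy obtain its own certificate for the name, so the host ends up with two independently renewed certificates for irc.jolheiser.com; a one-line comment on the entry noting that the lego-managed copy under /var/lib/acme is the one soju presents on 6697 would save the next reader from chasing that. The enclosing `virtualHosts` set and the `in {` start before the hunk.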
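Review bot: `allowedTCPPorts = [80 443 6697]` opens a port whose purpose is only discoverable by reading soju.nix, so a short comment keeps the firewall list auditable on its own: `allowedTCPPorts = [80 443 6697]; # 6697: soju IRC bouncer (TLS)`. It is correct that 7658, the ACME HTTP-01 listener soju.nix appears to bind on every interface, is not in this list; it should only be reachable through Caddy. The second hunk's surrounding `networking` set begins outside the hunk, and the collapsed source seems to have lost two blank context lines from it.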
@@ -0,0 +1,31 @@
+{lib, ...}: let
+  baseCertPath = "/var/lib/acme/irc.jolheiser.com";
+in {
+  security.acme = {
+    acceptTerms = true;
+    email = "irc@jolheiser.com";
+    certs."irc.jolheiser.com" = {
+      listenHTTP = ":7658";
+      postRun = "systemctl reload soju";
+      group = "soju";
+    };
+  };
+  services.soju = {
+    enable = true;
+    tlsCertificate = "${baseCertPath}/fullchain.pem";
+    tlsCertificateKey = "${baseCertPath}/key.pem";
+  };
+  systemd.services.soju.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "soju";
+    Group = "soju";
+    ReadOnlyPaths = baseCertPath;
+  };
+  users = {
+    users.soju = {
+      isSystemUser = true;
+      group = "soju";
+    };
+    groups.soju = {};
+  };
+}
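Review bot: `listenHTTP = ":7658"` binds the HTTP-01 challenge listener on all interfaces, yet its only client is Caddy on the same host; lego accepts an interface:port form, so `listenHTTP = "127.0.0.1:7658";` keeps the port unreachable even if the firewall list in default.nix is later widened. The static `soju` user plus `group = "soju"` on the cert is the right way to let the bouncer read key.pem without DynamicUser, and `ReadOnlyPaths = baseCertPath` usefully stops the service from touching the cert directory; a comment such as `# static user so it can be in the acme cert group; ReadOnlyPaths keeps key.pem write-protected from soju` would explain why DynamicUser is forced off. If `services.soju.hostName` is left at its default (the machine's networking.hostName, as far as I recall the module), the bouncer advertises a name that differs from the certificate's subject, so consider `hostName = "irc.jolheiser.com";` — verify against the module before relying on this.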