diff --git a/nixos/machines/pennyworth/default.nix b/nixos/machines/pennyworth/default.nix
index 93f15e0..3f0eab3 100644
--- a/nixos/machines/pennyworth/default.nix
+++ b/nixos/machines/pennyworth/default.nix
@@ -90,6 +90,12 @@ in {
     "media.yori.cc" = sslforward "http://${vpn.ips.frumar}:32001";
   };
   networking.firewall.allowedUDPPorts = [ 31790 ]; # wg
+  networking.firewall.allowedTCPPorts = [ 60307 ]; # weechat relay
+  security.acme.certs."pennyworth.yori.cc".postRun = ''
+    cat fullchain.pem key.pem > /home/yorick/.weechat/ssl/relay.pem
+    chown yorick:users /home/yorick/.weechat/ssl/relay.pem
+    chmod 0600 $_
+  '';
   networking.wireguard.interfaces.wg-y.peers = lib.mkForce (lib.mapAttrsToList
     (machine: publicKey: {
       inherit publicKey;