diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix
index 1df4b3c..54247d1 100644
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@@ -18,6 +18,7 @@
     ./services/hasenloch.nix
     ./services/syncthing.nix
     ./services/monitoring.nix
+    ./services/workadventure.nix
   ];
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
diff --git a/hosts/hainich/services/workadventure.nix b/hosts/hainich/services/workadventure.nix
new file mode 100644
index 0000000..343b09f
--- /dev/null
+++ b/hosts/hainich/services/workadventure.nix
@@ -0,0 +1,108 @@
+{pkgs, lib, config, ...}:
+
+let
+  wa-container-ip = "fd00::42:16";
+  # this is a static "secret" that is also compiled into workadventure,
+  # so it seems ok to put it into the nix store
+  coturn-auth-secret = "990bc6fc68c720a9159f9c7613b2dcc3cc9ffb4f";
+  # domain on which workadventure is served
+  domain = "turn.hacc.space";
+
+
+  # FUNFACT:
+  # the nixos-container module is sufficiently broken that if you move these
+  # fetchgits into the container config below, Nix will run into infinite recursion!
+  
+  # contains the workadventure module
+  haccpkgssrc = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/workadventure-nix-hacc";
+    rev = "23a085b0386595f9e769ef3c182749cecc342ead";
+    sha256 = "199np37dkhk52lsjw0f9x2h9vfi86xs18gk5pfijs6pc1hr11scd";
+  };
+  # contains the hacc assembly map
+  fediventure = pkgs.fetchgit {
+    url = "https://gitlab.infra4future.de/stuebinm/fediventure-simple";
+    rev = "791fe2dce2374e1ff8b1cf4dc54bf9aac2b5c8a8";
+    sha256 = "0jzkwqvzpj6vrgrilm5ijmlbk2dvkmar3dmar5nhfply4m1za1xy";
+  };
+  haccpkgs = (import "${haccpkgssrc}/default.nix") {inherit pkgs lib;};
+
+in
+{
+  # not the most intuitive of container names, but "workadventure" is too long
+  containers.wa-void = {
+    
+    config = {config, pkgs, ...}: {
+        imports = [ "${fediventure}/workadventure.nix" ];
+        networking.firewall.allowedTCPPorts = [ 80 ];
+
+        services.workadventure.instances."workadventure" = {
+          nginx = {
+            default = true;
+            inherit domain;
+          };
+          maps.path = haccpkgs.workadventure-hacc-rc3-map.outPath + "/";
+          frontend.defaultMap = "/main.json";
+          frontend.settings = {
+            stunServer = "stun:turn.hacc.space:3478";
+            turnServer = "turn:95.217.159.23";
+            turnUser = "turn";
+            turnPassword = coturn-auth-secret;
+            jitsiUrl = "meet.ffmuc.net";
+            defaultMapUrl = "/main.json";
+          };
+        };
+      };
+    
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:14";
+    localAddress6 = wa-container-ip;
+
+    autoStart = true;
+
+  };
+  
+  services.coturn = {
+    enable = true;
+    realm = "turn.hacc.space";
+    static-auth-secret = coturn-auth-secret;
+    use-auth-secret = true;
+    no-cli = true;
+    no-tcp-relay = true;
+
+    cert = config.security.acme.certs."turn.hacc.space".directory + "full.pem";
+    pkey = config.security.acme.certs."turn.hacc.space".directory + "key.pem";
+  };
+
+  
+  services.nginx = {
+    virtualHosts."void.hacc.space" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://[${wa-container-ip}]";
+        proxyWebsockets = true;
+      };
+    };
+    # this isn't actually needed, but acme requires a webserver to serve
+    # challanges, so I guess it's easier to just define a virtualHost here
+    virtualHosts."turn.hacc.space" = {
+      enableACME = true;
+      forceSSL = true;
+    };
+  };
+  
+
+  networking.firewall = with config.services.coturn;
+    let 
+      ports = [ listening-port tls-listening-port ];
+    in {
+      allowedTCPPorts = [ 80 ] ++ ports;
+      allowedUDPPorts = ports;
+      allowedUDPPortRanges = [
+        { from = min-port; to = max-port; }
+      ];
+    };
+
+}
+