diff --git a/hosts/hainich/configuration.nix b/hosts/hainich/configuration.nix
index b36b0ab..56bf605 100644
--- a/hosts/hainich/configuration.nix
+++ b/hosts/hainich/configuration.nix
@@ -20,6 +20,7 @@
     ./services/monitoring.nix
     ./services/workadventure.nix
     ./services/mattermost.nix
+    ./services/thelounge.nix
   ];
   boot.loader.grub.enable = true;
   boot.loader.grub.version = 2;
diff --git a/hosts/hainich/services/thelounge.nix b/hosts/hainich/services/thelounge.nix
new file mode 100644
index 0000000..1ce4c72
--- /dev/null
+++ b/hosts/hainich/services/thelounge.nix
@@ -0,0 +1,69 @@
+{ config, lib, pkgs, ... }:
+
+let
+  # necessary since overlays won't propagate into the
+  # container's config
+  thelounge = pkgs.thelounge-hacked;
+in
+{
+  containers.thelounge = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.100.70";
+    localAddress = "192.168.100.71";
+
+    config = {pkgs, config, ...}: {
+
+      services.thelounge = {
+        enable = true;
+
+        extraConfig = {
+          public = true;
+          # respect X-Forwarded-For
+          reverseProxy = true;
+          defaults = {
+            name = "libera chat";
+            host = "irc.eu.libera.chat";
+            port = 6697;
+            # encrypt things!
+            tls = true;
+            # yes, please do actually check the cert …
+            rejectUnauthorized = true;
+            nick = "Guest%%%%";
+            join = "#thelounge";
+          };
+          lockNetwork = true;
+
+          # don't log messages (default is text / sqlite)
+          messageStorage = [];
+
+          # darker theme
+          #theme = "morning";
+
+          # these three should result in having link previews
+          # which are fetched only by the server, then proxied
+          # (i.e. clients won't directly connect to arbitrary
+          # domains to get previews)
+          prefetch = true;
+          prefetchStorage = true;
+          disableMediaPreview = true;
+
+          leaveMessage = "happy haccing";
+        };
+      };
+
+      # override the package we use
+      systemd.services.thelounge.serviceConfig.ExecStart =
+        pkgs.lib.mkForce "${thelounge}/bin/thelounge start";
+
+      networking.firewall.allowedTCPPorts = [ 9000 ];
+    };
+  };
+
+  services.nginx.virtualHosts."webchat.voc.hacc.space" = {
+    locations."/".proxyPass =
+      "http://${config.containers.thelounge.localAddress}:9000";
+    enableACME = true;
+    forceSSL = true;
+  };
+}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index c077df3..ea59e11 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -35,6 +35,26 @@ let
     });
 
     mattermost = callPackage ./mattermost {};
+
+    # a version of the lounge with some extra css that
+    # hides things the hacc-voc doesn't need
+    thelounge-hacked = pkgs.stdenv.mkDerivation {
+      name = "thelounge-hacked";
+      src = pkgs.thelounge;
+
+      phases = [ "buildPhase" "installPhase" ];
+      buildPhase = ''
+        cp $src/* -r .
+        chmod 777 lib/node_modules/thelounge/public/css/style.css
+        cat ${./thelounge/css-patch.css} >> lib/node_modules/thelounge/public/css/style.css
+      '';
+
+      installPhase = ''
+        mkdir -p $out
+        cp * -r $out
+      '';
+    };
+
     inherit (unstable) bottom;
   };
 
diff --git a/pkgs/thelounge/css-patch.css b/pkgs/thelounge/css-patch.css
new file mode 100644
index 0000000..0d058b6
--- /dev/null
+++ b/pkgs/thelounge/css-patch.css
@@ -0,0 +1,24 @@
+
+/* Hides extra fields on connect screen */
+.connect-row:nth-of-type(4) {
+    display: none !important;
+}
+
+.connect-row:nth-of-type(2) {
+    display: none !important;
+}
+
+.connect-row:nth-of-type(5) {
+    display: none !important;
+}
+
+
+/* Hides side panel button */
+.header > button:first-child {
+    display: none !important;
+}
+
+/* Hides channel options button (includes leave option) */
+.header > button:nth-last-child(2) {
+    display: none !important;
+}