diff --git a/flake.lock b/flake.lock
index 377c660..13e152b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -55,6 +55,26 @@
 "type": "github"
 }
 },
+ "dicebot": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1776661561,
+ "narHash": "sha256-D8oHASAaW9xTYiysrBz3gsG+Gz+OC25ILOM9sq0pt1M=",
+ "ref": "refs/heads/main",
+ "rev": "86e4751dcc86aa3fa1fa1cdd648bac9be790e6b5",
+ "revCount": 1,
+ "type": "git",
+ "url": "https://forgejo.ellie.town/wizzy/dicebot.git"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://forgejo.ellie.town/wizzy/dicebot.git"
+ }
+ },
 "disko": {
 "inputs": {
 "nixpkgs": [
@@ -182,6 +202,7 @@
 "root": {
 "inputs": {
 "continuwuity": "continuwuity",
+ "dicebot": "dicebot",
 "disko": "disko",
 "nixpkgs": "nixpkgs_2",
 "sops-nix": "sops-nix"
diff --git a/flake.nix b/flake.nix
index 082c2be..a5605fe 100644
--- a/flake.nix
+++ b/flake.nix
@@ -15,6 +15,11 @@
 continuwuity = {
 url = "git+https://forgejo.ellis.link/continuwuation/continuwuity";
 };
+
+ dicebot = {
+ url = "git+https://forgejo.ellie.town/wizzy/dicebot.git";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 
 outputs =
@@ -23,6 +28,7 @@
 disko,
 sops-nix,
 continuwuity,
+ dicebot,
 ...
 }:
 let
@@ -35,7 +41,7 @@
 {
 nixosConfigurations.home-server = nixpkgs.lib.nixosSystem {
 inherit system;
- specialArgs = { inherit continuwuity; };
+ specialArgs = { inherit continuwuity dicebot; };
 modules = [
 disko.nixosModules.disko
@@ -56,6 +62,7 @@
 ./services/website.nix
 ./services/wireguard-inner.nix
 ./services/matrix.nix
+ ./services/dicebot.nix
 ./services/ergo.nix
 ./services/forgejo.nix
 ./services/forgejo-runner.nix
diff --git a/services/dicebot.nix b/services/dicebot.nix
new file mode 100644
index 0000000..b5f7a22
--- /dev/null
+++ b/services/dicebot.nix
@@ -0,0 +1,62 @@
+{ config, dicebot, ... }:
+
+let
+ dicebotPkg = dicebot.packages.x86_64-linux.default;
+in
+{
+ sops.secrets."dicebot/password" = {
+ sopsFile = ./secrets/dicebot.yaml;
+ };
+
+ # Assemble the env file from the sops-decrypted password. systemd reads
+ # EnvironmentFile at start time, so the secret never touches /nix/store.
+ sops.templates."dicebot.env" = {
+ content = ''
+ DICEBOT_PASSWORD=${config.sops.placeholder."dicebot/password"}
+ '';
+ owner = "dicebot";
+ };
+
+ users.users.dicebot = {
+ isSystemUser = true;
+ group = "dicebot";
+ home = "/var/lib/dicebot";
+ };
+ users.groups.dicebot = { };
+
+ systemd.services.dicebot = {
+ description = "Matrix dice-rolling bot";
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ environment = {
+ DICEBOT_HOMESERVER = "http://10.10.0.2:8008";
+ DICEBOT_USERNAME = "@dicebot:ellie.town";
+ DICEBOT_ALLOW_LIST = "@.*:ellie\\.town";
+ DICEBOT_STATE_DIR = "/var/lib/dicebot";
+ RUST_LOG = "info,headjack=info";
+ };
+
+ serviceConfig = {
+ ExecStart = "${dicebotPkg}/bin/dicebot";
+ EnvironmentFile = config.sops.templates."dicebot.env".path;
+ User = "dicebot";
+ Group = "dicebot";
+ StateDirectory = "dicebot";
+ StateDirectoryMode = "0700";
+ Restart = "on-failure";
+ RestartSec = "10s";
+
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictSUIDSGID = true;
+ LockPersonality = true;
+ };
+ };
+}
diff --git a/services/secrets/dicebot.yaml b/services/secrets/dicebot.yaml
new file mode 100644
index 0000000..f8e46ae
--- /dev/null
+++ b/services/secrets/dicebot.yaml
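Review bot: `DICEBOT_HOMESERVER = "http://10.10.0.2:8008"` in the `environment` block means the password materialised from the sops env file is, presumably at login, sent to the homeserver in plaintext; if 10.10.0.2 is only reachable through the tunnel that flake.nix's `./services/wireguard-inner.nix` sets up (which the address suggests but this hunk does not show), record that next to the line, e.g. `# plain http is deliberate: 10.10.0.2 is the homeserver's WireGuard-internal address and is never routed outside the tunnel`, otherwise point the bot at the TLS endpoint. `DICEBOT_ALLOW_LIST = "@.*:ellie\\.town"` is only as strict as the bot's matching: if the pattern is not anchored on the bot side, an MXID such as `@x:ellie.town.example` also passes, so `"^@[^:]+:ellie\\.town$"` is the safer spelling at no cost. The hardening set in `serviceConfig` is a good start but still grants the full capability bounding set, every address family and the whole syscall surface; the additions below are standard systemd.exec options that should be behaviour-preserving for a bot that only opens TCP to the homeserver (AF_UNIX is kept for the local resolver socket). `dicebotPkg` hard-codes `x86_64-linux` although flake.nix passes `system` to nixosSystem; `dicebot.packages.${pkgs.stdenv.hostPlatform.system}.default`, with `pkgs` added to the module arguments, keeps the two in step.
```nix
    serviceConfig = {
      # … unchanged: ExecStart, EnvironmentFile, User/Group, StateDirectory*, Restart* …
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      NoNewPrivileges = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      ProtectProc = "invisible";
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      LockPersonality = true;
      # drop this one if the binary turns out to need writable+executable mappings
      MemoryDenyWriteExecute = true;
      CapabilityBoundingSet = "";
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];
    };
```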
@@ -0,0 +1,17 @@
+dicebot:
+ password: ENC[AES256_GCM,data:hZvsxbxTUaHk6UFQlhvJuvvfkVcvCmx9Iw==,iv:lXSag76kLJ3l7uvv0zPBhXG090FsBzMGdJCBeTh4TX8=,tag:1kpYwiy1UHgaP0a0yq4MJA==,type:str]
+sops:
+ age:
+ - recipient: age126v48dgev6pu3uhe7dtpdhax2yes2ff9u42ke2k2h97e90z8d4psedau7u
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpOHpZOGhhSzFDVzdMS09h
+ UnJXR3didFVsUHBqd1lzMExJYmdTVEJCdlRjCitBQVRBMmtkVFFZRFN2dlVlUG9h
+ ZXg5RGkyRnQ4aTg2djVab0RHdnBwV3cKLS0tIEJLUkZva3Q5aGtNTURJOHhwbnZ5
+ UHFPejQ0QWZkV0N6RUVna0FjU3pLdEUKJAsgu2KwPICpDz75yHALUkOykMs+DGQf
+ +BG37m/berZhD+iXldSG7c2uIzQfK9SLYDmaxn+tuqdkXa5OfFuPEQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-04-20T05:14:16Z"
+ mac: ENC[AES256_GCM,data:1I8HbOnlO6DeQsuhKff+LGV5CCdisFMynsludXB3zHCG4MMpjZf7uhMsVbPLANtBCzz5pgU6lthcoA7oBAlNrGEyoRN0P6W7lrQerMrUDs9acFX1BHZt5+i9Y3FtXxKwCxAgbPhRFRUBYWLRYS8WDMWxQ+5Te27ETWrkF9XP+4k=,iv:XunfIVyxIyiLgvuc2faQnriuqVVIjdjjdmYd9AalwAU=,tag:cgJMMP35XMdTlC+fVW7L2A==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.12.1