diff --git a/manifests/setup.pp b/manifests/setup.pp
index 832edf49e9fb61bfd17676d271dd34da3562854b..a356e8e8b31321f1e48c09a9ae3c8106e91686fb 100644
--- a/manifests/setup.pp
+++ b/manifests/setup.pp
@@ -76,6 +76,30 @@ class irc_bouncer::setup {
     args => ['saslauthd'],
   }
 
+
+  class { '::letsencrypt::plugin::dns2136':
+    server              => 'ns-master.lysator.liu.se',
+    keyname             => 'verdigris.lysator.liu.se',
+    key_algorithm       => 'HMAC-SHA256',
+    key_secret          => 'YHR7/5gOkdPF64GwWRu6Ge8jcjz8siqCWIy/G8FsVzw=',
+    propagation_seconds => 10,
+    manage_package      => true,
+  }
+  -> letsencrypt::certonly { $servername:
+    ensure  => 'present',
+    domains => [ $servername, ],
+    plugin  => 'dns-rfc2136'
+  }
+
+  # Allow world to read our certificates so znc can access them.
+  # In theory slightly unsafe, but noone else should have filesystem
+  # access.
+  file { ['/etc/letsencrypt/live',
+          '/etc/letsencrypt/archive', ]:
+    ensure => directory,
+    mode   => '0755',
+  }
+
   # exec { 'znc make pem':
   #   command => 'znc --datadir=/var/lib/znc --makepem',
   #   path    => '/usr/bin:/bin',