diff --git a/flake.lock b/flake.lock
index 19efcc9..176684a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -52,17 +52,17 @@
         ]
       },
       "locked": {
-        "lastModified": 1722725362,
-        "narHash": "sha256-JKonFnKwiN7VRXhn3pUhoN6TGDoyHepWbMfVd35wTew=",
+        "lastModified": 1736029622,
+        "narHash": "sha256-4+LgwpKEgSztPFzKIKwJrOH/4FTCsLCkWGc7LhXPcSY=",
         "owner": "teidesu",
         "repo": "desu-deploy",
-        "rev": "a77b8e790324df51471cf40924acff9643972dfa",
+        "rev": "d373e8ab554a95d222e3ced87e751dabbd3cfc57",
         "type": "github"
       },
       "original": {
         "owner": "teidesu",
         "repo": "desu-deploy",
-        "rev": "a77b8e790324df51471cf40924acff9643972dfa",
+        "rev": "d373e8ab554a95d222e3ced87e751dabbd3cfc57",
         "type": "github"
       }
     },
diff --git a/flake.nix b/flake.nix
index 1ccb296..6312b51 100755
--- a/flake.nix
+++ b/flake.nix
@@ -45,7 +45,7 @@
     disko.url = "github:nix-community/disko";
     disko.inputs.nixpkgs.follows = "nixpkgs";
 
-    desu-deploy.url = "github:teidesu/desu-deploy/a77b8e790324df51471cf40924acff9643972dfa";
+    desu-deploy.url = "github:teidesu/desu-deploy/d373e8ab554a95d222e3ced87e751dabbd3cfc57";
     desu-deploy.inputs.nixpkgs.follows = "nixpkgs";
   };
 
@@ -121,9 +121,10 @@
     ];
   };
 
-  madoka = mkNixosSystem {
+  madoka = mkNixosSystem rec {
     system = "x86_64-linux";
     modules = [
+      desu-deploy.nixosModules.${system}.default
       ./hosts/madoka/configuration.nix
     ];
   };
diff --git a/hosts/homura/configuration.nix b/hosts/homura/configuration.nix
index e11391e..5d23f6d 100644
--- a/hosts/homura/configuration.nix
+++ b/hosts/homura/configuration.nix
@@ -18,9 +18,6 @@
   users.users.root.openssh.authorizedKeys.keyFiles = [
     (abs "ssh/teidesu.pub")
   ];
-
-  virtualisation.docker.enable = true;
-  virtualisation.oci-containers.backend = "docker";
 
   system.stateVersion = "23.11";
 
diff --git a/hosts/madoka/configuration.nix b/hosts/madoka/configuration.nix
index c3a66b3..33259dd 100644
--- a/hosts/madoka/configuration.nix
+++ b/hosts/madoka/configuration.nix
@@ -4,7 +4,9 @@
   imports = [
     (modulesPath + "/profiles/minimal.nix")
     (modulesPath + "/profiles/qemu-guest.nix")
+    (abs "lib/desu")
     ./hardware-configuration.nix
+    ./services/license-servers.nix
   ];
 
   boot.tmp.cleanOnBoot = true;
@@ -20,6 +22,14 @@
   ];
 
   system.stateVersion = "23.11";
+
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers.backend = "docker";
+
+  services.desu-deploy = {
+    enable = true;
+    key = builtins.readFile (abs "ssh/desu-deploy.pub");
+  };
 
   networking.hostName = "madoka";
 }
\ No newline at end of file
diff --git a/hosts/madoka/services/license-servers.nix b/hosts/madoka/services/license-servers.nix
new file mode 100644
index 0000000..821d1b1
--- /dev/null
+++ b/hosts/madoka/services/license-servers.nix
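Review bot: `key = builtins.readFile (abs "ssh/desu-deploy.pub")` copies the file's contents into the Nix store at evaluation time, which is fine for a public key but deserves a comment so the line is never repointed at a private one: `# public half only — readFile puts the contents into the world-readable Nix store`. What that key authorizes is decided by the desu-deploy module pulled in from the flake input and is not visible here; presumably the holder of the matching private key can push deployments to this host, so it is worth stating that next to `enable = true`. Enabling Docker also starts a root daemon whose socket is root-equivalent; this hunk grants it to no user, so that is only a caveat to keep in mind for any future `extraGroups = [ "docker" ]` on this host.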
@@ -0,0 +1,66 @@
+{ config, ... }:
+
+let
+  UID = 1100;
+in {
+  desu.secrets.license-servers-env.owner = "license-servers";
+  desu.secrets.forgejo-packages-token = {};
+  desu.secrets.cloudflare-email.owner = "acme";
+  desu.secrets.cloudflare-token.owner = "acme";
+
+  users.groups.acme.gid = 993;
+  users.users.license-servers = {
+    isNormalUser = true;
+    extraGroups = [ "acme" ];
+    uid = UID;
+  };
+
+  virtualisation.oci-containers.containers.license-servers = {
+    image = "git.stupid.fish/zachem/license-servers:latest";
+    login = {
+      registry = "https://git.stupid.fish";
+      username = "teidesu";
+      passwordFile = config.desu.secrets.forgejo-packages-token.path;
+    };
+    environment = {
+      PUBLIC_HOSTNAME = "license.stupid.fish";
+
+      TLS_KEY_FILE = "/mnt/acme/key.pem";
+      TLS_CERT_FILE = "/mnt/acme/cert.pem";
+    };
+    environmentFiles = [
+      config.desu.secrets.license-servers-env.path
+    ];
+    user = builtins.toString UID;
+    extraOptions = [
+      "--group-add=${builtins.toString config.users.groups.acme.gid}"
+      "--mount=type=bind,source=/srv/license-servers/certs,target=/app/certs"
+      "--mount=type=bind,source=/var/lib/acme/license.stupid.fish,target=/mnt/acme"
+    ];
+    ports = [
+      "80:80"
+      "443:443"
+    ];
+  };
+
+  systemd.services.docker-license-servers.requires = [ "acme-finished-license.stupid.fish.target" ];
+
+  systemd.tmpfiles.rules = [
+    "d /srv/license-servers/certs 0700 ${builtins.toString UID} ${builtins.toString UID} -"
+  ];
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults = {
+    email = "alina@tei.su";
+    dnsProvider = "cloudflare";
+    credentialFiles = {
+      "CLOUDFLARE_EMAIL_FILE" = config.desu.secrets.cloudflare-email.path;
+      "CLOUDFLARE_API_KEY_FILE" = config.desu.secrets.cloudflare-token.path;
+    };
+  };
+  security.acme.certs = {
+    "license.stupid.fish" = {};
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
\ No newline at end of file
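Review bot: `systemd.services.docker-license-servers.requires = [ "acme-finished-license.stupid.fish.target" ]` pulls the target in but does not order against it — `Requires=` without `After=` lets the container start before `/var/lib/acme/license.stupid.fish` is populated, so a first boot can fail on a missing `key.pem`; add `systemd.services.docker-license-servers.after = [ "acme-finished-license.stupid.fish.target" ];`. The container is also never told about renewals: the files are rewritten in place but, unless the application re-reads them, it keeps serving the old certificate, so set `security.acme.certs."license.stupid.fish".reloadServices = [ "docker-license-servers.service" ];` to restart it after each renewal. The ACME directory is bind-mounted read-write although the container only needs to read it; append `,readonly` to that `--mount` so a compromised service cannot tamper with the certificate files. `image = "…:latest"` with no digest means every restart may pull different code from git.stupid.fish; pinning `@sha256:…` (or at least a version tag) keeps the deployment reproducible.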