diff --git a/group_vars/all/postgres.yml b/group_vars/all/postgres.yml
index 4c08b977c5849aeb6ce03a7fdf6fd841c883a6ee..3201d12d501f0b909039e251b001aad88bf51348 100644
--- a/group_vars/all/postgres.yml
+++ b/group_vars/all/postgres.yml
@@ -1,11 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-35326537366663376136373363653536633264376661306131393766626630383036386634653335
-3632653431353134353236666163326364616465643662300a353761333933363738623561353333
-39383537373232313931303137326333663364363631633465623663626165386138343864353562
-3963343266393437650a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a643234636263336238666265353065
+37656338643565643930646534653565346531656437333039643333623566653962366262303733
+6138616366346335620a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
diff --git a/playbooks/soyuz.yml b/playbooks/soyuz.yml
index 30fba9bb598f43f0958fde279e8191ebb6a8aa6f..26785807179a8f2d442acc2f6f09a126c5a82117 100644
--- a/playbooks/soyuz.yml
+++ b/playbooks/soyuz.yml
@@ -13,3 +13,4 @@
 - { role: nginx, letsencrypt_validation_dir: "/var/lib/letsencrypt", tags: ["nginx"] }
 - { role: sudo, tags: ['sudo', 'archusers'] }
 - { role: postgres, tags: ['postgres'] }
+ - { role: quassel, quassel_domain: "quassel.archlinux.org", tags: ['quassel'] }
diff --git a/roles/quassel/files/clean-quassel.service b/roles/quassel/files/clean-quassel.service
new file mode 100644
index 0000000000000000000000000000000000000000..4e487c5b2fc22fc9dc28c34312d41ad6abe04612
--- /dev/null
+++ b/roles/quassel/files/clean-quassel.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Clean up Quassel backlog
+Requisite=postgresql.service
+After=postgresql.service
+
+[Service]
+User=quassel
+Group=quassel
+Type=oneshot
+ExecStart=/usr/bin/psql -c "DELETE FROM backlog WHERE time < NOW() - INTERVAL '1 months';"
+ExecStart=/usr/bin/psql -c "CLUSTER backlog USING backlog_bufferid_idx;"
+ExecStart=/usr/bin/psql -c "VACUUM FULL ANALYZE backlog;"
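Review bot: The three psql ExecStart lines in clean-quassel.service name no database, so the connection depends on psql falling back to a database named after the connecting user (quassel); passing `-d quassel` on each call makes the target explicit and keeps the job on the right database even if PGDATABASE is ever set in that user's environment. CLUSTER and VACUUM FULL both rewrite the backlog table under an exclusive lock, so quasselcore's backlog writes are blocked for the duration of the job; a comment above those lines such as `# CLUSTER/VACUUM FULL hold an exclusive lock on backlog while they run; keep the timer at a quiet hour` records that trade-off for whoever tunes the timer later. Because the unit is Type=oneshot, a failing DELETE stops the CLUSTER and VACUUM from running, which looks intended but is worth a one-line comment as well.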
diff --git a/roles/quassel/files/clean-quassel.timer b/roles/quassel/files/clean-quassel.timer
new file mode 100644
index 0000000000000000000000000000000000000000..5eaa146bb0799c305c3f80fe8e317bec68a5d518
--- /dev/null
+++ b/roles/quassel/files/clean-quassel.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Daily Quassel cleanup
+
+[Timer]
+OnCalendar=daily
+AccuracySec=24h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/quassel/files/givemequassel b/roles/quassel/files/givemequassel
new file mode 100755
index 0000000000000000000000000000000000000000..d0f8095c03d460d6dd658a1e12eb755860cb7a71
--- /dev/null
+++ b/roles/quassel/files/givemequassel
@@ -0,0 +1,56 @@
+#!/bin/bash -e
+
+if [[ `/usr/bin/whoami` != quassel ]]; then
+ if [[ -n $BREAK_RECURSION ]]; then
+ echo >&2 "Couldn't become quassel."
+ exit 1
+ fi
+ exec /usr/bin/sudo -u quassel -- env BREAK_RECURSION=1 "$0"
+fi
+
+shopt -s extglob
+export PATH=/usr/bin
+export LC_ALL=C
+
+case $SUDO_USER in
+ (""|root) echo >&2 "You need to run this as the user you want to add."
+ exit 1 ;;
+ (+([a-z])) ;;
+ (*) echo >&2 "Invalid user."
+ exit 1 ;;
+esac
+
+if [[ `users` != *$SUDO_USER* ]]; then
+ echo >&2 "Unknown user."
+ exit 1
+fi
+
+ttyopts=`stty -g`
+trap 'stty $ttyopts' EXIT
+
+stty -echo
+echo >&2 -n "New password for $SUDO_USER's Quassel user: "
+read <&2
+pw="$REPLY"
+echo
+echo >&2 -n "Repeat the password: "
+read <&2
+echo
+if [[ $pw != $REPLY ]]; then
+ echo >&2 "Passwords don't match."
+ exit 1
+fi
+sha1=(`printf %s "$pw" | sha1sum`)
+
+if psql -c "INSERT INTO quasseluser (username, password) VALUES ('$SUDO_USER', '${sha1[0]}')" &>/dev/null; then
+ echo >&2 "Added user '$SUDO_USER'."
+ exit 0
+fi
+
+if psql -c "UPDATE quasseluser SET password = '${sha1[0]}' WHERE username = '$SUDO_USER'" &>/dev/null; then
+ echo >&2 "Updated password for user '$SUDO_USER'."
+ exit 0
+fi
+
+echo >&2 "SQL error."
+exit 1
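Review bot: The re-exec at the top of givemequassel runs `/usr/bin/sudo -u quassel -- env BREAK_RECURSION=1 "$0"`, so the command sudo has to match is `env` with arguments, not the `/usr/local/bin/givemequassel ""` that givemequassel.sudoers permits, and a plain member of %users would be refused unless a rule outside this commit allows /usr/bin/env. Since `exec sudo` replaces the shell, a refused sudo already terminates the script with sudo's exit status, so the BREAK_RECURSION guard appears unnecessary and the line can become `exec /usr/bin/sudo -u quassel -- /usr/local/bin/givemequassel` (a fixed path instead of `$0` also keeps the sudoers match when the script is invoked by a relative name). Two smaller points in the prompt: both `read <&2` should be `read -r <&2` so a backslash typed in the password is kept literally, and `if [[ $pw != $REPLY ]]; then` needs `"$REPLY"` quoted, because an unquoted right-hand side in `[[ ]]` is a glob pattern and a repeat such as `*` would be accepted as matching anything. What gets stored is an unsalted SHA-1 of the password, which appears to be what this quasseluser table expects; if the deployed Quassel schema also supports a salted hash version, that would be the better choice — confirm against the core's schema.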
diff --git a/roles/quassel/files/givemequassel.sudoers b/roles/quassel/files/givemequassel.sudoers
new file mode 100644
index 0000000000000000000000000000000000000000..3811b35e69f568d92f394ff9fdf6bd0b8e94915c
--- /dev/null
+++ b/roles/quassel/files/givemequassel.sudoers
@@ -0,0 +1 @@
+%users ALL = (quassel) NOPASSWD: /usr/local/bin/givemequassel ""
diff --git a/roles/quassel/files/oidentd.conf b/roles/quassel/files/oidentd.conf
new file mode 100644
index 0000000000000000000000000000000000000000..9ada778d0520d96dd39e8ad471b2b33159aa5796
--- /dev/null
+++ b/roles/quassel/files/oidentd.conf
@@ -0,0 +1,6 @@
+user quassel {
+ default {
+ allow spoof
+ allow spoof_all
+ }
+}
diff --git a/roles/quassel/handlers/main.yml b/roles/quassel/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f9ee6636586fd8066c42050e97a27c9130809a35
--- /dev/null
+++ b/roles/quassel/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: daemon reload
+ command: systemctl daemon-reload
diff --git a/roles/quassel/tasks/main.yml b/roles/quassel/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d510ff972864f9a7def5999739424a62ff23605e
--- /dev/null
+++ b/roles/quassel/tasks/main.yml
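Review bot: The `daemon reload` handler shells out with `command: systemctl daemon-reload`, which the command module always reports as changed and cannot check or retry idempotently. If the Ansible version in use has the systemd module, `systemd: daemon_reload=yes` expresses the same step and matches the module-based style of the tasks file, which uses service/copy/template rather than command everywhere else.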
@@ -0,0 +1,63 @@
+---
+
+- name: install quassel
+ pacman: name=quassel-core,oidentd,python2-pexpect state=present
+
+- name: add quassel postgres db
+ postgresql_db: db=quassel
+ become: yes
+ become_user: postgres
+ become_method: su
+
+- name: add quassel postgres user
+ postgresql_user: db=quassel name=quassel password={{ postgres_users.quassel }}
+ become: yes
+ become_user: postgres
+ become_method: su
+
+- name: initialize quassel
+ become: yes
+ become_user: quassel
+ become_method: sudo
+ expect:
+ command: quasselcore --configdir=/var/lib/quassel --select-backend=PostgreSQL
+ responses:
+ Username: ''
+ Password:
+ - '{{ postgres_users.quassel }}'
+ - ''
+ - ''
+ - ''
+ Hostname: ''
+ Port: ''
+ Database: ''
+ creates: /var/lib/quassel/quasselcore.conf
+
+- name: install quassel cert renewal hook
+ template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/quassel owner=root group=root mode=0755
+
+- name: install quassel units
+ copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=0644
+ with_items:
+ - clean-quassel.timer
+ - clean-quassel.service
+ notify:
+ - daemon reload
+
+- name: add quassel.service.d dir
+ file: state=directory path=/etc/systemd/system/quassel.service.d owner=root group=root mode=0755
+
+- name: install quassel.service snippet
+ template: src=quassel.service.d.j2 dest=/etc/systemd/system/quassel.service.d/local.conf owner=root group=root mode=0644
+
+- name: install givemequassel script
+ copy: src=givemequassel dest=/usr/local/bin/givemequassel owner=root group=root mode=0755
+
+- name: install givemequassel sudoers config
+ copy: src=givemequassel.sudoers dest=/etc/sudoers.d/givemequassel
+
+- name: start and enable quassel
+ service: name={{ item }} enabled=yes state=started
+ with_items:
+ - quassel.service
+ - clean-quassel.timer
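Review bot: The `install givemequassel sudoers config` task copies into /etc/sudoers.d with whatever owner and mode copy defaults to and with no syntax check, while every other install task in this file sets owner/group/mode explicitly; sudo expects sudoers files to be root-owned and mode 0440, so the line should be `copy: src=givemequassel.sudoers dest=/etc/sudoers.d/givemequassel owner=root group=root mode=0440 validate='visudo -cf %s'`, which also rejects a malformed drop-in before it lands. The `add quassel postgres user` and `initialize quassel` tasks interpolate `{{ postgres_users.quassel }}`, the vaulted database password, into module arguments and expect responses, so it shows up in task output and verbose logs; `no_log: true` on both tasks keeps it out. The initialize task's `creates:` guard makes it skip once quasselcore.conf exists, which is worth a short comment since the expect dialogue otherwise looks like it would re-run on every play.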
diff --git a/roles/quassel/templates/letsencrypt.hook.d.j2 b/roles/quassel/templates/letsencrypt.hook.d.j2
new file mode 100644
index 0000000000000000000000000000000000000000..891624f4509589e66c841f8f9bae829f9e81a44d
--- /dev/null
+++ b/roles/quassel/templates/letsencrypt.hook.d.j2
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+test "$1" = renew || exit 0
+
+for domain in $RENEWED_DOMAINS; do
+ case "$domain" in
+ {{ quassel_domain }})
+ systemctl restart quassel
+ ;;
+ esac
+done
diff --git a/roles/quassel/templates/quassel.service.d.j2 b/roles/quassel/templates/quassel.service.d.j2
new file mode 100644
index 0000000000000000000000000000000000000000..83f07cb54bec8f48d2999ba64354d6c88eb1d907
--- /dev/null
+++ b/roles/quassel/templates/quassel.service.d.j2
@@ -0,0 +1,6 @@
+[Service]
+ExecStartPre=/usr/bin/truncate -s 0 /var/lib/quassel/.oidentd.conf
+ExecStart=
+ExecStart=/usr/bin/quasselcore --configdir=/var/lib/quassel --oidentd --syslog --require-ssl \
+ --ssl-cert=/etc/letsencrypt/live/{{ quassel_domain }}/fullchain.pem \
+ --ssl-key=/etc/letsencrypt/live/{{ quassel_domain }}/privkey.pem
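Review bot: The quassel.service.d snippet points quasselcore at /etc/letsencrypt/live/{{ quassel_domain }}/privkey.pem, but nothing in this change gives the quassel user read access to that key, and certbot keeps the live/archive directories and private keys readable by root only by default; unless permissions are arranged elsewhere, the core (presumably running as quassel under the packaged unit, which is not visible here) will fail to start with --require-ssl. Rather than opening the ACME tree to the service user, the renewal hook in letsencrypt.hook.d.j2 can hand quasselcore its own root-installed copies in /var/lib/quassel before the restart, with --ssl-cert/--ssl-key in the snippet pointing at those copies. The hook already filters on RENEWED_DOMAINS; RENEWED_LINEAGE is the matching certbot variable for the lineage directory.
```shell
    {{ quassel_domain }})
      # keep /etc/letsencrypt root-only; give quasselcore its own copies of the material
      install -o quassel -g quassel -m 0600 "$RENEWED_LINEAGE/fullchain.pem" /var/lib/quassel/fullchain.pem
      install -o quassel -g quassel -m 0600 "$RENEWED_LINEAGE/privkey.pem" /var/lib/quassel/privkey.pem
      systemctl restart quassel
      ;;
# … unchanged: test "$1" = renew guard, for/case/esac/done framing …
```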