diff --git a/hosts/by-name/servo/services/cryptocurrencies/clightning.nix b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
new file mode 100644
index 000000000..4e1079e5f
--- /dev/null
+++ b/hosts/by-name/servo/services/cryptocurrencies/clightning.nix
@@ -0,0 +1,22 @@
+# clightning is an implementation of Bitcoin's Lightning Network.
+# as such, this assumes that `services.bitcoin` is enabled.
+
+{ config, ... }:
+{
+  sane.persist.sys.byStore.ext = [
+    { user = "clightning"; group = "clightning"; path = "/var/lib/clightning"; }
+  ];
+
+  # see bitcoin.nix for how to generate this
+  services.bitcoind.mainnet.rpc.users.clightning.passwordHMAC =
+    "befcb82d9821049164db5217beb85439$2c31ac7db3124612e43893ae13b9527dbe464ab2d992e814602e7cb07dc28985";
+
+  # sane.services.clightning.enable = true;
+  sane.services.clightning.extraConfigFiles = config.sops.secrets."lightning-config";
+  sops.secrets."lightning-config" = {
+    mode = "0600";
+    owner = "clightning";
+    group = "clightning";
+  };
+  sane.services.clightning.proxy = "TODO";
+}
diff --git a/hosts/by-name/servo/services/cryptocurrencies/default.nix b/hosts/by-name/servo/services/cryptocurrencies/default.nix
index 50ac814a1..b46d5720c 100644
--- a/hosts/by-name/servo/services/cryptocurrencies/default.nix
+++ b/hosts/by-name/servo/services/cryptocurrencies/default.nix
@@ -2,6 +2,7 @@
 {
   imports = [
     ./bitcoin.nix
+    ./clightning.nix
     ./monero.nix
   ];
 }
diff --git a/modules/services/clightning.nix b/modules/services/clightning.nix
index 76628cd2c..26675a5f5 100644
--- a/modules/services/clightning.nix
+++ b/modules/services/clightning.nix
@@ -34,7 +34,7 @@ in
     enable = mkEnableOption "clightning, a Lightning Network implementation in C";
     package = mkPackageOption pkgs "clightning" { };
     bitcoindName = mkOption {
-      type = str;
+      type = types.str;
       default = "mainnet";
       description = ''
         name of bitcoind config to attach to.
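Review bot: `sane.services.clightning.proxy = "TODO";` commits a placeholder string into the option that, by its name, points lightningd at a SOCKS proxy; if the module writes it through as `proxy=TODO` lightningd will reject it at startup, and if the module drops values it cannot parse the node would announce and connect over clearnet, which defeats the point of a proxy setting (the option's type is not in this diff, so this is inferred). Nothing runs yet because `sane.services.clightning.enable = true;` is still commented out, but the line should become the real `host:port` or be removed so the module default applies, and if the goal is Tor-only operation, `always-use-proxy=true` belongs next to it in the sops-managed config. `extraConfigFiles = config.sops.secrets."lightning-config"` hands over the whole sops secret attrset rather than a file path; unless the module accepts that shape, `[ config.sops.secrets."lightning-config".path ]` is the value that matches a plural `...Files` option. The committed `passwordHMAC` is bitcoind's `salt$hmac` rpcauth form and does not itself reveal the RPC password, but it is offline-crackable, so the procedure behind `# see bitcoin.nix for how to generate this` only holds up if it produces a long random password rather than a chosen one.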
@@ -125,6 +125,7 @@ in
       after = [ "bitcoind-${cfg.bitcoindName}.service" ];
       serviceConfig = {
+        # TODO: hardening
         ExecStart = "${cfg.package}/bin/lightningd --lightning-dir=${cfg.dataDir}";
         User = cfg.user;
         Restart = "on-failure";
diff --git a/secrets/servo/lightning-config.bin b/secrets/servo/lightning-config.bin
new file mode 100644
index 000000000..20557bc4b
--- /dev/null
+++ b/secrets/servo/lightning-config.bin
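Review bot: The `# TODO: hardening` marker on `serviceConfig` leaves lightningd as a long-lived unit with no sandboxing at all, and since this is the process that holds the node's signing key material under `cfg.dataDir`, it is the unit on this host most worth locking down before it is enabled. A read-only system filesystem with only the lightning-dir writable, no home or shared tmp exposure, and no privilege escalation is the usual baseline and should not interfere with what the visible `ExecStart` needs; each directive below still wants a real start-up check, because lightningd needs write access to `cfg.dataDir`, outbound network sockets, and the SOCKS endpoint if a proxy is configured. The enclosing `systemd.services` definition starts and ends outside this hunk.
```nix
      serviceConfig = {
        # … unchanged: ExecStart, User, Restart …
        # sandbox: lightningd only needs its lightning-dir writable plus network access
        NoNewPrivileges = true;
        PrivateTmp = true;
        ProtectHome = true;
        ProtectSystem = "strict";
        ReadWritePaths = [ cfg.dataDir ];
```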
@@ -0,0 +1,32 @@ +{ + "data": "ENC[AES256_GCM,data:q5byWGXbW0hl/UnAoq5bbM0WRYMGwq/bVFE85kdoAjy3Ef+ONt6TuFe62z2SJzf+gvaPFj5ArcdWViJXSw8FYw==,iv:8RTiIuceL0zqjV6dk1r7j+FvzyWrD1AJOnIU1Z3V6sw=,tag:cSEQUO5DLfYaWO4GWF5slw==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZXJ3THRvNzZIMENBQUNI\nRVEzdFZoMEYwWUx5TjhhWVJ5ampJbXdaV1NBCjV4aWJuOCtUVGRHdFlEbVVJSVlX\nVDQ4QUpyU1dJa3UwZVVRQkVSYk9Xek0KLS0tIGd1cFoyZDJoRXhpeTBIMmo1ZDlB\ndzJWT2MzOVQxc1BOZDU1UDlvN0dFNVUKoSwT/LfaSqkQRedWfiTfKietxvUUjg8I\ngT0o2MHWIWhfxWsChKeprmj7l0o8L4rgegXJ9Tr58w0Koe5YzWhNhg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUVmlpaXhjbDZhTHVvZ2dw\nSXdIaEovejJoWisxZUZacjFhUHlaWlMxOVdJCjRIeHFRZXJwZEpJWnBMOXRTenMx\nNGY1TTlNVFBXdVNMVVk0SmMxK2NCUVEKLS0tIDkwdjBwZU13WXpiZWFnTkFXY2Rp\naGdOUnRtZjBvWm42Rkgzd200Vm1xYzgKgVxpJnLin0jvGh+BV0zldo3zKM8KJ5Ee\nupxmVyFWgEH4vyZdN0aJh3N9T1huG4Zrd7p+1yoxN0zX3xbL3aU3Hw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCV2U2cDlwMzNUZ0JlVUE2\naWM0aTlJeXFnN2tDaHUvTzQyOGhOb21JSlRZClZBd0lsTmFuT1M1N1AxNm5DK2NC\nVGFiTGVjT0E0L2wxVktkdXR4NUc2R2MKLS0tIEdWeUI3REI5ekhYTXROUmRITkpw\ndFE4QTVzdWtzMlZWNFdZMWo0WlZuOVEKuooLzZZ2gnlPaYTo3kDaDUcR+a2hFO0c\nkzoctqU1qPiXUJi/6u1OQAglNZ0SXgiNMy8e02iA8Xc/oL+IDVTQUw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2RGJJNlNUQTIzY0FyRVFY\nSm1zRmtpa20zaXRzZDIwR0FpK3VoT3FpL1ZZCnYrcEVZUHpVQnJmZ2d2WGdYdHNE\nQW0wOUlYeHpMRVo1TGdTRENITExxdncKLS0tIHFuMHIwNjdpVitSTEtsWkNiNjVH\nbGVRK1Racm93RVVnMkI1RThLS3Y3SGcKJVFfcTLMPu2GjkQhGm9gSS7eqzzAVW4e\nLoMh52PZog2/1NrT3KKEqxQ1/XyRcqv1T1oU/xvV6EE9+nj2LEuWog==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-01-02T18:22:52Z", + "mac": "ENC[AES256_GCM,data:mbnyvMMJgiDTsUTIlIbsyYHB90e3ItLkDs090YukiMzWLD2q1F2u0IfzFaZp+Dn9KMYGd1MD8eRVdT8CtyfdduS5R6C++FAT7Fa7TrFrp921bbJgmdjvsKdcV77eriqoUp2fLghAjaiLJrxJcvDDJTzcPvq5QTCHpCHKfA8enPI=,iv:iHJJL7OE0PzP1ju+gXJyCfaFDZgmWPKwuyNkTYwS4qU=,tag:wXL4JOuBoTecgWlHfcdXtA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file