diff --git a/ops/machines/gerrit01/default.nix b/ops/machines/gerrit01/default.nix
index 3b5e02905..4022c5cb1 100644
--- a/ops/machines/gerrit01/default.nix
+++ b/ops/machines/gerrit01/default.nix
@@ -13,6 +13,7 @@ in
     (mod "o11y/alloy.nix")
     (mod "gerrit-autosubmit.nix")
     (mod "monorepo-gerrit.nix")
+    (mod "gerrit-webhook-to-irccat.nix")
     (mod "www/cl.snix.dev.nix")
     (mod "known-hosts.nix")
 
@@ -70,6 +71,11 @@ in
   services.depot = {
     gerrit-autosubmit.enable = true;
     restic.enable = true;
+    gerrit-webhook-to-irccat = {
+      enable = true;
+      irccatUrl = "http://meta01.infra.snix.dev:4722/send";
+      listenAddress = "127.0.0.1:4779";
+    };
   };
 
   services.fail2ban.enable = true;
diff --git a/ops/machines/meta01/default.nix b/ops/machines/meta01/default.nix
index 4bde42356..d1230a1f1 100644
--- a/ops/machines/meta01/default.nix
+++ b/ops/machines/meta01/default.nix
@@ -63,7 +63,7 @@ in
       # FUTUREWORK: disable tcp listener entirely
       # Maybe this is https://github.com/spf13/viper/issues/323#issuecomment-309570752 ?
       tcp.listen = "127.0.0.1:4723";
-      http.listen = "127.0.0.1:4722";
+      http.listen = ":4722";
       http.listeners.generic = { };
       irc = {
         server = "irc.eu.hackint.org:6697";
@@ -83,6 +83,9 @@ in
     # Prometheus, Loki, Tempo
     ip6 saddr { 2a01:4f8:c013:3e62::1 } tcp dport { 9009, 9090, 9190 } accept
     ip saddr { 49.13.70.233 } tcp dport { 9009, 9090, 9190 } accept
+
+    # Gerrit Webhooks
+    ip6 saddr { 2a01:4f8:c17:6188::1 } tcp dport 4722 accept
   '';
 
   age.secrets =