diff --git a/nixos/modules/tahoe.nix b/nixos/modules/tahoe.nix
index e4a83006e129e80a59ca9f8262acf74760b4fc98..17641c47bac6d477637ed6e2eaa23a82f34b9fd9 100644
--- a/nixos/modules/tahoe.nix
+++ b/nixos/modules/tahoe.nix
@@ -115,6 +115,16 @@ in
         # Open up the firewall.
         # networking.firewall.allowedTCPPorts = flip mapAttrsToList cfg.introducers
         #   (node: settings: settings.tub.port);
+
+        # Make systemd open a port for us:
+        systemd.sockets.tahoe-web = {
+          description = "Tahoe Web Server Socket";
+          wantedBy = [ "sockets.target" ];
+          before = [ "multi-user.target" ];
+          socketConfig.Accept = true;
+          socketConfig.ListenStream = settings.tub.port;
+        };
+
         systemd.services = flip mapAttrs' cfg.introducers (node: settings:
           let
             pidfile = "/run/tahoe.introducer-${node}.pid";
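Review bot: `settings` on the `ListenStream` line is referenced outside the `(node: settings: ...)` lambda that only starts on the `systemd.services` line, so unless it is bound somewhere above this hunk the module will not evaluate. Each introducer has its own tub port, so the socket unit probably needs to be generated per introducer with the same `flip mapAttrs' cfg.introducers` pattern and named to match its service. `Accept = true` makes systemd start one instance of a template unit per connection and pass it the connected socket, which does not fit a long-running `Type = "simple"` daemon; `socketConfig.Accept = false;` looks like the intended setting. A bare port in `ListenStream` listens on every address while the firewall lines above remain commented out, and the description says "Web Server" although the value is the tub port. Please state which listener this is and, if it is the web API, bind it explicitly, e.g. `socketConfig.ListenStream = "127.0.0.1:${toString settings.tub.port}";`.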
@@ -130,6 +140,8 @@ in
             serviceConfig = {
               Type = "simple";
               PIDFile = pidfile;
+              Twisted wants non-blocking sockets:
+              NonBlocking = true;
               # Believe it or not, Tahoe is very brittle about the order of
               # arguments to $(tahoe run). The node directory must come first,
               # and arguments which alter Twisted's behavior come afterwards.
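Review bot: The added line `Twisted wants non-blocking sockets:` has no `#` in front of it, so it is parsed as Nix code inside the `serviceConfig` attribute set and the module will fail to evaluate; it should read `# Twisted wants non-blocking sockets:`. `NonBlocking = true;` only affects file descriptors handed over by socket activation, so it does nothing unless this service is tied to the socket unit by a matching unit name or a `Sockets=` setting. Nothing in the visible lines makes that association. The `serviceConfig` set and the surrounding service definition continue outside the hunk, so the association and the option that tells Tahoe to use the inherited descriptor may be handled there.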