diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix
index 6871931..df44b9b 100644
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@@ -1804,6 +1804,29 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
         extraConfig = ''reverse_proxy :5006'';
       };
     }
+    {
+      services.factorio = {
+        enable = true;
+        package = pkgs.factorio-headless.override {
+          versionsJson = ./factorio-versions.json;
+        };
+        admins = ["lytedev"];
+        autosave-interval = 5;
+        game-name = "Flanwheel Online";
+        description = "Space Age 2.0";
+        openFirewall = true;
+        # public = true; # NOTE: cannot be true if requireUserVerification is false
+        port = 34197;
+        requireUserVerification = false; # critical for DRM-free users
+        lan = true; # NOTE: not sure if this interferes with online-ability?
+
+        # contains the game password and account password for "public" servers
+        extraSettingsFile = config.sops.secrets.factorio-server-settings.path;
+      };
+      sops.secrets = {
+        factorio-server-settings = {mode = "0777";};
+      };
+    }
   ];
 
   /*
diff --git a/nixos/factorio-versions.json b/nixos/factorio-versions.json
new file mode 100644
index 0000000..e772fd0
--- /dev/null
+++ b/nixos/factorio-versions.json
@@ -0,0 +1,58 @@
+{
+  "x86_64-linux": {
+    "alpha": {
+      "experimental": {
+        "name": "factorio_alpha_x64-1.1.110.tar.xz",
+        "needsAuth": true,
+        "sha256": "0ndhb94lh47n09a7wshm2inv52fd6rjfa7fk7nk9b7zzh84i7f4x",
+        "tarDirectory": "x64",
+        "url": "https://factorio.com/get-download/1.1.110/alpha/linux64",
+        "version": "1.1.110"
+      },
+      "stable": {
+        "name": "factorio_alpha_x64-1.1.110.tar.xz",
+        "needsAuth": true,
+        "sha256": "0ndhb94lh47n09a7wshm2inv52fd6rjfa7fk7nk9b7zzh84i7f4x",
+        "tarDirectory": "x64",
+        "url": "https://factorio.com/get-download/1.1.110/alpha/linux64",
+        "version": "1.1.110"
+      }
+    },
+    "demo": {
+      "experimental": {
+        "name": "factorio_demo_x64-1.1.110.tar.xz",
+        "needsAuth": false,
+        "sha256": "0dasxgrybl00vrabgrlarsvg0hdg5rvn3y4hsljhqc4zpbf93nxx",
+        "tarDirectory": "x64",
+        "url": "https://factorio.com/get-download/1.1.110/demo/linux64",
+        "version": "1.1.110"
+      },
+      "stable": {
+        "name": "factorio_demo_x64-1.1.110.tar.xz",
+        "needsAuth": false,
+        "sha256": "0dasxgrybl00vrabgrlarsvg0hdg5rvn3y4hsljhqc4zpbf93nxx",
+        "tarDirectory": "x64",
+        "url": "https://factorio.com/get-download/1.1.110/demo/linux64",
+        "version": "1.1.110"
+      }
+    },
+    "headless": {
+      "experimental": {
+        "name": "factorio_headless_x64-1.1.110.tar.xz",
+        "needsAuth": false,
+        "sha256": "0sk4g9y051xjhiwdhj1yz808308zwsbpq3nps1ywvpp56vdycps8",
+        "tarDirectory": "x64",
+        "url": "https://factorio.com/get-download/1.1.110/headless/linux64",
+        "version": "1.1.110"
+      },
+      "stable": {
+        "name": "factorio_headless_x64-1.1.110.tar.xz",
+        "needsAuth": false,
+        "sha256": "0sk4g9y051xjhiwdhj1yz808308zwsbpq3nps1ywvpp56vdycps8",
+        "tarDirectory": "x64",
+        "url": "https://factorio.com/get-download/1.1.110/headless/linux64",
+        "version": "1.1.110"
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/nixos/router.nix b/nixos/router.nix
index ff8d685..751b99b 100644
--- a/nixos/router.nix
+++ b/nixos/router.nix
@@ -214,6 +214,7 @@ in {
             udp dport { 80, 443 } accept comment "Allow QUIC to server (see nat prerouting)"
             tcp dport { 22 } accept comment "Allow SSH to server (see nat prerouting)"
             tcp dport { 25565 } accept comment "Allow Minecraft server connections (see nat prerouting)"
+            udp dport { 34197 } accept comment "Allow Factorio server connections (see nat prerouting)"
 
             iifname "${lan}" accept comment "Allow local network to access the router"
             iifname "tailscale0" accept comment "Allow local network to access the router"
@@ -256,6 +257,7 @@ in {
             iifname ${wan} tcp dport {26966} dnat to ${hosts.beefcake.ip}
             iifname ${wan} tcp dport {25565} dnat to ${hosts.bald.ip}
             iifname ${wan} udp dport {25565} dnat to ${hosts.bald.ip}
+            iifname ${wan} udp dport {34197} dnat to ${hosts.beefcake.ip}
           }
 
           chain postrouting {
diff --git a/secrets/beefcake/secrets.yml b/secrets/beefcake/secrets.yml
index dd41417..c6878f3 100644
--- a/secrets/beefcake/secrets.yml
+++ b/secrets/beefcake/secrets.yml
@@ -27,6 +27,7 @@ restic-rascal-passphrase: ENC[AES256_GCM,data:yonKbBh4riGwxc/qcj8F/qrgAtA1sWhYej
 restic-rascal-ssh-private-key: ENC[AES256_GCM,data:ddsOs0XsayyQI9qc6LzwQpdDnfwNpbj8PbBJ5fyuqtlVNYndeLxaYcbZI2ULSUhgR1tN0FS+ggGTHQhVvjwksNvpskUGHNKkSLKH3D/mn5N9tsoeAblN4gZsloZdqXBVzEehumcQMdhh6iy6NkNbuinKrVKDhLV25PrFKuSBEYw9VHU7HAMW5Tfop3RzBXjZWETCDAR2OQa7d1dXsJ0Kw6b9RFmRe5MGQ0J7YhjdTg26JGMMVSeHvr5UbiUJkGA5RvOLEDM2Dfai7Lf8yRPZVxUl+rdRsNvNYEoYGu5rGLUFcuqIbQ+s40dP2uXwWauwkIvHUjEahkbP0httj4Kg3qIJBRPg7OuS+MOwAnLEAs3hl5zeBV396yA9qjWW8nhnbml58/uFFbfXbJWTM3r8cMpFbHKD+Ojo/99fm5Vy3pAMzNzEsHOaT+iyDYyNkV5OH1GyKK9n7kIRLdqmWe7GmaKXlwVvNUPi3RvLX9VXq83a4BuupFyTmaNfPGMs/17830aleV674+QVgKh3VyFtuJy6KBpMXDv16wFo,iv:S2I3h6pmKLxEc29E0zn2b8lscqA//5/ZMTV9q+/tdvs=,tag:ALeCT+nrVPDfS21xC555sA==,type:str]
 restic-ssh-priv-key-benland: ENC[AES256_GCM,data:G+uiYZTvqXhpJb66j6Q6S+otlXeRX0CdYeMHzSMjIbvbI0AVm0yCU7COO5/O8i47NpvrKKS1kVxVEK8ixLRUowkl3hgRXhxsBIPFnpkMD0ENmJttm4HOpi0qIWMwzPYTjkz/slY4HcTFnCfYy1ZpURQdWwZsr1EdAA05bUMTtM22R3uOMzjO8uf72PCWX7yffo8MxsLmWvNVAOhVlrb2H5KQNR/IquFK3TFoZitq5nVDG9tcEFkX+lgA3zsmCHU/2DvvodgeRoltaAFvgjVznNGf4e5p8owHUtSzX52HwGZRiUlMuhpre2gm1r73n8AyZe41II+LX/85fMfZDdyayIGv3AAMBib8H0/AoChexRcdLQEmzOgRrXsgucDJrWSWP6WMBVyamUm79m5ep0fvL1lJftuJqN0uuq9dBrispdso4x+6jk/pDf5pEM/FE6s1rY832BEb7q0PnjyvVogOez+cIihmMpDdnS0A/8TFzg29i3C+93x5vrt3k7atNzR/jN+/GqX2FKLzxWrrIw2d,iv:IP+N8JQu+XRvwTtBnxu54ujzU5UliltXG3mk9HfJaN8=,tag:4oinE9QMaSh8IfUd/ttM3Q==,type:str]
 paperless-superuser-password: ENC[AES256_GCM,data:lypWK73mOYI2hyQAW/4T3cDiVtsts3kKb7LZb9ES3n97Kn5l,iv:jBHUBFbb4GqQ3gnK0h5VCaGj3/kd3/eGa1QFiE7+B9I=,tag:UoQar+x1xVnCV2k+9hYjWA==,type:str]
+factorio-server-settings: ENC[AES256_GCM,data:ZEwi0Ff9vmUi7bdguNV1LgppsQFktvIM+4y7/mUC2cQ37wDWwPvKvKmcaDOxTM7XteIcaLsFg6rttUASSJDiFRGTt5/FNagTn6kfMJEETLZyxQ==,iv:AxSpB4/nFHFtkfO0x8Ra5w2Nd+bqt54Y5NRkIU/Bb5Y=,tag:8tuaqrn0Y2wAnTqUQPqXYA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -51,8 +52,8 @@ sops:
             bGpacHFRSkJYUUMwOEh4cVBXZ1NESmsKa5EhZ7148ojCqZldukLcPLr93HqnpNgq
             rMI0Nyz4Z4lkTVMRpA94zyNTkNwJ02/CYcKi8EJi6jGZnNPUTcnTwg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-13T05:09:18Z"
-    mac: ENC[AES256_GCM,data:rS12xfQ6FQwVa19rdfk6i1DThUOfsrw+IdKGYOMrX8a7sOKPkNxyxyZASfaKopg3BaM8qmoOFUW4B9VWwTh4d+MhruH3DhJO3UuZpOtDv7H8JFmzqg8rlYx0nm+8/+dB0zjgK7m2FP8wn0jfXraaaQ7/HobgLgGtl+NAsXQkrwQ=,iv:+JO3Yq6Kp2CHu20dSRDOJf0ivq5ASHYrKvlCgg1vGxQ=,tag:y6nIISSZFQwRoFNvqaQWbg==,type:str]
+    lastmodified: "2024-10-14T14:32:44Z"
+    mac: ENC[AES256_GCM,data:Jebesyq1m+kEmeXJHQyJOxkJUP79PlfwyzbrWIKYb2E4zrdOdSj8l7ucFJm4l9jFFcZF+CQc/zzlkFPiYxJbeBrM6L7tnV1v3N4t699x3S0oF72tAAewvxVaHtSridP2zVdEhNzaOIP3GXTi677vx1NQy+WyIAHe63vAAyW4F4Q=,iv:p2hfMsuWxSnqB16O+7vOm3LPW/LvWa+1zdFYlJJkgVI=,tag:PYs9/peP0WEsdSDrToJkOw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0