diff --git a/rowbot b/rowbot
index b49394f..dea6311 100755
--- a/rowbot
+++ b/rowbot
@@ -141,18 +141,6 @@ unset key file
 
 declare -A config
 
-# connection settings
-
-get_option server irc.libera.chat
-get_option tls no
-
-if [[ ${config[tls]} = no ]]; then
-  get_option port 6667
-else
-  get_option client-cert ""
-  get_option port 6697
-fi
-
 # irc registration settings
 
 get_option nick rowbot-dev
@@ -166,6 +154,14 @@ get_option owner "${USER:-uplime}"
 get_option trigger \`
 get_option dev yes
 
+###
+# bootup sequence
+###
+
+on_first_001_bootup() {
+  log_info "rowbot's pid is %d" "$$"
+}
+
 ###
 # logger
 ###
@@ -227,17 +223,86 @@ on_init_001_log() {
   fi
 }
 
-on_exit_log() {
+on_exit_001_log() {
   if [[ -v log_fd ]] && (( log_fd != 1 )); then
     exec {log_fd}>&-
   fi
 }
 
+###
+# net code
+###
+
+net_recv() {
+  declare -n sock_line=$1
+  IFS= read -r "$1" <&"$in_sock"
+  sock_line=${sock_line%$'\r'}
+  log_debug "received line: %s" "$sock_line"
+}
+
+net_send() {
+  local fmt
+  # As this is a printf wrapper, the format string is provided as an argument.
+  # shellcheck disable=SC2059
+  printf -v fmt "$1" "${@:2}"
+  printf '%s\r\n' "$fmt" >&"$out_sock"
+  log_debug "sending line: %s" "$fmt"
+}
+
+on_init_002_net() {
+  get_option server irc.libera.chat
+  get_option tls no
+
+  if [[ ${config[tls]} = no ]]; then
+    get_option port 6667
+  else
+    get_option client-cert ""
+    get_option port 6697
+  fi
+}
+
+on_first_002_net() {
+  local irc_sock conn_args
+
+  if [[ ${config[tls]} = no ]]; then
+    log_info "rowbot is connecting to irc://%s:%s" "${config[server]}" "${config[port]}"
+    exec {irc_sock}<>/dev/tcp/"${config[server]}"/"${config[port]}"
+    in_sock=$irc_sock out_sock=$irc_sock
+  else
+    if ! has socat; then
+      die "please install socat to use tls with rowbot."
+    fi
+
+    log_info "rowbot is connecting to ircs://%s:%s" "${config[server]}" "${config[port]}"
+    sock_dir=$(mktemp -d)
+    log_debug "socket directory is %s" "$sock_dir"
+    mkfifo "$sock_dir"/rowbot-{in,out}.sock
+
+    # This is a false positive
+    # shellcheck disable=SC2102
+    if [[ -v config[client-cert] ]]; then
+      if [[ ! -f ${config[client-cert]} ]]; then
+        die "client certificate not found: %s" "${config[client-cert]}"
+      fi
+
+      conn_args=OPENSSL:${config[server]}:${config[port]},cert=${config[client-cert]}
+    else
+      conn_args=OPENSSL:${config[server]}:${config[port]}
+    fi
+
+    socat "$conn_args" - <"$sock_dir"/rowbot-in.sock >"$sock_dir"/rowbot-out.sock &
+    tls_pid=$!
+    exec {out_sock}>"$sock_dir"/rowbot-out.sock {in_sock}<"$sock_dir"/rowbot-in.sock
+    log_debug "process %d is handling tls" "$tls_pid"
+  fi
+}
+
 ###
 # cleanup
 ###
 
 cleanup() {
+  log_info "There’s a lot of beauty in ordinary things. Isn’t that kind of the point?"
   run_callbacks on_exit_
 }
 
@@ -247,7 +312,7 @@ trap cleanup EXIT
 # live code reloader
 ###
 
-reload() {
+reload_config() {
   local setting setting_name
   run_callbacks on_before_
 
@@ -259,12 +324,12 @@ reload() {
   exec "${cmd_line[@]}"
 }
 
-hup_reload() {
+reload_hup() {
   log_info "received reload signal (HUP)"
-  reload
+  reload_config
 }
 
-trap hup_reload HUP
+trap reload_hup HUP
 
 ###
 # initialization sequence
@@ -277,5 +342,3 @@ if is_reloaded; then
 else
   run_callbacks on_first_
 fi
-
-declare -p config