diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..e69de29 diff --git a/configuration.nix b/configuration.nix index f1c9c01..20226b5 100644 --- a/configuration.nix +++ b/configuration.nix 
@@ -16,12 +16,91 @@ in { ./hardware-configuration.nix ]; - services.gitea = { + services.postgresql = { + enable = true; + ensureDatabases = [ "matrix-synapse" ]; + package = pkgs.postgresql_15; + ensureUsers = [ + { +# name = "synapse"; + name = "matrix-synapse"; + ensureDBOwnership = true; + } + ]; + authentication = pkgs.lib.mkOverride 10 '' + #type database DBuser auth-method +local all postgres peer +local all all peer +host all all 127.0.0.1/32 md5 +host synapse matrix-synapse ::1/128 md5 +host all all ::1/128 md5 +local replication all peer +host replication all 127.0.0.1/32 md5 +host replication all ::1/128 md5 + ''; + identMap = '' + # ArbitraryMapName systemUser DBUser + superuser_map root postgres + superuser_map matrix-synapse synapse + superuser_map postgres postgres + # Let other names login as themselves + superuser_map /^(.*)$ \1 + ''; + }; + + systemd.services.postgresql.postStart = let + password_file_path = config.age.secrets.synapse_db_pass.path; + in '' + $PSQL -tA <<'EOF' + DO $$ + DECLARE password TEXT; + BEGIN + password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', ''')); + EXECUTE format('ALTER ROLE matrix-synapse WITH PASSWORD '''%s''';', password); + END $$; + EOF + ''; + + services.matrix-synapse-next = { + enable = true; + + workers.federationSenders = 1; + workers.federationReceivers = 1; + workers.initialSyncers = 1; + workers.normalSyncers = 1; + workers.eventPersisters = 2; + workers.useUserDirectoryWorker = true; + + enableNginx = true; + + settings = { + server_name = root_host; + enable_registration = true; + + + macaroon_secret_key = "supersecretsecretkey"; + registrations_require_3pid = [ "email" ]; + database = { + name = "psycopg2"; + args = { +# host = "localhost"; +# user = "synapse"; + passfile = config.age.secrets.synapse_db_pass_prepared.path; +# password = "synapse"; +# dbname = "synapse"; + }; + }; + }; + }; + services.redis.servers."".enable = true; + + services.gitea = { enable = true; 
settings = { service.DISABLE_REGISTRATION = true; server = { HTTP_PORT = gitea_port; + ROOT_URL = "https://${gitea_host}/"; DISABLE_SSH = true; }; # log.LEVEL = "Debug"; @@ -30,7 +109,18 @@ in { }; age.secrets = { - duckdns_token.file = ./secrets/duckdns_token.age; + synapse_db_pass = { + file = ./secrets/synapse_db_pass.age; + owner = "postgres"; + group = "postgres"; + }; + synapse_db_pass_prepared = { + file = ./secrets/synapse_db_pass_prepared.age; + owner = "matrix-synapse"; + group = "matrix-synapse"; + }; + +# duckdns_token.file = ./secrets/duckdns_token.age; }; users.users.grimmauld = { @@ -69,15 +159,15 @@ in { pypy3 ]; - systemd.services = { - dynamic-dns-updater = { - path = [ - pkgs.curl - ]; - script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="''; - startAt = "hourly"; - }; - }; +# systemd.services = { +# dynamic-dns-updater = { +# path = [ +# pkgs.curl +# ]; +# script = ''curl "https://www.duckdns.org/update?domains=grimmauld&token=$(<${config.age.secrets.duckdns_token.path})&ip="''; +# startAt = "hourly"; +# }; +# }; security.acme = { acceptTerms = true; @@ -97,7 +187,7 @@ in { networking.firewall = { enable = true; - allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 ]; + allowedTCPPorts = [ 80 443 puffer_sftp_port 25565 8448 ]; allowPing = true; allowedUDPPortRanges = [ # { from = 4000; to = 4007; } diff --git a/flake.lock b/flake.lock index ac82061..69cb6ce 100644 --- a/flake.lock +++ b/flake.lock 
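Review bot: `macaroon_secret_key = "supersecretsecretkey";` commits Synapse's token-signing key to git and, once evaluated, writes it into the world-readable Nix store config, so anyone who can read either can mint valid access tokens for this homeserver; generate a random value, deliver it through `age.secrets` like the two database secrets in this hunk, and load it through the module's extra-config-file mechanism (`extraConfigFiles` in the nixpkgs matrix-synapse module; confirm matrix-synapse-next exposes the equivalent) instead of `settings`. The `postStart` block also looks broken: `ALTER ROLE matrix-synapse` is an unquoted identifier containing `-`, which PostgreSQL rejects, and the `'''%s'''` template splices the password into the statement unescaped, so `EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', 'matrix-synapse', password);` fixes both, and `$PSQL -tA -v ON_ERROR_STOP=1` would keep the failure from being merely logged while the unit reports success. In the `authentication` block, `host synapse matrix-synapse ::1/128 md5` still names the old `synapse` database that `ensureDatabases` no longer creates, the `identMap` is never referenced by a `map=` option so it is inert, and `scram-sha-256` is preferable to `md5` for the remaining host lines. `enable_registration = true` together with 8448 opened in the firewall makes this an open-registration federating homeserver; the `registrations_require_3pid = [ "email" ]` gate only holds if an email section is configured, which this hunk does not show.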
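Review bot: The `age.secrets` hunk comments out `duckdns_token.file` instead of deleting it, and the same pattern recurs in the following `systemd.services` hunk and in `secrets/secrets.nix`; git history already preserves the old configuration, and the commented block keeps a live-looking `curl ... token=$(<${config.age.secrets.duckdns_token.path})` command next to an `age.secrets` entry and `.age` file that this commit removes, so re-enabling any one of the three later would fail at evaluation. Either delete the three commented blocks or keep the secret, its `age.secrets` entry and the unit together.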
@@ -64,6 +64,26 @@ "type": "github" } }, + "nixos-matrix-modules": { + "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1701507532, + "narHash": "sha256-Zzv8OFB7iilzDGe6z2t/j8qRtR23TN3N8LssGsvRWEA=", + "ref": "refs/heads/master", + "rev": "046194cdadc50d81255a9c57789381ed1153e2b1", + "revCount": 56, + "submodules": true, + "type": "git", + "url": "https://github.com/dali99/nixos-matrix-modules" + }, + "original": { + "submodules": true, + "type": "git", + "url": "https://github.com/dali99/nixos-matrix-modules" + } + }, "nixpkgs": { "locked": { "lastModified": 1703013332, @@ -80,6 +100,21 @@ "type": "github" } }, + "nixpkgs-lib": { + "locked": { + "lastModified": 1673743903, + "narHash": "sha256-sloY6KYyVOozJ1CkbgJPpZ99TKIjIvM+04V48C04sMQ=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "7555e2dfcbac1533f047021f1744ac8871150f9f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, "nixpkgs_2": { "locked": { "lastModified": 1703255338, @@ -99,6 +134,7 @@ "root": { "inputs": { "agenix": "agenix", + "nixos-matrix-modules": "nixos-matrix-modules", "nixpkgs": "nixpkgs_2" } }, diff --git a/flake.nix b/flake.nix index 9e05f41..b09d14e 100644 --- a/flake.nix +++ b/flake.nix @@ -7,9 +7,13 @@ nixpkgs = { url = "github:NixOS/nixpkgs/nixos-unstable"; }; + nixos-matrix-modules = { + url = "git+https://github.com/dali99/nixos-matrix-modules?submodules=1"; + flake = true; + }; }; - outputs = { self, nixpkgs, agenix }: let + outputs = { nixos-matrix-modules, self, nixpkgs, agenix }: let system = "x86_64-linux"; in { nixosConfigurations = { @@ -18,6 +22,7 @@ modules = [ ./configuration.nix agenix.nixosModules.default + nixos-matrix-modules.nixosModules.default { environment.systemPackages = [ agenix.packages.${system}.default ]; } ]; }; diff --git a/result b/result index 9b342d7..de4f83a 120000 --- a/result +++ b/result 
@@ -1 +1 @@ -/nix/store/xgpf9yaqayh48k3fa25dzck2xlnvcxdd-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc \ No newline at end of file +/nix/store/wf6nyixk6236i1h6ws7yn3lnq7plhyd8-nixos-system-grimmauld-nixos-server-24.05.20231222.6df37dc \ No newline at end of file diff --git a/secrets/duckdns_token.age b/secrets/duckdns_token.age deleted file mode 100644 index 7b3aed1..0000000 --- a/secrets/duckdns_token.age +++ /dev/null @@ -1,16 +0,0 @@ -age-encryption.org/v1 --> ssh-rsa jWbwAg -qN28qDzdvyx8S8xv1P9nFb1TK14sDnJhF56LVY0G3h6Q8nB02kw3bSJxYBzBs1qO -US2Ci80+IvxKztMAVsI7Hd5u7nKNahxDRCDUZiszETXNZukCLFFWK9ouy7YBRgaI -is44FImbdlua7kq1a9Lpuro04DfWhuG7X0/0ZBiPikI5fWRNAMMoP1ZRQqqlBVPj -fWWSbKa7C0jdBvfzOXSImtU0uuNjCshxsOF4sF7YLY6qlxc8xZdZnyIFRgm6XO7Z -qyeKNkMe1ufssrmquQI9ZgC1LGc+k9VhRtHoSxq1sFNeBBNF1AL4Lh4CReUr0gC1 -NKSiCMq57hBlhLr8jlEG/p6MQe9vfgyxE9xKvknrdo2ou0N7zPQcWTOuL7EKY8w3 -ZC+1UolK5qzu0MvN77RBTPY72jIG9h6YSLOfDKduOsvWFG9kBJ/QEzuwhdXjd9jy -nyvGcNKQoWl7ASGB3W0jP3Iv5ED4Qxd2O8F3bgwndhU9tBkej+KL9uK6YEXJcsNz -5k+J72pdMVtMp4K+XHkdz9fQXedp6M91+gdbEWmvOWUZx67GRq+8aL07nVenJKM6 -ZyOI3F3fjLLC0DmhEyPVD+nq/W6Ljwx/O7fq1uJjQLPRJPNqYcRaokVmpjXiO23w -qT8yVaQxExD26Rn1CIHQQ4piprHVK25oUaJxkO0NYic ---- dLuM11zSUY2zLMW30ftenkZdhD//0BW4YSJEDEb0XfA -ܕa -&ڇ^vAfV;CݢD`Ӓ'7m泶 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 27c5331..45a7a61 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -3,5 +3,7 @@ let contabo_nix_pub = "ssh-rsa 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"; in { - "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; + # "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; + "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ]; + "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ]; } diff --git a/secrets/synapse_db_pass.age b/secrets/synapse_db_pass.age new file mode 100644 index 0000000..1f65228 --- /dev/null +++ b/secrets/synapse_db_pass.age 
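Review bot: `result` is the `nix build` output symlink and is tracked in the repository, so every rebuild produces a one-line diff of a store path (`/nix/store/...-nixos-system-grimmauld-nixos-server-...`) that carries no configuration information; remove it from the index and add `result` to `.gitignore` so the flake inputs and the lock file remain the only record of what was built.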
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-rsa jWbwAg +uphSCXWnsU8Ffn8E3G3cQFlU+Op480vwqkDZKcvwGo/7aPeSKvcxpDkkvZbBSpeJ +agOsx9umGm2xJd38ss7vUYiTGZFyXVRVR0ECRLUSjmt4U1fbdIXM1JijKPJBNPFf +rZWc/+6uXXHFwv0633SyM6swuytmo6jKbdExclY1Q5bwYHfTAUvHaeUW1AFWd24d +HWJCLXEY3VK7WvcH3nvpzeNvRMbkaOBrcPnt7rqWmKH0F92tFP3mNiOtbHRZgSe8 +aJodlNU390gLqED/BOqKjLxCYvfiVSSRu6ziP/h3VKqmC8HDD8e+nSQwS7qMlgXi +4i6kgZQr+is1rsU5GMLe+H7jw/ZI+hOxNyutGXi1wd1qgrM1qbCfJmUS8tYUP2kw +NsD4+h1xz2Hkop+6MKursOPsD6Vw/TFuNKDXyQstbrz8jU8rP5jvkIn6o7PT4rVm +HyJ4sHlabnmqufyVCtjfZz84fyOjHqeoqeS0ST5zH1VcjGh9pEJiMOK0FoiJlDaQ +hyzKhREJ/iAlb1EJ9IRu+rVgO9hamj4ZyqE4kFrTfp9/bb5HbH04km+WZByzcenA +G8aOVUwk/IvC77jjMBKwn8i09DgBbjz5RHD6hXZwHOnPPQctBO8TDRIreQ9IHBsv +xIpQuRIf1GAiGwbVdGxffwsS38Aw6h2EDzX436NFJmc +--- AK4cj1yXlOGE07/jrzEfZ1RRwYnabyglA78+X54ON2E +/ɳbm/ը(N]Mc$5&ڬxfp*qlt朁164˛o(,* \ No newline at end of file diff --git a/secrets/synapse_db_pass_prepared.age b/secrets/synapse_db_pass_prepared.age new file mode 100644 index 0000000..184dd2f --- /dev/null +++ b/secrets/synapse_db_pass_prepared.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-rsa jWbwAg +VOENJIUyiW87jYh6c4gt1ll6OHaLhKnIId5Zr7Yhc2XPsgZa6vIws9cVAYhRd46C +jtNWMdIYATKmqrv7qICrsfQlY1aBeQmINwPCfFOxbu/tmuS7l1KvHccslJTQynEc +ZNuM7uZCRmrCPORxCZpFQYm5w3/XYNEz0cOwculv9DYTeYKYlL5tmPj6NAmD6Ta/ +OGaMNpT+HVEvsfR+g+bAYE03dZdmCIk+YEJx7NfCIuqpIV4KAF+gWNTyUSG1hIs+ +NzCje2QzOt7wSzvu2u3/Eb8G0oQZFLIxb3xbzels2XZmjseRdjEAW7Un6uivG/vH +5H7EdBpwWJtr3PyfqkY53YvJc3mdatqiJhs1h7Douo48PYODVO0p6YEqn21gdqhn +6EpIMp9u2Fj6aVER0IeY19viNJdrfKFLlymWRYnottNtUeR0MV7UvNj03Gpu+/Xy +HSJmb6y9d8oGaCR3YSlii0FPTpwjOE+TwxCq+aoLQqeBff1Ytt1rEFuunohJfTk+ +krF0dJ0u1+k/vJChcuGBpLtU+XZ+jjAni1CUsV4qjntRuKNlilutgELyzXcbz4PV +ZiIUxqqwrvRTUXg+NIMZvh6VYGuGgGaJkNxajz9bcuwkhYBtJuEcpsmkBv+TS3hz +UuhRns+YUaY1Pwsoh5MJcmXsE7QthW5PUKJmnAmt+vk +--- Ok/G4af2ShLLe1qbQEXjHxISHGOpG2DBojZTvf6tEQQ +R^^A<Q_xX{hjdO9} ?i?,Cƅdpћu-4"DQ8bV \ No newline at end of file