diff --git a/modules/services/server/matrix.nix b/modules/services/server/matrix.nix
index 6b4b46d..1e756e8 100644
--- a/modules/services/server/matrix.nix
+++ b/modules/services/server/matrix.nix
@@ -4,17 +4,76 @@ { config, lib, pkgs, ... }:
-{
+let
+ fqdn = "matrix.${config.networking.domain}";
+ clientConfig = {
+ "m.homeserver".base_url = "https://${fqdn}";
+ "m.identity_server" = {};
+ };
+ serverConfig."m.server" = "${config.services.matrix-synapse.settings.server_name}:443";
+ mkWellKnown = data: ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON data}';
+ '';
+in {
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "${config.networking.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+ locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+ };
+ "${fqdn}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+ locations."/_matrix".proxyPass = "http://[::1]:8008";
+ locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+ };
+ };
+ };
+
 services.matrix-synapse = {
 enable = true;
 settings = {
- server_name = "kabtop.de";
- public_baseurl = "https://kabtop.de:8448";
+ server_name = config.networking.domain;
+ listeners = [
+ { port = 8008;
+ bind_addresses = [ "::1" ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [ {
+ names = [ "client" "federation" ];
+ compress = true;
+ } ];
+ }
+ ];
 database.args.user = "synapse";
 database.args.database = "synapsedb";
 extraConfigFiles = [ config.age.secrets."services/matrix/synapse.yml".path ];
 };
+ };
+ security.acme.certs.${config.services.matrix-synapse.server_name} = {
+ /* insert here the right configuration to obtain a certificate */
+ postRun = "systemctl restart synapse.service";
+ group = "synapse";
+ };
+
+ age.secrets."services/matrix/synapse.yml" = {
+ file = ../../../secrets/services/matrix/synapse.age;
+ owner = "synapse";
+ };
 }
diff --git a/secrets/services/matrix/synapse.age b/secrets/services/matrix/synapse.age
index e27dc49..1895380 100644
Binary files a/secrets/services/matrix/synapse.age and b/secrets/services/matrix/synapse.age differ
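Review bot: The `security.acme.certs.${config.services.matrix-synapse.server_name}` block still carries the placeholder `/* insert here the right configuration to obtain a certificate */`, so the certificate handling is being committed unfinished. Nothing in the new code appears to need it: the synapse listener is `tls = false` on `[::1]:8008` and both nginx virtual hosts already obtain their certificates through `enableACME = true`, so synapse never reads this certificate and the block can most likely be dropped. If it is kept, `postRun = "systemctl restart synapse.service"` and `group = "synapse"` should be checked against the unit and user names the NixOS matrix-synapse module actually creates (as far as I know both are `matrix-synapse`, which would also affect the `owner = "synapse"` on the age secret), and because `server_name` equals `config.networking.domain` this attribute merges into the certificate nginx requested for that vhost, where overriding `group` may take away nginx's read access to the key. A short comment such as `# TLS is terminated by nginx; synapse listens on plain HTTP at [::1]:8008 only` in place of the placeholder would record that decision.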