diff --git a/configuration/default.nix b/configuration/default.nix
index 76a1bf7..f15ecca 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -7,6 +7,7 @@
 ./services/nextcloud.nix
 ./services/webserver.nix
 ./services/starbound.nix
+ ./services/conduit.nix
 ./ids.nix
 ];
@@ -38,7 +39,7 @@
 useDHCP = false;
 interfaces.eth0.useDHCP = true;
- firewall.allowedTCPPorts = [ 80 443 2222 2221 25565 21025 ];
+ firewall.allowedTCPPorts = [ 80 443 2222 2221 8448 25565 21025 ];
 };
 time.timeZone = "Europe/London";
diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix
new file mode 100644
index 0000000..4b3069b
--- /dev/null
+++ b/configuration/services/conduit.nix
@@ -0,0 +1,49 @@
+{
+ config,
+ lib,
+ ...
+}: let
+ inherit (lib.lists) flatten;
+
+ domain = config.services.nginx.domain;
+ server_name = "matrix.${domain}";
+in {
+ services.matrix-conduit = {
+ enable = true;
+ settings.global = {
+ inherit server_name;
+ address = "127.0.0.1";
+ database_backend = "rocksdb";
+ };
+ };
+
+ services.nginx = {
+ virtualHosts."${server_name}" = {
+ listen = flatten (map (port: [
+ {
+ inherit port;
+ addr = "0.0.0.0";
+ ssl = true;
+ }
+ {
+ inherit port;
+ addr = "[::0]";
+ ssl = true;
+ }
+ ]) [443 8448]);
+
+ locations."/_matrix/" = {
+ proxyPass = "http://127.0.0.1:6167";
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ onlySSL = true;
+ enableACME = true;
+
+ extraConfig = ''
+ merge_slashes off;
+ '';
+ };
+ };
+}
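Review bot: Port 8448 is added to the host-wide `firewall.allowedTCPPorts` list instead of next to the service that needs it, so the port stays open to the internet if the `./services/conduit.nix` import is later removed. NixOS merges list-typed options across modules, so `networking.firewall.allowedTCPPorts = [ 8448 ];` could live in conduit.nix and this line could stay as it was. If the list is kept central, a comment such as `# 8448: Matrix federation, TLS terminated by nginx` would record why the port is exposed. The enclosing attribute set starts outside this hunk, so the `networking.` prefix is inferred.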
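Review bot: `proxyPass = "http://127.0.0.1:6167";` hard-codes the backend port while the `services.matrix-conduit` block never sets `port`, so the proxy target is only right for as long as the module default stays 6167. Deriving it from the option keeps the two in step: `proxyPass = "http://127.0.0.1:${toString config.services.matrix-conduit.settings.global.port}";`. Because this virtual host is reachable publicly on 443 and 8448, it would also help to state the registration policy explicitly with `allow_registration = false;` in `settings.global` rather than leaving it to the module default. `enableACME = true` is combined with TLS-only listeners, so HTTP-01 validation presumably depends on another virtual host answering port 80 for this name; a comment saying so would make a failed renewal easier to diagnose.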