diff --git a/flake.lock b/flake.lock
index 3661bf58..bb1b1820 100644
--- a/flake.lock
+++ b/flake.lock
@@ -420,11 +420,11 @@
 ]
 },
 "locked": {
- "lastModified": 1690416313,
- "narHash": "sha256-/S50kHmLtgvxc3Lilg9krgztsXrPLTbqP79zIRsBPgU=",
+ "lastModified": 1690502759,
+ "narHash": "sha256-xFMXitaPZGWsmqsQsOMrI8NJMxFStsheJYuZf+3QXh0=",
 "owner": "nix-community",
 "repo": "neovim-nightly-overlay",
- "rev": "366ec83684016e34f0add181ad2bcb63266628a5",
+ "rev": "954343774b0dcba5f58d19162581b5ce5bbb685f",
 "type": "github"
 },
 "original": {
@@ -501,11 +501,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1690498399,
- "narHash": "sha256-tQaPJ+F5pAIABp6c5kRU+z878YqiiJDvumxnlHDn2Eo=",
+ "lastModified": 1690510391,
+ "narHash": "sha256-Df5Rd40afsqFzaZ/kUWNoVxHFKmuGO4UI/bbxwlRcDY=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "503744f5a81076af222f439db28664a8de6ca7f7",
+ "rev": "f68a459f743733d53a0f5f9ce4b7b70eea5f8722",
 "type": "github"
 },
 "original": {
@@ -839,11 +839,11 @@
 ]
 },
 "locked": {
- "lastModified": 1690404004,
- "narHash": "sha256-GRu8eVuDZH6YLcwBru1URagnCdfQ0Gzd+x1m/E5zcrA=",
+ "lastModified": 1690511403,
+ "narHash": "sha256-IwgDo+JVK+mp/BC8B+erF3fJcrLDR1HK8pFkC01Fe8s=",
 "owner": "thexyno",
 "repo": "blog",
- "rev": "7b039a0287b8e616ff9dfc6c3a1e2086f01f6cd0",
+ "rev": "00e56ff917492bfa7da771fd973f7289960bf2de",
 "type": "github"
 },
 "original": {
diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix
index de905e29..decf9ec4 100644
--- a/hosts/picard/default.nix
+++ b/hosts/picard/default.nix
@@ -9,6 +9,7 @@
 [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+ ./xynospace-matrix.nix
 ];
 
 documentation.enable = false;
diff --git a/hosts/picard/xynospace-matrix.nix b/hosts/picard/xynospace-matrix.nix
new file mode 100644
index 00000000..23e45768
--- /dev/null
+++ b/hosts/picard/xynospace-matrix.nix
@@ -0,0 +1,127 @@
+{ config, pkgs, lib, ... }:
+let
+ fqdn = "matrix.xyno.space";
+ serverName = "xyno.space";
+ localAddress = "192.168.100.11";
+ hostAddress = "192.168.100.10";
+ stateVer = config.system.stateVersion;
+in
+{
+ ragon.agenix.secrets."matrixSecrets" = { owner = "matrix-synapse"; };
+ services.postgresql.enable = true;
+ services.postgresql.initialScript = lib.mkForce (pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse-xynospace"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ CREATE ROLE "matrix-synapse-xynospace" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse-xynospace" WITH OWNER "matrix-synapse-xynospace"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '');
+ networking.nat.enable = true;
+ networking.nat.internalInterfaces = [ "ve-+" ];
+ networking.nat.externalInterface = "ens3";
+ networking.firewall.trustedInterfaces = [ "ve-+" ];
+
+ containers.xynospace-matrix = let ms = config.age.secrets.matrixSecrets.path; in {
+ config = { config, pkgs, ... 
}: {
+ system.stateVersion = stateVer;
+ networking.firewall.allowedTCPPorts = [ 8008 ];
+ services.matrix-synapse = {
+ enable = true;
+ settings.server_name = serverName;
+ extraConfigFiles = [ ms ];
+ settings.database.args.user = "matrix-synapse-xynospace";
+ settings.database.name = "psycopg2";
+ settings.database.args.database = "matrix-synapse-xynospace";
+ settings.database.args.host = hostAddress;
+ settings.database.args.password = "synapse";
+ settings.listeners = [
+ {
+ port = 8008;
+ bind_addresses = [ localAddress ];
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ };
+ };
+ inherit localAddress hostAddress;
+ privateNetwork = true;
+ autoStart = true;
+
+ bindMounts = {
+ "/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = true; };
+ "/run/agenix.d" = { hostPath = "/run/agenix.d"; isReadOnly = true; };
+ };
+
+ };
+ services.nginx.virtualHosts = {
+ "${serverName}" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."= /.well-known/matrix/server".extraConfig =
+ let
+ # use 443 instead of the default 8448 port to unite
+ # the client-server and server-server port for simplicity
+ server = { "m.server" = "${fqdn}:443"; };
+ in
+ ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig =
+ let
+ client = {
+ "m.homeserver" = { "base_url" = "https://${fqdn}"; };
+ "m.identity_server" = { "base_url" = "https://vector.im"; };
+ "org.matrix.msc3575.proxy" = { "url" = "https://slidingsync.ragon.xyz"; };
+ };
+ # ACAO required to allow element-web on any URL to request this json file
+ in
+ ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+ };
+ # Reverse proxy for Matrix client-server and server-server communication
+ "${fqdn}" = {
+ forceSSL = true;
+ enableACME = 
true;
+
+ # Or do a redirect instead of the 404, or whatever is appropriate for you.
+ # But do not put a Matrix Web client here! See the Element web section below.
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+
+ # forward all Matrix API calls to the synapse Matrix homeserver
+ locations."/_matrix" = {
+ proxyPass = "http://${localAddress}:8008"; # without a trailing /
+ };
+ locations."/synapse" = {
+ proxyPass = "http://${localAddress}:8008"; # without a trailing /
+ };
+ };
+ };
+ ragon.persist.extraDirectories = [
+ "/var/lib/nixos-containers"
+ ];
+ services.postgresql.authentication = ''
+ host all all ${localAddress}/32 md5
+ '';
+ services.postgresql.settings.listen_addresses = lib.mkForce "localhost,${hostAddress}";
+
+}
diff --git a/nixos-modules/services/synapse.nix b/nixos-modules/services/synapse.nix
index a11faf0a..bcecb39f 100644
--- a/nixos-modules/services/synapse.nix
+++ b/nixos-modules/services/synapse.nix
@@ -83,20 +83,20 @@ in
 LC_CTYPE = "C";
 '';
 services.nginx.virtualHosts = {
- "${cfg.elementFqdn}" = {
- useACMEHost = "${domain}";
- forceSSL = true;
+ #"${cfg.elementFqdn}" = {
+ # useACMEHost = "${domain}";
+ # forceSSL = true;
 
- root = pkgs.element-web.override {
- conf = {
- default_server_config."m.homeserver" = {
- "base_url" = "https://${fqdn}";
- "server_name" = "${domain}";
- };
- default_theme = "dark";
- }; # TODO make this less shit
- };
- };
+ # root = pkgs.element-web.override {
+ # conf = {
+ # default_server_config."m.homeserver" = {
+ # "base_url" = "https://${fqdn}";
+ # "server_name" = "${domain}";
+ # };
+ # default_theme = "dark";
+ # }; # TODO make this less shit
+ # };
+ #};
 "${cfg.serverName}" = {
 forceSSL = true;
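Review bot: In the new hosts/picard/xynospace-matrix.nix, the first `CREATE DATABASE "matrix-synapse"` statement of `services.postgresql.initialScript` names `"matrix-synapse-xynospace"` as owner, but that role is only created two statements later, so this statement fails on first initialisation and the `matrix-synapse` role is left without its database; the intent looks like `CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"`. Both roles are created with the literal password `'synapse'`, which is repeated in `settings.database.args.password` and so ends up in the world-readable Nix store; since `extraConfigFiles = [ ms ]` already injects an agenix secret into the container, the database credentials could presumably be carried in that file instead, and the role password set from a secret rather than from `pkgs.writeText`. `services.postgresql.authentication` then grants `host all all ${localAddress}/32 md5`, which lets the container reach every database and role on the host; restricting it to the one role/database and preferring SCRAM, e.g. `host "matrix-synapse-xynospace" "matrix-synapse-xynospace" ${localAddress}/32 scram-sha-256`, keeps a compromised container from the rest of the instance. Finally, `networking.firewall.trustedInterfaces = [ "ve-+" ]` opens every host service to the container although only PostgreSQL on `${hostAddress}` is needed; `networking.firewall.interfaces."ve-+".allowedTCPPorts = [ 5432 ]` would be the narrower rule.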