diff --git a/hosts/caramel/default.nix b/hosts/caramel/default.nix
index 03f02cf..c7204fb 100644
--- a/hosts/caramel/default.nix
+++ b/hosts/caramel/default.nix
@@ -8,21 +8,27 @@
 wpa_conf.file = ../../secrets/wpa_conf.age;
 wg_caramel.file = ../../secrets/wg_caramel.age;
 };
- imports = with modules.system; [
- inputs.home-manager-porcupine.nixosModule
+ imports =
+ (with modules.system; [
+ inputs.home-manager-porcupine.nixosModule
- base
- home-manager
- input
- nix-porcupine
- security
- wireguard
+ base
+ home-manager
+ input
+ nix-porcupine
+ security
+ wireguard
- ./filesystem.nix
- ./kernel.nix
- ./networking.nix
- ./packages.nix
+ ./filesystem.nix
+ ./kernel.nix
+ ./networking.nix
+ ./packages.nix
- ../../users/hana
- ];
+ ../../users/hana
+ ]) ++
+ (with modules.services; [
+ nginx
+ postgres
+ synapse
+ ]);
 }
diff --git a/modules/default.nix b/modules/default.nix
index 51aa449..3473a54 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -14,6 +14,11 @@ let }) paths ); in {
+ services = mkAttrsFromPaths [
+ ./services/nginx.nix
+ ./services/postgres.nix
+ ./services/synapse.nix
+ ];
 system = mkAttrsFromPaths [
 ./system/audio.nix
 ./system/base.nix
diff --git a/modules/services/nginx.nix b/modules/services/nginx.nix
new file mode 100644
index 0000000..50e1217
--- /dev/null
+++ b/modules/services/nginx.nix
@@ -0,0 +1,22 @@
+{ ... }: {
+ security.acme.acceptTerms = true;
+ security.acme.email = "me@lava.moe";
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+
+ virtualHosts = {
+ "lava.moe" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+ };
+ };
+ };
+}
diff --git a/modules/services/postgres.nix b/modules/services/postgres.nix
new file mode 100644
index 0000000..28e629b
--- /dev/null
+++ b/modules/services/postgres.nix
@@ -0,0 +1,12 @@
+{ config, ... }:
+let
+ dir = "/persist/postgresql/${config.services.postgresql.package.psqlSchema}";
+ uid = config.ids.uids.postgres;
+ gid = config.ids.gids.postgres;
+in {
+ systemd.tmpfiles.rules = [ "d ${dir} 700 ${uid} ${gid}" ];
+ services.postgresql = {
+ enable = true;
+ dataDir = dir;
+ };
+}
diff --git a/modules/services/synapse.nix b/modules/services/synapse.nix
new file mode 100644
index 0000000..ecd2929
--- /dev/null
+++ b/modules/services/synapse.nix
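Review bot: `"d ${dir} 700 ${uid} ${gid}"` interpolates `config.ids.uids.postgres` and `config.ids.gids.postgres`, which are integers, and Nix does not coerce an integer inside a string (it aborts with "cannot coerce an integer to a string"), so this module fails at evaluation time; the identical tmpfiles rule in synapse.nix has the same problem. Wrapping the two `let` bindings fixes it without touching the rule: `uid = toString config.ids.uids.postgres;` and `gid = toString config.ids.gids.postgres;`. A one-line comment on the rule would also help the next reader, e.g. `# 0700 is what postgres demands for its data directory; parents of ${dir} are left to tmpfiles' defaults`.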
@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+let
+ dom = "lava.moe";
+ sub = "matrix.lava.moe";
+ dir = "/persist/matrix-synapse";
+ uid = config.ids.uids.matrix-synapse;
+ gid = config.ids.gids.matrix-synapse;
+in {
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ systemd.tmpfiles.rules = [ "d ${dir} 700 ${uid} ${gid}" ];
+
+ /*services.postgresql = {
+ ensureDatabases = [ "matrix-synapse" ];
+ ensureUsers = [{
+ name = "matrix-synapse";
+ ensurePermissions = {
+ "DATABASE matrix-synapse" = "ALL PRIVILEGES";
+ };
+ }];
+ };*/
+ # TODO this would be bad if we use postgres for other things too
+ services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
+ CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+ CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+ TEMPLATE template0
+ LC_COLLATE = "C"
+ LC_CTYPE = "C";
+ '';
+
+ services.nginx = {
+ virtualHosts = {
+ ${dom} = {
+ serverAliases = [ sub ];
+ locations."= /.well-known/matrix/server".extraConfig =
+ let
+ server = { "m.server" = "${sub}:443"; };
+ in ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server}';
+ '';
+ locations."= /.well-known/matrix/client".extraConfig =
+ let
+ client = {
+ "m.homeserver" = { "base_url" = "https://${sub}"; };
+ "m.identity_server" = { "base_url" = "https://vector.im"; };
+ };
+ in ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+ };
+
+ ${sub} = {
+ forceSSL = true;
+ useACMEHost = dom;
+
+ locations."/".extraConfig = ''
+ return 404;
+ '';
+
+ locations."/_matrix" = {
+ proxyPass = "http://[::1]:8008";
+ };
+ };
+ };
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ dataDir = dir;
+ server_name = dom;
+ listeners = [
+ {
+ port = 8008;
+ bind_address = "::1";
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = [ "client" "federation" ];
+ compress = false;
+ }
+ ];
+ }
+ ];
+ };
+}
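Review bot: `serverAliases = [ sub ];` on the `${dom}` vhost gives `matrix.lava.moe` two server blocks, because the same hunk defines a dedicated `${sub}` vhost further down; nginx keeps the first block for a duplicated server name and only logs a warning, and since NixOS emits vhosts in attribute order the `lava.moe` block (whose `/` returns 404) would likely answer `/_matrix` requests instead of the proxy, breaking both clients and federation. If the alias is there so the `lava.moe` certificate also covers the subdomain for `useACMEHost = dom`, the cleaner form is to drop the alias and declare `security.acme.certs.${dom}.extraDomainNames = [ sub ];`. Separately, `pkgs.writeText` puts the literal `PASSWORD 'synapse'` into the world-readable Nix store; if Synapse reaches postgres over the local socket with peer authentication (the NixOS defaults appear to allow that) the `PASSWORD` clause can go entirely, and if a password is really needed it belongs in an age secret like the ones under `secrets/`, not in the store. The `# TODO` above `initialScript` would be more useful stating the actual limitation, e.g. `# initialScript runs only when the cluster is first initialised, so this is skipped if postgres was set up earlier for something else`.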