diff --git a/configuration.nix b/configuration.nix
index 2bccf80..729cff8 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -4,7 +4,12 @@
 
 { config, pkgs, ... }:
 
-{
+let
+  fqdn =
+    let
+      join = hostName: domain: hostName + ".${domain}";
+    in join config.networking.hostName config.networking.domain;
+in {
   imports =
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
@@ -22,7 +27,8 @@
   # Enable additional firmware (such as Wi-Fi drivers).
   hardware.enableRedistributableFirmware = true;
 
-  networking.hostName = "levitest"; # Define your hostname.
+  networking.hostName = "bib3"; # Define your hostname.
+  networking.domain = "de";
   # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
 
   # The global useDHCP flag is deprecated, therefore explicitly set to false here.
@@ -32,6 +38,9 @@
   networking.interfaces.eth0.useDHCP = true;
   networking.interfaces.wlan0.useDHCP = true;
 
+  security.acme.email = "webmaster@bib3.de";
+  security.acme.acceptTerms = true;
+
   # Select internationalisation properties.
   # i18n.defaultLocale = "en_US.UTF-8";
   # console = {
@@ -55,18 +64,113 @@
   # Enable the OpenSSH daemon.
   services.openssh.enable = true;
 
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "nextcloud" ];
+    ensureUsers = [
+      { name = "nextcloud";
+        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
+      }
+    ];
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
+    '';
+  };
 
-  # Nginx webserver configuration
   services.nginx = {
     enable = true;
-    virtualHosts."default_server" = {
-      root = "/var/www/default";
+    # only recommendedProxySettings and recommendedGzipSettings are strictly required,
+    # but the rest make sense as well
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+
+    virtualHosts = {
+      "default_server" = {
+        root = "/var/www/default";
+      };
+
+      # This host section can be placed on a different host than the rest,
+      # i.e. to delegate from the host being accessible as ${config.networking.domain}
+      # to another host actually running the Matrix homeserver.
+ "${config.networking.domain}" = { + locations."= /.well-known/matrix/server".extraConfig = + let + # use 443 instead of the default 8448 port to unite + # the client-server and server-server port for simplicity + server = { "m.server" = "${fqdn}:443"; }; + in '' + add_header Content-Type application/json; + return 200 '${builtins.toJSON server}'; + ''; + locations."= /.well-known/matrix/client".extraConfig = + let + client = { + "m.homeserver" = { "base_url" = "https://${fqdn}"; }; + "m.identity_server" = { "base_url" = "https://vector.im"; }; + }; + # ACAO required to allow element-web on any URL to request this json file + in '' + add_header Content-Type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '${builtins.toJSON client}'; + ''; + }; + + # Reverse proxy for Matrix client-server and server-server communication + ${fqdn} = { + enableACME = true; + forceSSL = true; + + # Or do a redirect instead of the 404, or whatever is appropriate for you. + # But do not put a Matrix Web client here! See the Element web section below. + locations."/".extraConfig = '' + return 404; + ''; + + # forward all Matrix API calls to the synapse Matrix homeserver + locations."/_matrix" = { + proxyPass = "http://[::1]:8008"; # without a trailing / + }; + }; + + "nextcloud.${fqdn}" = { + forceSSL = true; + enableACME = true; + }; }; }; + services.matrix-synapse = { + enable = true; + server_name = config.networking.domain; + listeners = [ + { + port = 8008; + bind_address = "::1"; + type = "http"; + tls = false; + x_forwarded = true; + resources = [ + { + names = [ "client" "federation" ]; + compress = false; + } + ]; + } + ]; + }; + services.nextcloud = { enable = true; - hostName = "nextcloud." + config.networking.hostName; + hostName = "nextcloud." + fqdn; nginx.enable = true; config = { dbtype = "pgsql"; 
@@ -78,28 +182,11 @@
     };
   };
 
-  services.postgresql = {
-    enable = true;
-    ensureDatabases = [ "nextcloud" ];
-    ensureUsers = [
-      { name = "nextcloud";
-        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
-      }
-    ];
-  };
-
-  # ensure that postgres is running *before* running the nextcloud setup
   systemd.services."nextcloud-setup" = {
     requires = [ "postgresql.service" ];
     after = [ "postgresql.service" ];
   };
 
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
   # Define a user account. Don't forget to set a password with ‘passwd’.
   users.users.loooph = {
     isNormalUser = true;
@@ -122,7 +209,7 @@
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
-    wget vim git htop tmux
+    wget vim git htop tmux openssl
   ];
 }