diff --git a/roles/matrix.nix b/roles/matrix.nix
new file mode 100644
index 0000000..1511149
--- /dev/null
+++ b/roles/matrix.nix
@@ -0,0 +1,100 @@
+# NixOps configuration for the hosts running a Matrix server (synapse)
+
+{ config, pkgs, lib, ... }:
+
+{
+
+ services = {
+
+ matrix-synapse = {
+ enable = true; # Enable the synapse server
+ server_name = "chat.mcwhirter.io"; # Server's public domain name
+ public_baseurl = "https://chat.mcwhirter.io/"; # services.matrix-synapse.public_baseurl
+ web_client = true; # Whether to serve a web client
+ create_local_database = true; # Whether to create a local database
+ enable_registration = false; # Toggle user registration
+ listeners = [ {
+ bind_address = "::1"; # Listen on localhost only
+ port = 8008; # Port to listen on
+ resources = [
+ {
+ compress = true;
+ names = [ "client" "webclient" ];
+ } {
+ compress = false;
+ names = [ "federation" ];
+ } ];
+ tls = true;
+ type = "http";
+ x_forwarded = true;
+ } ];
+ tls_certificate_path = "/var/lib/acme/chat.mcwhirter.io/fullchain.pem";
+ tls_private_key_path = "/var/lib/acme/chat.mcwhirter.io/key.pem";
+ };
+
+ nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "chat.mcwhirter.io" = {
+ forceSSL = true;
+ enableACME = true;
+ serverAliases = [
+ "chat.mcwhirter.io"
+ ];
+ root = pkgs.riot-web; # Install RIOT web in the nginx root
+ locations = {
+ "/_matrix" = {
+ proxyPass = "https://[::1]:8008";
+ };
+ "/.well-known/matrix/server".extraConfig =
+ let
+ # use 443 instead of the default 8448 port to unite
+ # the client-server and server-server port for simplicity
+ server = { "m.server" = "chat.mcwhirter.io:443"; };
+ in ''
+ add_header Content-Type application/json;
+ return 200 '${builtins.toJSON server}';
+ '';
+ "= /.well-known/matrix/client".extraConfig =
+ let
+ client = {
+ "m.homeserver" = { "base_url" = "https://chat.mcwhirter.io"; };
+ "m.identity_server" = { "base_url" = "https://vector.im"; };
+ };
+ # ACAO required to allow riot-web on any URL to request this json file
+ in ''
+ add_header Content-Type application/json;
+ add_header Access-Control-Allow-Origin *;
+ return 200 '${builtins.toJSON client}';
+ '';
+ };
+ };
+ };
+ };
+ };
+
+ security.acme.certs = {
+ "chat.mcwhirter.io" = {
+ group = "matrix-synapse";
+ allowKeysForGroup = true;
+ postRun = "systemctl reload nginx.service; systemctl restart matrix-synapse.service";
+ email = "acme@mcwhirter.io";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ riot-web # A glossy Matrix collaboration client for the web
+ ];
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 443 # HTTPS
+ ];
+ };
+
+}
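Review bot: The vhost serves riot-web from the homeserver's own origin (`root = pkgs.riot-web;`) while synapse additionally has `web_client = true;`, and riot-web's own README advises against hosting the client on the same domain name as the homeserver, because a rendering bug in user-generated content returned by the Matrix API would then execute with the client's origin. Consider moving the client to a separate hostname with its own `virtualHosts` entry and setting `web_client = false;`, so that `chat.mcwhirter.io` only answers `/_matrix` and the two well-known files. A smaller consistency point: `"/.well-known/matrix/server"` is a prefix location whereas the client entry uses an exact match; `"= /.well-known/matrix/server".extraConfig =` keeps the two alike and stops longer paths from matching it. The `serverAliases` list repeating the vhost's own name is redundant and can be dropped.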