diff --git a/hosts.ini b/hosts.ini
index 850d8a0..3ec182c 100644
--- a/hosts.ini
+++ b/hosts.ini
@@ -20,3 +20,6 @@ [ntfyserver] 192.168.0.3 static_ip=192.168.0.3 + +[matrix] +192.168.0.2 static_ip=192.168.0.2
diff --git a/nas.yml b/nas.yml
index 8fbc90a..4de40a8 100644
--- a/nas.yml
+++ b/nas.yml
@@ -76,3 +76,9 @@
 roles:
 - restic
 tags: restic
+
+- hosts: nas
+ become: yes
+ roles:
+ - matrix
+ tags: matrix
diff --git a/roles/matrix-web/meta/main.yml b/roles/matrix-web/meta/main.yml
new file mode 100644
index 0000000..1dbd0f6
--- /dev/null
+++ b/roles/matrix-web/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: caddy
diff --git a/roles/matrix-web/tasks/main.yml b/roles/matrix-web/tasks/main.yml
new file mode 100644
index 0000000..6ca04ab
--- /dev/null
+++ b/roles/matrix-web/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Ensure Caddyfile is present
+ template:
+ src: 'matrix.Caddyfile.j2'
+ dest: '/etc/caddy/matrix.Caddyfile'
+ owner: root
+ group: root
+ mode: '0644'
+ notify: caddy-reload
diff --git a/roles/matrix-web/templates/matrix.Caddyfile.j2 b/roles/matrix-web/templates/matrix.Caddyfile.j2
new file mode 100644
index 0000000..f3a189a
--- /dev/null
+++ b/roles/matrix-web/templates/matrix.Caddyfile.j2
@@ -0,0 +1,3 @@
+matrix.rustybever.be {
+ reverse_proxy {{ hostvars[groups['matrix'][0]].static_ip }}:8004
+}
diff --git a/roles/matrix/files/compose.yml b/roles/matrix/files/compose.yml
new file mode 100644
index 0000000..bd92daa
--- /dev/null
+++ b/roles/matrix/files/compose.yml
@@ -0,0 +1,12 @@
+services:
+ conduit:
+ image: 'matrixconduit/matrix-conduit:next'
+ restart: 'always'
+
+ environment:
+ CONDUIT_CONFIG: '/etc/matrix-conduit/conduit.toml'
+ ports:
+ - '8004:6167'
+ volumes:
+ - '/mnt/data1/matrix/conduit:/var/lib/matrix-conduit'
+ - '/etc/matrix/conduit.toml:/etc/matrix-conduit/conduit.toml'
diff --git a/roles/matrix/files/conduit.toml b/roles/matrix/files/conduit.toml
new file mode 100644
index 0000000..d2f386b
--- /dev/null
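Review bot: The site block serves only `matrix.rustybever.be` on 443, while conduit.toml in this same commit sets `server_name = "rustybever.be"` and `allow_federation = true`; unless a `.well-known/matrix/server` (or SRV) delegation for `rustybever.be` is published elsewhere, remote homeservers will try rustybever.be:8448 rather than this proxy, and clients will not find a `.well-known/matrix/client` either. Either add that well-known response to the `rustybever.be` site or document where the delegation lives, e.g. `# federation/client discovery: rustybever.be/.well-known/matrix/* must point at matrix.rustybever.be:443`. The upstream hop is plain HTTP to the matrix host's LAN address; that is a deliberate trust-the-LAN choice and the template should state it in a comment so it is not mistaken for an oversight.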
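Review bot: `ports: - '8004:6167'` publishes Conduit on every interface of the NAS, and Docker's published ports are inserted ahead of the host's own filter rules by default, so any machine on the network can talk to Conduit directly instead of through Caddy (the `address = "0.0.0.0"` in conduit.toml binds only inside the container and is required for the mapping, so it is not the issue). Since the only intended client is the web host, bind the published port to the host's LAN address, `- '192.168.0.2:8004:6167'` (the `static_ip` assigned to this host in hosts.ini), or to `127.0.0.1` if the proxy ever moves onto this host. The `matrixconduit/matrix-conduit:next` tag is a floating reference, so each `docker compose up` may pull different code; pinning a release tag or digest makes the deployment reproducible and lets upgrades go through review.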
+++ b/roles/matrix/files/conduit.toml 
@@ -0,0 +1,57 @@
+# =============================================================================
+# This is the official example config for Conduit.
+# If you use it for your server, you will need to adjust it to your own needs.
+# At the very least, change the server_name field!
+# =============================================================================
+
+
+[global]
+# The server_name is the pretty name of this server. It is used as a suffix for user
+# and room ids. Examples: matrix.org, conduit.rs
+
+# The Conduit server needs all /_matrix/ requests to be reachable at
+# https://your.server.name/ on port 443 (client-server) and 8448 (federation).
+
+# If that's not possible for you, you can create /.well-known files to redirect
+# requests. See
+# https://matrix.org/docs/spec/client_server/latest#get-well-known-matrix-client
+# and
+# https://matrix.org/docs/spec/server_server/r0.1.4#get-well-known-matrix-server
+# for more information
+
+# YOU NEED TO EDIT THIS
+server_name = "rustybever.be"
+
+# This is the only directory where Conduit will save its data
+database_path = "/var/lib/matrix-conduit/"
+database_backend = "rocksdb"
+
+# The port Conduit will be running on. You need to set up a reverse proxy in
+# your web server (e.g. apache or nginx), so all requests to /_matrix on port
+# 443 and 8448 will be forwarded to the Conduit instance running on this port
+# Docker users: Don't change this, you'll need to map an external port to this.
+port = 6167
+
+# Max size for uploads
+max_request_size = 20_000_000 # in bytes
+
+# Enables registration. If set to false, no users can register on this server.
+allow_registration = false
+
+allow_federation = true
+allow_check_for_updates = false
+
+# Enable the display name lightning bolt on registration.
+enable_lightning_bolt = false
+
+# Servers listed here will be used to gather public keys of other servers.
+# Generally, copying this exactly should be enough. (Currently, Conduit doesn't
+# support batched key requests, so this list should only contain Synapse
+# servers.)
+trusted_servers = ["matrix.org"]
+
+#max_concurrent_requests = 100 # How many requests Conduit sends to other servers at the same time
+#log = "warn,state_res=warn,rocket=off,_=off,sled=off"
+
+# address = "127.0.0.1" # This makes sure Conduit can only be reached using the reverse proxy
+address = "0.0.0.0" # If Conduit is running in a container, make sure the reverse proxy (ie. Traefik) can reach it.
diff --git a/roles/matrix/files/matrix.backup.sh b/roles/matrix/files/matrix.backup.sh
new file mode 100644
index 0000000..6907d7b
--- /dev/null
+++ b/roles/matrix/files/matrix.backup.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Conduit
+
+data_dir='/mnt/data1/matrix/conduit'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"
diff --git a/roles/matrix/handlers/main.yml b/roles/matrix/handlers/main.yml
new file mode 100644
index 0000000..9ad0b93
--- /dev/null
+++ b/roles/matrix/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: conduit-restart
+ ansible.builtin.shell:
+ chdir: '/etc/matrix'
+ cmd: 'docker compose restart conduit'
diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml
new file mode 100644
index 0000000..315692a
--- /dev/null
+++ b/roles/matrix/tasks/main.yml
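Review bot: The script's exit status is that of the final `btrfs subvolume delete`, so a failed restic run is reported as success to whatever schedules the backup; the comment on that line promises cleanup, not a swallowed failure. Capture restic's status and return it after the cleanup: `/usr/local/bin/restic backup "$snapshot_dir"; rc=$?`, then the existing `btrfs subvolume delete "$snapshot_dir"`, then `exit "$rc"`. If an earlier run left `$snapshot_dir` in place, `btrfs subvolume snapshot` will, as far as I recall, place the new snapshot inside the existing directory instead of failing, so restic would back up the stale tree and the delete would not remove the new one; a guard such as `[ -e "$snapshot_dir" ] && { echo "stale snapshot present" >&2; exit 1; }` before the snapshot line prevents that.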
@@ -0,0 +1,64 @@
+---
+- name: Ensure data directory is present
+ ansible.builtin.file:
+ path: '/mnt/data1/matrix'
+ state: directory
+ mode: '0755'
+ owner: 'root'
+ group: 'root'
+
+- name: Ensure data subvolumes are present
+ community.general.btrfs_subvolume:
+ name: '/matrix/{{ item }}'
+ with_items:
+ - 'conduit'
+
+- name: Ensure subvolume permissions are correct
+ ansible.builtin.file:
+ path: "/mnt/data1/matrix/{{ item.dir }}"
+ state: directory
+ mode: '0755'
+ owner: {{ item.owner }}
+ group: {{ item.group }}
+ loop:
+ - dir: 'conduit'
+ owner: 1000
+ group: 1000
+
+- name: Ensure configuration directory is present
+ ansible.builtin.file:
+ path: '/etc/matrix'
+ state: directory
+ mode: '0755'
+
+- name: Ensure Conduit config file is present
+ ansible.builtin.copy:
+ src: 'conduit.toml'
+ dest: '/etc/matrix/conduit.toml'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ notify: conduit-restart
+
+- name: Ensure compose file is present
+ ansible.builtin.copy:
+ src: 'compose.yml'
+ dest: '/etc/matrix/compose.yml'
+ mode: '0644'
+ owner: 'root'
+ group: 'root'
+ register: res
+
+- name: Ensure stack is deployed
+ ansible.builtin.shell:
+ chdir: '/etc/matrix'
+ cmd: 'docker compose up -d --remove-orphans'
+ when: 'res.changed'
+
+- name: Ensure backup script is present
+ ansible.builtin.copy:
+ src: 'matrix.backup.sh'
+ dest: '/etc/backups/matrix.backup.sh'
+ owner: 'root'
+ group: 'root'
+ mode: '0644'
diff --git a/web.yml b/web.yml
index 2672558..b80973d 100644
--- a/web.yml
+++ b/web.yml
@@ -22,3 +22,9 @@
 roles:
 - ntfy-server-web
 tags: ntfy
+
+- hosts: web
+ become: yes
+ roles:
+ - matrix-web
+ tags: matrix
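Review bot: `owner: {{ item.owner }}` and `group: {{ item.group }}` in the "Ensure subvolume permissions are correct" task are unquoted, so the YAML loader reads `{{ item.owner }}` as a flow mapping and Ansible rejects the play before any Jinja expansion; every other templated value in this role is quoted. Change them to `owner: "{{ item.owner }}"` and `group: "{{ item.group }}"`. The btrfs_subvolume task names the subvolume `/matrix/{{ item }}` without a `filesystem_device` (or label/uuid) option, so it depends on the module's default filesystem being the one mounted at /mnt/data1; a one-line comment stating that assumption, or the explicit option, would make the role safe to run on a host with more than one btrfs filesystem. The backup script is installed with `mode: '0644'` although it carries a shebang; if whatever runs the files under /etc/backups executes them directly rather than through `bash`, it needs `'0755'`.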