diff --git a/flake.lock b/flake.lock
index cfadb71..6ad590c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -180,11 +180,11 @@
 ]
 },
 "locked": {
- "lastModified": 1708806879,
- "narHash": "sha256-MSbxtF3RThI8ANs/G4o1zIqF5/XlShHvwjl9Ws0QAbI=",
+ "lastModified": 1709204054,
+ "narHash": "sha256-U1idK0JHs1XOfSI1APYuXi4AEADf+B+ZU4Wifc0pBHk=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "4ee704cb13a5a7645436f400b9acc89a67b9c08a",
+ "rev": "2f3367769a93b226c467551315e9e270c3f78b15",
 "type": "github"
 },
 "original": {
@@ -296,11 +296,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1708807242,
- "narHash": "sha256-sRTRkhMD4delO/hPxxi+XwLqPn8BuUq6nnj4JqLwOu0=",
+ "lastModified": 1709150264,
+ "narHash": "sha256-HofykKuisObPUfj0E9CJVfaMhawXkYx3G8UIFR/XQ38=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "73de017ef2d18a04ac4bfd0c02650007ccb31c2a",
+ "rev": "9099616b93301d5cf84274b184a3a5ec69e94e08",
 "type": "github"
 },
 "original": {
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 025f6e0..670f0ea 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -11,6 +11,7 @@
 ./modules/hydra
 # ./modules/prometheus
 ./modules/matrix
+ ./modules/mautrix-telegram
 ./modules/seafile
 ./modules/uptime-kuma
 ./modules/vaultwarden
diff --git a/hosts/nuc/modules/mautrix-telegram/default.nix b/hosts/nuc/modules/mautrix-telegram/default.nix
new file mode 100644
index 0000000..b54feae
--- /dev/null
+++ b/hosts/nuc/modules/mautrix-telegram/default.nix
@@ -0,0 +1,74 @@
+{ config, lib, pkgs, ... }:
+let
+ homeserverDomain = config.services.matrix-synapse.settings.server_name;
+ registrationFileSynapse = "/var/lib/matrix-synapse/telegram-registration.yaml";
+ registrationFileMautrix = "/var/lib/mautrix-telegram/telegram-registration.yaml";
+ settingsFile = builtins.head (builtins.match ".*--config='(.*)' \\\\.*" config.systemd.services.mautrix-telegram.preStart);
+in
+{
+ services.postgresql = {
+ enable = true;
+ ensureUsers = [{
+ name = "mautrix-telegram";
+ ensureDBOwnership = true;
+ }];
+ ensureDatabases = [ "mautrix-telegram" ];
+ };
+
+ age.secrets.mautrix-telegram = {
+ file = ../../../../secrets/nuc/mautrix-telegram/env.age;
+ owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+ };
+
+
+ services.matrix-synapse.settings.app_service_config_files = [
+ # The registration file is automatically generated after starting the
+ # appservice for the first time.
+ registrationFileSynapse
+ ];
+
+ systemd.tmpfiles.rules = [
+ # copy registration file over to synapse
+ "C ${registrationFileSynapse} - - - - ${registrationFileMautrix}"
+ "Z /var/lib/matrix-synapse/ - matrix-synapse matrix-synapse - -"
+ ];
+
+ services.mautrix-telegram = {
+ enable = true;
+
+ environmentFile = config.age.secrets.mautrix-telegram.path;
+
+ settings = {
+ homeserver = {
+ address = "http://[::1]:8008";
+ domain = homeserverDomain;
+ };
+
+ appservice = rec {
+ # Use postgresql instead of sqlite
+ database = "postgresql:///mautrix-telegram?host=/run/postgresql";
+ port = 8082;
+ address = "http://localhost:${toString port}";
+ };
+
+ bridge = {
+ relaybot.authless_portals = false;
+ permissions = {
+ "@rouven:${homeserverDomain}" = "admin";
+ };
+ relay_user_distinguishers = [ ];
+ };
+ };
+ };
+
+ # If we don't explicitly set {a,h}s_token, mautrix-telegram will try to read them from the registrationFile
+ # and write them to the settingsFile in /nix/store, which obviously fails.
+ systemd.services.mautrix-telegram.serviceConfig.ExecStart =
+ lib.mkForce (pkgs.writeShellScript "start" ''
+ export MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN=$(grep as_token ${registrationFileMautrix} | cut -d' ' -f2-)
+ export MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN=$(grep hs_token ${registrationFileMautrix} | cut -d' ' -f2-)
+
+ ${pkgs.mautrix-telegram}/bin/mautrix-telegram --config='${settingsFile}'
+ '');
+}
+
diff --git a/hosts/nuc/modules/seafile/default.nix b/hosts/nuc/modules/seafile/default.nix
index 5676a07..d2608c8 100644
--- a/hosts/nuc/modules/seafile/default.nix
+++ b/hosts/nuc/modules/seafile/default.nix
@@ -9,6 +9,7 @@ in
 initialAdminPassword = "unused garbage";
 ccnetSettings.General.SERVICE_URL = "https://${domain}";
 ccnetSettings.General.FILE_SERVER_ROOT = "https://${domain}/seafhttp";
+ seafileSettings.fileserver.port = 8083;
 };
 services.nginx.virtualHosts."${domain}" = {
 enableACME = true;
diff --git a/secrets.nix b/secrets.nix
index f5a7f64..afcde6c 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -18,6 +18,7 @@ in
 # nuc
 "secrets/nuc/matrix/shared.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/matrix/sync.age".publicKeys = [ rouven nuc ];
+ "secrets/nuc/mautrix-telegram/env.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
 "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
diff --git a/secrets/nuc/mautrix-telegram/env.age b/secrets/nuc/mautrix-telegram/env.age
new file mode 100644
index 0000000..212d341
Binary files /dev/null and b/secrets/nuc/mautrix-telegram/env.age differ
diff --git a/users/rouven/modules/packages.nix b/users/rouven/modules/packages.nix
index eb3fbba..429861a 100644
--- a/users/rouven/modules/packages.nix
+++ b/users/rouven/modules/packages.nix
@@ -64,7 +64,7 @@
 # fancy tools
 just
- (himalaya.override { buildFeatures = [ "pgp-commands" ]; })
+ himalaya
 # strace but with colors
 (strace.overrideAttrs (_: {
 patches = [
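Review bot: The `ExecStart` override pulls both appservice tokens out of `${registrationFileMautrix}` with `grep … | cut` but runs without `set -euo pipefail` and never checks the result, so if the registration file is missing or the keys are not found the bridge is started with empty `MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN`/`HS_TOKEN` instead of failing loudly; the script should abort when either value is empty (rewrite below). Separately, `age.secrets.mautrix-telegram.owner` is set to the matrix-synapse service user, which gives synapse read access to the bridge's Telegram credentials although the file is only consumed via `environmentFile`; if that maps to a systemd `EnvironmentFile=` (which systemd reads before dropping privileges, as I believe the NixOS module does), the default root ownership is sufficient — confirm against the module. Also, the tmpfiles `C` rule copies only when the destination does not exist, so a regenerated registration with fresh tokens on the mautrix side would not reach synapse's copy; a comment such as `# C copies once only: delete the synapse copy if the registration is regenerated` next to that rule would save a debugging session.
```nix
  systemd.services.mautrix-telegram.serviceConfig.ExecStart =
    lib.mkForce (pkgs.writeShellScript "start" ''
      set -euo pipefail
      as_token=$(grep as_token ${registrationFileMautrix} | cut -d' ' -f2-)
      hs_token=$(grep hs_token ${registrationFileMautrix} | cut -d' ' -f2-)
      if [ -z "$as_token" ] || [ -z "$hs_token" ]; then
        echo "as_token/hs_token not found in ${registrationFileMautrix}, refusing to start" >&2
        exit 1
      fi
      export MAUTRIX_TELEGRAM_APPSERVICE_AS_TOKEN="$as_token"
      export MAUTRIX_TELEGRAM_APPSERVICE_HS_TOKEN="$hs_token"

      # … unchanged: mautrix-telegram invocation with --config …
    '');
```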
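Review bot: `seafileSettings.fileserver.port = 8083;` moves the fileserver, but `FILE_SERVER_ROOT` on the line above still sends clients to `https://${domain}/seafhttp`, so the nginx `/seafhttp` location in this file (outside the hunk) has to proxy to the new port; if that `proxyPass` is hard-coded to the previous port rather than derived from the option, it needs the same change. The enclosing `services.seafile` attribute set starts before the hunk.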