diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json
index 5b213fd..b73bf07 100644
--- a/config/portunus_seeds.json
+++ b/config/portunus_seeds.json
@@ -26,6 +26,15 @@
 				"portunus": { "is_admin": false },
 				"ldap": { "can_read": false }
 			}
+		},
+		{
+			"name": "search",
+			"long_name": "LDAP search group",
+			"members": ["search"],
+			"permissions": {
+				"portunus": { "is_admin": false },
+				"ldap": { "can_read": true }
+			}
 		}
 	],
 	"users": [
@@ -34,6 +43,12 @@
 			"given_name": "admin",
 			"family_name": "admin",
 			"password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] }
+		},
+		{
+			"login_name": "search",
+			"given_name": "search",
+			"family_name": "search",
+			"password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_search"] }
 		}
 	]
 }
diff --git a/flake.lock b/flake.lock
index 714027c..84b48fd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -71,11 +71,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1670146390,
-        "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
+        "lastModified": 1673740915,
+        "narHash": "sha256-MMH8zONfqahgHly3K8/A++X34800rajA/XgZ2DzNL/M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "86370507cb20c905800527539fc049a2bf09c667",
+        "rev": "7c65528c3f8462b902e09d1ccca23bb9034665c2",
         "type": "github"
       },
       "original": {
@@ -87,11 +87,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1671215800,
-        "narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=",
+        "lastModified": 1673800717,
+        "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "9d692a724e74d2a49f7c985132972f991d144254",
+        "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
         "type": "github"
       },
       "original": {
@@ -116,11 +116,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1670149631,
-        "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
+        "lastModified": 1673752321,
+        "narHash": "sha256-EFfXY1ZHJq4FNaNQA9x0djtu/jiOhBbT0Xi+BT06cJw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "da98a111623101c64474a14983d83dad8f09f93d",
+        "rev": "e18eefd2b133a58309475298052c341c08470717",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index fee070a..335440c 100755
--- a/flake.nix
+++ b/flake.nix
@@ -66,6 +66,7 @@
             ./modules/wiki.nix
             ./modules/stream.nix
             ./modules/nextcloud.nix
+            ./modules/matrix.nix
             {
               fsr.enable_office_bloat = false;
               fsr.domain = "staging.ifsr.de";
diff --git a/modules/ldap.nix b/modules/ldap.nix
index 20a8cc8..a1965a6 100644
--- a/modules/ldap.nix
+++ b/modules/ldap.nix
@@ -29,9 +29,15 @@ in
     members = [ "${ldapUser}" ];
   };
 
-  sops.secrets."portunus_admin" = {
-    owner = "${portunusUser}";
-    group = "${portunusGroup}";
+  sops.secrets = {
+    "portunus_admin" = {
+      owner = "${portunusUser}";
+      group = "${portunusGroup}";
+    };
+    "portunus_search" = {
+      owner = "${portunusUser}";
+      group = "${portunusGroup}";
+    };
   };
 
   services.portunus = {
@@ -40,10 +46,16 @@ in
     group = "${portunusGroup}";
     domain = "${domain}";
     port = 8081;
+
     ldap = {
       user = "${ldapUser}";
       group = "${ldapGroup}";
+
       suffix = "dc=ifsr,dc=de";
+      searchUserName = "search";
+
+      # disables port 389, use 636 with tls
+      # `portunus.domain` resolves to localhost
       tls = true;
     };
 
@@ -60,9 +72,4 @@ in
       };
     };
   };
-
-  networking.firewall.allowedTCPPorts = [
-    80 # http
-    443 # https
-  ];
 }
diff --git a/modules/matrix.nix b/modules/matrix.nix
new file mode 100644
index 0000000..82cfa0f
--- /dev/null
+++ b/modules/matrix.nix
@@ -0,0 +1,141 @@
+{ config, pkgs, lib, ... }:
+let
+  domainServer = "matrix.${config.fsr.domain}";
+  domainClient = "chat.${config.fsr.domain}";
+
+  clientConfig = {
+    "m.homeserver" = {
+      base_url = "https://${domainServer}:443";
+      server_name = domainServer;
+    };
+  };
+  serverConfig = {
+    "m.server" = "${domainServer}:443";
+  };
+
+  mkWellKnown = data: ''
+    add_header Content-Type application/json;
+    add_header Access-Control-Allow-Origin *;
+    return 200 '${builtins.toJSON data}';
+  '';
+
+  # build ldap3 plugin from git because it's very outdated in nixpkgs
+  matrix-synapse-ldap3 = pkgs.python3.pkgs.callPackage ../pkgs/matrix-synapse-ldap3.nix { };
+  # matrix-synapse-ldap3 = config.services.matrix-synapse.package.plugins.matrix-synapse-ldap3;
+in
+{
+  sops.secrets.matrix_ldap_search = {
+    key = "portunus_search";
+    owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+  };
+
+  services = {
+    postgresql = {
+      enable = true;
+      ensureUsers = [{
+        name = "matrix-synapse";
+      }];
+    };
+
+    nginx = {
+      recommendedProxySettings = true;
+      virtualHosts = {
+        # synapse
+        "${domainServer}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          # homeserver discovery
+          locations."= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
+          locations."= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
+
+          # 404 on /
+          locations."/".extraConfig = "return 404;";
+
+          # proxy to synapse
+          locations."/_matrix".proxyPass = "http://[::1]:8008";
+          locations."/_synapse/client".proxyPass = "http://[::1]:8008";
+        };
+
+        # element
+        "${domainClient}" = {
+          enableACME = true;
+          forceSSL = true;
+
+          root = pkgs.element-web.override {
+            conf = {
+              default_server_config = clientConfig;
+              disable_3pid_login = true;
+            };
+          };
+        };
+      };
+    };
+
+    matrix-synapse = {
+      enable = true;
+
+      plugins = [ matrix-synapse-ldap3 ];
+
+      settings = {
+        server_name = domainServer;
+
+        listeners = [{
+          port = 8008;
+          bind_addresses = [ "::1" ];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [{
+            names = [ "client" "federation" ];
+            compress = false;
+          }];
+        }];
+      };
+
+      extraConfigFiles = [
+        (pkgs.writeTextFile {
+          name = "matrix-synapse-extra-config.yml";
+          text = let portunus = config.services.portunus; in ''
+            modules:
+              - module: ldap_auth_provider.LdapAuthProviderModule
+                config:
+                  enabled: true
+                  # have to use fqdn here for tls (still connects to localhost)
+                  uri: ldaps://${portunus.domain}:636
+                  base: ou=users,${portunus.ldap.suffix}
+                  # taken from kaki config
+                  attributes:
+                    uid: uid
+                    mail: uid
+                    name: cn
+                  bind_dn: uid=search,ou=users,${portunus.ldap.suffix}
+                  bind_password_file: ${config.sops.secrets.matrix_ldap_search.path}
+          '';
+        })
+      ];
+    };
+  };
+
+  systemd.services.matrix-synapse.after = [ "matrix-synapse-pgsetup.service" ];
+
+  systemd.services.matrix-synapse-pgsetup = {
+    description = "Prepare Synapse postgres database";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "networking.target" "postgresql.service" ];
+    serviceConfig.Type = "oneshot";
+
+    path = [ pkgs.sudo config.services.postgresql.package ];
+
+    # create database for synapse. will silently fail if it already exists
+    script = ''
+      sudo -u ${config.services.postgresql.superUser} psql <<SQL
+        CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+          ENCODING 'UTF8'
+          TEMPLATE template0
+          LC_COLLATE = "C"
+          LC_CTYPE = "C";
+      SQL
+    '';
+  };
+}
diff --git a/pkgs/matrix-synapse-ldap3.nix b/pkgs/matrix-synapse-ldap3.nix
new file mode 100644
index 0000000..0635ab0
--- /dev/null
+++ b/pkgs/matrix-synapse-ldap3.nix
@@ -0,0 +1,21 @@
+{ isPy3k, buildPythonPackage, pkgs, service-identity, ldap3, twisted, ldaptor, mock }:
+
+buildPythonPackage rec {
+  pname = "matrix-synapse-ldap3";
+  version = "0.2.2";
+
+  format = "pyproject";
+
+  src = pkgs.fetchFromGitHub {
+    owner = "matrix-org";
+    repo = "matrix-synapse-ldap3";
+    rev = "2584736204165f16c176567183f9c350ee253f74";
+    sha256 = "gMsC5FpC2zt5hypPdGgPbWT/Rwz38EoQz3tj5dQ9BQ8=";
+  };
+
+  propagatedBuildInputs = [ service-identity ldap3 twisted ];
+
+  # ldaptor is not ready for py3 yet
+  doCheck = !isPy3k;
+  checkInputs = [ ldaptor mock ];
+}
diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml
index 716bca9..c01f749 100644
--- a/secrets/quitte.yaml
+++ b/secrets/quitte.yaml
@@ -5,6 +5,7 @@ nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6
 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
 wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
 portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str]
+portunus_search: ENC[AES256_GCM,data:WEpw/Ii8UI9TpTSQSU/QVhnhU0huAhhVwRlnWaqD4yg=,iv:kLgoXHIqRDOEzPCgKBqkouJu+Wu8RLxL54P/jykqCC8=,tag:iOxrKhTuHGoTxD86Ae9hnA==,type:str]
 mediawiki:
     postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
     initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
@@ -24,8 +25,8 @@ sops:
             Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj
             KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-17T17:42:18Z"
-    mac: ENC[AES256_GCM,data:qLBASH8XmcHjTFrxdEqyk7KwXHEGx9hT6Jvqw1JMtZDhP95OjKNRySh5fptG1+Jz1ZIaG5zwDWdzV2/GXGru06dDR8bZYoXCboa0YR1NSESZ9f95n9v1HYQf/oSww8KHTP3METZ/1oS7i1nQdL5FxLFTK+nx77uQ1VxX7Ztl85Y=,iv:jEWOsxeTamGGNVw8OXFQT9o5MIyE7EMPAYEdfQesLZw=,tag:vUZK+H93qUursPwfoTpEJg==,type:str]
+    lastmodified: "2023-01-17T22:50:14Z"
+    mac: ENC[AES256_GCM,data:+I8oEl35XylSZVi4m6vY/Z9wsMqt2BER04gu7aXt9+cjg4X2NBEFE9qjZKB9vVLaC1D1El7UUs4oZcAu1bpJ9IGL5eBy1nT9Ei8cxRRlbh3cDnC6QIOE66fcq/gDJHnT7u3figsO/MKZenIpfKbEA+88iJkGm8/61qjESPGUjpk=,iv:ZDkAjdpFU3IMVJkzKAXNtD5nAn9USbRb0pUXDfKEWto=,tag:b7ybgB85dEBKWADLyWi36g==,type:str]
     pgp:
         - created_at: "2022-11-18T16:37:48Z"
           enc: |
diff --git a/secrets/test.yaml b/secrets/test.yaml
index a5e8835..bc0d72f 100644
--- a/secrets/test.yaml
+++ b/secrets/test.yaml
@@ -5,6 +5,7 @@ nextcloud_adminpass: ENC[AES256_GCM,data:G3FcJIAl0HmpCu4JAXQOZPmWCg==,iv:Bgk7j3E
 hedgedoc_session_secret: ENC[AES256_GCM,data:wi2hWcIAU2u2t0hJkSUBI5pp2T29V/M=,iv:Iph099lne6cH6V1gnobcGZl/mfJZiw1bFJMdSTiVsxE=,tag:xGI+S3Uygzmdnmd0l1kCaQ==,type:str]
 wg-seckey: ENC[AES256_GCM,data:wuDmkZgUzzK5,iv:sa2I3qVkXWddcZlItfmKj3K5vT10WE/knoVOaA/HrIQ=,tag:SzGnDifhyol63eQKeJevcA==,type:str]
 portunus_admin: ENC[AES256_GCM,data:2X7cz7nRN2lvubR0e+8=,iv:NRXWAbK6DouyGzW6yiJ8tNYKcXNWbt7uy3eTMmybrRk=,tag:7itZnw28EQCmGBBF9Ctb3A==,type:str]
+portunus_search: ENC[AES256_GCM,data:nqCvit2p8YE8XJ3Z+PEP,iv:k2dC6TTI70M8raOTNnp1TsPiDmF3ssPPhIe6cjMevBA=,tag:CG1uvLQSxSQzVsGYxG7YUw==,type:str]
 mediawiki:
     postgres: ENC[AES256_GCM,data:bna6ksGVOHWor7OqVL/jgeDIxA==,iv:bgkQh+NgPE/hr4N4YOCzSCfs7vaOx4pSWlc8WxI8qMc=,tag:WIjyu1i0M7flGFFovH5jWQ==,type:str]
     initial_admin: ENC[AES256_GCM,data:YRd3O5774NTmshxbQPbFjg==,iv:/Ra3WbZKcnUMf99ujN9qd/+DkOkFKv4cIEfUdmxpqMw=,tag:gj7ZbwIB1HLuPpGTgiz7Vg==,type:str]
@@ -24,8 +25,8 @@ sops:
             MERVUkh2ck9YWnJ5TXJDVmxpem1kTXMKCeOyjV/se1nRXsi15m/3i48hP7As6SEk
             ygtLt+UueHStX/b/OzrXk8IC5dj/mARGIJI5S61IKln6SZFbJGT6cQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-17T20:37:05Z"
-    mac: ENC[AES256_GCM,data:zRn9Y43k9jEYmI9gU5vKPAEcG0N+O7ILFisyttXDHbdaiYJfAWu8556Hkofq1hS6WByB/ZE+BZO9vJ9JFzGxodCDeOTF0XLmFeb5frL7Vb9u2MXvT+z640kwA9VJUoLligoqmVt4O+ba3Tr+wU1qy85vLxyDFeEIj6ATo68E8b0=,iv:LaB6cJx5oXGVNNWvfwIievTm8KmVCAJ1j6RVOwFsyBU=,tag:3H7PnmpU65ub6ysVLsB3bQ==,type:str]
+    lastmodified: "2023-01-17T22:26:52Z"
+    mac: ENC[AES256_GCM,data:0Ngy2Ixk+HUsGbAMvNLCKGn7iCIZeOGjYsyzjwwRt/ATnOVVvcdSi9P1Ib4vcRl4OJJKO9fMVIJFkXutZYPiT2JnnPRWIokr39a7wMMMgljDrxS8Nzry2CJkELRpuu9vd/tkSc6dcmhnK1wraI1YRf23HIuukmLxei9BkS+dB+M=,iv:92za85tuTI6NtCqx+K6/MXME6+2vHpGhBVZrlwqMp0I=,tag:h8aWvsJ0t3SyY0tNtEIxLw==,type:str]
     pgp:
         - created_at: "2022-11-18T16:37:58Z"
           enc: |