diff --git a/hosts/matrix/default.nix b/hosts/matrix/default.nix
index 3e91234..7b5fb53 100644
--- a/hosts/matrix/default.nix
+++ b/hosts/matrix/default.nix
@@ -6,11 +6,8 @@
 ../../services/openssh.nix
 ../../services/nginx.nix
 ./nginx.nix
- ../../services/postgres.nix
- ../../services/synapse.nix
- ../../services/draupnir.nix
- ../../services/prometheus.nix
- ../../services/grafana.nix
+ ./synapse.nix
+ ./draupnir.nix
 ];
 networking = {
@@ -19,11 +16,15 @@
 allowedTCPPorts = [
 80 # HTTP/1
 443 # HTTP/2
- 8448 # Matrix federation
+ #8448 # Matrix federation
 ];
 allowedUDPPorts = [
 443 # HTTP/3
 ];
+ extraInputRules = ''
+ ip saddr 195.160.173.14/32 tcp dport 9009 accept comment "Allow monitoring to scrape"
+ ip6 saddr 2001:678:760:cccb::14/128 tcp dport 9009 accept comment "Allow monitoring to scrape"
+ '';
 };
 };
diff --git a/services/draupnir.nix b/hosts/matrix/draupnir.nix
similarity index 85%
rename from services/draupnir.nix
rename to hosts/matrix/draupnir.nix
index f184c97..cde19c7 100644
--- a/services/draupnir.nix
+++ b/hosts/matrix/draupnir.nix
@@ -4,7 +4,7 @@
 services.draupnir = {
 enable = true;
 settings = {
- homeserverUrl = "https://matrix.berlin.ccc.de";
+ homeserverUrl = "https://matrix.${config.networking.domain}";
 managementRoom = "!ZYWNuaQBkkenNklCSm:matrix.org"; # #cccb-moderators:berlin.ccc.de
 autojoinOnlyIfManager = true;
 recordIgnoredInvites = true;
@@ -14,3 +14,4 @@
 secrets.accessToken = config.age.secrets.draupnir_access_token.path;
 };
 }
+
diff --git a/hosts/matrix/nginx.nix b/hosts/matrix/nginx.nix
index 183b249..ff0efe7 100644
--- a/hosts/matrix/nginx.nix
+++ b/hosts/matrix/nginx.nix
@@ -8,7 +8,6 @@
 forceSSL = true;
 enableACME = true;
 locations = {
- #"/.well-known/acme-challenge".root = config.security.acme.defaults.webroot;
 "/".return = "418 \"🫖\"";
 "~ ^(/_matrix|/_synapse/client)" = {
 recommendedProxySettings = true;
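Review bot: The new `extraInputRules` block in the second hunk of hosts/matrix/default.nix is an nftables-only option; as far as I recall, NixOS asserts at evaluation time that `networking.firewall.extraInputRules` can only be used with the nftables-based firewall, so unless `networking.nftables.enable = true` is set for this host elsewhere (not visible here), the configuration fails to build and the 9009 allowlist is never installed. Since synapse.nix in this same commit rebinds the plaintext metrics listener on 9009 to all addresses, that allowlist is the only thing keeping it off the public internet, so the dependency is worth stating next to the rules, e.g. `# requires networking.nftables.enable; sole gate for the unauthenticated metrics listener on 9009`. The commented-out `#8448 # Matrix federation` line also carries no reason; a short `# 8448 closed on purpose: <reason>` would stop the next reader from re-opening it. The enclosing `networking` attribute set starts before this hunk.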
diff --git a/services/synapse.nix b/hosts/matrix/synapse.nix
similarity index 78%
rename from services/synapse.nix
rename to hosts/matrix/synapse.nix
index e0fa15e..5b02be3 100644
--- a/services/synapse.nix
+++ b/hosts/matrix/synapse.nix
@@ -1,21 +1,20 @@
 { config, ... }:
-let
- domain = "berlin.ccc.de";
-in
 {
 services = {
 matrix-synapse = {
 enable = true;
 settings = {
- server_name = domain;
- public_baseurl = "https://matrix.${domain}:443/";
+ server_name = config.networking.domain;
+ public_baseurl = "https://matrix.${config.networking.domain}:443/";
 # "/var/lib/matrix-synapse/homeserver.signing.key"
 signing_key_path = config.age.secrets.matrix_signing_key.path;
 registration_shared_secret_path = config.age.secrets.matrix_registration_shared_secret.path;
 database = {
 name = "psycopg2";
 args = {
+ host = "sql.berlin.ccc.de";
+ port = 5432;
 user = "matrix-synapse";
 database = "matrix-synapse";
 };
@@ -42,7 +41,7 @@ in
 type = "metrics";
 tls = false;
 port = 9009;
- bind_addresses = [ "::1" ];
+ bind_addresses = [ "::" "0.0.0.0" ];
 resources = [
 {
 compress = false;
@@ -66,19 +65,10 @@ in
 allowed_lifetime_max = "1y";
 };
 };
+ extraConfigFiles = [
+ config.age.secrets.matrix_db_password.path;
+ ];
 enableRegistrationScript = true;
 };
-
- postgresql = {
- ensureUsers = [
- {
- name = config.services.matrix-synapse.settings.database.args.user;
- ensureDBOwnership = true;
- }
- ];
- ensureDatabases = [
- config.services.matrix-synapse.settings.database.args.database
- ];
- };
 };
 }
diff --git a/secrets/matrix_db_password.age b/secrets/matrix_db_password.age
new file mode 100644
index 0000000..23f424a
--- /dev/null
+++ b/secrets/matrix_db_password.age
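Review bot: The database connection now leaves the host (`host = "sql.berlin.ccc.de"` in the first hunk) but the added `args` set no `sslmode`, so libpq's default of `prefer` applies: it silently falls back to a plaintext connection if the server does not offer TLS and it never validates the server certificate, which puts the DB password carried via the new secret file on the wire unauthenticated. Add `sslmode = "verify-full";` next to `host`/`port` (plus `sslrootcert = "<path-to-CA-bundle>";` if the server certificate is not issued by a CA in the system store), or at minimum `sslmode = "require";` if certificate validation is handled elsewhere. The `settings` block continues past the end of this hunk.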
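Review bot: Changing `bind_addresses` from `[ "::1" ]` to `[ "::" "0.0.0.0" ]` in the `@@ -42,7 +41,7 @@` hunk exposes a `tls = false` metrics listener on every interface, so from synapse's side it is reachable by anyone who can talk to port 9009; the only control is the source-address allowlist added to hosts/matrix/default.nix in this commit, which lives in a different file and is easy to lose in a later refactor. If the host has a fixed address the scraper reaches, binding to that address alone would narrow the exposure; otherwise a comment on this line naming the guard, `bind_addresses = [ "::" "0.0.0.0" ]; # reachable only via the 9009 allowlist in ../default.nix`, keeps the coupling visible. The listener definition starts before this hunk.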
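Review bot: The added `extraConfigFiles` list in the `@@ -66,19 +65,10 @@` hunk is not valid Nix: list elements are whitespace-separated and the trailing `;` after `config.age.secrets.matrix_db_password.path;` is a parse error, so this file will not evaluate. Change the element to `config.age.secrets.matrix_db_password.path` with no semicolon. Presumably the decrypted file is YAML nesting `database.args.password` and is readable by the matrix-synapse user via its `age.secrets` owner/group settings, neither of which is visible here and both of which are worth confirming before deploy.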
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w 3XkQvPdRZ3vv+xKVCWUvrBXW7j+ys7qnQ0YYq+q21lU +i2z2q5Xvwp3ct0j37JWddeYpOxN9RP846cmor9GLus8 +-> ssh-ed25519 EvLbWw hCQX1qI+cEhkFBJp7X/LYkJc8NviNCCaOHWV10dBQng +Gby2sbypfBeBy4M8EemknYRDuxzom+/IE/GMQTcIzP8 +-> ssh-ed25519 dM+fLQ r9QqteSqxdYC6v0awi6c0oDC+2LBhY8gN5t/6L1M5F0 +iBzdPMfgFfY8oIBaE53GzOK7UpHnZLkolAoOSSE2+VU +-> ssh-ed25519 jxWM2Q zktiZmBytdfpQkEKkUAGNvJNWYCe8c4IbsZ1lcdEHTs +h58rbCUi3Mog/eY5goWQLBHtRVdr8uR9JzySCT93a5I +-> ssh-ed25519 /yCUCg mz90furAJYrwV5BzbPk3h/NuEt1epLx3jt/QVzPWtFg +dDp5sYa+d0CHvtToGl0p49zF7OZ+1WaNZ5o/hDyzL/M +-> ssh-ed25519 FGp51g m/DB09M3rkfrjy+fw0LCiT7ltb5t5owVUNaxXQaSLms +zxIlnt5enT31tpnVkRt46ilwbyAcmjQkVoEt2ckIyMQ +-> ssh-ed25519 yoCmaA TnkX8JzHM/RKx7kF9rs/RbxjuDmwbMxfU6O+RkSSXjg +ba+elF9+Q2iBqbc+c0cpm4RDjfyykFiXm/qdDC0DOXg +--- SyxBhMLhDLQhmbm47HlFxLtImHMQWfXP2E/90ceHnr0 +qPݐP$s +TwG0 x\\2 J,16X*f&`b? ]wп7z2@@r9xY^(Vxv*Y\Gj&CL# \ No newline at end of file