diff --git a/k8s/apps/matrix/app.yaml b/k8s/apps/matrix/app.yaml
new file mode 100644
index 0000000..0cfc6b3
--- /dev/null
+++ b/k8s/apps/matrix/app.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: matrix
+ namespace: argocd
+spec:
+ project: apps
+ destination:
+ namespace: matrix
+ server: https://kubernetes.default.svc
+ source:
+ repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
+ targetRevision: HEAD
+ path: k8s/apps/matrix
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/k8s/apps/matrix/external-secrets.yaml b/k8s/apps/matrix/external-secrets.yaml
new file mode 100644
index 0000000..8e29d72
--- /dev/null
+++ b/k8s/apps/matrix/external-secrets.yaml
@@ -0,0 +1,82 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: matrix-postgres-creds
+spec:
+ target:
+ name: matrix-postgres-creds
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ synapse_db_password: |-
+ {{ .synapse_db_password }}
+ mas_db_password: |-
+ {{ .mas_db_password }}
+ data:
+ - secretKey: synapse_db_password
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: CHANGE_ME
+ property: CHANGE_ME
+ - secretKey: mas_db_password
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: CHANGE_ME
+ property: CHANGE_ME
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: matrix-oidc-config
+spec:
+ target:
+ name: matrix-oidc-config
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ mas-oidc.yaml: |
+ upstream_oauth2:
+ providers:
+ - id: authentik
+ human_name: Authentik
+ issuer: https://idm.hexor.cy/application/o/matrix/
+ client_id: {{ .oauth_client_id }}
+ client_secret: {{ .oauth_client_secret }}
+ scope: "openid profile email"
+ claims_imports:
+ localpart:
+ action: require
+ template: "{{ `{{ user.preferred_username }}` }}"
+ displayname:
+ action: suggest
+ template: "{{ `{{ user.name }}` }}"
+ email:
+ action: suggest
+ template: "{{ `{{ user.email }}` }}"
+ set_email_verification: always
+ data:
+ - secretKey: oauth_client_id
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: CHANGE_ME
+ property: CHANGE_ME
+ - secretKey: oauth_client_secret
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: CHANGE_ME
+ property: CHANGE_ME
diff --git a/k8s/apps/matrix/kustomization.yaml b/k8s/apps/matrix/kustomization.yaml
new file mode 100644
index 0000000..f61ba3f
--- /dev/null
+++ b/k8s/apps/matrix/kustomization.yaml
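Review bot: In the `mas-oidc.yaml` template the substitutions `client_id: {{ .oauth_client_id }}` and `client_secret: {{ .oauth_client_secret }}` are inserted unquoted, so a secret value that begins with a YAML indicator, contains `: ` or ` #`, or looks like a number produces a config file MAS cannot parse or retypes the value; `client_id: {{ .oauth_client_id | quote }}` and `client_secret: {{ .oauth_client_secret | quote }}` keep both as strings whatever the stored value is. All four `remoteRef` entries are still `key: CHANGE_ME` / `property: CHANGE_ME`, so with the automated sync in app.yaml both ExternalSecrets are applied but cannot resolve, leaving the `matrix-postgres-creds` and `matrix-oidc-config` Secrets absent and the synapse and MAS pods blocked on them; the intended item names should be filled in before merge, or the placeholders marked as deliberate in a comment. The backtick-wrapped `user.*` claim templates are correctly escaped so ESO passes them through to MAS verbatim, which is non-obvious enough to deserve a one-line comment above `claims_imports:` such as `# backtick-quoted so ESO emits the MAS {{ user.* }} templates unexpanded`.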
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - app.yaml
+ - external-secrets.yaml
+
+helmCharts:
+ - name: matrix-stack
+ repo: oci://ghcr.io/element-hq/ess-helm
+ version: 26.2.3
+ releaseName: matrix-stack
+ namespace: matrix
+ valuesFile: matrix-stack-values.yaml
+ includeCRDs: true
diff --git a/k8s/apps/matrix/matrix-stack-values.yaml b/k8s/apps/matrix/matrix-stack-values.yaml
new file mode 100644
index 0000000..5cc2695
--- /dev/null
+++ b/k8s/apps/matrix/matrix-stack-values.yaml
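Review bot: `helmCharts` is only rendered when the kustomize build runs with `--enable-helm`; unless the Argo CD instance already sets `kustomize.buildOptions: --enable-helm` in `argocd-cm`, the Application in app.yaml fails at the build step and nothing from the chart is deployed. That depends on cluster configuration not visible in this commit, so it is worth confirming and recording with a comment above `helmCharts:`, e.g. `# requires kustomize --enable-helm (argocd-cm kustomize.buildOptions)`. Pinning `version: 26.2.3` rather than a floating tag is the right call for an auto-synced, self-healing Application.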
@@ -0,0 +1,85 @@
+## Matrix server name - appears in @user:matrix.hexor.cy
+serverName: matrix.hexor.cy
+
+## Use letsencrypt cluster issuer for all ingresses
+certManager:
+ clusterIssuer: letsencrypt
+
+## Global ingress settings
+ingress:
+ className: traefik
+ annotations:
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+
+## Disable built-in PostgreSQL - using external database
+postgres:
+ enabled: false
+
+## Disable components we don't need yet
+matrixRTC:
+ enabled: false
+hookshot:
+ enabled: false
+haproxy:
+ enabled: false
+
+## Synapse homeserver
+synapse:
+ enabled: true
+ postgres:
+ host: psql.psql.svc
+ port: 5432
+ user: synapse
+ database: synapse
+ sslMode: prefer
+ password:
+ secret: matrix-postgres-creds
+ secretKey: synapse_db_password
+ media:
+ storage:
+ size: 20Gi
+ maxUploadSize: 100M
+ # nodeSelector:
+ # kubernetes.io/hostname: nas.homenet
+
+## Matrix Authentication Service
+matrixAuthenticationService:
+ enabled: true
+ postgres:
+ host: psql.psql.svc
+ port: 5432
+ user: mas
+ database: mas
+ sslMode: prefer
+ password:
+ secret: matrix-postgres-creds
+ secretKey: mas_db_password
+ ## Authentik OIDC upstream provider
+ additional:
+ 0-oidc:
+ configSecret: matrix-oidc-config
+ configSecretKey: mas-oidc.yaml
+ # nodeSelector:
+ # kubernetes.io/hostname: nas.homenet
+
+## Element Web client
+elementWeb:
+ enabled: true
+ ingress:
+ host: chat.hexor.cy
+ # nodeSelector:
+ # kubernetes.io/hostname: nas.homenet
+
+## Element Admin panel
+elementAdmin:
+ enabled: true
+ ingress:
+ host: matrix-admin.hexor.cy
+ # nodeSelector:
+ # kubernetes.io/hostname: nas.homenet
+
+## Well-known delegation on the base domain
+wellKnownDelegation:
+ enabled: true
+ ingress:
+ host: matrix.hexor.cy
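Review bot: Both `sslMode: prefer` entries (under `synapse.postgres` and `matrixAuthenticationService.postgres`) let the client silently fall back to a cleartext connection when the server at `psql.psql.svc` does not offer TLS, so the passwords loaded from `matrix-postgres-creds` can cross the cluster network unencrypted without any error being raised; `sslMode: require` (or `verify-full` once the server certificate is trusted in-cluster) makes the TLS expectation explicit and fails loudly instead. On style, the commented-out `nodeSelector` pair is copied four times; one note near the top such as `## nodeSelector intentionally unset; pin to nas.homenet per component when needed` and dropping the copies would keep the file shorter. `elementAdmin` is published on `matrix-admin.hexor.cy` with no access restriction visible in this file; whether it is gated by MAS login alone or also by a Traefik middleware is not shown here and is worth stating in the comment above it.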