diff --git a/README.md b/README.md
index 2aab043..1c3a86f 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+see TODO.md for my aspirations
+
 ## usage
 
 ### install
diff --git a/TODO.md b/TODO.md
new file mode 100644
index 0000000..07e96f9
--- /dev/null
+++ b/TODO.md
@@ -0,0 +1,19 @@
+- add other remote
+- fully automate remote provisioning (remote keys)
+- fix ipv6 on remotes
+- modularize home manager
+- add services?
+    - 0x0
+    - forgejo
+    - matrix homeserver
+    - matrix webclient
+    - radicale
+    - rocket.chat or something better than zulip
+    - tor relay
+    - wireguard as vpn
+- add home functionality
+    - better term emulator
+    - switch browser?
+        - chromium: much better sandboxing
+        - ladybird: be an early tester, contribute
+        - glide: sexier tridactyl implementation
diff --git a/modules/nixos/matrix-conduit.nix b/modules/nixos/matrix-conduit.nix
new file mode 100644
index 0000000..595d48c
--- /dev/null
+++ b/modules/nixos/matrix-conduit.nix
@@ -0,0 +1,13 @@
+{config, ...}: {
+  services.matrix-conduit = {
+    enable = true;
+    settings.global = {
+      server_name = "${config.networking.domain}";
+      address = "localhost";
+      database_backend = "rocksdb";
+      allow_registration = true;
+      allow_federation = true;
+    };
+    secretFile = config.age.secrets.conduit-secretFile.path;
+  };
+}
diff --git a/pub-keys.nix b/pub-keys.nix
index 1dc9073..9a67abe 100644
--- a/pub-keys.nix
+++ b/pub-keys.nix
@@ -1,6 +1,7 @@
 {
   age.secrets = {
     andromeda-pw.file = ./secrets/andromeda-pw.age;
+    conduit-secretFile.file = ./secrets/conduit-secretFile.age;
     "dkim-galaxious.de.mail.key".file = ./secrets/dkim-galaxious.de.mail.key.age;
     mtgmonkey-pw.file = ./secrets/mtgmonkey-pw.age;
     mailserver-acc-test-pw.file = ./secrets/mailserver-acc-test-pw.age;
diff --git a/secrets/conduit-secretFile.age b/secrets/conduit-secretFile.age
new file mode 100644
index 0000000..ef3d864
--- /dev/null
+++ b/secrets/conduit-secretFile.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 mT2fyg x0n1JToeD7bRsDYJpv0HFzQYB9YxxiSqt+dG6elG1Eg
+vspLec9Vm6fvJnlDGjzezThc1qeIYyWncBxYwsE/6rg
+-> ssh-ed25519 UHxfvA nOlZo53SINXJs8tt/vdoiGjMnIW/lYZVdI8TJfAFqxE
+XlxvrHDFlm8c7odfNbBw0/QeYuCj5e4VValql5JNNgg
+-> ssh-ed25519 yXDKAA Rf+obXBUKxOcMqrb6rlOSfZGyjkj1PnRvHUSDToj6Tw
+XV/3FmC48Wcg9r3C5soRKBwOcBgat2ueAa8pU1MUYLE
+--- l/eEq13iyiddR9Rgf47Mv8JxPfjINwCnU4pd3KyxMVQ
+^P%ÔÏ¦‚Û}ÌÝM¤Ñù&ß¢Ù‡óQ¬?d^ØYú	Ã~øTuÃï±oÍfž´·7¬nÙ'!'Í“ã††µ]dÍ‡0>vÆÇŸ¸Ü.Ÿ€E]˜šÔ‡|‰>d— *wDÉ‹¿­à›­)cHêÁ@Wv*šWkõéN¤ÎRßF	I@¶ê;9=u¬–Í’¬°°Ï„Œ,—‘©)Ÿ>bÁÝ:O«Jð=´WIÁÝêÀx
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 10b449b..2b18560 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,6 +8,11 @@ in {
   "andromeda-pw.age".publicKeys = [andromeda lenovo];
   "mtgmonkey-pw.age".publicKeys = [andromeda lenovo];
 
+  # contains the following env
+  # CONDUIT_JWT_SECRET
+  # CONDUIT_TURN_SECRET
+  "conduit-secretFile.age".publicKeys = [andromeda lenovo _109-199-104-83];
+
   # dkim private keys
   "dkim-galaxious.de.mail.key.age".publicKeys = [andromeda lenovo _109-199-104-83];