diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..3c9fd8e
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,18 @@
+# FEDEO Matrix-Kommunikation
+#
+# Diese Werte werden von docker-compose.yml gelesen, wenn das Profil "matrix"
+# genutzt wird. Für produktive Systeme müssen alle Geheimnisse ersetzt werden.
+
+MATRIX_SERVER_NAME=fedeo.de
+MATRIX_HOMESERVER_HOST=matrix.fedeo.de
+MATRIX_RTC_HOST=call.fedeo.de
+MATRIX_TURN_HOST=turn.fedeo.de
+
+MATRIX_POSTGRES_DB=synapse
+MATRIX_POSTGRES_USER=synapse
+MATRIX_POSTGRES_PASSWORD=change-this-matrix-db-password
+
+MATRIX_TURN_SHARED_SECRET=change-this-turn-secret
+
+LIVEKIT_KEY=fedeo-livekit
+LIVEKIT_SECRET=change-this-livekit-secret
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ab1815e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+.env
+
+# Lokale Runtime-Daten und generierte Konfigurationen
+matrix/postgres/
+matrix/synapse/
diff --git a/docker-compose.yml b/docker-compose.yml
index 7263a44..b57bca1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -71,6 +71,182 @@ services:
       - "traefik.http.routers.fedeo-backend-secure.entrypoints=web-secured" #
       - "traefik.http.routers.fedeo-backend-secure.tls.certresolver=mytlschallenge"
       - "traefik.http.routers.fedeo-backend-secure.middlewares=fedeo-backend-strip"
+  matrix-db:
+    image: postgres:16-alpine
+    restart: unless-stopped
+    profiles:
+      - matrix
+    environment:
+      - POSTGRES_DB=${MATRIX_POSTGRES_DB:-synapse}
+      - POSTGRES_USER=${MATRIX_POSTGRES_USER:-synapse}
+      - POSTGRES_PASSWORD=${MATRIX_POSTGRES_PASSWORD:-change-this-matrix-db-password}
+      - POSTGRES_INITDB_ARGS=--encoding=UTF8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - ./matrix/postgres:/var/lib/postgresql/data
+    networks:
+      - traefik
+
+  matrix-redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    profiles:
+      - matrix
+    networks:
+      - traefik
+
+  matrix-synapse:
+    image: ghcr.io/element-hq/synapse:latest
+    restart: unless-stopped
+    profiles:
+      - matrix
+    depends_on:
+      - matrix-db
+      - matrix-redis
+    environment:
+      - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
+    volumes:
+      - ./matrix/synapse:/data
+    networks:
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.port=8008"
+      - "traefik.http.services.fedeo-matrix.loadbalancer.server.port=8008"
+      # Matrix Client-Server API
+      - "traefik.http.routers.fedeo-matrix.rule=Host(`${MATRIX_HOMESERVER_HOST:-matrix.fedeo.de}`) && PathPrefix(`/_matrix`)"
+      - "traefik.http.routers.fedeo-matrix.entrypoints=web"
+      - "traefik.http.routers.fedeo-matrix.middlewares=fedeo-matrix-redirect-web-secure"
+      - "traefik.http.routers.fedeo-matrix.service=fedeo-matrix"
+      - "traefik.http.middlewares.fedeo-matrix-redirect-web-secure.redirectscheme.scheme=https"
+      - "traefik.http.routers.fedeo-matrix-secure.rule=Host(`${MATRIX_HOMESERVER_HOST:-matrix.fedeo.de}`) && PathPrefix(`/_matrix`)"
+      - "traefik.http.routers.fedeo-matrix-secure.entrypoints=web-secured"
+      - "traefik.http.routers.fedeo-matrix-secure.tls.certresolver=mytlschallenge"
+      - "traefik.http.routers.fedeo-matrix-secure.service=fedeo-matrix"
+      # Matrix Federation API, nur öffnen wenn Federation gewünscht ist.
+      - "traefik.http.routers.fedeo-matrix-federation.rule=Host(`${MATRIX_HOMESERVER_HOST:-matrix.fedeo.de}`) && PathPrefix(`/_matrix/federation`)"
+      - "traefik.http.routers.fedeo-matrix-federation.entrypoints=web-secured"
+      - "traefik.http.routers.fedeo-matrix-federation.tls.certresolver=mytlschallenge"
+      - "traefik.http.routers.fedeo-matrix-federation.service=fedeo-matrix"
+
+  matrix-well-known:
+    image: nginx:1.27-alpine
+    restart: unless-stopped
+    profiles:
+      - matrix
+    volumes:
+      - ./matrix/well-known:/usr/share/nginx/html/.well-known/matrix:ro
+    networks:
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.port=80"
+      - "traefik.http.services.fedeo-matrix-well-known.loadbalancer.server.port=80"
+      - "traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolalloworiginlist=*"
+      - "traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolallowmethods=GET,OPTIONS"
+      - "traefik.http.middlewares.fedeo-matrix-well-known-cors.headers.accesscontrolallowheaders=Content-Type,Authorization"
+      - "traefik.http.routers.fedeo-matrix-well-known.rule=Host(`${MATRIX_SERVER_NAME:-fedeo.de}`) && PathPrefix(`/.well-known/matrix`)"
+      - "traefik.http.routers.fedeo-matrix-well-known.entrypoints=web-secured"
+      - "traefik.http.routers.fedeo-matrix-well-known.tls.certresolver=mytlschallenge"
+      - "traefik.http.routers.fedeo-matrix-well-known.middlewares=fedeo-matrix-well-known-cors"
+      - "traefik.http.routers.fedeo-matrix-well-known.service=fedeo-matrix-well-known"
+
+  matrix-turn:
+    image: instrumentisto/coturn:4
+    restart: unless-stopped
+    profiles:
+      - matrix
+    command:
+      - --fingerprint
+      - --use-auth-secret
+      - --static-auth-secret=${MATRIX_TURN_SHARED_SECRET:-change-this-turn-secret}
+      - --realm=${MATRIX_SERVER_NAME:-fedeo.de}
+      - --listening-port=3478
+      - --tls-listening-port=5349
+      - --min-port=49160
+      - --max-port=49200
+      - --no-cli
+      - --no-tlsv1
+      - --no-tlsv1_1
+    ports:
+      - "3478:3478/tcp"
+      - "3478:3478/udp"
+      - "5349:5349/tcp"
+      - "49160-49200:49160-49200/udp"
+    networks:
+      - traefik
+
+  matrix-livekit:
+    image: livekit/livekit-server:v1.9
+    restart: unless-stopped
+    profiles:
+      - matrix
+    depends_on:
+      - matrix-redis
+    entrypoint: /bin/sh
+    command:
+      - -ec
+      - |
+        cat >/tmp/livekit.yaml <<EOF
+        port: 7880
+        redis:
+          address: matrix-redis:6379
+        rtc:
+          tcp_port: 7881
+          port_range_start: 50000
+          port_range_end: 50100
+          use_external_ip: true
+        keys:
+          ${LIVEKIT_KEY:-fedeo-livekit}: ${LIVEKIT_SECRET:-change-this-livekit-secret}
+        room:
+          auto_create: false
+        EOF
+        exec livekit-server --config /tmp/livekit.yaml
+    ports:
+      - "7881:7881/tcp"
+      - "50000-50100:50000-50100/udp"
+    networks:
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.port=7880"
+      - "traefik.http.services.fedeo-matrix-livekit.loadbalancer.server.port=7880"
+      - "traefik.http.middlewares.fedeo-matrix-livekit-strip.stripprefix.prefixes=/livekit/sfu"
+      - "traefik.http.routers.fedeo-matrix-livekit.rule=Host(`${MATRIX_RTC_HOST:-call.fedeo.de}`) && PathPrefix(`/livekit/sfu`)"
+      - "traefik.http.routers.fedeo-matrix-livekit.entrypoints=web-secured"
+      - "traefik.http.routers.fedeo-matrix-livekit.tls.certresolver=mytlschallenge"
+      - "traefik.http.routers.fedeo-matrix-livekit.middlewares=fedeo-matrix-livekit-strip"
+      - "traefik.http.routers.fedeo-matrix-livekit.service=fedeo-matrix-livekit"
+
+  matrix-rtc-jwt:
+    image: ghcr.io/element-hq/lk-jwt-service:latest
+    restart: unless-stopped
+    profiles:
+      - matrix
+    depends_on:
+      - matrix-livekit
+      - matrix-synapse
+    environment:
+      - LIVEKIT_URL=wss://${MATRIX_RTC_HOST:-call.fedeo.de}/livekit/sfu
+      - LIVEKIT_KEY=${LIVEKIT_KEY:-fedeo-livekit}
+      - LIVEKIT_SECRET=${LIVEKIT_SECRET:-change-this-livekit-secret}
+      - LIVEKIT_FULL_ACCESS_HOMESERVERS=${MATRIX_SERVER_NAME:-fedeo.de}
+      - LIVEKIT_JWT_BIND=:8080
+    networks:
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik"
+      - "traefik.port=8080"
+      - "traefik.http.services.fedeo-matrix-rtc-jwt.loadbalancer.server.port=8080"
+      - "traefik.http.middlewares.fedeo-matrix-rtc-jwt-strip.stripprefix.prefixes=/livekit/jwt"
+      - "traefik.http.routers.fedeo-matrix-rtc-jwt.rule=Host(`${MATRIX_RTC_HOST:-call.fedeo.de}`) && PathPrefix(`/livekit/jwt`)"
+      - "traefik.http.routers.fedeo-matrix-rtc-jwt.entrypoints=web-secured"
+      - "traefik.http.routers.fedeo-matrix-rtc-jwt.tls.certresolver=mytlschallenge"
+      - "traefik.http.routers.fedeo-matrix-rtc-jwt.middlewares=fedeo-matrix-rtc-jwt-strip"
+      - "traefik.http.routers.fedeo-matrix-rtc-jwt.service=fedeo-matrix-rtc-jwt"
   #  db:
   #    image: postgres
   #    restart: always
diff --git a/matrix/README.md b/matrix/README.md
new file mode 100644
index 0000000..7fe0f8b
--- /dev/null
+++ b/matrix/README.md
@@ -0,0 +1,96 @@
+# Matrix-Stack in der FEDEO Compose
+
+Der Matrix-Stack liegt in derselben `docker-compose.yml` wie FEDEO und ist über das Compose-Profil `matrix` aktivierbar.
+
+## Enthaltene Dienste
+
+- `matrix-db`: PostgreSQL für Synapse
+- `matrix-redis`: Redis für Synapse und LiveKit
+- `matrix-synapse`: Matrix Homeserver
+- `matrix-well-known`: Auslieferung von `.well-known/matrix/client` und `.well-known/matrix/server`
+- `matrix-turn`: coturn für stabile WebRTC-Verbindungen
+- `matrix-livekit`: LiveKit SFU für MatrixRTC-Konferenzen
+- `matrix-rtc-jwt`: MatrixRTC Authorization Service für LiveKit-JWTs
+
+## Vorbereitung
+
+Lege im Repo eine `.env` auf Basis von `.env.example` an und passe mindestens diese Werte an:
+
+- `MATRIX_SERVER_NAME`
+- `MATRIX_HOMESERVER_HOST`
+- `MATRIX_RTC_HOST`
+- `MATRIX_TURN_HOST`
+- `MATRIX_POSTGRES_PASSWORD`
+- `MATRIX_TURN_SHARED_SECRET`
+- `LIVEKIT_KEY`
+- `LIVEKIT_SECRET`
+
+Passe außerdem die Dateien in `matrix/well-known/` an, falls die Domains nicht `fedeo.de`, `matrix.fedeo.de` und `call.fedeo.de` heißen.
+
+## Synapse-Konfiguration erzeugen
+
+Synapse benötigt vor dem ersten Start eine generierte `homeserver.yaml`. Der Befehl bleibt innerhalb derselben Compose:
+
+```bash
+docker compose --profile matrix run --rm \
+  -e SYNAPSE_SERVER_NAME="${MATRIX_SERVER_NAME}" \
+  -e SYNAPSE_REPORT_STATS=no \
+  matrix-synapse generate
+```
+
+Danach `matrix/synapse/homeserver.yaml` prüfen und mindestens diese Punkte setzen:
+
+```yaml
+public_baseurl: "https://matrix.fedeo.de/"
+
+database:
+  name: psycopg2
+  args:
+    user: synapse
+    password: "<MATRIX_POSTGRES_PASSWORD>"
+    database: synapse
+    host: matrix-db
+    cp_min: 5
+    cp_max: 10
+
+redis:
+  enabled: true
+  host: matrix-redis
+
+turn_uris:
+  - "turn:<MATRIX_TURN_HOST>:3478?transport=udp"
+  - "turn:<MATRIX_TURN_HOST>:3478?transport=tcp"
+turn_shared_secret: "<MATRIX_TURN_SHARED_SECRET>"
+turn_user_lifetime: "1h"
+
+experimental_features:
+  msc3266_enabled: true
+  msc4222_enabled: true
+
+max_event_delay_duration: 24h
+rc_message:
+  per_second: 0.5
+  burst_count: 30
+rc_delayed_event_mgmt:
+  per_second: 1
+  burst_count: 20
+```
+
+## Start
+
+```bash
+docker compose --profile matrix up -d
+```
+
+Ohne Profil startet weiterhin nur der bisherige FEDEO-Stack:
+
+```bash
+docker compose up -d
+```
+
+## Hinweise
+
+- Die Matrix-Services sind bewusst im bestehenden Compose-Stack definiert, damit FEDEO nicht in mehrere Deployment-Dateien zerfällt.
+- Die aktuellen Ports für TURN und LiveKit müssen auf der Firewall des Servers freigegeben werden.
+- Federation sollte erst nach einer expliziten Entscheidung geöffnet werden. Für B2B-Kommunikation ist eine Allowlist sinnvoll.
+- Die Werte in `.env.example` sind Platzhalter und nicht produktionssicher.
diff --git a/matrix/well-known/client b/matrix/well-known/client
new file mode 100644
index 0000000..8be3bb0
--- /dev/null
+++ b/matrix/well-known/client
@@ -0,0 +1,11 @@
+{
+  "m.homeserver": {
+    "base_url": "https://matrix.fedeo.de"
+  },
+  "org.matrix.msc4143.rtc_foci": [
+    {
+      "type": "livekit",
+      "livekit_service_url": "https://call.fedeo.de/livekit/jwt"
+    }
+  ]
+}
diff --git a/matrix/well-known/server b/matrix/well-known/server
new file mode 100644
index 0000000..0703b40
--- /dev/null
+++ b/matrix/well-known/server
@@ -0,0 +1,3 @@
+{
+  "m.server": "matrix.fedeo.de:443"
+}