diff --git a/hosts/common/ids.nix b/hosts/common/ids.nix
index aefa1a2a..7146e97e 100644
--- a/hosts/common/ids.nix
+++ b/hosts/common/ids.nix
@@ -21,6 +21,10 @@
   sane.ids.freshrss.uid = 2401;
   sane.ids.freshrss.gid = 2401;
   sane.ids.mediawiki.uid = 2402;
+  sane.ids.signald.uid = 2403;
+  sane.ids.signald.gid = 2403;
+  sane.ids.mautrix-signal.uid = 2404;
+  sane.ids.mautrix-signal.gid = 2404;
 
   sane.ids.colin.uid = 1000;
   sane.ids.guest.uid = 1100;
diff --git a/hosts/servo/services/matrix/default.nix b/hosts/servo/services/matrix/default.nix
index bf830d52..3d7021ac 100644
--- a/hosts/servo/services/matrix/default.nix
+++ b/hosts/servo/services/matrix/default.nix
@@ -6,6 +6,7 @@
   imports = [
     ./discord-puppet.nix
     # ./irc.nix
+    ./signal.nix
   ];
 
   sane.persist.sys.plaintext = [
diff --git a/hosts/servo/services/matrix/signal.nix b/hosts/servo/services/matrix/signal.nix
new file mode 100644
index 00000000..df78f94d
--- /dev/null
+++ b/hosts/servo/services/matrix/signal.nix
@@ -0,0 +1,35 @@
+# config options:
+# - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
+{ config, pkgs, ... }:
+{
+  services.signald.enable = true;
+  services.mautrix-signal.enable = true;
+  services.mautrix-signal.environmentFile =
+    config.sops.secrets.mautrix_signal_env.path;
+
+  services.mautrix-signal.settings.signal.socket_path = "/run/signald/signald.sock";
+  services.mautrix-signal.settings.homeserver.domain = "uninsane.org";
+  services.mautrix-signal.settings.bridge.permissions."@colin:uninsane.org" = "admin";
+  services.matrix-synapse.settings.app_service_config_files = [
+    # auto-created by mautrix-signal service
+    "/var/lib/mautrix-signal/signal-registration.yaml"
+  ];
+
+  systemd.services.mautrix-signal.serviceConfig = {
+    # allow communication to signald
+    SupplementaryGroups = [ "signald" ];
+    ReadWritePaths = [ "/run/signald" ];
+  };
+
+  sane.persist.sys.plaintext = [
+    { user = "mautrix-signal"; group = "mautrix-signal"; directory = "/var/lib/mautrix-signal"; }
+  ];
+
+  sops.secrets.mautrix_signal_env = {
+    sopsFile = ../../../../secrets/servo/mautrix_signal_env.bin;
+    format = "binary";
+    mode = "0440";
+    owner = config.users.users.mautrix-signal.name;
+    group = config.users.users.matrix-synapse.name;
+  };
+}
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 1ca1035c..d0ae9590 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -4,6 +4,7 @@
     ./duplicity.nix
     ./dyn-dns.nix
     ./kiwix-serve.nix
+    ./mautrix-signal.nix
     ./nixserve.nix
     ./trust-dns.nix
   ];
diff --git a/modules/services/mautrix-signal.nix b/modules/services/mautrix-signal.nix
new file mode 100644
index 00000000..4381dfb4
--- /dev/null
+++ b/modules/services/mautrix-signal.nix
@@ -0,0 +1,174 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  dataDir = "/var/lib/mautrix-signal";
+  registrationFile = "${dataDir}/signal-registration.yaml";
+  cfg = config.services.mautrix-signal;
+  settingsFormat = pkgs.formats.json {};
+  settingsFile =
+    settingsFormat.generate "mautrix-signal-config.json" cfg.settings;
+in
+{
+  options = {
+    services.mautrix-signal = {
+      enable = mkEnableOption (lib.mdDoc "Mautrix-Signal, a Matrix-Signal puppeting bridge");
+
+      settings = mkOption rec {
+        apply = recursiveUpdate default;
+        inherit (settingsFormat) type;
+        default = {
+          # defaults based on this upstream example config:
+          # - <https://github.com/mautrix/signal/blob/master/mautrix_signal/example-config.yaml>
+          homeserver = {
+            address = "http://localhost:8008";
+            software = "standard";
+            # domain = "SETME";
+          };
+
+          appservice = rec {
+            address = "http://${hostname}:${toString port}";
+            hostname = "localhost";
+            port = 29328;
+
+            database = "sqlite:///${dataDir}/mautrix-signal.db";
+            database_opts = {};
+            bot_username = "signalbot";
+          };
+
+          bridge = {
+            username_template = "signal_{userid}";
+            permissions."*" = "relay";
+            double_puppet_server_map = {};
+            login_shared_secret_map = {};
+          };
+
+          logging = {
+            version = 1;
+
+            formatters.precise.format = "[%(levelname)s@%(name)s] %(message)s";
+
+            handlers.console = {
+              class = "logging.StreamHandler";
+              formatter = "precise";
+            };
+
+            # log to console/systemd instead of file
+            root = {
+              level = "INFO";
+              handlers = ["console"];
+            };
+          };
+        };
+        example = literalExpression ''
+          {
+            homeserver = {
+              address = "http://localhost:8008";
+              domain = "mydomain.example";
+            };
+
+            bridge.permissions = {
+              "@admin:mydomain.example" = "admin";
+              "mydomain.example" = "user";
+            };
+          }
+        '';
+        description = lib.mdDoc ''
+          {file}`config.yaml` configuration as a Nix attribute set.
+          Configuration options should match those described in
+          [example-config.yaml](https://github.com/mautrix/signale/blob/master/mautrix_signal/example-config.yaml).
+        '';
+      };
+
+      environmentFile = mkOption {
+        type = types.nullOr types.path;
+        default = null;
+        description = lib.mdDoc ''
+          File containing environment variables to be passed to the mautrix-signal service,
+          in which secret tokens can be specified securely by defining values for e.g.
+          `MAUTRIX_SIGNAL_APPSERVICE_AS_TOKEN`,
+          `MAUTRIX_SIGNAL_APPSERVICE_HS_TOKEN`
+
+          These environment variables can also be used to set other options by
+          replacing hierarchy levels by `.`, converting the name to uppercase
+          and prepending `MAUTRIX_SIGNAL_`.
+          For example, the first value above maps to
+          {option}`settings.appservice.as_token`.
+
+          The environment variable values can be prefixed with `json::` to have
+          them be parsed as JSON. For example, `login_shared_secret_map` can be
+          set as follows:
+          `MAUTRIX_SIGNAL_BRIDGE_LOGIN_SHARED_SECRET_MAP=json::{"example.com":"secret"}`.
+        '';
+      };
+
+      serviceDependencies = mkOption {
+        type = with types; listOf str;
+        default = optional config.services.matrix-synapse.enable "matrix-synapse.service";
+        defaultText = literalExpression ''
+          optional config.services.matrix-synapse.enable "matrix-synapse.service"
+        '';
+        description = lib.mdDoc ''
+          List of Systemd services to require and wait for when starting the application service.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.mautrix-signal = {};
+
+    users.users.mautrix-signal = {
+      group = "mautrix-signal";
+      isSystemUser = true;
+    };
+
+    systemd.services.mautrix-signal = {
+      description = "Mautrix-Signal, a Matrix-Signal puppeting bridge.";
+
+      wantedBy = [ "multi-user.target" ];
+      wants = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      after = [ "network-online.target" ] ++ cfg.serviceDependencies;
+      path = [ pkgs.ffmpeg ];  # voice messages need `ffmpeg`
+
+      # environment.HOME = dataDir;
+
+      preStart = ''
+        # generate the appservice's registration file if absent
+        if [ ! -f '${registrationFile}' ]; then
+          ${pkgs.mautrix-signal}/bin/mautrix-signal \
+            --generate-registration \
+            --no-update \
+            --base-config='${pkgs.mautrix-signal}/${pkgs.mautrix-signal.pythonModule.sitePackages}/mautrix_signal/example-config.yaml' \
+            --config='${settingsFile}' \
+            --registration='${registrationFile}'
+        fi
+      '';
+
+      serviceConfig = {
+        Type = "simple";
+        Restart = "always";
+
+        User = "mautrix-signal";
+
+        ProtectSystem = "strict";
+        ProtectHome = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectControlGroups = true;
+
+        PrivateTmp = true;
+        WorkingDirectory = pkgs.mautrix-signal;
+        StateDirectory = baseNameOf dataDir;
+        UMask = "0027";
+        EnvironmentFile = cfg.environmentFile;
+
+        ExecStart = ''
+          ${pkgs.mautrix-signal}/bin/mautrix-signal \
+            --config='${settingsFile}' \
+            --no-update
+        '';
+      };
+    };
+  };
+}
diff --git a/secrets/servo/mautrix_signal_env.bin b/secrets/servo/mautrix_signal_env.bin
new file mode 100644
index 00000000..cbf6049b
--- /dev/null
+++ b/secrets/servo/mautrix_signal_env.bin
@@ -0,0 +1,32 @@
+{
+	"data": "ENC[AES256_GCM,data:5n4FNKyblSOQCC17LmLNfF49+z6ZxX9bAv/xTsyQTR+NglhEtUa+JFziu2Il0w2pscAO37sBvE9SvsM9jNG0v4GxlxlLrgEuam6Tf7Ch71lDdxDXJWMTR032WqMF7q6rYbflw8D4fkpQ9yDbgDJUErrds1JvbNhcv6oqoJ/TuhiQZLakNTprtRkw4gCDJDsyDakhv440EK80o/O1CnO+xnSmBj6mLxljQ0EeFzwhjVr1UlhWJ4wQC8TNAAvYN5gILYP0U11kROI=,iv:JZougqWF29K9mDE0kwe03FGad1CglSlxQt5xM9l7wK8=,tag:DQXUPqMvvnqP2kyYikI2ZQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1tnl4jfgacwkargzeqnhzernw29xx8mkv73xh6ufdyde6q7859slsnzf24x",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2M01sL1JsODFvVWRHOVZX\nTk1wQlRkclFVZnlKK2lBOUQ1M053SUZxUVYwCjVkVmoxdkRvd3YvQmxvMmd6Ly9k\nWlZGc3M1Yi9lZ3ZRUFJiYWNlRjZ6M2cKLS0tIElTRnplV25wTmFkSVU1clRNa0NZ\nNW5IaDJWYVNCdDNhYTFSU0J6RUJQN28K4XJGpANIuIfHZuk4cinpsPeZ8mMI2jBH\nT2JGyRNm9Jyr3muV8oC/I22fAKLev8f9Svc+o/VAO4R6ZTWmTwk+dA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1j2pqnl8j0krdzk6npe93s4nnqrzwx978qrc0u570gzlamqpnje9sc8le2g",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkQnpqLy83eW9HaExkYWxL\nMHRKY3FsemZQcmVwVWx0a0YvRCtCclZrT1ZRCjJ6UVVjSm85TnVTaHFMRlg0YkNa\nOEQ4eUNyV0lEalVXbi9TVDZLUEVvaXcKLS0tICtvaHhHdmRIY2NNTFBZZ2taS0lX\nak45eW5oT2tIWVNRNmkxbUQ5K2lublUKkLfW5vRfjTpfTOeirLXRik9SJDm92pUX\nXcv9L5klKUb0O3+T0pwb9rYFfhk4eGSxS6ZFQnGrLv0lLTRZq6eocw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1z8fauff34cdecr6sjkre260luzxcca05kpcwvhx988d306tpcejsp63znu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhM25NNlRaNDJYZlJkMjVh\nelZPekdjSHJ4ZnZEbnBCZGV4OVN2RVJCOHpNCnVFWFBNTkd4SkJ0SkdvcUdYUzRF\ncnpPUUQyWEpMU0FqQyszTXp0ZFhQeFkKLS0tIDFua2dscEtxQmdUTm14OWlqMjBI\nSXY5cTJEajd3WmNMNlB1eGtQN3RHUEEK3+zoziFJq/rzpnz8ROL5oGqnHUpJTXG8\nhCQEIOA6dO6PjoXUKd6B8bVPzlDLO5daPh0TS5NGiMlZ8qQe706Syw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tzlyex2z6t88tg9h82943e39shxhmqeyr7ywhlwpdjmyqsndv3qq27x0rf",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByc1EzcmVzeHYyTkQ3N2Uw\nTERtdENyeGNONVpjU0FKRE1wR0RlSnhNUjM0ClU4MGwvQjFhM2xXYkNITjFMUHdF\naU50YWVjU08zWXhweXVOWU13enpMQlUKLS0tIDdIRm5GV2IxU1AxcFZldDBBeTBt\nZnRJV25IbGo5R1RySmx4ampnNzdYU0EK7PF9BEGfX6T+1Wit9MG+02sGZTXRUR0M\noVC+oHsCAojhnMP17xyDosnJQqwrNKFwKMQbH7mqBW5Ku4hGy56cGQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-01-16T11:17:12Z",
+		"mac": "ENC[AES256_GCM,data:SqOusB8Hd713NYDOkRq2Ju6q4ClN0zOeeCTCAAv+EorKHN7vgz15LuCNWj7iLX4EWrWufzHhG7JFtm6q5h64hxlfzisx3JCtMLRlb40PkDip+2gShH7X4eWcdsRw7/a40e2Qnp/hiXrhH11P1pMqbn6drUPmLy307CyRzThVrcw=,iv:gFcF4i4dqk4rOus4ZKUojD/AAkIuWzGDfqEQTej83Co=,tag:AYknOJm7QTEBR6OzN8dsiw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
\ No newline at end of file