diff --git a/flake.nix b/flake.nix
index cca58cc..71fd11d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -65,6 +65,7 @@
 ./nixos/services/prometheus.nix
 ./nixos/services/grafana.nix
 ./nixos/services/synapse.nix
+ ./nixos/services/whatsapp.nix
 ./nixos/services/nextcloud.nix
 ] [];
diff --git a/nixos/services/synapse.nix b/nixos/services/synapse.nix
index 8875e72..9e727ec 100644
--- a/nixos/services/synapse.nix
+++ b/nixos/services/synapse.nix
@@ -1,7 +1,6 @@
 {
 pkgs,
 config,
- lib,
 ...
 }: let
 fqdn = "${hostname}.${domain}";
diff --git a/nixos/services/whatsapp.nix b/nixos/services/whatsapp.nix
index 36c18e4..6e1e2d0 100644
--- a/nixos/services/whatsapp.nix
+++ b/nixos/services/whatsapp.nix
@@ -1,5 +1,78 @@
-{
+{config, ...}: let
+ inherit (config) sops;
+ inherit (sops) templates placeholder;
+
+ toAppRegistration = {
+ port,
+ id,
+ as_token,
+ hs_token,
+ sender_localpart,
+ rate_limited ? false,
+ ...
+ } @ conf:
+ builtins.toJSON ({
+ namespaces = {
+ users = [
+ {
+ exclusive = true;
+ regex = "^@${id}_.*:tristans.cloud$";
+ }
+ {
+ exclusive = true;
+ regex = "^@${id}bot:tristans.cloud$";
+ }
+ ];
+ };
+ url = "http://localhost:${toString port}";
+ }
+ // conf);
+in {
+ sops.secrets = {
+ "mautrix-whatsapp/as_token" = {};
+ "mautrix-whatsapp/hs_token" = {};
+ };
+ sops.templates = {
+ "mautrix-whatsapp/appservice.yaml" = {
+ owner = "matrix-synapse";
+ content = toAppRegistration {
+ id = "whatsapp";
+ port = config.services.mautrix-whatsapp.settings.appservice.port;
+ as_token = placeholder."mautrix-whatsapp/as_token";
+ hs_token = placeholder."mautrix-whatsapp/hs_token";
+ sender_localpart = "Gx8tLTHsxVlrdD3qibaPdaP9t7GhfciV";
+ "de.sorunome.msc2409.push_ephemeral" = true;
+ };
+ };
+ # "mautrix-whatsapp/env".content = ''
+ # MAUTRIX_WHATSAPP_APPSERVICE_AS_TOKEN=${placeholder."mautrix-whatsapp/as_token"}
+ # MAUTRIX_WHATSAPP_APPSERVICE_HS_TOKEN=${placeholder."mautrix-whatsapp/hs_token"}
+ # '';
+ };
+
 services.mautrix-whatsapp = {
 enable = true;
+ # environmentFile = templates."mautrix-whatsapp/env".path;
+ settings = {
+ homeserver = {
+ address = "http://localhost:8008";
+ domain = "tristans.cloud";
+ };
+ bridge = {
+ permissions = {
+ "tristans.cloud" = "user";
+ "@tristan:tristans.cloud" = "admin";
+ };
+ encryption = {
+ allow = true;
+ };
+ personal_filtering_spaces = true;
+ };
+ };
 };
+
+ services.matrix-synapse.settings.app_service_config_files = [
+ templates."mautrix-whatsapp/appservice.yaml".path
+ # "/var/lib/mautrix-whatsapp/whatsapp-registration.yaml"
+ ];
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 9bacbbd..0377671 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
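Review bot: The `rate_limited ? false` default in `toAppRegistration` never reaches the generated registration, because in Nix the `@ conf` binding contains only the attributes the caller actually passed and `rate_limited` is not referenced anywhere else in the function. The call under `sops.templates` does not pass it, so the JSON has no `rate_limited` key and Synapse applies its own default; adding `inherit rate_limited;` to the base attribute set before `// conf` would emit it. The two namespace regexes also leave the dots in `tristans.cloud` unescaped, so each matches any character; for an `exclusive` namespace I would write `regex = "^@${id}_.*:tristans\\.cloud$";` and the same for the `bot` entry. Separately, with `environmentFile` and the `mautrix-whatsapp/env` template commented out, nothing visible in this hunk hands the sops-managed `as_token`/`hs_token` to the bridge itself, so it is worth confirming that the bridge and the registration Synapse loads end up with the same tokens.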
@@ -10,6 +10,9 @@ synapse: oidc_client_secret: ENC[AES256_GCM,data:GXEHHAf5pi/34DY8rUtb1r+0w9HdH2LfeYzREq9BssbspORGd2lOGW22kpUWQzMP/LN8qqx0+EDxlnUuz6MbKofdDPO53Ghrkv7eKsgHdI4g8NbneOEIe4Uurjsg+ibn2EIAWP6HsdwDoLPpS260HyciHJz15i8OpyPatv+bhUc=,iv:pigc8d/LPwy/mBrlUzOFR1nIUrulYZ67nq4bI4Mn+MI=,tag:5fQj8XiXmlC0/T4Muht7bA==,type:str] signing_key: ENC[AES256_GCM,data:AuXyep/aoKn0EoXFgphhlwyvqiwnmRAbGsjzQtCHOVe1Nsdd1aZZdmANt3NXbNJbtjbowIYGbYTizQ==,iv:jKfEBdXSIrg1WQRvWxi+CUiO2mXOfULkg/i3YSD4d9k=,tag:EZJnoZVyrjb0fcRbvyuiPg==,type:str] sliding_sync_secret: ENC[AES256_GCM,data:EureGgSONw+29RnTBcG7+Hpjs3mOk1Zr75glc582Tr9ITFfMczAdfY0FlWQgDxiPnl3o2GqlvdQ2CwDmpVGUVQ==,iv:JUKLrxrYQmCF15o+PwY1PzNW1h9FrGxdbSFGCzm3RdA=,tag:/TMv9LcCRLoTw3MDmpE0oQ==,type:str] +mautrix-whatsapp: + as_token: ENC[AES256_GCM,data:x1iIfwaRdSzC7wo684FY5ZCytj+uQSS2k8UZ/Sm/0gy7jnjsb6Eyl0I5tdNf7mYk2gdTtfmc+dVThOP3aGIZXQ==,iv:hvVr1MZfpLewomTW5pUhOvrQ2fEkQy4LNnfqslkeFgQ=,tag:5eUZLn5Bd2D5GWyIx9xevw==,type:str] + hs_token: ENC[AES256_GCM,data:y8q41zg1NFco0fs7Q/yZVIPCdrUsB8/CRiffBpAVWsH0vCCHQvBs6VUGZmZwJVySkxSfFqBdCc/TF38SPwhxCg==,iv:sJ0cldlCTpGRMYT0u9ZGFVI70m3VBCZqn/l4cwUDyAI=,tag:D0QE2TQxLNnEv6/ECCLnRw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -25,8 +28,8 @@ sops: NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-26T17:54:36Z" - mac: ENC[AES256_GCM,data:ACq2ZewsSYkONXBOrUWRm+Thywc4DCtmPESSUcx8qVPV+x0C7+wq8ShHlfPmIWfXwOEtNHYLWIHMFegDlRn/B5SVkok46XUq+s62tKEZI+5tI7MfM7FVFaJGFq7/Y7AFOF7uuhPYaWrSvNTTvegbBKVGAeAJXGXXrbVO1V+dw2c=,iv:mf4Cxj82iAfdJjlDZdtE31MhcP+Z/I/vWSwY2bBb2SM=,tag:Hiwd93LgGeqKo4pGiTDiOw==,type:str] + lastmodified: "2024-02-26T19:50:48Z" + mac: ENC[AES256_GCM,data:ZmySnwEMEStfSWgKbw7eVULLkYdpH4d4RMV0mDlfE0dXdF8eOtjfBK/NyLCP84VMIWJWFzc/KihOuSWEpzjtoZVJAHi/c/sh87OpigjG4X3RFIJFV7IhKyielyhd5SInQV/yMa0IOPN5MnK40h59+ofRlVZ2371PdYkns6EVUoo=,iv:1PMwsRz78iMCs6QJfnfCUXCofOonEl+je/6e/4GZW+g=,tag:FOqWXMkWOf4C6VhV7ODwMg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1