diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix
index f6f0a63..ed2d898 100644
--- a/hosts/architect/firewall.nix
+++ b/hosts/architect/firewall.nix
@@ -7,20 +7,12 @@ let
     22    # ssh
     80    # http
     443   # https
-    3478  # turn
+    8448  # matrix
     10022 # gitea
-    40000
-    40001
-    40002
-    40003
   ];
   open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
     1194  # wireguard
     3478  # turn
-    40000
-    40001
-    40002
-    40003
   ];
 in {
   networking = {
diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix
index 12711cd..a009dd6 100644
--- a/hosts/architect/matrix.nix
+++ b/hosts/architect/matrix.nix
@@ -1,4 +1,4 @@
-{ pkgs, config, ... }:
+{ pkgs, config, tmp, ... }:
 
 with import ./network.nix;
 {
@@ -11,7 +11,10 @@ with import ./network.nix;
       registration_shared_secret = "runas!";
       dynamic_thumbnails = true;
       enable_registration = true;
-      app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" ];
+      app_service_config_files = [ 
+        "/var/lib/matrix-synapse/discord-registration.yaml" 
+        "/var/lib/matrix-synapse/telegram-registration.yaml" 
+      ];
       extraConfig = ''
         auto_join_rooms:
           - "#infra:matrix.giugl.io"
@@ -79,7 +82,7 @@ with import ./network.nix;
         enableACME = true;
         forceSSL = true;
 
-        root = pkgs.element-web.override {
+        root = pkgs.unstable.element-web.override {
           conf = {
             default_server_config."m.homeserver" = {
               "base_url" = "https://${matrixdomain}";
@@ -90,6 +93,7 @@ with import ./network.nix;
       };
     };
 
+    # discord bridge
     matrix-appservice-discord = {
       enable = true;
       environmentFile = /secrets/matrix-appservice-discord/tokens.env;
@@ -103,8 +107,56 @@ with import ./network.nix;
         };
       };
     };
+
+    # telegram bridge
+    
+  mautrix-telegram = {
+    enable = true;
+    environmentFile = /secrets/mautrix-telegram/mautrix-telegram.env;
+
+    settings = {
+      homeserver = {
+        address = "https://${matrixdomain}";
+        domain = "${matrixdomain}";
+      };
+
+      appservice = {
+        provisioning.enabled = false;
+        id = "telegram";
+      };
+
+      bridge = {
+        permissions = {
+          "@pepe:${matrixdomain}" = "admin";
+          "${matrixdomain}" = "puppeting";
+        };
+
+        # Animated stickers conversion requires additional packages in the
+        # service's path.
+        # If this isn't a fresh installation, clearing the bridge's uploaded
+        # file cache might be necessary (make a database backup first!):
+        # delete from telegram_file where \
+        #   mime_type in ('application/gzip', 'application/octet-stream')
+        animated_sticker = {
+          target = "gif";
+          args = {
+            width = 256;
+            height = 256;
+            fps = 30;               # only for webm
+            background = "020202";  # only for gif, transparency not supported
+          };
+        };
+      };
+    };
   };
 
+  };
+
+  systemd.services.mautrix-telegram.path = with pkgs; [
+    lottieconverter  # for animated stickers conversion, unfree package
+    ffmpeg           # if converting animated stickers to webm (very slow!)
+  ];
+
   networking.extraHosts = ''
         127.0.0.1 ${matrixdomain} ${matrixwebdomain}
         ${architect-lan} ${matrixdomain} ${matrixwebdomain}
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix
index be3e4e5..7d3957c 100644
--- a/hosts/architect/network.nix
+++ b/hosts/architect/network.nix
@@ -35,6 +35,8 @@ rec {
   germano-wg       = "10.3.0.19";
   flavio-wg        = "10.3.0.20";
   tommy-wg         = "10.3.0.21";
+  alain-wg         = "10.3.0.22";
+  dima-wg          = "10.3.0.23";
   eleonora-wg      = "10.3.0.100";
   broccolino-wg    = "10.3.0.200";
   hotpottino-wg    = "10.3.0.201";
diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix
index 65b332f..a6ca9e8 100644
--- a/hosts/architect/nextcloud.nix
+++ b/hosts/architect/nextcloud.nix
@@ -12,6 +12,8 @@ with import ./network.nix;
       enable = true;
       hostName = "${nextclouddomain}";
       https = true;
+      package = pkgs.unstable.nextcloud22;
+
       caching.redis = true;
 
       autoUpdateApps.enable = true;
diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix
index 07290b6..253ce92 100644
--- a/hosts/architect/plex.nix
+++ b/hosts/architect/plex.nix
@@ -1,6 +1,22 @@
+{ pkgs, ...}:
+
 with import ./network.nix;
 {
-  services.plex.enable = true;
+  services.plex = {
+    enable = true;
+    package = pkgs.plex.overrideAttrs (x: let
+        # see https://www.plex.tv/media-server-downloads/ for 64bit rpm
+        version = "1.24.1.4931-1a38e63c6";
+        sha1 = "7d0751f7efaa7b5fc9ac2a3cdb130712db6b6d89";
+      in {
+        name = "plex-${version}";
+        src = pkgs.fetchurl {
+          url = "https://downloads.plex.tv/plex-media-server-new/${version}/debian/plexmediaserver_${version}_amd64.deb";
+          inherit sha1;
+        };
+      }
+    );
+  };
 
   services.nginx = {
     enable = true;
diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix
index ee2c6a1..6be1324 100644
--- a/hosts/architect/wireguard.nix
+++ b/hosts/architect/wireguard.nix
@@ -165,6 +165,18 @@ with import ./network.nix;
           allowedIPs = [tommy-wg];
           publicKey = "tytknU7wql1d0A2provX3RP7CNcEIajfgBJKoSyVLgo=";
         }
+
+        {
+          # alain
+          allowedIPs = [alain-wg];
+          publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno=";
+        }
+
+        {
+          # dima
+          allowedIPs = [dima-wg];
+          publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0=";
+        }
       ];
     };
   };