diff --git a/fogcutter/podman/.gitignore b/fogcutter/podman/.gitignore
new file mode 100644
index 0000000..7becd36
--- /dev/null
+++ b/fogcutter/podman/.gitignore
@@ -0,0 +1 @@
+firefly.env
diff --git a/fogcutter/podman/firefly.sh b/fogcutter/podman/firefly.sh
new file mode 100755
index 0000000..1f61488
--- /dev/null
+++ b/fogcutter/podman/firefly.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+
+set -e
+
+up () {
+  loginctl enable-linger $USER
+  podman network create pew-net || true
+
+  # Exposed on port 8080 in pew-net
+  # env options: https://raw.githubusercontent.com/firefly-iii/firefly-iii/main/.env.example
+  # Create firefly.env with APP_KEY
+  podman create \
+    --name firefly \
+    --env-file=firefly.env \
+    --env SITE_OWNER=paulsw.pw@gmail.com \
+    --env TZ=US/Eastern \
+    --env TRUSTED_PROXIES=** \
+    --env DB_CONNECTION=mysql \
+    --env DB_HOST=firefly-mariadb \
+    --env DB_PORT=3306 \
+    --env DB_DATABASE=firefly \
+    --env DB_USERNAME=firefly \
+    --env DB_PASSWORD=firefly \
+    --env APP_URL=https://ff.seaturtle.pw \
+    --volume /bigdata/k8s-config/firefly/data:/var/www/html/storage/upload:rw \
+    --network pew-net \
+    jc5x/firefly-iii:version-5.4.6
+
+  podman generate systemd firefly --restart-policy=always --name > $HOME/.config/systemd/user/firefly.service
+  systemctl --user daemon-reload
+  systemctl start --user firefly || systemctl restart --user firefly
+  systemctl enable --user firefly
+
+  # Exposed on port 3306 in pew-net
+  podman create \
+    --name firefly-mariadb \
+    --env MYSQL_RANDOM_ROOT_PASSWORD=notnullvalue \
+    --env MYSQL_PASSWORD=firefly \
+    --env MYSQL_DATABASE=firefly \
+    --env MYSQL_USER=firefly \
+    --volume /bigdata/k8s-config/firefly/mariadb:/var/lib/mysql:rw \
+    --network pew-net \
+    mariadb:10.5.6
+
+  podman generate systemd firefly-mariadb --restart-policy=always --name > $HOME/.config/systemd/user/firefly-mariadb.service
+  systemctl --user daemon-reload
+  systemctl start --user firefly-mariadb || systemctl restart --user firefly-mariadb
+  systemctl enable --user firefly-mariadb
+}
+
+down () {
+  systemctl stop --user firefly || true
+  systemctl disable --user firefly || true
+  podman rm firefly || true
+  systemctl stop --user firefly-mariadb || true
+  systemctl disable --user firefly-mariadb || true
+  podman rm firefly-mariadb || true
+}
+
+logs () {
+  podman logs -f firefly
+}
+
+logsm () {
+  podman logs -f firefly-mariadb
+}
+
+$@
diff --git a/fogcutter/podman/matrix.sh b/fogcutter/podman/matrix.sh
new file mode 100755
index 0000000..4a29238
--- /dev/null
+++ b/fogcutter/podman/matrix.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -e
+
+up () {
+  loginctl enable-linger $USER
+  podman network create pew-net || true
+
+  # Exposed on port 8008 in pew-net
+  podman create \
+    --name synapse \
+    --env TZ=US/Eastern \
+    --volume /bigdata/k8s-config/matrix/synapse:/data:rw \
+    --network pew-net \
+    matrixdotorg/synapse:v1.26.0
+
+  podman generate systemd synapse --restart-policy=always --name > $HOME/.config/systemd/user/synapse.service
+  systemctl --user daemon-reload
+  systemctl start --user synapse || systemctl restart --user synapse
+  systemctl enable --user synapse
+
+  # Exposed on port 80 in pew-net
+  podman create \
+    --name riot-web \
+    --volume /bigdata/k8s-config/matrix/riot-web/config.json:/app/config.json:ro \
+    --network pew-net \
+    vectorim/element-web:v1.7.20
+
+  podman generate systemd riot-web --restart-policy=always --name > $HOME/.config/systemd/user/riot-web.service
+  systemctl --user daemon-reload
+  systemctl start --user riot-web || systemctl restart --user riot-web
+  systemctl enable --user riot-web
+}
+
+down () {
+  systemctl stop --user synapse || true
+  systemctl disable --user synapse || true
+  podman rm synapse || true
+  systemctl stop --user riot-web || true
+  systemctl disable --user riot-web || true
+  podman rm riot-web || true
+}
+
+logs () {
+  podman logs -f synapse
+}
+
+logsr () {
+  podman logs -f riot-web
+}
+
+$@
diff --git a/fogcutter/podman/nginx.sh b/fogcutter/podman/nginx.sh
index 84d886d..146555d 100755
--- a/fogcutter/podman/nginx.sh
+++ b/fogcutter/podman/nginx.sh
@@ -14,7 +14,7 @@ up () {
     --env GUID=1000 \
     --env TZ=US/Eastern \
     --env URL=seaturtle.pw \
-    --env SUBDOMAINS=airsonic,git,jf,nc,plex \
+    --env SUBDOMAINS=airsonic,ff,git,jf,m,matrix,nc,plex \
     --env VALIDATION=http \
     --env EMAIL=paulsw.pw@gmail.com \
     --volume /bigdata/files:/files:ro \
@@ -24,6 +24,7 @@ up () {
     --volume /bigdata/k8s-config/nginx/site-confs:/config/nginx/site-confs:ro \
     --publish 127.0.0.1:80:80 \
     --publish 443:443 \
+    --publish 8448:8448 \
     --network pew-net \
     linuxserver/swag:1.10.1-ls29