diff --git a/matrix/docker-compose.yml b/matrix/docker-compose.yml
new file mode 100644
index 00000000..ac3e914c
--- /dev/null
+++ b/matrix/docker-compose.yml
@@ -0,0 +1,60 @@
+version: '3.8'
+# Matrix Conduit deployment for Timmy Fleet
+# Parent: timmy-config#166
+# Generated: 2026-04-05
+
+services:
+  conduit:
+    image: matrixconduit/matrix-conduit:v0.7.0
+    container_name: conduit-homeserver
+    restart: unless-stopped
+    volumes:
+      - ./matrix-data:/data
+      - ./media:/media
+      - ./conduit-config.toml:/etc/conduit/config.toml:ro
+    environment:
+      - CONDUIT_CONFIG=/etc/conduit/config.toml
+    networks:
+      - matrix
+      - traefik-public
+    labels:
+      # Client API (HTTPS)
+      - "traefik.enable=true"
+      - "traefik.http.routers.matrix-client.rule=Host(`matrix.tactical.local`)"
+      - "traefik.http.routers.matrix-client.tls=true"
+      - "traefik.http.routers.matrix-client.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.matrix-client.entrypoints=websecure"
+      - "traefik.http.services.matrix-client.loadbalancer.server.port=6167"
+      
+      # Federation (TCP 8448) - direct or via Traefik TCP entrypoint
+      # Option A: Direct host port mapping
+      # Option B: Traefik TCP router (requires Traefik federation entrypoint)
+      - "traefik.tcp.routers.matrix-federation.rule=HostSNI(`*`)"
+      - "traefik.tcp.routers.matrix-federation.entrypoints=federation"
+      - "traefik.tcp.services.matrix-federation.loadbalancer.server.port=8448"
+    # Port mappings (only needed if NOT using Traefik for federation)
+    # ports:
+    #   - "8448:8448"
+
+  # Element web client (optional - can use app.element.io instead)
+  element:
+    image: vectorim/element-web:latest
+    container_name: element-web
+    restart: unless-stopped
+    volumes:
+      - ./element-config.json:/app/config.json:ro
+    networks:
+      - traefik-public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.element.rule=Host(`chat.tactical.local`)"
+      - "traefik.http.routers.element.tls=true"
+      - "traefik.http.routers.element.tls.certresolver=letsencrypt"
+      - "traefik.http.routers.element.entrypoints=websecure"
+      - "traefik.http.services.element.loadbalancer.server.port=80"
+
+networks:
+  matrix:
+    internal: true
+  traefik-public:
+    external: true  # Connects to timmy-home Traefik