diff --git a/infra/matrix/conduit.toml b/infra/matrix/conduit.toml
new file mode 100644
index 00000000..90aca3d3
--- /dev/null
+++ b/infra/matrix/conduit.toml
@@ -0,0 +1,53 @@
+# Conduit Configuration Scaffold
+# Copy to conduit.toml, replace placeholders, and deploy
+#
+# Issue: #166 - Matrix/Conduit for human-to-fleet encrypted communication
+
+[database]
+# SQLite is default; use PostgreSQL for production scale
+backend = "rocksdb"
+path = "/var/lib/matrix-conduit/"
+
+[global]
+# The domain name of your homeserver (MUST match DNS)
+server_name = "YOUR_DOMAIN_HERE" # e.g., "matrix.timmy.foundation"
+
+# The port Conduit listens on internally (mapped via docker-compose)
+port = 6167
+
+# Public base URL (what clients connect to)
+public_baseurl = "https://YOUR_DOMAIN_HERE/"
+
+# Enable/disable registration (disable after initial admin setup)
+allow_registration = false
+
+# Registration token for initial admin creation
+registration_token = "GENERATE_A_STRONG_TOKEN_PLEASE"
+
+# Enable federation (required for multi-homeserver fleet)
+allow_federation = true
+
+# Federation port (usually 8448)
+federation_port = 8448
+
+# Maximum upload size for media
+max_request_size = 104_857_600 # 100MB
+
+# Enable presence (who's online) - can be resource intensive
+allow_presence = true
+
+# Logging
+log = "info,rocket=off,_=off"
+
+[admin]
+# Enable admin commands via CLI
+enabled = true
+
+[well_known]
+# Configure /.well-known/matrix/client and /.well-known/matrix/server
+# This allows clients to auto-discover the homeserver
+client = "https://YOUR_DOMAIN_HERE/"
+server = "YOUR_DOMAIN_HERE:8448"
+
+# TLS is handled by the reverse proxy (Caddy/Nginx)
+# Conduit runs HTTP internally; proxy terminates TLS
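Review bot: `registration_token = "GENERATE_A_STRONG_TOKEN_PLEASE"` is a fixed string known to anyone who can read the repository, and nothing in the scaffold makes a deploy fail if it is left in place. The scaffold ships `allow_registration = false` while its comment says to disable registration after initial admin setup, so the bootstrap presumably means setting it to `true` for a while, which is when a forgotten placeholder would be accepted as a valid token. I would keep the value out of the committed file and have the deploy step supply it from a secret store, or at least add `# Public placeholder: replace before allow_registration is ever set to true` above it and have the deploy script reject the literal placeholder. Separately, the `[database]` comment talks about SQLite and PostgreSQL while the value is `backend = "rocksdb"`; the comment should describe the backend that is actually configured.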