diff --git a/services/communication/kustomization.yaml b/services/communication/kustomization.yaml
index 5f0f361..6b4f4a0 100644
--- a/services/communication/kustomization.yaml
+++ b/services/communication/kustomization.yaml
@@ -5,6 +5,8 @@ namespace: communication
 resources:
   - namespace.yaml
   - synapse-rendered.yaml
+  - mas-configmap.yaml
+  - mas-deployment.yaml
   - element-rendered.yaml
   - livekit-config.yaml
   - livekit.yaml
diff --git a/services/communication/mas-configmap.yaml b/services/communication/mas-configmap.yaml
new file mode 100644
index 0000000..cc859ba
--- /dev/null
+++ b/services/communication/mas-configmap.yaml
@@ -0,0 +1,56 @@
+# services/communication/mas-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: matrix-authentication-service-config
+  namespace: communication
+data:
+  config.yaml: |
+    http:
+      public_base: "https://matrix.live.bstein.dev/"
+
+    database:
+      uri: "postgresql://mas:@@MAS_DB_PASSWORD@@@postgres-service.postgres.svc.cluster.local:5432/mas?sslmode=prefer"
+
+    secrets:
+      encryption_file: /etc/mas/secrets/encryption
+      keys_dir: /etc/mas/keys
+
+    passwords:
+      enabled: true
+
+    matrix:
+      kind: synapse
+      homeserver: live.bstein.dev
+      endpoint: "http://othrys-synapse-matrix-synapse:8008/"
+      secret_file: /etc/mas/secrets/matrix_shared_secret
+
+    upstream_oauth2:
+      providers:
+        - id: 01KDTTKYCYTAAAQKMAKZZ5CPW3
+          synapse_idp_id: oidc-keycloak
+          issuer: "https://sso.bstein.dev/realms/atlas"
+          human_name: "Keycloak"
+          brand_name: "keycloak"
+          client_id: "othrys-mas"
+          client_secret_file: /etc/mas/secrets/keycloak_client_secret
+          token_endpoint_auth_method: client_secret_post
+          scope: "openid profile email"
+          claims_imports:
+            localpart:
+              action: require
+              template: "{{ user.preferred_username }}"
+              on_conflict: add
+            displayname:
+              action: force
+              template: "{{ user.name }}"
+            email:
+              action: force
+              template: "{{ user.email }}"
+
+    policy:
+      data:
+        client_registration:
+          allow_insecure_uris: true
+          allow_host_mismatch: true
+          allow_missing_client_uri: true
diff --git a/services/communication/mas-deployment.yaml b/services/communication/mas-deployment.yaml
new file mode 100644
index 0000000..711640c
--- /dev/null
+++ b/services/communication/mas-deployment.yaml
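Review bot: The `policy.data.client_registration` block at the end of the hunk switches off all three client-registration safeguards (`allow_insecure_uris`, `allow_host_mismatch`, `allow_missing_client_uri`) on a service whose `public_base` is a public HTTPS origin, which — given MAS's dynamic client registration endpoint — appears to let an anonymous registration request obtain a client with plain-http or host-mismatched redirect URIs. Unless a specific client is known to need this, drop the block so MAS's defaults apply, or narrow it and justify it in a comment such as `# client_registration checks relaxed for <client>; remove once it registers compliant URIs`. The `localpart.on_conflict: add` setting links a Keycloak login to an already-existing Matrix account whenever `preferred_username` collides, so it should only stay if that username is immutable and admin-controlled in the `atlas` realm — otherwise prefer the stricter `fail`. Also `sslmode=prefer` in the database URI silently falls back to cleartext if the server refuses TLS; `sslmode=require` (or `verify-full` with the cluster CA) is the safer choice for a cross-namespace Postgres connection.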
@@ -0,0 +1,108 @@
+# services/communication/mas-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: matrix-authentication-service
+  namespace: communication
+  labels:
+    app: matrix-authentication-service
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: matrix-authentication-service
+  template:
+    metadata:
+      labels:
+        app: matrix-authentication-service
+    spec:
+      enableServiceLinks: false
+      nodeSelector:
+        hardware: rpi5
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 50
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values: ["rpi5","rpi4"]
+      containers:
+        - name: mas
+          image: ghcr.io/element-hq/matrix-authentication-service:0.20.0
+          command: ["/bin/sh","-c"]
+          args:
+            - |
+              set -euo pipefail
+              umask 077
+
+              DB_PASS_ESCAPED="$(printf '%s' "${MAS_DB_PASSWORD}" | sed 's/[\\/&]/\\&/g')"
+              sed "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" /etc/mas/config.yaml > /var/run/mas-config.yaml
+
+              exec mas-cli server --config /var/run/mas-config.yaml
+          env:
+            - name: MAS_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mas-db
+                  key: password
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: config
+              mountPath: /etc/mas/config.yaml
+              subPath: config.yaml
+              readOnly: true
+            - name: secrets
+              mountPath: /etc/mas/secrets
+              readOnly: true
+            - name: keys
+              mountPath: /etc/mas/keys
+              readOnly: true
+          resources:
+            requests:
+              cpu: 200m
+              memory: 256Mi
+            limits:
+              cpu: "2"
+              memory: 1Gi
+      volumes:
+        - name: config
+          configMap:
+            name: matrix-authentication-service-config
+            items:
+              - key: config.yaml
+                path: config.yaml
+        - name: secrets
+          secret:
+            secretName: mas-secrets-runtime
+            items:
+              - key: encryption
+                path: encryption
+              - key: matrix_shared_secret
+                path: matrix_shared_secret
+              - key: keycloak_client_secret
+                path: keycloak_client_secret
+        - name: keys
+          secret:
+            secretName: mas-secrets-runtime
+            items:
+              - key: rsa_key
+                path: rsa_key
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: matrix-authentication-service
+  namespace: communication
+spec:
+  selector:
+    app: matrix-authentication-service
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP
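Review bot: The `mas` container has no securityContext at either pod or container level, so it runs as whatever user the image defaults to with full capabilities, and the entrypoint depends on a writable root filesystem because it renders the config (DB password included) to `/var/run/mas-config.yaml`. I would add `runAsNonRoot`/`seccompProfile` on the pod, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` and `readOnlyRootFilesystem: true` on the container, and write the rendered file into a memory-backed emptyDir as sketched below (set `runAsUser` too if the image has no numeric `USER`). Separately, the sed escaping only protects the sed expression: `MAS_DB_PASSWORD` is spliced unencoded into a `postgresql://` URI, so a value containing `@`, `:`, `/`, `#`, `%` or `?` produces a broken URI — either constrain the Secret to URL-safe characters with a comment on the `env` entry, or percent-encode it before substitution. Note also that `nodeSelector: hardware: rpi5` is a hard requirement, so the `rpi4` entry in the preferred affinity can never apply. Finally, please confirm that this image tag actually ships `/bin/sh` and `sed`; if it is a distroless build, this entrypoint will not start.
```yaml
    spec:
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: nodeSelector, affinity …
      containers:
        - name: mas
          image: ghcr.io/element-hq/matrix-authentication-service:0.20.0
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          command: ["/bin/sh","-c"]
          args:
            - |
              set -euo pipefail
              umask 077

              DB_PASS_ESCAPED="$(printf '%s' "${MAS_DB_PASSWORD}" | sed 's/[\\/&]/\\&/g')"
              sed "s/@@MAS_DB_PASSWORD@@/${DB_PASS_ESCAPED}/g" /etc/mas/config.yaml > /run/mas/config.yaml

              exec mas-cli server --config /run/mas/config.yaml
          # … unchanged: env, ports …
          volumeMounts:
            - name: rendered
              mountPath: /run/mas
            # … unchanged: config, secrets, keys mounts; resources …
      volumes:
        - name: rendered
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
        # … unchanged: config, secrets, keys volumes …
```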