From 2ef113bc0e6ceb60f023228e8b82538a76b897bc Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Thu, 5 Feb 2026 06:30:45 -0600
Subject: [PATCH] synapse cert logic
---
 modules/servers/synapse.nix | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/modules/servers/synapse.nix b/modules/servers/synapse.nix
index fc17e5f..445a394 100644
--- a/modules/servers/synapse.nix
+++ b/modules/servers/synapse.nix
@@ -43,11 +43,6 @@ in
 owner = "matrix-synapse";
 group = "matrix-synapse";
 };
- "iqQCY4iAWO-ca/pem" = {
- sopsFile = ../../secrets/certs.yaml;
- owner = "nginx";
- group = "nginx";
- };
 "matrix/key" = {
 sopsFile = ../../secrets/certs.yaml;
 owner = "matrix-synapse";
@@ -102,7 +97,15 @@ in
 };
 })
 (lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
- my.servers.synapse.useDefaultProxy = false;
+ sops.secrets."iqQCY4iAWO-ca/pem" = {
+ sopsFile = ../../secrets/certs.yaml;
+ owner = "nginx";
+ group = "nginx";
+ };
+ my.servers.synapse = {
+ useDefaultProxy = false;
+ certPath = config.sops.secrets."iqQCY4iAWO-ca/pem".path;
+ };
 services.nginx.virtualHosts = {
 "${cfgE.host}" = {
 enableACME = true;
@@ -128,11 +131,6 @@ in
 "/_matrix".proxyPass = "http://[${config.my.localhost6}]:${toString cfg.port}";
 "/_synapse/client".proxyPass = "http://[${config.my.localhost6}]:${toString cfg.port}";
 };
- # extraConfig = ''
- # ssl_verify_client on;
- # ssl_client_certificate ${config.sops.secrets."iqQCY4iAWO-ca/pem".path};
- # error_page 403 /403.html;
- # '';
 };
 };
 })
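Review bot: In the second hunk `certPath` is set in the same attrset as `useDefaultProxy = false`, and nothing in the visible part of the hand-written `services.nginx.virtualHosts."${cfgE.host}"` entry reads it, so it is not clear from this patch that client-certificate verification is enforced on this vhost. The third hunk also removes the commented-out `ssl_verify_client on;` / `ssl_client_certificate` lines, which were the only visible reference to that check. If the consumer of `my.servers.synapse.certPath` sits in the default-proxy path, the assignment would presumably be a silent no-op here. Please confirm where it is read and record it next to the assignment, for example `# certPath is read by <consumer module> to set ssl_client_certificate; confirm it applies when useDefaultProxy = false`. The `lib.mkIf` block and the vhost definition continue outside the hunks, so the consumer may simply not be shown.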