synapse cert logic

modules/servers/synapse.nix

@@ -43,11 +43,6 @@ in
           owner = "matrix-synapse";
           group = "matrix-synapse";
         };
-        "iqQCY4iAWO-ca/pem" = {
-          sopsFile = ../../secrets/certs.yaml;
-          owner = "nginx";
-          group = "nginx";
-        };
         "matrix/key" = {
           sopsFile = ../../secrets/certs.yaml;
           owner = "matrix-synapse";
@@ -102,7 +97,15 @@ in
       };
     })
     (lib.mkIf (cfg.enableProxy && config.my.enableProxy) {
-      my.servers.synapse.useDefaultProxy = false;
+      sops.secrets."iqQCY4iAWO-ca/pem" = {
+        sopsFile = ../../secrets/certs.yaml;
+        owner = "nginx";
+        group = "nginx";
+      };
+      my.servers.synapse = {
+        useDefaultProxy = false;
+        certPath = config.sops.secrets."iqQCY4iAWO-ca/pem".path;
+      };
       services.nginx.virtualHosts = {
         "${cfgE.host}" = {
           enableACME = true;
@@ -128,11 +131,6 @@ in
             "/_matrix".proxyPass = "http://[${config.my.localhost6}]:${toString cfg.port}";
             "/_synapse/client".proxyPass = "http://[${config.my.localhost6}]:${toString cfg.port}";
           };
-          # extraConfig = ''
-          #   ssl_verify_client on;
-          #   ssl_client_certificate ${config.sops.secrets."iqQCY4iAWO-ca/pem".path};
-          #   error_page 403 /403.html;
-          # '';
         };
       };
     })