diff --git a/modules/scripts/update-dns.nix b/modules/scripts/update-dns.nix
index 77d483b..e7716bb 100644
--- a/modules/scripts/update-dns.nix
+++ b/modules/scripts/update-dns.nix
@@ -17,7 +17,8 @@
 };
 };
 services.cloudflare-dyndns = {
- inherit (config.my.scripts.update-dns) enable;
+ # inherit (config.my.scripts.update-dns) enable;
+ enable = false;
 ipv4 = true;
 ipv6 = false;
 proxied = false;
diff --git a/modules/servers/synapse.nix b/modules/servers/synapse.nix
index 24bc9dd..97eb6dd 100644
--- a/modules/servers/synapse.nix
+++ b/modules/servers/synapse.nix
@@ -78,6 +78,15 @@ in
 extraConfig = ''
 ssl_verify_client on;
 ssl_client_certificate ${config.sops.secrets."iqQCY4iAWO-ca/pem".path};
+ set $client_requires_cert 1;
+ if ($remote_addr ~ "^10\.100\.0\.[0-9]+$") {
+ set $client_requires_cert 0;
+ }
+ if ($client_requires_cert = 1) {
+ if ($ssl_client_verify != SUCCESS) {
+ return 403;
+ }
+ }
 error_page 403 /403.html;
 '';
 };
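Review bot: Hard-coding `enable = false;` disconnects `services.cloudflare-dyndns` from `config.my.scripts.update-dns.enable`, so setting that option to true now silently produces no DNS updates. If the switch-off is temporary, replace the commented-out line with a comment that records the reason and the line to restore, e.g. `# TODO: temporarily disabled (reason); restore 'inherit (config.my.scripts.update-dns) enable;'`. The enclosing module starts outside the hunk, so whether the option still gates anything else is not visible here.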
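Review bot: The nested `if ($ssl_client_verify != SUCCESS)` inside `if ($client_requires_cert = 1)` is not valid nginx, because `if` is only accepted at server or location level, so the generated config should fail `nginx -t`. Separately, `ssl_verify_client on;` stays unchanged above the new lines, and with `on` nginx rejects a request lacking a valid certificate before these rewrite directives run, so the 10.100.0.x exemption would never take effect. It needs `ssl_verify_client optional;`, after which this check is the only enforcement and must fail closed. The fence below flattens the logic into a single test that returns 403 for every state other than an exempt address or `SUCCESS`. The exemption trusts `$remote_addr`, so any realip or `set_real_ip_from` configuration elsewhere (not visible here) should be limited to trusted proxies; the virtual host definition also starts outside the hunk, so I am assuming `extraConfig` lands in a server block.

```nix
ssl_verify_client optional;
# … unchanged: ssl_client_certificate line …
set $cert_gate "required:$ssl_client_verify";
if ($remote_addr ~ "^10\.100\.0\.[0-9]+$") {
  set $cert_gate "exempt";
}
# Fail closed: NONE, FAILED:<reason> and any unexpected value are all rejected.
if ($cert_gate !~ "^(exempt|required:SUCCESS)$") {
  return 403;
}
# … unchanged: error_page 403 /403.html; …
```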