diff --git a/services/synapse/nginx.nix b/services/synapse/nginx.nix
index 945a713..bc28321 100644
--- a/services/synapse/nginx.nix
+++ b/services/synapse/nginx.nix
@@ -1,14 +1,7 @@
 { config, ... }:
 let
- cfg = config.machine.synapse;
-
- clientConfig."m.homeserver".base_url = baseUrl;
- serverConfig."m.server" = "${cfg.domain}:443";
- mkWellKnown = data: ''
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- return 200 '${builtins.toJSON data}';
- '';
+ inherit (config.machine.synapse) domain port;
+ maxUploadSize = config.services.matrix-synapse.settings.max_upload_size;
 in
 {
 systemd.services.nginx.serviceConfig.SupplementaryGroups = [ "matrix-synapse" ];
@@ -16,16 +9,18 @@ in
 services.nginx = {
 appendHttpConfig = ''
 limit_req_zone $binary_remote_addr zone=matrix:10m rate=50r/s;
+ limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
 '';
- virtualHosts.${cfg.domain} = {
+ upstreams."matrix-synapse".servers = {
+ "unix:/run/matrix-synapse/matrix-synapse.sock" = { };
+ };
+ virtualHosts.${domain} = {
 forceSSL = true;
 enableACME = true;
 locations = {
- "= /.well-known/matrix/server".extraConfig = mkWellKnown serverConfig;
- "= /.well-known/matrix/client".extraConfig = mkWellKnown clientConfig;
 "^~ /_matrix" = {
- proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ proxyPass = "http://127.0.0.1:${toString port}";
 extraConfig = ''
 limit_req zone=matrix burst=100 nodelay;
 proxy_set_header Host $host;
@@ -41,7 +36,7 @@ in
 # Health check
 "= /health" = {
- proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ proxyPass = "http://127.0.0.1:${toString port}";
 extraConfig = ''
 access_log off;
 '';
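Review bot: Dropping `mkWellKnown` in the first hunk, together with the two `= /.well-known/matrix/...` locations removed in the second hunk, leaves no visible replacement for Matrix server and client discovery on this vhost. Without `/.well-known/matrix/server` advertising `${domain}:443`, remote homeservers fall back to SRV lookup or port 8448, so federation may stop working unless another module serves these documents. If that is the case, a short comment such as `# .well-known/matrix is served by <module>` next to `locations` would record it. Separately, `maxUploadSize` is bound but not referenced in any visible hunk; presumably it feeds `client_max_body_size` in lines outside this diff.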
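Review bot: The new `upstreams."matrix-synapse"` entry in the second hunk points at the Unix socket, but `"^~ /_matrix"` in that hunk and `"= /health"` in the last hunk still use `proxyPass = "http://127.0.0.1:${toString port}";`, so as far as these hunks show nothing routes through the socket. If the intent is to move off loopback TCP, which any local process can connect to, and rely on the socket's group permissions (nginx already gets `SupplementaryGroups = [ "matrix-synapse" ]`), both lines should read `proxyPass = "http://matrix-synapse";`. Likewise `limit_conn_zone` only declares the `conn_limit` zone: no `limit_conn conn_limit <N>;` appears in the visible `extraConfig`, which continues past the hunk, so the per-address connection cap may not be enforced.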