diff --git a/modules/matrix-homeserver/default.nix b/modules/matrix-homeserver/default.nix
index c9544cccc2c068f56afe79c62db9797d8ca0f338..0b66dcf81fad2daa07c07997d265e4e5b5d95e63 100644
--- a/modules/matrix-homeserver/default.nix
+++ b/modules/matrix-homeserver/default.nix
@@ -68,21 +68,25 @@ in {
       default = settingsFormat.generate "synapse-homeserver.yaml" cfg.settings;
       defaultText = ''settingsFormat.generate "synapse-homeserver.yaml" config.queezle.matrix-homeserver.configuration'';
       description = ''
-        Path to the config file. By default generated from queezle.matrix-homeserver.configuration.
+        Path to the config file. By default generated from queezle.matrix-homeserver.settings.
       '';
     };
 
-    secretsConfigFile = mkOption {
-      type = types.path;
-      default = "/etc/secrets/matrix-synapse/secrets.yaml";
+    extraConfigFiles = mkOption {
+      type = types.attrsOf types.path;
+      default = {};
+      example = { secrets = "/path/to/matrix-synapse/secrets.yaml"; };
       description = ''
-        A path to a file containing the 'registration_shared_secret' and other
-        secrets. Should only be readable by root (i.e. not in the Nix store).
+        Extra config files to include, e.g. as a way to include secrets without
+        publishing them to the nix store.
+        This is the recommended way to include the 'registration_shared_secret'
+        and other secrets.
+        Files will be read as root.
       '';
     };
 
     dataDir = mkOption {
-      type = types.str;
+      type = types.path;
       default = "/var/lib/matrix-synapse";
       description = ''
         The directory where matrix-synapse stores its stateful data such as
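Review bot: The `extraConfigFiles` option on the `types.attrsOf types.path` line accepts Nix path literals, and a literal such as `./secrets.yaml` is copied into the world-readable Nix store the moment it is interpolated into a string (which the unit's `LoadCredential` mapping does), which is exactly what the description says the option avoids; only a string path like the one in `example` stays out of the store. The description should say so explicitly, e.g. `Give paths as strings ("/run/secrets/synapse.yaml"), never as Nix path literals (./secrets.yaml): a path literal is copied into the world-readable Nix store.`, or the type could be tightened to `types.attrsOf types.str` so a path literal fails at evaluation instead of leaking. "Files will be read as root" is accurate for `LoadCredential`, which reads the file as root and exposes a copy only to the service user, so that sentence could also say where the copy ends up. The option set this hunk belongs to starts before the hunk.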
@@ -112,6 +116,7 @@ in {
       '';
     };
 
+    # .well-known configuration. Can be enabled on the same or on another another host.
     well-known = {
       enable = mkEnableOption ".well-known for queezles matrix homeserver";
 
@@ -121,6 +126,7 @@ in {
       };
     };
 
+    # Heisenbridge IRC bouncer. Has to run un the same host as synapse.
     heisenbridge = {
       enable = mkEnableOption "heisenbridge";
 
diff --git a/modules/matrix-homeserver/heisenbridge.nix b/modules/matrix-homeserver/heisenbridge.nix
index e0c9391c05654fb1dea6b2084eb71c8f82bf4552..0b6e1e698006e59ac9cf1e2bc2e36ac801fa8b3f 100644
--- a/modules/matrix-homeserver/heisenbridge.nix
+++ b/modules/matrix-homeserver/heisenbridge.nix
@@ -14,8 +14,8 @@ in {
     systemd.services.heisenbridge-generate = {
       description = "generate heisenbridge config";
       # Appconfig-file needs to exist before synapse is started
-      wantedBy = [ "matrix-synapse.service" ];
       before = [ "matrix-synapse.service" ];
+      wantedBy = [ "matrix-synapse.service" ];
 
       unitConfig = {
         # Only run once
@@ -57,7 +57,6 @@ in {
       serviceConfig = {
         Type = "exec";
         ExecStart =
-            # is a script to load environment variable
           let startScript = pkgs.writeShellScriptBin "heisenbridge" ''
             exec ${cfg.heisenbridge.package}/bin/heisenbridge --config $CREDENTIALS_DIRECTORY/config
           '';
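Review bot: Removing the "is a script to load environment variable" comment leaves the `startScript` wrapper with no stated reason to exist, while the same commit drops the equivalent wrapper in matrix-synapse.nix in favour of expanding the credentials directory directly in `ExecStart`. For consistency this unit could do the same, `ExecStart = "${cfg.heisenbridge.package}/bin/heisenbridge --config %d/config";` (`%d` being systemd's credentials-directory specifier, available on the systemd versions NixOS ships; `''${CREDENTIALS_DIRECTORY}/config` as in the synapse unit also works), which also removes the unquoted `$CREDENTIALS_DIRECTORY` expansion in the shell script. If the wrapper is kept, the comment should be restored rather than deleted. The enclosing `serviceConfig` starts and ends outside the hunk.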
@@ -74,12 +73,12 @@ in {
         Group = "heisenbridge";
 
         ProtectHome = true;
-        PrivateDevices = true;
         ProtectProc = "invisible";
         ProtectKernelTunables = true;
         ProtectControlGroups = true;
         ProtectKernelLogs = true;
         RestrictRealtime = true;
+        PrivateDevices = true;
       };
     };
   };
diff --git a/modules/matrix-homeserver/matrix-synapse.nix b/modules/matrix-homeserver/matrix-synapse.nix
index 369aee23158736252b878d3809ca427d9ab1f0be..496d8d1d3565ed49f0d9633ad5d8cc37b7b331b1 100644
--- a/modules/matrix-homeserver/matrix-synapse.nix
+++ b/modules/matrix-homeserver/matrix-synapse.nix
@@ -43,21 +43,15 @@ in {
 
       serviceConfig = {
         Type = "notify";
-        # Running as script to access environment variable
-        # Exec is used to preserve main process pid for systemd
-        ExecStart =
-          let startScript = pkgs.writeShellScriptBin "synapse" ''
-            exec ${cfg.package}/bin/homeserver --config-path ${cfg.configFile} --config-path $CREDENTIALS_DIRECTORY/secrets --keys-directory ${cfg.dataDir}
-          '';
-          in "${startScript}/bin/synapse";
+        ExecStart = ''
+          ${cfg.package}/bin/homeserver --config-path ${cfg.configFile} --config-directory ''${CREDENTIALS_DIRECTORY} --keys-directory ${cfg.dataDir}
+        '';
 
         User = "matrix-synapse";
         Group = "matrix-synapse";
         WorkingDirectory = cfg.dataDir;
 
-        LoadCredential = [
-          "secrets:${cfg.secretsConfigFile}"
-        ];
+        LoadCredential = mapAttrsToList (name: path: "${name}:${path}") cfg.extraConfigFiles;
 
         ExecReload = "${pkgs.util-linux}/bin/kill -HUP $MAINPID";
         Restart = "on-failure";
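Review bot: The new `ExecStart` no longer loads the credential files at all: in Synapse's CLI `--config-directory` only tells it where generated files such as signing keys and the log config live, and extra configuration is loaded through repeated `--config-path` (a file, or a directory it scans for `*.yaml`), so `registration_shared_secret` and anything else in `extraConfigFiles` would, as far as I can tell, be silently ignored — the removed wrapper's `--config-path $CREDENTIALS_DIRECTORY/secrets` was correct on that point. Passing the credentials directory itself to `--config-path` would not be enough either, because credential names such as `secrets` carry no `.yaml` suffix for Synapse's directory scan to pick up. One `--config-path` per entry of `extraConfigFiles`, with systemd's `%d` credentials-directory specifier (or the `''${CREDENTIALS_DIRECTORY}` escape this hunk already uses), keeps the secrets out of the store and out of the unit file; this assumes `lib` is in scope unqualified the way `mapAttrsToList` is on the `LoadCredential` line, and that credential names are plain identifiers since `ExecStart` word-splits. The enclosing `serviceConfig` starts before the hunk.
```nix
        ExecStart = let
          # One --config-path per loaded credential; %d expands to the unit's credentials directory.
          extraConfigArgs = concatMapStringsSep " "
            (name: "--config-path %d/${name}")
            (attrNames cfg.extraConfigFiles);
        in "${cfg.package}/bin/homeserver --config-path ${cfg.configFile} ${extraConfigArgs} --keys-directory ${cfg.dataDir}";
        # … unchanged: User/Group/WorkingDirectory, LoadCredential, ExecReload, Restart …
```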
diff --git a/modules/matrix-homeserver/settings.nix b/modules/matrix-homeserver/settings.nix
index 620aa444f5fc57e01db6b2e10efba9914b1165da..2bdf726e38d9a92516ec6d2c574271deb4b6a013 100644
--- a/modules/matrix-homeserver/settings.nix
+++ b/modules/matrix-homeserver/settings.nix
@@ -8,6 +8,10 @@ in {
   # Allow to get more events during get and sync operation if requested by client
   filter_timeline_limit = 1000;
 
+  # Should be at least 1.1 to prevent TLS downgrade attacks
+  # But 1.2 should be supported by all homeservers, as well as the usual reverse proxies
+  federation_client_minimum_tls_version = 1.2;
+
   caches = {
     global_factor = 4.0;
   };
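Review bot: `federation_client_minimum_tls_version = 1.2;` passes a float where Synapse documents a quoted string (`"1", "1.1", "1.2", "1.3"`); Synapse stringifies the value before validating it so a float happens to round-trip today, but `federation_client_minimum_tls_version = "1.2";` matches the documented form and does not depend on float formatting. The comment above it should also make clear that this setting governs only Synapse's outbound federation connections — inbound federation and client TLS are terminated by the reverse proxy in front of Synapse, whose minimum version has to be set separately — e.g. `# Minimum TLS version for outbound federation requests. Inbound TLS is terminated by the reverse proxy, which needs its own minimum. 1.2 is supported by all current homeservers and proxies.`.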