diff --git a/hosts/nuc/modules/authentik/default.nix b/hosts/nuc/modules/authentik/default.nix
index 6913f98..5ee7e45 100644
--- a/hosts/nuc/modules/authentik/default.nix
+++ b/hosts/nuc/modules/authentik/default.nix
@@ -12,7 +12,15 @@ in
 services.authentik = {
 enable = true;
 environmentFile = config.age.secrets.authentik-core.path;
+ settings = {
+ cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
+ };
 };
+ systemd.services.authentik-worker.serviceConfig.LoadCredential = [
+ "${domain}.pem:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt"
+ "${domain}.key:/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.key"
+ ];
+
 services.authentik-ldap = {
 enable = true;
 environmentFile = config.age.secrets.authentik-ldap.path;
diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix
index 07591f4..161c056 100644
--- a/hosts/nuc/modules/matrix/default.nix
+++ b/hosts/nuc/modules/matrix/default.nix
@@ -72,6 +72,9 @@ in
 reverse_proxy /client/* unix//run/matrix-sliding-sync/server.sock
 reverse_proxy /_matrix/client/unstable/org.matrix.msc3575/sync* unix//run/matrix-sliding-sync/server.sock
 reverse_proxy 127.0.0.1:8008
+ handle /_synapse/metrics* {
+ respond 404
+ }
 '';
 # element
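Review bot: `LoadCredential` copies the two files into the worker's credential directory only when `authentik-worker` starts, so after Caddy renews the certificate the worker keeps the old pair until its next restart, and the unit will fail to start if Caddy has not yet issued a certificate for `${domain}`. Nothing in this hunk restarts the worker on renewal; a path unit watching the `.crt` file that runs `systemctl try-restart authentik-worker.service` would close that gap (sketch below). The source path also pins the `acme-v02.api.letsencrypt.org-directory` issuer directory, so a certificate obtained from any other issuer Caddy is configured for would not be found. A comment should also record that this hands the web server's TLS private key to the identity provider, and authentik's certificate discovery appears to import discovered key pairs into its own store; confirm that is intended rather than issuing a dedicated certificate.

```nix
# … unchanged: LoadCredential list for authentik-worker …

# Refresh the worker's credential copy whenever Caddy rewrites the certificate.
systemd.paths.authentik-worker-cert = {
  wantedBy = [ "paths.target" ];
  pathConfig.PathChanged = "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}/${domain}.crt";
};
systemd.services.authentik-worker-cert = {
  serviceConfig.Type = "oneshot";
  # try-restart: no-op when the worker is not running, so this never starts it by itself.
  serviceConfig.ExecStart = "${config.systemd.package}/bin/systemctl try-restart authentik-worker.service";
};
```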
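Review bot: The new `handle /_synapse/metrics*` block is a deny-list of one path, while the catch-all `reverse_proxy 127.0.0.1:8008` just above it still forwards every other path, `/_synapse/admin` included, to Synapse. Synapse's reverse-proxy guidance is to forward only `/_matrix` and `/_synapse/client`, so an allow-list is sturdier: `@synapse path /_matrix/* /_synapse/client/*` with `reverse_proxy @synapse 127.0.0.1:8008`. The 404 also takes effect only because Caddy's default directive order sorts `handle` ahead of `reverse_proxy`; the enclosing block starts outside the hunk, and if it is a `route` the order is literal and the `handle` is never reached. A comment such as `# handle is ordered before reverse_proxy; keeps Synapse metrics off the public vhost` would make that dependency visible, and serving metrics from a separate loopback-only listener would remove the need for the proxy rule.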