diff --git a/modules/core/matrix-secret.nix b/modules/core/matrix-secret.nix
deleted file mode 100644
index 70500ab..0000000
--- a/modules/core/matrix-secret.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-{
- # ── Generate Matrix registration secret at runtime ──────────
- systemd.services.matrix-synapse-secret-init = {
- description = "Generate Matrix Synapse registration secret if missing";
- wantedBy = [ "multi-user.target" ];
- before = [ "matrix-synapse.service" ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- path = [ pkgs.pwgen pkgs.coreutils ];
- script = ''
- SECRET_FILE="/var/lib/matrix-synapse/registration-secret"
- if [ ! -f "$SECRET_FILE" ]; then
- mkdir -p /var/lib/matrix-synapse
- pwgen -s 64 1 > "$SECRET_FILE"
- chown matrix-synapse:matrix-synapse "$SECRET_FILE"
- chmod 600 "$SECRET_FILE"
- echo "Generated Matrix registration secret"
- else
- echo "Matrix registration secret already exists, skipping"
- fi
- '';
- };
-}
\ No newline at end of file
diff --git a/modules/modules.nix b/modules/modules.nix
index 0db8221..1fef452 100755
--- a/modules/modules.nix
+++ b/modules/modules.nix
@@ -7,7 +7,6 @@
 ./core/role-logic.nix
 ./core/caddy.nix
 ./core/njalla.nix
- ./core/matrix-secret.nix
 ./core/sovran-manage-domains.nix
 # ── Always on (no flag) ───────────────────────────────────
diff --git a/modules/synapse.nix b/modules/synapse.nix
index 3b810b7..ae6d58f 100755
--- a/modules/synapse.nix
+++ b/modules/synapse.nix
@@ -12,6 +12,31 @@ lib.mkIf config.sovran_systemsOS.services.synapse {
 ];
 };
+ # ── Generate registration secret if missing ─────────────────
+ systemd.services.matrix-synapse-secret-init = {
+ description = "Generate Matrix Synapse registration secret if missing";
+ wantedBy = [ "multi-user.target" ];
+ before = [ "matrix-synapse.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ path = [ pkgs.pwgen pkgs.coreutils ];
+ script = ''
+ SECRET_FILE="/var/lib/matrix-synapse/registration-secret"
+ if [ ! -f "$SECRET_FILE" ]; then
+ mkdir -p /var/lib/matrix-synapse
+ pwgen -s 64 1 > "$SECRET_FILE"
+ chown matrix-synapse:matrix-synapse "$SECRET_FILE"
+ chmod 600 "$SECRET_FILE"
+ echo "Generated Matrix registration secret"
+ else
+ echo "Matrix registration secret already exists, skipping"
+ fi
+ '';
+ };
+
+ # ── Generate DB password if missing ─────────────────────────
 systemd.services.matrix-synapse-db-init = {
 description = "Generate Matrix Synapse DB password if missing";
 wantedBy = [ "multi-user.target" ];
@@ -35,6 +60,7 @@ lib.mkIf config.sovran_systemsOS.services.synapse {
 '';
 };
+ # ── Generate runtime config from domain files ───────────────
 systemd.services.matrix-synapse-runtime-config = {
 description = "Generate Synapse runtime config from domain files";
 before = [ "matrix-synapse.service" ];
@@ -65,6 +91,7 @@ EOF
 '';
 };
+ # ── Synapse service ─────────────────────────────────────────
 services.matrix-synapse = {
 enable = true;
 extraConfigFiles = [
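Review bot: In the `matrix-synapse-secret-init` script added by the first hunk of modules/synapse.nix, `pwgen -s 64 1 > "$SECRET_FILE"` creates the file before `chmod 600` runs, and the visible `serviceConfig` sets no `UMask`, so under a default umask the registration secret is briefly readable by other local users. Starting the script with `umask 077` (or adding `UMask = "0077";` to `serviceConfig`) closes that window. The `[ ! -f "$SECRET_FILE" ]` guard also accepts an empty file: if pwgen fails after the redirect has created it, later boots take the "already exists, skipping" branch and leave the secret empty, so `[ ! -s "$SECRET_FILE" ]` is the safer test. The enclosing `lib.mkIf … {` attribute set opens above the hunk, so whether `matrix-synapse.service` actually requires this unit (rather than only being ordered after it) cannot be confirmed from here.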