diff --git a/os/default.nix b/os/default.nix
index 11e4021..e583260 100644
--- a/os/default.nix
+++ b/os/default.nix
@@ -16,6 +16,7 @@
 ./printing
 ./remote-builds
 ./style
+ ./syncthing
 ./wireless
 ];
 }
diff --git a/os/syncthing/default.nix b/os/syncthing/default.nix
new file mode 100644
index 0000000..dcff744
--- /dev/null
+++ b/os/syncthing/default.nix
@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+let
+ cfg = config.services.syncthing;
+ service = "syncthing";
+ secretsDir = "/etc/secrets/${service}";
+ password = {
+ path = "syncthing/${config.networking.hostName}";
+ selector = "@";
+ generator = ''(t="$(mktemp -d)" && ${lib.getExe pkgs.syncthing} generate --home="$t" &> /dev/null && cat "$t"/{cert,key}.pem && rm -rf "$t")'';
+ };
+in
+{
+ config = lib.mkIf cfg.enable {
+ services.${service} = {
+ guiAddress = "127.0.0.1:8385"; # DEBUG
+
+ openDefaultPorts = true;
+ configDir = "/var/lib/${service}";
+ databaseDir = "/var/cache/${service}";
+ dataDir = cfg.databaseDir; # Don't really care
+
+ key = "${secretsDir}/key.pem";
+ cert = "${secretsDir}/cert.pem";
+ };
+ systemd.services.${service} = {
+ serviceConfig.ExecStartPre = [
+ "+${pkgs.writeShellScript "syncthing-create-folders" ''
+ install -Dm700 -o ${cfg.user} -g ${cfg.group} -d ${cfg.configDir}
+ install -Dm700 -o ${cfg.user} -g ${cfg.group} -d ${cfg.databaseDir}
+ ''}"
+ ];
+ };
+ vivarium.passwordFiles = {
+ ${cfg.key}.password = password // {
+ transform = "${lib.getExe pkgs.openssl} pkey";
+ };
+ ${cfg.cert}.password = password // {
+ transform = "${lib.getExe pkgs.openssl} x509";
+ };
+ };
+ };
+}
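Review bot: In the `generator` string of `password` (os/syncthing/default.nix), the temporary directory holding the freshly generated private key is only removed when every earlier step succeeds, because `rm -rf "$t"` is the last link of the `&&` chain, and `&> /dev/null` also discards the reason a failed `syncthing generate` gave; an EXIT trap cleans up on every path and keeps stderr visible, e.g. `generator = ''(t="$(mktemp -d)" && trap 'rm -rf "$t"' EXIT && ${lib.getExe pkgs.syncthing} generate --home="$t" >/dev/null && cat "$t"/{cert,key}.pem)'';`. The `# DEBUG` marker on `guiAddress` reads as a leftover; if binding the GUI to 127.0.0.1:8385 is intended, a comment saying so (the port differs from Syncthing's default 8384 and the GUI stays local-only) would be clearer than the tag. `openDefaultPorts = true` opens Syncthing's sync and discovery ports in the host firewall on all interfaces, which deserves a one-line comment recording that this exposure is deliberate. The two `install -Dm700` lines interpolate `${cfg.user}`, `${cfg.group}`, `${cfg.configDir}` and `${cfg.databaseDir}` unquoted into the shell script; wrapping each in double quotes is the safer habit even though the current values contain no whitespace. How `vivarium.passwordFiles` makes the generated `key.pem` readable by `cfg.user` is not visible here, so that part is assumed to be handled by that module.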