diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 49e3cb9..eeb331a 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -73,17 +73,24 @@ in {
 
   networking = {
     # Open ports in the firewall.
-    firewall.allowedTCPPorts = [
-      22 # ssh
-      80 # http to local Nginx
-      443 # https to local Nginx
-      3000 # PsiTransfer in oci-container
-      8080 # Tandoor in docker compose
-      8888 # Atuin
-      8090 # Wallabag in docker compose
-      13378 # Audiobookshelf in oci-container
-    ];
-    # firewall.allowedUDPPorts = [ ... ];
+    firewall = {
+      allowedTCPPorts = [
+        22    # ssh
+        80    # http to local Nginx
+        443   # https to local Nginx
+        3000  # PsiTransfer in oci-container
+        8080  # Tandoor in docker compose
+        8384  # Syncthing gui
+        8888  # Atuin
+        8090  # Wallabag in docker compose
+        13378 # Audiobookshelf in oci-container
+        22000 # Syncthing transfers
+      ];
+      allowedUDPPorts = [
+        21027 # Syncthing discovery
+        22000 # Syncthing transfers
+      ];
+    };
     # Or disable the firewall altogether.
     # firewall.enable = false;
 
@@ -404,6 +411,12 @@ in {
       "/orico/jellyfin/staging/downloaded-files"
       "/var/backup/postgresql"
     ];
+    syncthing = {
+      enable = true;
+      dataDir = "/orico/syncthing";
+      openDefaultPorts = true;
+      guiAddress = "0.0.0.0:8384";
+    };
     tandoor-recipes = {
       enable = true;
       address = "0.0.0.0";
diff --git a/modules/system/common/secrets.yaml b/modules/system/common/secrets.yaml
index bb0f545..e35a489 100644
--- a/modules/system/common/secrets.yaml
+++ b/modules/system/common/secrets.yaml
@@ -81,8 +81,8 @@ sops:
             dDQybkwzOUtraGk1U21VeHBkNUpLeGsKgBP+mn2AZmKf6v15JnOE4YeSUpsKMAgP
             DbbDSJBf3zgwcUECglSB9pM09ZkxM/WA8+sBPNt7/pepUfpKWfoiIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-15T21:02:47Z"
-    mac: ENC[AES256_GCM,data:vZie4+27bytMtLHLO3cR5X6XsvVjoLWXbZ9gSyeJAg//TYDdojfCKtLatBb22oVyjjeoFKKqcHwVPv888Kpc8SwFIY7C0YxgmFbHXZMkUk4EWsolGPJ4V3p2GdWSRJkn/B9fM0TjvWiHASvtDNUNw03Rs6PT8fP0YTSzomKGR+U=,iv:5UY3+wj8h/uW/l3gkBPub+bWWt2kKabH5jErjmNp4sM=,tag:2DrAzNOS+dd3bNCs42PPbw==,type:str]
+    lastmodified: "2024-09-11T17:22:16Z"
+    mac: ENC[AES256_GCM,data:WbuN9UpP0OP69ta29VW2LlCFfyTWI3v8IiwUu3tLOxtY3gjdJLZTpaG2hBR985qjLYL3MT7eR7eWp4p99DAKupVBvA6tJl8/+N9+0W/dapcec+qv7u9wRHcFjP9wtggq66vUdGqH8IIHYuGlIhAvCbDouoXuLoFIcB2i2lYNB4Q=,iv:u+KsBgHxLgwSgFLYtY0F6HjCUbSCvNAatIIwrCGGyJg=,tag:bHO4vovTLPVK2vsQvliwzQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1