diff --git a/provision/hosts/bulwark/configuration.nix b/provision/hosts/bulwark/configuration.nix index a8458bc0..d8921395 100644 --- a/provision/hosts/bulwark/configuration.nix +++ b/provision/hosts/bulwark/configuration.nix @@ -2,7 +2,6 @@ { imports = [ ./steam-deck.nix - ./syncthing.nix ]; # Set networking options @@ -35,6 +34,15 @@ }; services = { samba-client.enable = true; + syncthing = { + enable = true; + keyPath = ../../secrets/syncthing/bulwark/key.pem.age; + certPath = ../../secrets/syncthing/bulwark/cert.pem.age; + devices = { + "kestrel" = { id = "5WWL4FE-ARZ4FHP-J33HQCH-CZKEXLN-2RAY4KW-PDI754F-3HVPZYI-VC3ESAF"; }; + }; + folders = {}; + }; }; system = { ssh.enable = true; diff --git a/provision/hosts/bulwark/syncthing.nix b/provision/hosts/bulwark/syncthing.nix deleted file mode 100644 index 4213cf9f..00000000 --- a/provision/hosts/bulwark/syncthing.nix +++ /dev/null 
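Review bot: In the `syncthing` block added under `services`, `folders = {};` is handed to a module that sets `overrideFolders = true`, so on activation every folder the deleted `hosts/bulwark/syncthing.nix` declared is dropped from Syncthing's configuration. The kestrel hunk has the same problem and also sets `devices = {};`, which with `overrideDevices = true` removes bulwark, torus and shivan as peers, so kestrel will not accept the connection from the `"kestrel"` entry added here. Unless this is a deliberate intermediate step, carry the folder sets over into both host files and give kestrel its peers back, e.g. `devices = { "bulwark" = { id = "<bulwark device ID>"; }; };`. The new kestrel ID presumably belongs to the certificate in `secrets/syncthing/kestrel/cert.pem.age`; confirm it against the ID the instance reports after the switch.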
@@ -1,47 +0,0 @@ -{ config, lib, pkgs, user, ... }: -{ - networking.firewall.allowedTCPPorts = [ 8384 22000 ]; - networking.firewall.allowedUDPPorts = [ 22000 21027 ]; - - environment.systemPackages = with pkgs; [ - syncthing # File sync program for multiple devices in real-time. - ]; - - services.syncthing = { - enable = true; - user = "${user}"; - dataDir = "/home/${user}/.local/share/syncthing"; - guiAddress = "0.0.0.0:8384"; - overrideDevices = true; - overrideFolders = true; - settings.devices = { - "kestrel" = { id = "KYEWTBL-GL343U7-OIM63LT-2IYGJAP-RCL545L-2KJOIY4-6352W6Y-DZRVGAL"; }; - }; - settings.folders = { - "Gamecube Saves" = { - path = "/home/${user}/.local/share/dolphin-emu/GC"; - devices = [ "kestrel" ]; - }; - "Ryujinx Saves" = { - path = "/home/${user}/.config/Ryujinx/bis"; - devices = [ "kestrel" ]; - }; - "Yuzu Saves" = { - path = "/home/${user}/.local/share/yuzu/nand/user/save/0000000000000000/705C6CE0127692D598F92E68B640D644"; - devices = [ "kestrel" ]; - }; - "PSP Saves" = { - path = "/home/${user}/.config/ppsspp/PSP/SAVEDATA"; - devices = [ "kestrel" ]; - }; - "PSP Save States" = { - path = "/home/${user}/.config/ppsspp/PSP/PPSSPP_STATE"; - devices = [ "kestrel" ]; - }; - "Roms Saves" = { - path = "/home/${user}/media/roms/saves"; - devices = [ "kestrel" ]; - }; - }; - }; -} diff --git a/provision/hosts/kestrel/configuration.nix b/provision/hosts/kestrel/configuration.nix index 0ae31965..2231f984 100644 --- a/provision/hosts/kestrel/configuration.nix +++ b/provision/hosts/kestrel/configuration.nix @@ -1,7 +1,6 @@ { config, pkgs, user, lib, ... }: { imports = [ - ./syncthing.nix ./backup.nix ]; @@ -57,6 +56,13 @@ peripherals.enable = true; samba-client.enable = true; virt-manager.enable = true; + syncthing = { + enable = true; + keyPath = ../../secrets/syncthing/kestrel/key.pem.age; + certPath = ../../secrets/syncthing/kestrel/cert.pem.age; + devices = {}; + folders = {}; + }; }; system = { backup.enable = true; 
diff --git a/provision/hosts/kestrel/syncthing.nix b/provision/hosts/kestrel/syncthing.nix
deleted file mode 100644
index 83d420f7..00000000
--- a/provision/hosts/kestrel/syncthing.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ config, lib, pkgs, user, ... }:
-{
- networking.firewall.allowedTCPPorts = [ 8384 22000 ];
- networking.firewall.allowedUDPPorts = [ 22000 21027 ];
-
- environment.systemPackages = with pkgs; [
- syncthing # File sync program for multiple devices in real-time.
- ];
-
- services.syncthing = {
- enable = true;
- user = "${user}";
- dataDir = "/home/${user}/.local/share/syncthing";
- configDir = "/home/${user}/.config/syncthing";
- guiAddress = "0.0.0.0:8384";
- overrideDevices = true;
- overrideFolders = true;
- settings.devices = {
- "bulwark" = { id = "ZGLQ725-OJSDNTE-MXYLIUD-XDB7REJ-2B2DVNU-PAFF6VC-MUUWRI6-4SNPWAK"; };
- "torus" = { id = "WCZYHD7-5Y33SSU-74JHAQR-V7LYMDM-SDG2NTN-DJ2VKF2-DUBBUE5-PU5CGQN"; };
- "shivan" = { id = "KUSOQSH-RKLLA32-T3KAPQP-VNJISLL-QSQCGFZ-ZL7ZULE-MJC67DK-2U6G4Q7"; };
- };
- settings.folders = {
- "Gamecube Saves" = {
- path = "/home/${user}/.local/share/dolphin-emu/GC";
- devices = [ "bulwark" ];
- };
- "Ryujinx Saves" = {
- path = "/home/${user}/.config/Ryujinx/bis";
- devices = [ "bulwark" ];
- };
- "Yuzu Saves" = {
- path = "/home/${user}/.local/share/yuzu/nand/user/save/0000000000000000/705C6CE0127692D598F92E68B640D644";
- devices = [ "bulwark" ];
- };
- "PSP Saves" = {
- path = "/home/${user}/.config/ppsspp/PSP/SAVEDATA";
- devices = [ "bulwark" ];
- };
- "PSP Save States" = {
- path = "/home/${user}/.config/ppsspp/PSP/PPSSPP_STATE";
- devices = [ "bulwark" ];
- };
- "General Sync" = {
- path = "/home/${user}/sync";
- devices = [ "shivan" ];
- };
- "Rom Saves" = {
- path = "/home/${user}/media/roms/saves";
- devices = [ "bulwark" ];
- };
- };
- };
-}
diff --git a/provision/modules/services/default.nix b/provision/modules/services/default.nix
index 95f8f298..c65c93f4 100644
--- a/provision/modules/services/default.nix
+++ b/provision/modules/services/default.nix @@ -1,4 +1,4 @@ { ... }: { - imports = [ ./peripherals.nix ./samba-client.nix ./virt-manager.nix ]; + imports = [ ./peripherals.nix ./samba-client.nix ./syncthing.nix ./virt-manager.nix ]; } diff --git a/provision/modules/services/syncthing.nix b/provision/modules/services/syncthing.nix new file mode 100644 index 00000000..42e4f931 --- /dev/null +++ b/provision/modules/services/syncthing.nix 
@@ -0,0 +1,68 @@
+{ config, lib, pkgs, user, ... }:
+
+let cfg = config.modules.services.syncthing;
+in {
+ options.modules.services.syncthing = with lib; {
+ enable = lib.mkOption {
+ type = types.bool;
+ default = true;
+ };
+ keyPath = mkOption {
+ type = types.path;
+ default = ./key.pem;
+ };
+ certPath = mkOption {
+ type = types.path;
+ default = ./cert.pem;
+ };
+ devices = mkOption {
+ type = types.attrs;
+ default = {};
+ description = ''
+ A set of devices and associated IDs.
+ '';
+ };
+ folders = mkOption {
+ type = types.attrs;
+ default = {};
+ description = ''
+ A set of folders, each defined by a set of attributes like
+ path, devices, and other configuration options.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ syncthing # File sync program for multiple devices in real-time.
+ ];
+
+ networking.firewall.allowedTCPPorts = [ 8384 22000 ];
+ networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+
+ age.secrets."syncthing/key.pem" = {
+ file = cfg.keyPath;
+ owner = "${user}";
+ group = "users";
+ };
+ age.secrets."syncthing/cert.pem" = {
+ file = cfg.certPath;
+ owner = "${user}";
+ group = "users";
+ };
+
+ services.syncthing = {
+ enable = true;
+ user = "${user}";
+ dataDir = "/home/${user}/.local/share/syncthing";
+ configDir = "/home/${user}/.config/syncthing";
+ guiAddress = "0.0.0.0:8384";
+ overrideDevices = true;
+ overrideFolders = true;
+ key = "/run/agenix/syncthing/key.pem";
+ cert = "/run/agenix/syncthing/cert.pem";
+ settings.devices = cfg.devices;
+ settings.folders = cfg.folders;
+ };
+ };
+}
diff --git a/provision/secrets/secrets.nix b/provision/secrets/secrets.nix
index caa95c19..bfd27cf6 100644
--- a/provision/secrets/secrets.nix
+++ b/provision/secrets/secrets.nix
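Review bot: `guiAddress = "0.0.0.0:8384"` together with `8384` in `networking.firewall.allowedTCPPorts` publishes the Syncthing GUI and REST API on every interface, and nothing in this new module sets a GUI user or password. Because `enable` is declared with `default = true` and the module is now imported from `modules/services/default.nix`, this applies to every host that imports the services modules, not only the two that configure it. I would declare `enable = mkEnableOption "Syncthing";`, bind with `guiAddress = "127.0.0.1:8384";` and open only the sync port, `networking.firewall.allowedTCPPorts = [ 22000 ];`; if remote GUI access is wanted, allow 8384 on the VPN interface only. The `./key.pem` and `./cert.pem` defaults should also go, so that a host which forgets to set `keyPath` fails at evaluation instead of pulling a stray plaintext file into the Nix store. As a smaller point, `key` and `cert` can reference `config.age.secrets."syncthing/key.pem".path` rather than repeating the `/run/agenix/...` literal.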
@@ -7,14 +7,13 @@ let in { "git/github_personal.age".publicKeys = systems; + "git/gitea-runner-1.age".publicKeys = systems; "emu/switch/prod.keys.age".publicKeys = systems; "emu/switch/title.keys.age".publicKeys = systems; "wireguard/kestrel.age".publicKeys = systems; "wireguard/torus.age".publicKeys = systems; "wireguard/bulwark.age".publicKeys = systems; "wireguard/osprey.age".publicKeys = systems; - "git/gitea-runner-1.age".publicKeys = systems; - "nextcloud/password.age".publicKeys = systems; "ssh/kestrel/id_ed25519.age".publicKeys = systems; "ssh/kestrel/id_ed25519.pub.age".publicKeys = systems; "ssh/torus/id_ed25519.age".publicKeys = systems; @@ -22,5 +21,10 @@ in "borg/torus/password.age".publicKeys = systems; "borg/rsync/id_rsa.age".publicKeys = systems; "borg/rsync/id_rsa.pub.age".publicKeys = systems; + "nextcloud/password.age".publicKeys = systems; + "syncthing/kestrel/key.pem.age".publicKeys = systems; + "syncthing/kestrel/cert.pem.age".publicKeys = systems; + "syncthing/bulwark/key.pem.age".publicKeys = systems; + "syncthing/bulwark/cert.pem.age".publicKeys = systems; } diff --git a/provision/secrets/syncthing/bulwark/cert.pem.age b/provision/secrets/syncthing/bulwark/cert.pem.age new file mode 100644 index 00000000..7fa0a312 Binary files /dev/null and b/provision/secrets/syncthing/bulwark/cert.pem.age differ diff --git a/provision/secrets/syncthing/bulwark/key.pem.age b/provision/secrets/syncthing/bulwark/key.pem.age new file mode 100644 index 00000000..fab85778 --- /dev/null +++ b/provision/secrets/syncthing/bulwark/key.pem.age 
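Review bot: The four `syncthing/*` entries added in the second hunk use `publicKeys = systems`, so, assuming `systems` (defined above the hunk) lists every host key, each host can decrypt the other's Syncthing private key; the four recipient stanzas in the committed `key.pem.age` files are consistent with that. The key is the device's identity, so any host that can read it can present itself to peers as that device. Restrict each key to the host that uses it plus whoever administers the secrets, e.g. `"syncthing/kestrel/key.pem.age".publicKeys = [ <kestrel host key> <admin key> ];`, and re-encrypt with `agenix -r`. The certificates are public material and matter less, but keeping them on the same recipient list as their key is simpler to reason about.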
@@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 Fz/sQw 4Obmjc1CCEWuc35rI9Pvkx6ScGnJ9WULezH4IDXQtWw +yXF2uJJmQQfVvbxChmJzJbDw7lonnkvTcipMIhuhyxI +-> ssh-ed25519 47GzQA u3C6BOJ5q+DodB+ElYL8DGQ1AkWLegRZxTiOWaX46Fs +1p30kpogURAvWq+sF53glTldDELIcW2kNwWINwG8Xv8 +-> ssh-ed25519 wcI7nQ BBy4Kj7grypTdC+YoWTVzhl5Fq9r8t65lljxdOX1QCA +rDCbLA7o9bC2MQcwb7kagaYEnSfiqfGzZD18J92vyA4 +-> ssh-ed25519 QjdSCg QB6m+6Q15r956ioxEtJDeKMXEG8rCWCMEAK5Wgk5Yz8 +1UiMy7C5VXWyBGDuhu2dq/XinGsStN7deM9ySLuYpQ4 +--- wOD9RLQibszEgJMIn5mt91wqx+ozFgWQM+zkk8DGEbk +p)tBcڂwt b&?~DBg\jSݳsނt#-&a-@_$+*ɐSoH4sՏ2Í'Pmr>.إ0  +*G viĜ6٢{ "A~OQ˩ՄrA;;uI:OL=,B.lN[H; +kWK}~ \Rf.kP9X665[`pm.<صrLeaP(BGE'2K7ӓeV{!4G \ No newline at end of file diff --git a/provision/secrets/syncthing/kestrel/cert.pem.age b/provision/secrets/syncthing/kestrel/cert.pem.age new file mode 100644 index 00000000..88bb7320 --- /dev/null +++ b/provision/secrets/syncthing/kestrel/cert.pem.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 Fz/sQw lJgGhfqiTm8FFj+oH70OpN3fz10SS7oYMIHLzcA9dgc +thWong+Qe6FKtn2mkjLxk8JuYbKstSQfbZioMVzlNtY +-> ssh-ed25519 47GzQA m57QSYKzPgZTa/RGkuMBS+iIqtR0eRtQ+d5RZ1tx6Dw +7xOAxSbjGdqI0X+olwczSlBGLmOnq42TUQV1I43pvTs +-> ssh-ed25519 wcI7nQ +Jk8L3kDT2PYFRkZ7iEgcSYaYrkOltXnDRgMLQmKshw +rtoVv+qaqMlmurVleOYZmuJHTB1T3gkwcrEkQE5tV2k +-> ssh-ed25519 QjdSCg S1Ikef+MsrrIDcbEM2nxrA81u0ES+YyO/TdK27Md0zQ +hO8ByZCocxg4Hp1itRuuiAp9dV8xEgsmhNNIoEBd1z8 +--- kIkGQGju9h8celXL7cN9etYTtxhnO3VIIK5ZAtg4yGU +%$BHFj>%X67vw!ABK -xkpQ=W y! SJ* Qe.s፯ `n&ݲ[5F @%ݴ P*,JNZ:I YJ8Bx/шi 'ȕM +-E)H,%cq[q%Ev|.?WFlnhzk4w Wn\] ÅUsϸ=w4qMȆ` cJ)D^*RQ!7_䀫Y[5Kw{j,v:̀X9XM_ѠxH_{ +K;rH]ܢbr5/Q͢+a#Nt3!w%5m/ +Pvi[\ҩv@3o.c f(g Rb`?:i Vjh*+4