diff --git a/hosts/sombrero/modules/syncthing/default.nix b/hosts/sombrero/modules/syncthing/default.nix
index 9649045..a190816 100644
--- a/hosts/sombrero/modules/syncthing/default.nix
+++ b/hosts/sombrero/modules/syncthing/default.nix
@@ -27,8 +27,8 @@ in
 
         dataDir = "/home/alex/backup/sync";
 
-        cert = "/home/alex/backup/sync/hosts/sombrero/syncthing/cert.pem";
-        key = "/home/alex/backup/sync/hosts/sombrero/syncthing/key.pem";
+        cert = config.age.secrets.syncthing-cert.path;
+        key = config.age.secrets.syncthing-key.path;
 
         guiAddress = "0.0.0.0:8384";
 
@@ -144,5 +144,12 @@ in
         };
       };
     };
+
+    age = {
+      secrets = {
+        "syncthing-cert".file = ../../../../secrets/sombrero/syncthing-cert.age;
+        "syncthing-key".file = ../../../../secrets/sombrero/syncthing-key.age;
+      };
+  };
   };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5dc4477..f6d6960 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -15,4 +15,7 @@ in {
   "pinwheel/netrc.age".publicKeys = [ pinwheel alex ];
   "pinwheel/work-ovpn.age".publicKeys = [ pinwheel alex ];
   "pinwheel/work-ovpn-userpass.age".publicKeys = [ pinwheel alex ];
+
+  "sombrero/syncthing-cert.age".publicKeys = [ sombrero alex ];
+  "sombrero/syncthing-key.age".publicKeys = [ sombrero alex ];
 }
diff --git a/secrets/sombrero/syncthing-cert.age b/secrets/sombrero/syncthing-cert.age
new file mode 100644
index 0000000..899f988
Binary files /dev/null and b/secrets/sombrero/syncthing-cert.age differ
diff --git a/secrets/sombrero/syncthing-key.age b/secrets/sombrero/syncthing-key.age
new file mode 100644
index 0000000..cdc5431
Binary files /dev/null and b/secrets/sombrero/syncthing-key.age differ