diff --git a/hosts/abacus/syncthing.nix b/hosts/abacus/syncthing.nix
new file mode 100644
index 0000000..ff8c981
--- /dev/null
+++ b/hosts/abacus/syncthing.nix
@@ -0,0 +1,18 @@
+{config, ...}: let
+  inherit (config.networking) domain;
+  virtualHostName = "sync.${domain}";
+in {
+  services.syncthing = {
+    enable = true;
+    systemService = true;
+    openDefaultPorts = true;
+  };
+
+  services.nginx.virtualHosts.${virtualHostName} = {
+    enableACME = true;
+    forceSSL = true;
+    quic = true;
+
+    locations."/".proxyPass = "http://${config.services.syncthing.guiAddress}";
+  };
+}
diff --git a/hosts/vessel/syncthing.nix b/hosts/vessel/syncthing.nix
index 30ab582..81977b2 100644
--- a/hosts/vessel/syncthing.nix
+++ b/hosts/vessel/syncthing.nix
@@ -5,7 +5,7 @@ in {
     enable = true;
     systemService = true;
     openDefaultPorts = true;
-    guiAddress = "0.0.0.0:${builtins.toString guiPort}";
+    guiAddress = "127.0.0.1:${builtins.toString guiPort}";
   };
 
   networking.firewall.allowedTCPPorts = [guiPort];