diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix
index 939c8fddf..799ed7eda 100644
--- a/krebs/3modules/syncthing.nix
+++ b/krebs/3modules/syncthing.nix
@@ -176,6 +176,7 @@ in
   config = mkIf kcfg.enable {
 
     systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) {
+      serviceConfig.PermissionsStartOnly = mkDefault true;
       preStart = ''
         ${optionalString (kcfg.cert != null) ''
           cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem