diff --git a/krebs/3modules/sync-containers.nix b/krebs/3modules/sync-containers.nix
index 7c7db4c3d..d31022d3a 100644
--- a/krebs/3modules/sync-containers.nix
+++ b/krebs/3modules/sync-containers.nix
@@ -92,6 +92,10 @@ in {
 
   config = mkIf (cfg.containers != {}) {
     programs.fuse.userAllowOther = true;
+    # allow syncthing to enter /var/lib/containers
+    system.activationScripts.syncthing-home = ''
+      ${pkgs.coreutils}/bin/chmod a+x /var/lib/containers
+    '';
 
     services.syncthing.declarative.folders = (mapAttrs' (_: ctr: nameValuePair "${(paths ctr.name).${ctr.format}}" ({
       devices = ctr.peers;