diff --git a/services/syncplay.nix b/services/syncplay.nix
index a0b1082b..423db435 100644
--- a/services/syncplay.nix
+++ b/services/syncplay.nix
@@ -3,14 +3,26 @@
 {
 users.users.syncplay = {
 isSystemUser = true;
 };
+ users.groups."sync-cert".members = [ "nginx" "syncplay" ];
+ security.acme = { certs."sync.kittywit.ch" = { group = "sync-cert"; }; };
+
+ services.nginx.virtualHosts."sync.kittywit.ch" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+
+ deploy.tf.dns.records.kittywitch_sync = {
+ tld = "kittywit.ch.";
+ domain = "sync";
+ cname.target = "athame.kittywit.ch.";
+ };
+
 services.syncplay = {
 enable = true;
 user = "syncplay";
- group = "kittywit-ch";
+ group = "sync-cert";
 certDir = "/var/lib/acme/sync.kittywit.ch/";
 };
- security.acme.certs."sync.kittywit.ch".postRun = ''
- cp key.pem privkey.pem
- '';
+ security.acme.certs."sync.kittywit.ch".postRun = "cp key.pem privkey.pem\nchown acme:voice-cert privkey.pem";
 }
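Review bot: The new `postRun` string chowns the copied key to group `voice-cert`, while every other line added in this hunk moves the certificate to `sync-cert` (`users.groups."sync-cert"`, `certs."sync.kittywit.ch".group`, `services.syncplay.group`). This looks like a leftover from another service's configuration, though `voice-cert` is not defined in the visible lines, so that is an inference. Depending on the mode `cp` gives the file, syncplay may be unable to read `privkey.pem`, and members of `voice-cert` may be able to read a private key they have no need for. I would change the second command to `chown acme:sync-cert privkey.pem` and add `chmod 640 privkey.pem`, so the copy's permissions do not depend on the umask the ACME unit runs with.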