diff --git a/modules/services/synergy/default.nix b/modules/services/synergy/default.nix
index 71418a6..f7503da 100644
--- a/modules/services/synergy/default.nix
+++ b/modules/services/synergy/default.nix
@@ -48,6 +48,21 @@ in
           type = types.bool;
           description = "Whether the Synergy client should be started automatically.";
         };
+        tls = {
+          enable = mkEnableOption ''
+            Whether TLS encryption should be used.
+
+            Using this requires a TLS certificate that can be
+            generated by starting the Synergy GUI once and entering
+            a valid product key.
+          '';
+          cert = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            example = "~/.synergy/SSL/Synergy.pem";
+            description = "The TLS certificate to use for encryption.";
+          };
+        };
       };
 
       server = {
@@ -81,6 +96,21 @@ in
           type = types.bool;
           description = "Whether the Synergy server should be started automatically.";
         };
+        tls = {
+          enable = mkEnableOption ''
+            Whether TLS encryption should be used.
+
+            Using this requires a TLS certificate that can be
+            generated by starting the Synergy GUI once and entering
+            a valid product key.
+          '';
+          cert = mkOption {
+            type = types.nullOr types.str;
+            default = null;
+            example = "~/.synergy/SSL/Synergy.pem";
+            description = "The TLS certificate to use for encryption.";
+          };
+        };
       };
     };
 
@@ -92,8 +122,13 @@ in
       launchd.user.agents."synergy-client" = {
         path = [ config.environment.systemPath ];
         serviceConfig.ProgramArguments = [
-          "${cfg.package}/bin/synergyc" "-f" "${cfg.client.serverAddress}"
-        ] ++ optionals (cfg.client.screenName != "") [ "-n" cfg.client.screenName ];
+          "${cfg.package}/bin/synergyc" "-f"
+        ] ++ optionals (cfg.client.tls.enable) [ "--enable-crypto" ]
+          ++ optionals (cfg.client.tls.cert != null) [ "--tls-cert" cfg.client.tls.cert ]
+          ++ optionals (cfg.client.screenName != "") [ "-n" cfg.client.screenName ]
+          ++ [
+          cfg.client.serverAddress
+        ];
         serviceConfig.KeepAlive = true;
         serviceConfig.RunAtLoad = cfg.client.autoStart;
         serviceConfig.ProcessType = "Interactive";
@@ -105,7 +140,9 @@ in
         path = [ config.environment.systemPath ];
         serviceConfig.ProgramArguments = [
           "${cfg.package}/bin/synergys" "-c" "${cfg.server.configFile}" "-f"
-        ] ++ optionals (cfg.server.screenName != "") [ "-n" cfg.server.screenName ]
+        ] ++ optionals (cfg.server.tls.enable) [ "--enable-crypto" ]
+          ++ optionals (cfg.server.tls.cert != null) [ "--tls-cert" cfg.server.tls.cert ]
+          ++ optionals (cfg.server.screenName != "") [ "-n" cfg.server.screenName ]
           ++ optionals (cfg.server.address != "") [ "-a" cfg.server.address ];
         serviceConfig.KeepAlive = true;
         serviceConfig.RunAtLoad = cfg.server.autoStart;