diff --git a/modules/syncthings.nix b/modules/syncthings.nix
index 39cc679..b46fdb9 100644
--- a/modules/syncthings.nix
+++ b/modules/syncthings.nix
@@ -4,6 +4,7 @@ with lib;
 
 let
 cfg = config.services.syncthings;
+ enabledInstances = filterAttrs (n: v: v.enable) cfg.instances;
 opt = options.services.syncthings;
 defaultUser = "syncthing";
 defaultGroup = defaultUser;
@@ -574,19 +575,23 @@ in {
 '';
 };
 
- openDefaultPorts = mkOption {
+ openPorts = mkOption {
 type = types.bool;
 default = false;
 example = true;
- description = lib.mdDoc ''
- Whether to open the default ports in the firewall: TCP/UDP 22000 for transfers
- and UDP 21027 for discovery.
+ description = mdDoc "Whether to open the transfer port and discovery port in the firewall.";
+ };
 
- If multiple users are running Syncthing on this machine, you will need
- to manually open a set of ports for each instance and leave this disabled.
- Alternatively, if you are running only a single instance on this machine
- using the default ports, enable this.
- '';
+ transferPort = mkOption {
+ type = types.port;
+ example = 22000;
+ description = mdDoc "The TCP/UDP port for transfers.";
+ };
+
+ discoveryPort = mkOption {
+ type = types.port;
+ example = 21027;
+ description = mdDoc "The UDP port for discovery.";
 };
 
 package = mkOption {
@@ -605,9 +610,8 @@ in {
 
 ###### implementation
 
- config = mkIf cfg.enable {
-
- networking.firewall = mkIf cfg.openDefaultPorts {
+ config = mkIf (enabledInstances != {}) {
+ networking.firewall = {
 allowedTCPPorts = [ 22000 ];
 allowedUDPPorts = [ 21027 22000 ];
 };
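Review bot: `transferPort` and `discoveryPort` are declared without a `default`, so a configuration that leaves them unset will fail evaluation as soon as the implementation reads them. If the former fixed ports are the intended fallback, add `default = 22000;` and `default = 21027;`. The new `openPorts` description also no longer says what gets exposed; I would word it as `Whether to open transferPort (TCP and UDP) and discoveryPort (UDP) in the firewall on all interfaces.` The enclosing options block starts and ends outside the hunk, so whether these options are per instance is not visible here.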
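Review bot: The firewall block at the end of this hunk now opens TCP 22000 and UDP 21027/22000 whenever any instance is enabled, because the `mkIf cfg.openDefaultPorts` guard was removed and the new `openPorts` option is not consulted in its place. The port lists are still the hard-coded defaults, so the `transferPort` and `discoveryPort` values introduced in this commit have no effect on what is exposed. I would build both lists from the enabled instances that set `openPorts`, as below. This assumes the three options are declared per instance, which the hunk does not show, and the `config` block continues outside the hunk.

```nix
config = mkIf (enabledInstances != {}) {
  networking.firewall = let
    # Only instances that explicitly opt in contribute ports.
    exposed = filterAttrs (n: v: v.openPorts) enabledInstances;
  in {
    allowedTCPPorts = mapAttrsToList (n: v: v.transferPort) exposed;
    allowedUDPPorts = concatLists
      (mapAttrsToList (n: v: [ v.discoveryPort v.transferPort ]) exposed);
  };
```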