diff --git a/flake.nix b/flake.nix index 625c49e..ce925d0 100644 --- a/flake.nix +++ b/flake.nix @@ -36,7 +36,7 @@ specialArgs = rec { inherit inputs lib'; - var = (lib'.walk-dir ./var)._map (f: import f { inherit lib var; }); + var = import ./var { inherit lib; }; secrets = lib'.walk-dir ./secrets; }; overlays = _: { diff --git a/lib.nix b/lib.nix index 213614f..8ed2303 100644 --- a/lib.nix +++ b/lib.nix @@ -1,7 +1,7 @@ { lib, ... }: with builtins; -let - walk-dir-inner = +rec { + walk-dir = path: let dir = readDir path; @@ -12,18 +12,8 @@ let if value == "regular" then path + "/${filename}" else if value == "directory" then - walk-dir-inner (path + "/${filename}") + walk-dir (path + "/${filename}") else throw "Items of type ${value} are unsupported."; }) dir; - - helper-attrs = subpaths: { - _map = f: lib.mapAttrsRecursive (_: f) subpaths; - }; - - with-helper-attrs = - x: if isAttrs x then lib.mapAttrs (_: with-helper-attrs) x // helper-attrs x else x; -in -{ - walk-dir = p: with-helper-attrs (walk-dir-inner p); } diff --git a/secrets.nix b/secrets.nix index 1fa71b9..7e061e0 100644 --- a/secrets.nix +++ b/secrets.nix @@ -1,9 +1,7 @@ let - keys = - let - k = import ./var/ssh-keys.nix { }; - in - k.root; # ++ k.hd; + pkgs = import { }; + inherit (pkgs) lib; + keys = (import ./var { inherit lib; }).ssh-keys.root; secrets = [ "roam/rclone-conf" "hd-password" diff --git a/secrets/hd-password.age b/secrets/hd-password.age index a6d79af..c9a29c4 100644 --- a/secrets/hd-password.age +++ b/secrets/hd-password.age 
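Review bot: In secrets.nix the added `pkgs = import { };` line pulls in a whole package set only to hand `lib` to ./var, and as rendered here the import target is missing (presumably an angle-bracket nixpkgs lookup path lost in extraction). If so, the age recipient list in `keys` is evaluated against whatever nixpkgs the caller's NIX_PATH resolves to, not the revision pinned by the flake. The visible var code uses `lib` only for `lib.foldl'` (var/default.nix) and `lib.attrValues` (var/ssh-keys.nix), and both exist in `builtins`. Switching to `builtins.foldl'` and `builtins.mapAttrs (_: builtins.attrValues) k` would remove the need for a real `lib` on the `.ssh-keys.root` path. Failing that, a comment such as `# evaluated outside the flake: lib comes from the ambient nixpkgs, not flake.lock` should sit above the `pkgs` line.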
@@ -1,10 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 ydxpSQ M0sDsl0um+whNdnXrl5RMp8BAXdVe1n8K41L6HXizG4 -hIV5u4+ZPujJsNwet9UC2wnAFgpFe+b4BGtsNhah/34 --> ssh-ed25519 gbs8eg lNj3bYYZXf28MzvjOJ052zOg7xOROf3MjUWR35ZJfWw -Pxqa+IqRVAhoJdV/Muzt74rfoYBxE4YLh7y8KWwHaG0 --> ssh-ed25519 FTMbvw 7deJR8NLmOWT/RKUa+JbdZ7KYcLNqYxuYS9y/eOYoE8 -haM8XoJVYTUVEEEuMbCdQxuOeZZT8ILtaGWG/uRDo+0 ---- MKr7VcEMTYpu+gNelWf7vIZvU/TpyH/N61shLABcitA -Ϻa̓UJm!yaُΌnxE8Kw * Z%MV:ò A֚K;& -~G;jyJ[6zK/4Ҳ? \ No newline at end of file +-> ssh-ed25519 ydxpSQ NpAWr39/EtAvLrm1ZAA7r4Cx2G4axqVCmBXDupKWyHI +jtH6IB4w4oQiSyQ22YYQvHXn2BIpCxVKw+dj5VQ+RIg +-> ssh-ed25519 gbs8eg iXE23gxJJlJhoV5/vc3P/xM8l5poODWZt9cmu027SSM +OqRXi1L4yRG6b5MU8L12m7GHpKK7L6QXallzYBe971M +-> ssh-ed25519 FTMbvw NE+q2JXrQjuqt4Q5KRh5/s53xoz/gcx9k/QzYk1NUmU +un55OQzaIA5XDsU8AukomS3gyJvEtuspxRvumqZd74w +--- tXcyFIzu77Mm0VIygP1slKtqsJQk3arctl2LimSkNbA +5"mnU6TY{"29 |^0lFT'̌&D0LiGL#':NNA/}'2,7(tHA aRK \ No newline at end of file diff --git a/secrets/roam/rclone-conf.age b/secrets/roam/rclone-conf.age index 2c67c31..1f47041 100644 Binary files a/secrets/roam/rclone-conf.age and b/secrets/roam/rclone-conf.age differ diff --git a/var/default.nix b/var/default.nix new file mode 100644 index 0000000..0413eb8 --- /dev/null +++ b/var/default.nix @@ -0,0 +1,11 @@ +{ lib, ... }@inp: +let + files = [ + "lan-dns" + "ssh-keys" + "wg" + ]; + import_file = name: { ${name} = import ./${name}.nix (inp // { inherit var; }); }; + var = lib.foldl' (a: b: a // b) { } (map import_file files); +in +var diff --git a/var/ssh-keys.nix b/var/ssh-keys.nix index 51c08b0..1561f05 100644 --- a/var/ssh-keys.nix +++ b/var/ssh-keys.nix 
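Review bot: In var/default.nix, `files` is a hand-maintained list, so a new file dropped into var/ stays absent from `var` until it is added here, unlike the `walk-dir` call this replaces in flake.nix. A comment above `files` should say so, e.g. `# explicit allow-list: a var/*.nix file must be listed here to be importable`. The fold over single-key sets can be written more directly as `var = lib.genAttrs files (name: import ./${name}.nix (inp // { inherit var; }));`, which drops `import_file` and the `foldl'`. The self-reference through `inherit var` works only because attribute values are lazy, and that deserves a short comment too.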
@@ -1,16 +1,17 @@
-_: rec {
- # this is only used for forcing password entry on colmena apply
- root-by-host = {
- "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
- "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
- "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
- };
- root = builtins.attrValues root-by-host;
+{ lib, ... }:
+let
+ mkKeys = k: { by-host = k; } // builtins.mapAttrs (_: lib.attrValues) k;
+in
 
- hd-by-host = {
+mkKeys {
+ hd = {
 "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEG+dd4m98aKEWfFa/7VZUlJNX0axvIlHVihT8w7RLyY";
 "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIsoj2+esEebRwDV2PuNRt9Vz28oolOy+Hc2THwrWTAB";
 "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEDlh8hY01wwmNtfa1eK3mVBIcytdh4n/kV05gP9z1Lc";
 };
- hd = builtins.attrValues hd-by-host;
+ root = {
+ "solo" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFsl8pLaGeCL3kacGWf8pzoLQr501ga/2OzvI2wWbTZJ";
+ "c2" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJAZaswaiA+oQ9NviADYFf7BJQHNlmdxQuocIdoJmv3o";
+ "roam" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID++uLcQOx/to3sEo5Nk97CenGf0Y6/dMsBbLouVTgIQ";
+ };
 }
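Review bot: The removed comment `# this is only used for forcing password entry on colmena apply` was the only statement of what these key sets are for, and the new `mkKeys` block carries none. Because `root` feeds the age recipient list in secrets.nix, each set should say what relies on it, for example `# root: keys used as age recipients in secrets.nix`. `mkKeys` also merges the `by-host` index and the per-group lists into one attribute set, so a group that happened to be named `by-host` would silently replace the index. A one-line comment on `mkKeys` giving the resulting shape (`by-host.<group>.<host>` plus `<group>` as a list) would make that visible. Callers of `root-by-host` or `hd-by-host` must move to `by-host.root` / `by-host.hd`; no such call sites are visible in this diff.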