diff --git a/desktop/software/default.nix b/desktop/software/default.nix index 420cfc2..56d5bf0 100644 --- a/desktop/software/default.nix +++ b/desktop/software/default.nix @@ -49,6 +49,7 @@ in enable = true; settings = { "identity.fxaccounts.enabled" = true; + "identity.sync.tokenserver.uri" = "http://fx-sync.lan/1.0/sync/1.5"; "webgl.disabled" = false; "privacy.resistFingerprinting" = false; "privacy.clearOnShutdown.history" = false; diff --git a/host/roam/default.nix b/host/roam/default.nix index 6db9704..ecc870c 100644 --- a/host/roam/default.nix +++ b/host/roam/default.nix @@ -1,5 +1,4 @@ -{ lib', ... }: -{ +_: { networking.hostName = "roam"; age.identityPaths = [ @@ -8,6 +7,7 @@ imports = [ ./backup.nix + ./firefox-sync.nix ./git.nix ./hardware-configuration.nix ./networking.nix diff --git a/host/roam/firefox-sync.nix b/host/roam/firefox-sync.nix new file mode 100644 index 0000000..eee8be3 --- /dev/null +++ b/host/roam/firefox-sync.nix @@ -0,0 +1,32 @@ +{ + pkgs, + config, + secrets, + ... +}: +{ + services.mysql.package = pkgs.mariadb; + + age.secrets.roam-firefox-sync-secret = { + file = secrets.roam."firefox-sync-secret.age"; + mode = "440"; + owner = "root"; + group = "root"; + }; + + services.firefox-syncserver = { + enable = true; + secrets = config.age.secrets.roam-firefox-sync-secret.path; + singleNode = { + enable = true; + hostname = "fx-sync.lan"; + enableTLS = false; + }; + }; + services.nginx.virtualHostsPriv."fx-sync.lan" = { + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.firefox-syncserver.settings.port}"; + recommendedProxySettings = true; + }; + }; +} diff --git a/host/roam/services.nix b/host/roam/services.nix index d6ad204..5424382 100644 --- a/host/roam/services.nix +++ b/host/roam/services.nix 
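Review bot: The new `identity.sync.tokenserver.uri` is a plain `http://` URL, so the FxA token the browser presents to the tokenserver and the Hawk credentials it receives back cross the network unencrypted, and the same applies to the storage endpoint because host/roam/firefox-sync.nix sets `singleNode.enableTLS = false` (sync payloads are encrypted client-side, but the credentials allow reading and deleting them). That is only acceptable because `fx-sync.lan` resolves to `var.wg.ips.roam` in var/lan-dns.nix and the vhost is served via `virtualHostsPriv`, i.e. only on the WireGuard address; nothing in this hunk records that dependency. Suggest a comment above the line: `# plain http is acceptable only while fx-sync.lan resolves to the WireGuard address and is never published via virtualHosts`. The enclosing `settings = { … }` attribute set continues outside the hunk.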
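Review bot: In host/roam/firefox-sync.nix the `proxyPass` to `http://127.0.0.1:${toString …settings.port}` assumes the syncserver itself listens on loopback, but nothing in the file pins `services.firefox-syncserver.settings.host`; if the module's default is a wildcard bind, the plaintext upstream would be reachable directly on that port from every interface, bypassing the WireGuard-only vhost. Setting it explicitly next to `singleNode`, `settings.host = "127.0.0.1";`, makes the intent checkable (worth confirming against the module's default first). The age secret is root:root mode 440, which works as long as the module hands the file to systemd (EnvironmentFile-style, read by PID 1) rather than having the service user open it; a short comment stating that assumption would explain the otherwise surprising root-only mode. The string `"fx-sync.lan"` is also written twice in this file; `services.nginx.virtualHostsPriv.${config.services.firefox-syncserver.singleNode.hostname}` keeps the vhost and `singleNode.hostname` from drifting apart.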
@@ -6,16 +6,16 @@ services = { nginx = { enable = true; - defaultListen = [ - { - addr = var.wg.ips.roam; - ssl = true; - } - ]; - virtualHosts."roam.lan" = { + virtualHosts.default = { + serverName = "_"; + default = true; + rejectSSL = true; + locations."/".return = "444"; + }; + virtualHostsPriv."roam.lan" = { locations."/" = { }; }; - virtualHostsPub."roam.hdohmen.de" = { + virtualHosts."roam.hdohmen.de" = { enableACME = true; locations."/" = { }; }; diff --git a/mod/nginx.nix b/mod/nginx.nix index 5c0d66d..1c0b935 100644 --- a/mod/nginx.nix +++ b/mod/nginx.nix @@ -2,14 +2,15 @@ lib, options, config, + var, ... }: with lib; { - options.services.nginx.virtualHostsPub = mkOption { + options.services.nginx.virtualHostsPriv = mkOption { type = options.services.nginx.virtualHosts.type; default = { }; - description = "Declarative vhost config listening to ::0 and 0.0.0.0"; + description = "Declarative vhost config listening on onet"; }; config = { @@ -17,28 +18,13 @@ with lib; _: v: v // { - addSSL = true; listen = [ { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "[::0]"; - port = 443; - ssl = true; - } - { - addr = "[::0]"; + addr = var.wg.ips.roam; port = 80; } ]; } - ) config.services.nginx.virtualHostsPub; + ) config.services.nginx.virtualHostsPriv; }; } diff --git a/secrets.nix b/secrets.nix index 7e061e0..26351f3 100644 --- a/secrets.nix +++ b/secrets.nix @@ -4,6 +4,7 @@ let keys = (import ./var { inherit lib; }).ssh-keys.root; secrets = [ "roam/rclone-conf" + "roam/firefox-sync-secret" "hd-password" ]; in diff --git a/secrets/roam/firefox-sync-secret.age b/secrets/roam/firefox-sync-secret.age new file mode 100644 index 0000000..b2d5137 Binary files /dev/null and b/secrets/roam/firefox-sync-secret.age differ diff --git a/var/lan-dns.nix b/var/lan-dns.nix index 24f2891..8bb2d5e 100644 --- a/var/lan-dns.nix +++ b/var/lan-dns.nix 
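Review bot: Moving `roam.hdohmen.de` from `virtualHostsPub` to plain `virtualHosts` drops the `addSSL = true` that the old module injected for it (see the removed line in mod/nginx.nix), and this hunk does not add it back, so with only `enableACME = true` a certificate is still obtained but, as far as the visible config shows, no HTTPS listener serves it and the public vhost answers on port 80 only. Add `forceSSL = true;` next to `enableACME = true;` (or `addSSL = true;` to restore exactly the previous behaviour). The new catch-all `virtualHosts.default` with `rejectSSL` and `return 444` is a sound addition; with `defaultListen` removed, note that `roam.hdohmen.de` now binds the module's default wildcard addresses, which presumably is the intent for a public host. The enclosing `services = { nginx = { … } }` set closes outside the hunk.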
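Review bot: In mod/nginx.nix the new `addr = var.wg.ips.roam;` hard-codes one host's WireGuard address into a shared module, so any other host that imports it and declares a `virtualHostsPriv` entry would try to bind roam's address and nginx would fail to start there. `config` is already a module argument and host/roam/default.nix sets `networking.hostName = "roam"`, so `addr = var.wg.ips.${config.networking.hostName};` yields the same result on roam and stays correct elsewhere. The option description in the first hunk, `listening on onet`, does not tell a reader which address or protocol is involved; something like `description = "Declarative vhost config listening only on this host's WireGuard address, port 80, no TLS";` would. The `mapAttrs (` call and the `config = {` set this lambda sits in both open outside the hunk.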
@@ -1,18 +1,14 @@ { lib, var, ... }: let - lan-tld = ".lan"; - lan-base-domain = ".hdohmen.de"; lan-hosts = lib.mapAttrs' (name: value: { - name = "${name}${lan-tld}"; + name = "${name}.lan"; inherit value; }) var.wg.ips; + custom-hosts = { + "fx-sync.lan" = var.wg.ips.roam; + }; in rec { hostsFile = lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${v}\t${n}") hosts); - hosts = - lan-hosts - // lib.mapAttrs' (name: value: { - name = "${name}${lan-base-domain}"; - inherit value; - }) lan-hosts; + hosts = lan-hosts // custom-hosts; }
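Review bot: The literal `"fx-sync.lan"` now lives in three places — here in `custom-hosts`, in `singleNode.hostname` in host/roam/firefox-sync.nix, and in the `identity.sync.tokenserver.uri` pref in desktop/software/default.nix — and a mismatch in any one of them breaks sync silently, since the client would just fail to reach the server; exporting the name from `var` alongside `wg.ips` and referencing it from the other two would remove that risk. Because `//` is right-biased, a key in `custom-hosts` silently overrides a generated `<name>.lan` entry, which may be intended but deserves a one-line comment on `hosts = lan-hosts // custom-hosts;`. This hunk also stops generating the `<name>.hdohmen.de` entries, so those names now resolve wherever upstream DNS points them rather than to the WireGuard address; that matches the move of `roam.hdohmen.de` to a public vhost in host/roam/services.nix, but a brief comment would spare the next reader the inference.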