diff --git a/flake.nix b/flake.nix
index d899b5c..87d2c79 100644
--- a/flake.nix
+++ b/flake.nix
@@ -48,12 +48,18 @@
 }@inputs:
 let
 inherit (nixpkgs) lib;
- lib' = import ./lib.nix { inherit lib; };
+ var = import ./var { inherit lib; };
+ lib' = import ./lib.nix { inherit lib var; };
+
 pkgs_25-05 = import nixpkgs_25-05 { system = "x86_64-linux"; };
 specialArgs = rec {
- inherit inputs lib' pkgs_25-05;
- var = import ./var { inherit lib; };
+ inherit
+ inputs
+ lib'
+ pkgs_25-05
+ var
+ ;
 secrets = lib'.walk-dir ./secrets;
 };
 overlays = _: {
diff --git a/lib.nix b/lib.nix
index 8ed2303..45e7b38 100644
--- a/lib.nix
+++ b/lib.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ lib, var, ... }:
 with builtins;
 rec {
 walk-dir =
@@ -16,4 +16,7 @@ rec {
 else throw "Items of type ${value} are unsupported.";
 }) dir;
+
+ is-desktop = x: builtins.elem x var.desktops;
+ is-server = x: builtins.elem x var.servers;
 }
diff --git a/mod/syncthing.nix b/mod/syncthing.nix
index 5b78211..69364d8 100644
--- a/mod/syncthing.nix
+++ b/mod/syncthing.nix
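Review bot: The new `is-server` helper in lib.nix duplicates, rather than replaces, the boolean `is-server = this == "roam";` that mod/syncthing.nix keeps in the next hunk (L2); if `lib'` reaches that module through the `specialArgs` set in the flake.nix hunk, `is-server = lib'.is-server this;` would keep the two definitions in step once `var.servers` holds more than `roam`. Both helpers also spell `builtins.elem` under the file's `with builtins;` header, where the unqualified form (as `throw` is used two lines above) matches the surrounding style. Because `var` is an opaque argument here, a one-line comment such as `# hostname -> role predicates; the role lists live in var/default.nix` would spare the next reader a lookup. The enclosing `rec { … }` starts outside the hunk.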
@@ -9,44 +9,47 @@ let
 cfg = config.services.syncthing;
 this = config.networking.hostName;
- is-managed = builtins.elem this var.syncthing-managed-clients.managed_clients;
+ is-managed = var.syncthing.managed ? ${this};
 is-server = this == "roam";
- devices = [
- "roam"
- "fw"
- ];
+ devices = lib.attrNames var.syncthing.all;
+ desktop-devices = (lib.intersectLists var.desktops devices);
- devices-without-this = lib.remove this devices;
- type-encrypt = if is-server then "receiveencrypted" else "sendreceive";
- devices-encrypt =
- if is-server then
- devices-without-this
- else
- lib.remove "roam" devices-without-this
- ++ [
- {
- name = "roam";
- encryptionPasswordFile = config.age.secrets.syncthing-password.path;
- }
- ];
+ folders = folders-all // (if config.hd.desktop.enable then folders-desktop else { });
- folders = {
+ folders-all = {
 documents = {
 id = "documents-hd";
 path = if is-server then "/data/sync/documents-hd" else "/home/hd/Documents";
- type = type-encrypt;
- devices = devices-encrypt;
+ type = if is-server then "receiveencrypted" else "sendreceive";
+ # all clients (desktops + servers) that have are a synthing peer but
+ # with untrusted servers
+ devices =
+ desktop-devices
+ ++ (
+ if this != "roam" then
+ [
+ {
+ name = "roam";
+ encryptionPasswordFile = config.age.secrets.syncthing-password.path;
+ }
+ ]
+ else
+ [ ]
+ );
 versioning = {
 type = "simple";
 params.keep = "10";
 };
 };
+ };
+
+ folders-desktop = {
 supernote-note = rec {
 id = "supernote-note";
 path = if is-server then "/data/sync/${id}" else "/home/hd/Documents/Supernote/Notizen";
 type = "sendreceive";
- devices = devices-without-this ++ [ "supernote" ];
+ devices = desktop-devices ++ [ "supernote" ];
 versioning = {
 type = "simple";
 params.keep = "10";
@@ -74,7 +77,7 @@ in
 {
 inherit folders;
 settings = {
- devices = var.syncthing;
+ devices = var.syncthing.all;
 };
 key = lib.optionalAttrs is-managed config.age.secrets.syncthing-key.path;
 cert = lib.optionalAttrs is-managed "${../pki/syncthing + "/${this}.cert"}";
diff --git a/var/default.nix b/var/default.nix
index f773fcc..252d05d 100644
--- a/var/default.nix
+++ b/var/default.nix
@@ -9,12 +9,18 @@ let
 };
 load-var = x: import x inputs'; # watch out for cycles
- outputs = {
+ outputs = rec {
 "lan-dns" = load-var ./lan-dns.nix;
 "ssh-keys" = load-var ./ssh-keys.nix;
 "wg" = load-var ./wg.nix;
 "syncthing" = load-var ./syncthing.nix;
- "syncthing-managed-clients" = lib'.importJSON ./syncthing-managed-clients.json;
+ desktops = [
+ "c2"
+ "fw"
+ "solo"
+ ];
+ servers = [ "roam" ];
+ clients = desktops ++ servers;
 };
 in
 outputs
diff --git a/var/syncthing.nix b/var/syncthing.nix
index cb9cb6f..e4cd69a 100644
--- a/var/syncthing.nix
+++ b/var/syncthing.nix
@@ -1,6 +1,6 @@
 { var, lib, ... }:
 let
- inherit (var.syncthing-managed-clients) managed_clients hashes;
+ inherit (lib.importJSON ./syncthing-managed-clients.json) managed_clients hashes;
 unmanaged = {
 "supernote".id = "3LHXAND-FXDIDWR-7BYAIX4-3GW2BWY-IHTX7HH-LTEDI5T-W7ETGVC-BUP2NAF";
 };
@@ -15,4 +15,7 @@ assert (
 [ ] == (lib.intersectLists managed_clients (builtins.attrNames unmanaged))
 ) "Syncthing clients must either be unmanaged or declaratively configured.";
-unmanaged // builtins.mapAttrs (_: v: { id = v; }) hashes
+rec {
+ managed = builtins.mapAttrs (_: v: { id = v; }) hashes;
+ all = unmanaged // managed;
+}
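Review bot: The hostnames in `desktops` and `servers` are a second list of machines next to `managed_clients` in syncthing-managed-clients.json, and nothing in the change checks that the two agree; mod/syncthing.nix's `desktop-devices = lib.intersectLists var.desktops devices` (hunk on L2) silently drops any desktop whose name is not a key of `var.syncthing.all`, so a host present in only one list would leave every folder's device set without an evaluation error. Since `outputs` is now `rec`, the check can sit beside the lists, e.g. `clients = assert builtins.all (c: syncthing.all ? ${c}) (desktops ++ servers); desktops ++ servers;` — assuming that referencing `syncthing` from here does not create the cycle the `load-var` comment warns about. `clients` has no consumer visible in this diff; if it is unused, dropping it would be the simpler change.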
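Review bot: `all = unmanaged // managed;` lets a managed entry silently overwrite an unmanaged device of the same name, and the guard above it compares `managed_clients` with the unmanaged names rather than the keys of `hashes` that `managed` (and, via `var.syncthing.managed ? ${this}`, the new `is-managed` in mod/syncthing.nix) is built from. If the JSON's two fields ever diverge, a duplicate key would replace `supernote`'s device id with the id from `hashes` without any error, which is the drift the existing assertion is there to catch. Asserting on the set that is actually merged closes the gap: `all = assert [ ] == lib.intersectLists (builtins.attrNames managed) (builtins.attrNames unmanaged); unmanaged // managed;`. Whether `managed_clients` and the keys of `hashes` are kept consistent by whatever produces the JSON is not visible here. The `assert (` these lines close starts outside the hunk.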