simplify var

var/default.nix

@@ -1,30 +1,93 @@
 {
-  lib ? null,
+  lib ? (import <nixpkgs> { }).lib,
 }:
 let
-  lib' = if builtins.isNull lib then (import <nixpkgs> { }).lib else lib;
-  inputs' = {
-    lib = lib';
-    var = outputs;
-  };
-  load-var = x: import x inputs';
+  hosts = import ./hosts.nix;
 
-  # watch out for cycles
-  outputs = rec {
-    # We list the hosts here manually instead of getting them from the flake.
-    # This way, var can be used standalone
-    nixos-desktops = [
-      "c2"
-      "fw"
-      "solo"
-    ];
-    nixos-servers = [ "roam" ];
-    nixos-hosts = nixos-desktops ++ nixos-servers;
+  # All NixOS hosts managed by this config
+  nixos-managed = hosts.servers // hosts.desktops;
 
-    "lan-dns" = load-var ./lan-dns.nix;
-    "ssh-keys" = load-var ./ssh-keys.nix;
-    "wg" = load-var ./wg.nix;
-    "syncthing" = load-var ./syncthing.nix;
+  # Syncthing device IDs. Generated by bin/gen-syncthing-cert, stored in JSON
+  syncthing-hashes = (lib.importJSON ./syncthing-managed-clients.json).hashes;
+
+  # Non-NixOS syncthing peers
+  syncthing-external = {
+    "supernote".id = "3LHXAND-FXDIDWR-7BYAIX4-3GW2BWY-IHTX7HH-LTEDI5T-W7ETGVC-BUP2NAF";
+    "p9".id = "5QR3JDC-JAI6JGR-ZTT7R42-LLPQIN6-YQ6X47E-PWXGMGU-72RZIRA-PJR7VQZ";
   };
+
+  # Build wg-quick-compatible peer entries from host data
+  mkWgEntry =
+    _name: h:
+    {
+      inherit (h.wg) publicKey persistentKeepalive;
+      ips = [ "${h.wg.ip}/32" ];
+      allowedIPs = if h.wg ? allowedIPs then h.wg.allowedIPs else [ "${h.wg.ip}/32" ];
+    }
+    // lib.optionalAttrs (h.wg ? endpoint) { inherit (h.wg) endpoint; };
+
+  wireguard-network = lib.mapAttrs mkWgEntry nixos-managed;
+  wg-ips = lib.mapAttrs (_: h: h.wg.ip) nixos-managed;
+
+  lan-all-hosts =
+    lib.mapAttrs' (name: ip: {
+      name = "${name}.lan";
+      value = ip;
+    }) wg-ips
+    // {
+      "git.lan" = wg-ips.roam;
+      "syncthing.roam.lan" = wg-ips.roam;
+      "qbt.lan" = wg-ips.roam;
+    };
+
+  syncthing-managed = lib.mapAttrs (_: id: { inherit id; }) syncthing-hashes;
+
+  wg-ip-list = lib.attrValues wg-ips;
+
 in
-outputs
+assert lib.assertMsg (lib.all (h: syncthing-hashes ? ${h}) (
+  lib.attrNames nixos-managed
+)) "Not all NixOS hosts have a syncthing hash. Run bin/gen-syncthing-cert.";
+{
+  desktops = lib.attrNames hosts.desktops;
+  servers = lib.attrNames hosts.servers;
+  hosts = lib.attrNames nixos-managed;
+
+  ssh-keys = rec {
+    by-host = {
+      hd = lib.mapAttrs (_: h: h.ssh.hd) nixos-managed;
+      root = lib.mapAttrs (_: h: h.ssh.root) nixos-managed;
+    };
+    hd = lib.attrValues by-host.hd;
+    root = lib.attrValues by-host.root;
+    desktops = {
+      hd = lib.mapAttrsToList (_: h: h.ssh.hd) hosts.desktops;
+      root = lib.mapAttrsToList (_: h: h.ssh.root) hosts.desktops;
+    };
+  };
+
+  wg = {
+    keyFile = "/var/secrets/wg.key";
+    inherit wireguard-network;
+    ips = wg-ips;
+    peers-for =
+      host:
+      map (lib.filterAttrs (n: _: n != "ips")) (
+        lib.attrValues (lib.filterAttrs (n: _: n != host) wireguard-network)
+      );
+  };
+
+  syncthing = rec {
+    managed = syncthing-managed;
+    devices = syncthing-managed // syncthing-external;
+    device-names = {
+      all = lib.attrNames devices;
+      desktops = lib.attrNames hosts.desktops;
+    };
+  };
+
+  lan-dns = {
+    hosts = lan-all-hosts;
+    hostsFile = lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: "${v}\t${n}") lan-all-hosts);
+  };
+}