diff --git a/bin/gen-tls-cert b/bin/gen-tls-cert
deleted file mode 100755
index 20b468b..0000000
--- a/bin/gen-tls-cert
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/bin/sh
-tmp=$(mktemp -d)
-trap 'rm -rf -- "$tmp"' EXIT
-
-# ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
-openssl req -x509 -nodes \
- -newkey RSA:2048 \
- -keyout "$tmp/ca.key" \
- -days 365 \
- -out "$tmp/ca.cert" \
- -subj '/CN=hd_root'
-
-rm secrets/tlskey.age
-openssl req -nodes \
- -newkey rsa:2048 \
- -keyout - \
- -out "$tmp/server.csr" \
- -subj '/CN=lan' \
- | agenix -e secrets/tlskey.age
-
-cat > "$tmp/extfile" << EOF
-subjectAltName=DNS:roam.lan,DNS:*.roam.lan,DNS:git.lan
-authorityKeyIdentifier=keyid,issuer
-basicConstraints=CA:FALSE
-keyUsage=digitalSignature,keyEncipherment
-extendedKeyUsage=serverAuth
-EOF
-
-openssl x509 -req \
- -CA "$tmp/ca.cert" \
- -CAkey "$tmp/ca.key" \
- -in "$tmp/server.csr" \
- -out pki/server.cert \
- -days 365 \
- -CAcreateserial \
- -extfile "$tmp/extfile"
-
-mv "$tmp/ca.cert" pki/ca.cert
diff --git a/packages/default.nix b/packages/default.nix
index 05752dc..268ef00 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -1,7 +1,15 @@
 { inputs, system }:
 let
 pkgs = inputs.nixpkgs.legacyPackages.${system};
+ inherit (inputs.nixpkgs) lib;
+ var = import ../var { inherit lib; };
+
+ agenix-pkg = inputs.agenix.packages.${system}.default;
+
+ san = builtins.concatStringsSep "," (map (d: "DNS:" + d) (builtins.attrNames var.lan-dns.hosts));
 in
 {
 supernote-tool = pkgs.callPackage ./supernote-tool.nix { };
+ gen-tls-cert = pkgs.callPackage ./gen-tls-cert.nix { inherit agenix-pkg san; };
+ gen-syncthing-cert = pkgs.callPackage ./gen-syncthing-cert.nix { inherit agenix-pkg; };
 }
diff --git a/packages/gen-syncthing-cert.nix b/packages/gen-syncthing-cert.nix
new file mode 100644
index 0000000..26c5440
--- /dev/null
+++ b/packages/gen-syncthing-cert.nix
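Review bot: The `san` binding builds its list purely from `builtins.attrNames var.lan-dns.hosts`, so it yields only literal DNS entries, whereas the deleted bin/gen-tls-cert also issued `DNS:*.roam.lan`; unless lan-dns.hosts carries a wildcard attribute (not visible in this diff), any name under roam.lan that is not an explicit host loses coverage, and the regenerated pki/server.cert in this commit appears to carry only concrete names. If the wildcard is still wanted, append it explicitly: `san = builtins.concatStringsSep "," (map (d: "DNS:" + d) (builtins.attrNames var.lan-dns.hosts) ++ [ "DNS:*.roam.lan" ]);`. If dropping it is intentional, a one-line comment on the `san` binding such as `# Explicit hosts only; the old *.roam.lan wildcard was dropped on purpose.` would keep the next reader from re-adding it.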
@@ -0,0 +1,14 @@
+# Generates Syncthing TLS certs for managed hosts that don't have one.
+{
+ pkgs,
+ agenix-pkg,
+}:
+pkgs.writeShellApplication {
+ name = "gen-syncthing-cert";
+ runtimeInputs = [
+ pkgs.jq
+ pkgs.syncthing
+ agenix-pkg
+ ];
+ text = builtins.readFile ../bin/gen-syncthing-cert;
+}
diff --git a/packages/gen-tls-cert.nix b/packages/gen-tls-cert.nix
new file mode 100644
index 0000000..e2aa6e7
--- /dev/null
+++ b/packages/gen-tls-cert.nix
@@ -0,0 +1,57 @@
+# Generates a self-signed CA and a server TLS cert covering all `.lan` domains
+# defined in var/default.nix.
+{
+ pkgs,
+ agenix-pkg,
+ san,
+}:
+pkgs.writeShellApplication {
+ name = "gen-tls-cert";
+ runtimeInputs = [
+ pkgs.openssl
+ agenix-pkg
+ ];
+ text = ''
+ # ref https://stackoverflow.com/questions/59738140/why-is-firefox-not-trusting-my-self-signed-certificate
+ tmp=$(mktemp -d)
+ trap 'rm -rf -- "$tmp"' EXIT
+
+ openssl req -x509 -nodes \
+ -newkey ed25519 \
+ -keyout "$tmp/ca.key" \
+ -days 365 \
+ -out "$tmp/ca.cert" \
+ -subj '/CN=hd_root'
+
+ rm secrets/tlskey.age
+ openssl req -nodes \
+ -newkey ed25519 \
+ -keyout - \
+ -out "$tmp/server.csr" \
+ -subj '/CN=lan' \
+ | agenix -e secrets/tlskey.age
+
+ # SAN list is derived from var/default.nix (lan-dns.hosts).
+ san="${san}"
+ echo "SAN: $san"
+
+ cat > "$tmp/extfile" << EOF
+ subjectAltName=$san
+ authorityKeyIdentifier=keyid,issuer
+ basicConstraints=CA:FALSE
+ keyUsage=digitalSignature,keyEncipherment
+ extendedKeyUsage=serverAuth
+ EOF
+
+ openssl x509 -req \
+ -CA "$tmp/ca.cert" \
+ -CAkey "$tmp/ca.key" \
+ -in "$tmp/server.csr" \
+ -out pki/server.cert \
+ -days 365 \
+ -CAcreateserial \
+ -extfile "$tmp/extfile"
+
+ mv "$tmp/ca.cert" pki/ca.cert
+ '';
+}
diff --git a/pki/ca.cert b/pki/ca.cert
index aa19f71..5cb4084 100644
--- a/pki/ca.cert
+++ b/pki/ca.cert
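Review bot: With both keys switched to `-newkey ed25519`, the extension file in gen-tls-cert.nix still writes `keyUsage=digitalSignature,keyEncipherment`; an Ed25519 key cannot perform key encipherment and RFC 8410 forbids that bit for id-Ed25519 keys, so the line should become `keyUsage=digitalSignature` before strict validators start rejecting the server cert. Worth confirming as well that the intended clients accept Ed25519 server certificates at all — the referenced Firefox link suggests browsers are the consumer, and browser support for Ed25519 in TLS server certificates has been uneven, which the previous RSA:2048 keys did not have to worry about. Separately, `rm secrets/tlskey.age` runs before any replacement exists: writeShellApplication enables errexit by default, so on a checkout where the file is absent the script aborts here, and if the following `openssl req … | agenix -e` pipeline fails the old key is already gone; `rm -f -- secrets/tlskey.age`, or encrypting to a temporary path and renaming over the old file only on success, avoids both. Finally `san="${san}"` pastes a Nix string verbatim inside double quotes; the host names are repo-controlled so the risk is low, but `san=${pkgs.lib.escapeShellArg san}` removes the assumption that none of them contains `$`, `"` or a backslash.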
@@ -1,19 +1,9 @@
 -----BEGIN CERTIFICATE-----
-MIIDBTCCAe2gAwIBAgIUOp5TCMV734ZH8n7S9qMstDeLUgAwDQYJKoZIhvcNAQEL
-BQAwEjEQMA4GA1UEAwwHaGRfcm9vdDAeFw0yNjAxMzExMjA3MzhaFw0yNzAxMzEx
-MjA3MzhaMBIxEDAOBgNVBAMMB2hkX3Jvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCry5pMvP7Bm3nypYbD4E1RR5Gyu2CkatkRSRBK39NvfkX7GOLJ
-9bWDRDNUj6bw97ZyhCbw7ySV3KI5XfWfy9HWqJtEca3qGg0AwOxuke4Bhl11mb52
-RvU3y8qYLw5imvqKoX5iARmf+o6mk9cu0IFOTypRjgVEeTPM+i65qvwPs+estAl9
-bW7MrxN07hIzDvDWaXnYkIL+3TOXHq+zldD/5f5L17F3XHGUK2yKXBahcdcL2gdj
-eXCb6mXdNmp6dD6CXVSY8EBFjoJyYHAfn13c3f29lIItQU2r8wWt/irNpf5pl7r2
-qyrzDB4q4L5QGhKkZhs05rU6YTReLPKAAl2XAgMBAAGjUzBRMB0GA1UdDgQWBBRk
-r8YAWbZlBTwJQhL2gAyzEk/dhTAfBgNVHSMEGDAWgBRkr8YAWbZlBTwJQhL2gAyz
-Ek/dhTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA1LDP92xo4
-iOIvXZ0uVqR95/2QaB0zARvqP6nJ9XtfyyeDj8fF/iPz0/2FO8Svkba/5ZlEpr19
-49PQ1ufkCVhJTh1aCkJLjmiyYeBZXFRjbw7Tr3O9f9Pe8Ud01nwHyaLl3GHaacL1
-DGjSIpEbkS6zxDxfwhzqXnqKvT37Gcy+hpmMkRX7a3RyYg696azAd+bTjxKpCqmC
-iL0YrH4cnQ8sbKklKNxjjRVAjzWQ7BhPcIXABauNgIOvHHDe7NWcAEMMca5Fcmja
-tRsMLlfwyBM4YgRi9dq66C+LU+LuzBF5L0WTcwf8mXJDieE53A/4D0fig7+nkJrM
-8sWed8nJa0FF
+MIIBODCB66ADAgECAhQ4YPfjqFPYvxNpArFa8DXX/5AGYTAFBgMrZXAwEjEQMA4G
+A1UEAwwHaGRfcm9vdDAeFw0yNjA0MTMwNzM4MjlaFw0yNzA0MTMwNzM4MjlaMBIx
+EDAOBgNVBAMMB2hkX3Jvb3QwKjAFBgMrZXADIQA30s20SD69tXyipehHTavLJE2O
+oXkLP2IXOn5YUUpq0aNTMFEwHQYDVR0OBBYEFIgaWzsBNlRO30Bh21lazfWI7p95
+MB8GA1UdIwQYMBaAFIgaWzsBNlRO30Bh21lazfWI7p95MA8GA1UdEwEB/wQFMAMB
+Af8wBQYDK2VwA0EAKlQ0gkZ94OgOcu9Y/UU2zEjioduIL9A5dfsHAYd0Qp2RZPuE
+QjA/82pBPyrz0ZrDFcSOV2Ii13ZyDc6Spev3CA==
 -----END CERTIFICATE-----
diff --git a/pki/server.cert b/pki/server.cert
index 35c78dd..7cb87e0 100644
--- a/pki/server.cert
+++ b/pki/server.cert
@@ -1,20 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIDSTCCAjGgAwIBAgIUFoZzGii77TrKqg6r5NgmrqGNb8UwDQYJKoZIhvcNAQEL
-BQAwEjEQMA4GA1UEAwwHaGRfcm9vdDAeFw0yNjAxMzExMjA3MzlaFw0yNzAxMzEx
-MjA3MzlaMA4xDDAKBgNVBAMMA2xhbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAJmkEtAdsqVR8zVVoGgVL351Z5spsDbkjYGqM83XN6Edkx33c64FuoOY
-MpD/NqoC7eReQGJ3Oz6cjF+Oe35gO1jyJsQmsjCFVyzyihDjtczGAE6SoaS67kaq
-w2K54myAGo2ESKkzU776gZM0/V44tJuJVWBumxWHmajSgsAdBCGIUKSJJolJvt90
-ghyuoTLS9u1B2wtNvhvWHEwpzCOV3LwWraroDHYXL2tKTMrpqpj6lev/8t9gIPCM
-/q2oN0ILSPyScpuQHP0/Aky9kPycw3EdiTNPqh2UnI/2pw0LNHa3F3dp/f47kqSd
-DlXLkveKPgJLRIbxCJGdgvoacGMce0MCAwEAAaOBmjCBlzAoBgNVHREEITAfgghy
-b2FtLmxhboIKKi5yb2FtLmxhboIHZ2l0LmxhbjAfBgNVHSMEGDAWgBRkr8YAWbZl
-BTwJQhL2gAyzEk/dhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAK
-BggrBgEFBQcDATAdBgNVHQ4EFgQUNLp+qukOiO3z/cfjk4fBalMnOswwDQYJKoZI
-hvcNAQELBQADggEBAFoDA+AHIdBUtpTa1bVXSy4Y53Kn2OMopA47qxY+sgXS0UGx
-2fz7dyhy68AG3V5VnVKpnNAjJdeZdQww3N7KNmjsoI+p5mS+AHucLcMLJaqFaA0t
-+jyLepQFdeh2/VkmbIwFQW+T/oBoCP4i4tkmaa/9mKSkbEOAadcucg7viqmRKN/b
-DJNMkhiahpCATpxRno8ybUzn907UTKBQOseZMW53ecKkgcPQOF6apsM7+/jXkOrO
-D9QeVWCdLLAnpLlubqbuGxPjI0RbLHXwKFayRwKEMj3Gn9njqcZfkVM3QJHc8Pn9
-eADOacl+F1jPO2nTTOQ9tZzfyHW4Gd5tpWqpEb8=
+MIIBsTCCAWOgAwIBAgIUGpf4cVZ+bxPjhAFAyl8jQ1sNQa8wBQYDK2VwMBIxEDAO
+BgNVBAMMB2hkX3Jvb3QwHhcNMjYwNDEzMDczODI5WhcNMjcwNDEzMDczODI5WjAO
+MQwwCgYDVQQDDANsYW4wKjAFBgMrZXADIQAhLd5unI9G7uHqr6BsqDCMJLw/N8JF
+xYUpaCdkqkKhg6OBzjCByzBcBgNVHREEVTBTggZjMi5sYW6CBmZ3LmxhboIHZ2l0
+LmxhboIHcWJ0LmxhboIIcm9hbS5sYW6CB3Jzcy5sYW6CCHNvbG8ubGFughJzeW5j
+dGhpbmcucm9hbS5sYW4wHwYDVR0jBBgwFoAUiBpbOwE2VE7fQGHbWVrN9Yjun3kw
+CQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwHQYD
+VR0OBBYEFBlYz2gpphVvl3ofllfEX++VXFOqMAUGAytlcANBAJoI695qXQ2fjG3q
+2iK8FfjBEdvkrp6VK8xV12WjxZi19X5FhbY9FvRj/ZeM8yhUFKH9uBWjkqd8LuX2
+iHM7vQ0=
 -----END CERTIFICATE-----
diff --git a/secrets/tlskey.age b/secrets/tlskey.age
index 6e17a67..e6a628f 100644
Binary files a/secrets/tlskey.age and b/secrets/tlskey.age differ