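# Derived views over ./hosts.nix for the NixOS hosts managed by this config:
# WireGuard peer entries, SSH public keys, Syncthing device IDs and LAN DNS
# records. Everything is computed from hosts.nix and
# syncthing-managed-clients.json; the only data kept inline is the list of
# non-NixOS Syncthing peers.
{
  # Default lets the file be evaluated standalone; callers inside the
  # configuration are expected to pass their own `lib`.
  lib ? (import <nixpkgs> { }).lib,
}:
let
  hosts = import ./hosts.nix;

  # All NixOS hosts managed by this config, keyed by host name.
  nixos-managed = hosts.servers // hosts.desktops;

  # Syncthing device IDs, keyed by host name. Generated by
  # bin/gen-syncthing-cert and stored as JSON next to this file. Only the
  # device IDs are kept here; the certificates themselves are not part of
  # this file.
  syncthing-hashes = (lib.importJSON ./syncthing-managed-clients.json).hashes;

  # Syncthing peers that are not NixOS hosts and therefore not in hosts.nix.
  syncthing-external = {
    "supernote".id = "3LHXAND-FXDIDWR-7BYAIX4-3GW2BWY-IHTX7HH-LTEDI5T-W7ETGVC-BUP2NAF";
    "p9".id = "5QR3JDC-JAI6JGR-ZTT7R42-LLPQIN6-YQ6X47E-PWXGMGU-72RZIRA-PJR7VQZ";
  };

  # wg-quick-compatible peer entry for one host. `publicKey`,
  # `persistentKeepalive` and `ip` are required in `h.wg`; `allowedIPs`
  # defaults to the host's own /32 and `endpoint` is only emitted when the
  # host declares one.
  mkWgEntry =
    _name: h:
    {
      inherit (h.wg) publicKey persistentKeepalive;
      ips = [ "${h.wg.ip}/32" ];
      allowedIPs = h.wg.allowedIPs or [ "${h.wg.ip}/32" ];
    }
    // lib.optionalAttrs (h.wg ? endpoint) { inherit (h.wg) endpoint; };

  wireguard-network = lib.mapAttrs mkWgEntry nixos-managed;

  # Host name -> WireGuard address (without prefix length).
  wg-ips = lib.mapAttrs (_: h: h.wg.ip) nixos-managed;

  # `<host>.lan` -> WireGuard IP for every managed host, plus service aliases
  # that all resolve to the `roam` host.
  lan-all-hosts =
    lib.mapAttrs' (name: ip: lib.nameValuePair "${name}.lan" ip) wg-ips
    // {
      "git.lan" = wg-ips.roam;
      "syncthing.roam.lan" = wg-ips.roam;
      "qbt.lan" = wg-ips.roam;
      "rss.lan" = wg-ips.roam;
    };

  syncthing-managed = lib.mapAttrs (_: id: { inherit id; }) syncthing-hashes;
  syncthing-devices = syncthing-managed // syncthing-external;

  # SSH public keys per host, for the `hd` user and for root.
  ssh-by-host = {
    hd = lib.mapAttrs (_: h: h.ssh.hd) nixos-managed;
    root = lib.mapAttrs (_: h: h.ssh.root) nixos-managed;
  };
in
# Every managed host must have a Syncthing device ID, otherwise the derived
# `syncthing` views would silently omit it.
assert lib.assertMsg (lib.all (h: builtins.hasAttr h syncthing-hashes) (
  lib.attrNames nixos-managed
)) "Not all NixOS hosts have a syncthing hash. 
Run bin/gen-syncthing-cert.";
{
  desktops = lib.attrNames hosts.desktops;
  servers = lib.attrNames hosts.servers;
  hosts = lib.attrNames nixos-managed;

  ssh-keys = {
    by-host = ssh-by-host;
    hd = lib.attrValues ssh-by-host.hd;
    root = lib.attrValues ssh-by-host.root;
    desktops = {
      hd = lib.mapAttrsToList (_: h: h.ssh.hd) hosts.desktops;
      root = lib.mapAttrsToList (_: h: h.ssh.root) hosts.desktops;
    };
  };

  wg = {
    # Path to the WireGuard key on each host; only the path is set here, the
    # file itself is not managed by this expression.
    keyFile = "/var/secrets/wg.key";
    inherit wireguard-network;
    ips = wg-ips;
    # Peer list for `host`: every other managed host, with `ips` dropped
    # because that field describes the host's own interface address rather
    # than a peer attribute.
    peers-for =
      host:
      lib.pipe wireguard-network [
        (lib.filterAttrs (peer: _: peer != host))
        lib.attrValues
        (map (entry: removeAttrs entry [ "ips" ]))
      ];
  };

  syncthing = {
    managed = syncthing-managed;
    devices = syncthing-devices;
    device-names = {
      all = lib.attrNames syncthing-devices;
      desktops = lib.attrNames hosts.desktops;
    };
  };

  lan-dns = {
    hosts = lan-all-hosts;
    # hosts(5)-style rendering: one "<ip>\t<name>" line per entry, no
    # trailing newline.
    hostsFile = lib.concatStringsSep "\n" (
      lib.mapAttrsToList (name: ip: "${ip}\t${name}") lan-all-hosts
    );
  };
}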