diff --git a/external-hosts/fairphone/default.nix b/external-hosts/fairphone/default.nix
new file mode 100644
index 0000000..a8646b8
--- /dev/null
+++ b/external-hosts/fairphone/default.nix
@@ -0,0 +1,29 @@
+{ self, ... }:
+{
+ imports = [ self.nixosModules.default ];
+
+ nixpkgs.hostPlatform = "aarch64-linux";
+
+ custom = {
+ networking = {
+ overlay = {
+ address = "10.254.250.74";
+ role = "client";
+ };
+ underlay.useDhcp = true;
+ };
+
+ services = {
+ nebula = {
+ publicKeyPath = toString ./keys/nebula.pub;
+ certificatePath = toString ./keys/nebula.crt;
+ };
+
+ syncthing = {
+ enable = true;
+ deviceId = "6ROH65D-E65I5F6-URI4OUZ-RCHFC3B-PMBSIHH-5DNLJPS-SYSUWQY-HKYGHQG";
+ folders = [ "Documents" ];
+ };
+ };
+ };
+}
diff --git a/external-hosts/fairphone/keys/nebula.crt b/external-hosts/fairphone/keys/nebula.crt
new file mode 100644
index 0000000..b1e8d52
--- /dev/null
+++ b/external-hosts/fairphone/keys/nebula.crt
@@ -0,0 +1,6 @@
+-----BEGIN NEBULA CERTIFICATE V2-----
+MIG9oFeACWZhaXJwaG9uZaEHBAUK/vpKGKMTDAZjbGllbnQMCXN5bmN0aGluZ4UE
+aYZd9oYEayh99IcgFUP+GVuq3tcsxWoMTgOEhDMlEFpe1AjCbmBFMjtzRWiCIElb
+0YB49Bb2JcLlgcwZlPGgzNBIxclJSjQWFW00pdEXg0DPZt5bCLCfd1nPUk6ty6R7
+UU+YZkx6A0p26wH8TeOVUIoD/9MxpPgEtewH3CPBZQhKFnmpWzDYgF3/WJY/LkQP
+-----END NEBULA CERTIFICATE V2-----
diff --git a/external-hosts/fairphone/keys/nebula.pub b/external-hosts/fairphone/keys/nebula.pub
new file mode 100644
index 0000000..fd518a0
--- /dev/null
+++ b/external-hosts/fairphone/keys/nebula.pub
@@ -0,0 +1,3 @@
+-----BEGIN NEBULA X25519 PUBLIC KEY-----
+SVvRgHj0FvYlwuWBzBmU8aDM0EjFyUlKNBYVbTSl0Rc=
+-----END NEBULA X25519 PUBLIC KEY-----
diff --git a/flake-parts/hosts.nix b/flake-parts/hosts.nix
index ffa40f8..cf0d0bb 100644
--- a/flake-parts/hosts.nix
+++ b/flake-parts/hosts.nix
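Review bot: Nothing in `external-hosts/fairphone/default.nix` records what an external host is or how it differs from an entry under `hosts/`, even though it is evaluated through the same `mkHost` path as a deployable system. From the consumers changed elsewhere in this commit it looks like these configurations exist only to feed cross-host data (nebula nodes, DNS records, syncthing devices, sops creation rules) and are not rebuilt from this flake; if that is the intent, a header comment such as `# External host: evaluated for cross-host data (nebula, DNS, syncthing, sops) only; not deployed by this flake.` would keep deployment-only settings from accumulating here. It would also help to state next to `publicKeyPath`/`certificatePath` that `keys/` holds only public material, so the directory is not mistaken for a secrets location.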
@@ -6,21 +6,33 @@
 }:
 let
 mkHost =
- hostName:
+ hostDir:
 inputs.nixpkgs.lib.nixosSystem {
 specialArgs = { inherit inputs self; };
 modules =
- (lib.singleton { networking = { inherit hostName; }; })
+ (lib.singleton {
+ networking.hostName = hostDir |> lib.baseNameOf |> lib.unsafeDiscardStringContext;
+ })
 ++ (
- "${self}/hosts/${hostName}"
+ hostDir
 |> builtins.readDir
 |> lib.attrNames
- |> lib.filter (file: file |> lib.hasSuffix ".nix")
- |> lib.map (file: "${self}/hosts/${hostName}/${file}")
+ |> lib.filter (lib.hasSuffix ".nix")
+ |> lib.map (file: "${hostDir}/${file}")
 );
 };
+
+ mkHosts =
+ baseDir:
+ baseDir
+ |> builtins.readDir
+ |> lib.filterAttrs (_: type: type == "directory")
+ |> lib.mapAttrs (hostName: _: mkHost "${baseDir}/${hostName}");
 in
 {
- flake.nixosConfigurations =
- "${self}/hosts" |> self.lib.listDirectoryNames |> self.lib.genAttrs mkHost;
+ flake = {
+ nixosConfigurations = mkHosts "${self}/hosts";
+ externalConfigurations = mkHosts "${self}/external-hosts";
+ allHosts = self.nixosConfigurations // self.externalConfigurations;
+ };
 }
diff --git a/flake-parts/sops-config.nix b/flake-parts/sops-config.nix
index 1d9f167..0f4bf47 100644
--- a/flake-parts/sops-config.nix
+++ b/flake-parts/sops-config.nix
@@ -18,14 +18,14 @@
 };
 hostCreationRules =
- self.nixosConfigurations
+ self.allHosts
 |> lib.attrValues
 |> lib.map (host: host.config.custom.sops)
 |> lib.filter (sops: sops.enable)
 |> lib.map mkCreationRule;
 userCreationRules =
- self.nixosConfigurations
+ self.allHosts
 |> lib.attrValues
 |> lib.filter (host: host.config |> lib.hasAttr "home-manager")
 |> lib.map (host: host.config.home-manager.users.seb.custom.sops)
diff --git a/justfile b/justfile
index 0eb077f..20e4e8b 100644
--- a/justfile
+++ b/justfile
@@ -16,7 +16,7 @@ repair:
 nix-store --verify --check-contents --repair
 repl host='$(hostname)':
- nix repl .#nixosConfigurations.{{ host }}
+ nix repl .#allHosts.{{ host }}
 [group('rebuild')]
 rebuild mode:
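Review bot: `allHosts = self.nixosConfigurations // self.externalConfigurations;` lets an external host silently shadow an internal one of the same name, because `//` keeps the right-hand attribute and both sets are keyed by the directory basename that `mkHosts` reads. Since `allHosts` now drives nebula nodes, DNS records, sshd authorized keys and sops creation rules, such a collision would swap a deployed machine's identity in every consumer without any evaluation error. An `assert` on the intersection of the two name sets turns that into a hard failure; the rewrite below shows one form. Separately, `mkHosts` keeps only `readDir` entries of type `"directory"`, so a symlinked host directory is skipped silently, which may or may not be intended.
```nix
flake = {
  # … unchanged: nixosConfigurations / externalConfigurations …
  allHosts =
    let
      clashes = lib.intersectLists (lib.attrNames self.nixosConfigurations) (
        lib.attrNames self.externalConfigurations
      );
    in
    assert lib.assertMsg (clashes == [ ])
      "host names present in both hosts/ and external-hosts/: ${lib.concatStringsSep ", " clashes}";
    self.nixosConfigurations // self.externalConfigurations;
};
```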
diff --git a/modules/system/networking/default.nix b/modules/system/networking/default.nix
index 6e7280d..5b790a4 100644
--- a/modules/system/networking/default.nix
+++ b/modules/system/networking/default.nix
@@ -18,7 +18,7 @@ in
 nodes = lib.mkOption {
 type = lib.types.anything;
 default =
- self.nixosConfigurations
+ self.allHosts
 |> lib.attrValues
 |> lib.map (host: host.config.custom.networking)
 |> lib.map (
diff --git a/modules/system/networking/overlay.nix b/modules/system/networking/overlay.nix
index df79c58..910f3aa 100644
--- a/modules/system/networking/overlay.nix
+++ b/modules/system/networking/overlay.nix
@@ -57,7 +57,7 @@ in
 dnsServers = lib.mkOption {
 type = lib.types.anything;
 default =
- self.nixosConfigurations
+ self.allHosts
 |> lib.attrValues
 |> lib.filter (host: host.config.custom.services.dns.enable)
 |> lib.map (host: host.config.custom.networking.overlay.address);
diff --git a/modules/system/services/dns.nix b/modules/system/services/dns.nix
index 5847a97..f4c204f 100644
--- a/modules/system/services/dns.nix
+++ b/modules/system/services/dns.nix
@@ -27,7 +27,7 @@ in
 netCfg.nodes
 |> lib.map (node: "\"${node.hostName}.${node.overlay.domain}. A ${node.overlay.address}\"");
 serviceRecords =
- self.nixosConfigurations
+ self.allHosts
 |> lib.attrValues
 |> lib.concatMap (
 host:
diff --git a/modules/system/services/sshd.nix b/modules/system/services/sshd.nix
index 2996290..14f35c7 100644
--- a/modules/system/services/sshd.nix
+++ b/modules/system/services/sshd.nix
@@ -41,7 +41,7 @@ in
 };
 users.users.seb.openssh.authorizedKeys.keyFiles =
- self.nixosConfigurations
+ self.allHosts
 |> lib.attrValues
 |> lib.filter (host: host.config.networking.hostName != netCfg.hostName)
 |> lib.filter (host: host.config |> lib.hasAttr "home-manager")
diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix
index a745d10..bdccc4c 100644
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
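Review bot: Switching `users.users.seb.openssh.authorizedKeys.keyFiles` to `self.allHosts` in `sshd.nix` widens who may log in as `seb` on every machine: any directory under `external-hosts/` whose evaluated config carries `home-manager` now contributes its key files to every host's authorized keys. The fairphone entry added in this commit does not visibly import home-manager, so the `lib.hasAttr "home-manager"` filter excludes it today, but that is a property of the current config rather than a stated decision. If external hosts should not become SSH principals, keep `self.nixosConfigurations` on this line; if some should, an explicit per-host opt-in checked here is clearer than relying on the home-manager filter. The attribute's definition continues past the end of the hunk.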
@@ -87,7 +87,7 @@ in
 settings =
 let
 hosts =
- self.nixosConfigurations
+ self.allHosts
 |> lib.filterAttrs (_: host: host.config.networking.hostName != config.networking.hostName)
 |> lib.filterAttrs (_: host: host.config.custom.services.syncthing.enable);
 in
diff --git a/modules/system/web-services/gatus.nix b/modules/system/web-services/gatus.nix
index 475c688..aa8d3f4 100644
--- a/modules/system/web-services/gatus.nix
+++ b/modules/system/web-services/gatus.nix
@@ -173,7 +173,7 @@ in
 web-services.gatus.endpoints =
 let
 defaultEndpoints =
- self.nixosConfigurations
+ self.allHosts
 |> lib.mapAttrs (
 _: host:
 host.config.custom.services.caddy.virtualHosts |> lib.attrValues |> lib.map (vHost: vHost.domain)
diff --git a/profiles/core.nix b/profiles/core.nix
index 39ff2cc..6fb7510 100644
--- a/profiles/core.nix
+++ b/profiles/core.nix
@@ -112,12 +112,4 @@
 sshd.enable = true;
 };
 };
-
- services.syncthing.settings = {
- devices."fairphone" = {
- id = "6ROH65D-E65I5F6-URI4OUZ-RCHFC3B-PMBSIHH-5DNLJPS-SYSUWQY-HKYGHQG";
- addresses = "tcp://10.254.250.74:22000";
- };
- folders."Documents".devices = [ config.services.syncthing.settings.devices."fairphone".name ];
- };
 }
diff --git a/scripts/nebula/recert-all-hosts.nix b/scripts/nebula/recert-all-hosts.nix
index d143bda..f7526b6 100644
--- a/scripts/nebula/recert-all-hosts.nix
+++ b/scripts/nebula/recert-all-hosts.nix
@@ -9,7 +9,7 @@ pkgs.writeShellApplication {
 ];
 text = ''
- hosts="$(nix eval .#nixosConfigurations --apply 'builtins.attrNames' --json | jq -r '.[]')"
+ hosts="$(nix eval .#allHosts --apply 'builtins.attrNames' --json | jq -r '.[]')"
 if ! declare -px BW_SESSION >/dev/null 2>&1; then
 BW_SESSION="$(bw unlock --raw || bw login --raw)"
diff --git a/scripts/nebula/recert-host.nix b/scripts/nebula/recert-host.nix
index 0db5bf2..1aff425 100644
--- a/scripts/nebula/recert-host.nix
+++ b/scripts/nebula/recert-host.nix
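Review bot: The hard-coded fairphone device removed from `profiles/core.nix` carried an explicit `addresses = "tcp://10.254.250.74:22000"`, while the replacement in `syncthing.nix` derives `hosts` from `self.allHosts` filtered on `custom.services.syncthing.enable`; whether this module then sets each device's address from `custom.networking.overlay.address` is outside the hunk. If it does not, fairphone falls back to syncthing's default address discovery, which is a behaviour change for peers that relied on the fixed overlay address. Worth confirming in the part of `settings` that builds the `devices` entries and documenting the choice there. The `settings` attribute continues past the end of the hunk.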
@@ -14,11 +14,11 @@ pkgs.writeShellApplication {
 fi
 host="$1"
- address="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.networking.overlay.cidr")"
- groups="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')"
+ address="$(nix eval --raw ".#allHosts.$host.config.custom.networking.overlay.cidr")"
+ groups="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.groups" --apply 'builtins.concatStringsSep ","')"
 ca_cert='modules/system/services/nebula/ca.crt'
- host_pub="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.publicKeyPath")"
- host_cert="$(nix eval --raw ".#nixosConfigurations.$host.config.custom.services.nebula.certificatePath")"
+ host_pub="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.publicKeyPath")"
+ host_cert="$(nix eval --raw ".#allHosts.$host.config.custom.services.nebula.certificatePath")"
 host_cert="''${host_cert#*-source/}"
 if [[ $# -eq 2 ]]; then