diff --git a/devices/servivi/modules/nfs.nix b/devices/servivi/modules/nfs.nix
index 154fcd2..31edad7 100644
--- a/devices/servivi/modules/nfs.nix
+++ b/devices/servivi/modules/nfs.nix
@@ -1,14 +1,27 @@
 # TODO: move this to NAS?
-
-{...}: {
+{lib, ...}: let
+ inherit (lib) concatMapStringsSep concatStringsSep;
+in {
 services.nfs.server = {
 enable = true;
 createMountPoints = true;
- exports = ''
- /export 10.0.0.244(rw,crossmnt,fsid=0,no_root_squash) 10.0.0.159(rw,crossmnt,fsid=0,no_root_squash) 100.64.0.8(rw,crossmnt,fsid=0,no_root_squash) 100.64.0.9(rw,crossmnt,fsid=0,no_root_squash)
- /export/caddy 10.0.0.244(rw,nohide,no_root_squash) 10.0.0.159(rw,nohide,no_root_squash) 100.64.0.8(rw,nohide,no_root_squash) 100.64.0.9(rw,nohide,no_root_squash)
- /export/headscale 10.0.0.244(rw,nohide,no_root_squash) 10.0.0.159(rw,nohide,no_root_squash) 100.64.0.8(rw,nohide,no_root_squash) 100.64.0.9(rw,nohide,no_root_squash)
+ exports = let
+ mkExport = dir: opts: ips: "/export${dir} ${
+ concatMapStringsSep " "
+ (ip: ip + "(${concatStringsSep "," opts})")
+ ips
+ }";
+
+ mkRootExport = opts: ips:
+ mkExport "" (opts ++ ["crossmnt" "fsid=0"]) ips;
+
+ allowedIps = ["10.0.0.244" "100.64.0.8" "10.0.0.159" "100.64.0.9"];
+ options = ["rw" "no_root_squash" "no_subtree_check"];
+ in ''
+ ${mkRootExport options allowedIps}
+ ${mkExport "/caddy" options allowedIps}
+ ${mkExport "/headscale" options allowedIps}
 '';
 };
 }
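Review bot: The shared `options` list combines `no_root_squash` with `rw` for every export and all four `allowedIps`, so root on any one of those clients acts as root on `/export`, `/export/caddy` and `/export/headscale`; the old exports did the same, but the refactor turns it into a default that every future `mkExport` call inherits. With NFS's default `sec=sys`, clients are identified by source address only, so these IP entries are the entire access control. Consider keeping it out of the shared list and opting in per export where a client really needs root ownership, e.g. `options = ["rw" "no_subtree_check"];` and `${mkExport "/caddy" (options ++ ["no_root_squash"]) allowedIps}`, with a comment saying why. Separately, `/caddy` and `/headscale` no longer carry `nohide`; that is probably covered by `crossmnt` on the root export, but it is worth confirming with a client mount.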