diff --git a/ci/fmt.nix b/ci/fmt.nix
new file mode 100644
index 00000000..0f106fd8
--- /dev/null
+++ b/ci/fmt.nix
@@ -0,0 +1,11 @@
+{
+ nix = {
+ whitelist = [
+ "systems/mediabox/nixos.nix"
+ ];
+ blacklistDirs = [
+ "overlays"
+ "ci"
+ ];
+ };
+}
diff --git a/ci/statix.toml b/ci/statix.toml
new file mode 100644
index 00000000..d30f772e
--- /dev/null
+++ b/ci/statix.toml
@@ -0,0 +1,10 @@
+disabled = [
+ "repeated_keys",
+ "empty_pattern",
+]
+nix_version = '2.4'
+ignore = [
+ '.direnv',
+ 'ci',
+ 'overlays',
+]
diff --git a/devShell.nix b/devShell.nix
index 2914f250..c4c832f3 100644
--- a/devShell.nix
+++ b/devShell.nix
@@ -35,6 +35,26 @@
 cd "$NF_CONFIG_ROOT/tf"
 exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-lint-tf" -- "$@"
 '';
+ nf-lint-nix = pkgs.writeShellScriptBin "nf-lint-nix" ''
+ cd "$NF_CONFIG_ROOT"
+ exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-lint-nix" -- "$@"
+ '';
+ nf-fmt-nix = pkgs.writeShellScriptBin "nf-fmt-nix" ''
+ cd "$NF_CONFIG_ROOT"
+ exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-fmt-nix" -- "$@"
+ '';
+ nf-alejandra = pkgs.writeShellScriptBin "alejandra" ''
+ cd "$NF_CONFIG_ROOT"
+ exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-alejandra" -- "$@"
+ '';
+ nf-statix = pkgs.writeShellScriptBin "statix" ''
+ cd "$NF_CONFIG_ROOT"
+ exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-statix" -- "$@"
+ '';
+ nf-deadnix = pkgs.writeShellScriptBin "deadnix" ''
+ cd "$NF_CONFIG_ROOT"
+ exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deadnix" -- "$@"
+ '';
 nf-kustomize = pkgs.writeShellScriptBin "kustomize" ''
 exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#pkgs.kustomize" -- "$@"
 '';
@@ -52,6 +72,11 @@ in
 nf-deploy
 nf-tf
 nf-lint-tf
+ nf-lint-nix
+ nf-fmt-nix
+ nf-alejandra
+ nf-statix
+ nf-deadnix
 nf-kustomize
 nf-argocd
 ];
diff --git a/modules/meta/imports.nix b/modules/meta/imports.nix
index 8b6a513e..57f35e65 100644
--- a/modules/meta/imports.nix
+++ b/modules/meta/imports.nix
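Review bot: ci/fmt.nix gives no hint what `whitelist` and `blacklistDirs` control; the reader has to open modules/meta/packages.nix to learn that `whitelist` is the default file set `nf-fmt-nix` hands to alejandra while `blacklistDirs` is what `nf-alejandra` and `nf-deadnix` exclude. A one-line comment above each list, e.g. `# files nf-fmt-nix formats when called without arguments` and `# directories nf-alejandra and nf-deadnix skip`, would make the file self-explanatory. The same `ci`/`overlays` pair is repeated by hand in ci/statix.toml's `ignore` list (plus `.direnv`, which fmt.nix lacks), so a note naming that file as the place to keep in sync would help avoid the two lists drifting apart.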
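Review bot: The new devShell wrappers named `alejandra`, `statix` and `deadnix` shadow the real tools and `cd "$NF_CONFIG_ROOT"` before exec'ing, so any relative path a user passes is resolved against the repo root rather than the directory they ran the command from; `statix check modules` typed inside `nixos/` silently targets `<root>/modules`. The `cd` appears necessary because the exclude lists wired up in modules/meta/packages.nix are root-relative, but that is not visible here, unlike the neighbouring `nf-kustomize` wrapper which does not change directory. A short comment above the three tool-named wrappers, such as `# runs from the repo root: the exclude lists in ci/fmt.nix are root-relative, so relative arguments resolve there too`, would document the behaviour. The surrounding `let` block and the package list in the second hunk start and end outside this view.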
@@ -18,7 +18,7 @@ with lib; {
 };
 config = {
 network.importing = {
- nixosImports = mkDefault (map (path: toString path) [
+ nixosImports = mkDefault (map toString [
 (root + "/nixos/systems/HN.nix")
 (root + "/nixos/systems/HN/nixos.nix")
 ]);
diff --git a/modules/meta/packages.nix b/modules/meta/packages.nix
index d5835e2f..2ba9f97c 100644
--- a/modules/meta/packages.nix
+++ b/modules/meta/packages.nix
@@ -7,7 +7,9 @@
 inherit (lib.options) mkOption;
 inherit (lib.types) attrsOf package;
 inherit (lib.meta) getExe;
+ inherit (lib.strings) concatStringsSep concatMapStringsSep;
 cfg = config.outputs.packages;
+ fmt = import ../../ci/fmt.nix;
 in {
 options.outputs.packages = mkOption {
 type = attrsOf package;
@@ -15,13 +17,54 @@ in {
 };
 config.outputs.packages = {
- inherit (pkgs.buildPackages) terraform tflint;
+ inherit (pkgs.buildPackages)
+ terraform tflint
+ alejandra deadnix statix
+ ;
 nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
 exec ${pkgs.runtimeShell} ${../../ci/deploy.sh} "$@"
 '';
+ nf-statix = pkgs.writeShellScriptBin "nf-statix" ''
+ if [[ $# -eq 0 ]]; then
+ set -- check
+ fi
+
+ if [[ ''${1-} = check ]]; then
+ shift
+ set -- check --config ${../../ci/statix.toml} "$@"
+ fi
+
+ exec ${getExe cfg.statix} "$@"
+ '';
+ nf-deadnix = let
+ inherit (fmt.nix) blacklistDirs;
+ excludes = "${getExe pkgs.buildPackages.findutils} ${concatStringsSep " " blacklistDirs} -type f";
+ in pkgs.writeShellScriptBin "nf-deadnix" ''
+ exec ${getExe cfg.deadnix} "$@" \
+ --no-lambda-arg \
+ --exclude $(${excludes})
+ '';
+ nf-alejandra = let
+ inherit (fmt.nix) blacklistDirs;
+ excludes = concatMapStringsSep " " (dir: "--exclude ${dir}") blacklistDirs;
+ in pkgs.writeShellScriptBin "nf-alejandra" ''
+ exec ${getExe cfg.alejandra} \
+ ${excludes} \
+ "$@"
+ '';
 nf-lint-tf = pkgs.writeShellScriptBin "nf-lint-tf" ''
 ${getExe cfg.terraform} fmt "$@" && ${cfg.tflint}/bin/tflint '';
+ nf-lint-nix = pkgs.writeShellScriptBin "nf-lint-nix" ''
+ ${getExe cfg.nf-statix} check "$@" &&
+ ${getExe cfg.nf-deadnix} -f "$@"
+ '';
+ nf-fmt-nix = let
+ inherit (fmt.nix) whitelist;
+ includes = concatStringsSep " " whitelist;
+ in pkgs.writeShellScriptBin "nf-fmt-nix" ''
+ exec ${getExe cfg.nf-alejandra} ${includes} "$@"
+ '';
 };
 }
diff --git a/modules/nixos/postgres.nix b/modules/nixos/postgres.nix
index b54fcebc..0047bce8 100644
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
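Review bot: In `nf-statix` the `--config ${../../ci/statix.toml}` flag is only injected when the first argument is `check`, so `nf-statix fix` runs without the `disabled` and `ignore` lists from ci/statix.toml and may rewrite files under `ci` and `overlays` that `check` deliberately skips; statix otherwise looks for a `statix.toml` in the current directory, which this repo keeps under `ci/`. If `fix` accepts `--config` the way `check` does, the guard can cover both subcommands: `if [[ ''${1-} = check || ''${1-} = fix ]]; then`, `sub=$1; shift`, `set -- "$sub" --config ${../../ci/statix.toml} "$@"`. Separately, `nf-deadnix` passes `--exclude $(${excludes})` unquoted, so the `find` output is word-split and an empty result (a missing directory) leaves `--exclude` with no value; this is presumably fine for the current tree but worth a comment stating that assumption. Note that a blank context line or two in this hunk could not be recovered from the collapsed diff.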
@@ -55,7 +55,7 @@
 host ${config.authentication.database} ${config.name} ${formatHost host} ${config.authentication.method}
 '') config.authentication.hosts);
 };
- authentication.database = mkIf (config.ensureDBOwnership) (
+ authentication.database = mkIf config.ensureDBOwnership (
 mkOptionDefault config.name
 );
 };
diff --git a/nixos/access/proxmox.nix b/nixos/access/proxmox.nix
index 3487e4fd..9b89ed29 100644
--- a/nixos/access/proxmox.nix
+++ b/nixos/access/proxmox.nix
@@ -8,8 +8,8 @@
 inherit (lib.modules) mkIf mkMerge mkDefault;
 inherit (lib.strings) escapeRegex;
 inherit (lib.lists) singleton optional;
- inherit (config.services) tailscale;
- inherit (config.services.nginx) virtualHosts;
+ inherit (config.services) nginx tailscale;
+ inherit (nginx) virtualHosts;
 access = config.services.nginx.access.proxmox;
 proxyPass = "https://reisen.local.gensokyo.zone:8006/";
 unencrypted = pkgs.mkSnakeOil {
@@ -111,6 +111,6 @@ in {
 config.sops.secrets.access-proxmox = {
 sopsFile = mkDefault ../secrets/access-proxmox.yaml;
 owner = config.services.nginx.user;
- group = config.services.nginx.group;
+ inherit (nginx) group;
 };
 }
diff --git a/packages/androidtvremote2.nix b/packages/androidtvremote2.nix
index 0cc07405..7d26b5e4 100644
--- a/packages/androidtvremote2.nix
+++ b/packages/androidtvremote2.nix
@@ -1,5 +1,4 @@
-{ lib
-, buildPythonPackage
+{ buildPythonPackage
 , fetchFromGitHub
 , aiofiles
 , cryptography
diff --git a/systems/hakurei/nixos.nix b/systems/hakurei/nixos.nix
index d58b649b..d1cc1b4c 100644
--- a/systems/hakurei/nixos.nix
+++ b/systems/hakurei/nixos.nix
@@ -89,9 +89,8 @@ in {
 url = "http://${mediabox.networking.access.hostnameForNetwork.local}:32400";
 };
 access.kanidm = assert kanidm.enableServer; {
- domain = kanidm.server.frontend.domain;
+ inherit (kanidm.server.frontend) domain port;
 host = tei.networking.access.hostnameForNetwork.local;
- port = kanidm.server.frontend.port;
 ldapPort = kanidm.server.ldap.port;
 ldapEnable = kanidm.server.ldap.enable;
 };
diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix
index d4a79589..4f0f336a 100644
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
@@ -4,7 +4,7 @@
 lib,
 ...
 }: let
- inherit (lib.modules) mkIf mkMerge;
+ inherit (lib.modules) mkIf;
 inherit (lib.attrsets) listToAttrs nameValuePair;
 inherit (access) systemFor;
 inherit (config.networking) hostName;
diff --git a/tree.nix b/tree.nix
index 15a91788..e3c3585b 100644
--- a/tree.nix
+++ b/tree.nix
@@ -25,7 +25,7 @@
 "modules/nixos" = {
 functor = {
 external =
- (with (import (inputs.arcexprs + "/modules")).nixos; [
+ with (import (inputs.arcexprs + "/modules")).nixos; [
 nix
 systemd
 dht22-exporter
@@ -46,7 +46,7 @@
 mosh
 doc-warnings
 inputs.systemd2mqtt.nixosModules.default
- ]);
+ ];
 };
 };
 "modules/nixos".functor.enable = true;