diff --git a/ci/fmt-nix.sh b/ci/fmt-nix.sh
index 2beeb9fa..eecc8140 100644
--- a/ci/fmt-nix.sh
+++ b/ci/fmt-nix.sh
@@ -1,4 +1,4 @@
 #!/usr/bin/env bash
 set -eu
 
-exec nf-alejandra "${NF_NIX_WHITELIST_FILES[@]}" "$@"
+exec nf-alejandra "${NF_NIX_WHITELIST_DIRS[@]}" "${NF_NIX_WHITELIST_FILES[@]}" "$@"
diff --git a/ci/fmt.nix b/ci/fmt.nix
index fe1abddc..3e282a82 100644
--- a/ci/fmt.nix
+++ b/ci/fmt.nix
@@ -1,27 +1,17 @@
 {
   nix = {
     whitelist = [
-      "systems/default.nix"
-      "systems/ct/default.nix"
-      "systems/ct/nixos.nix"
-      "systems/hakurei/default.nix"
-      "systems/kuwubernetes/default.nix"
-      "systems/kuwubernetes/nixos.nix"
-      "systems/mediabox/default.nix"
-      "systems/mediabox/nixos.nix"
-      "systems/reimu/default.nix"
-      "systems/tei/default.nix"
-      "systems/tei/nixos.nix"
-      "systems/tei/cloudflared.nix"
-      "systems/tewi/default.nix"
-      "systems/tewi/nixos.nix"
       "overlays/default.nix"
+      "ci/fmt.nix"
       "devShells.nix"
       "shell.nix"
       "lib.nix"
       "outputs.nix"
       "tree.nix"
     ];
+    whitelistDirs = [
+      "systems"
+    ];
     blacklistDirs = [
       "overlays"
       "ci"
diff --git a/devShells.nix b/devShells.nix
index e515516b..51f568de 100644
--- a/devShells.nix
+++ b/devShells.nix
@@ -10,9 +10,16 @@
     subdir ? null,
     exe ? null,
   }: let
-    subcommand = if exe == null then "run" else "shell";
-    exeArg = if exe == null then "--" else "-c ${exe}";
-  in pkgs.writeShellScriptBin name ''
+    subcommand =
+      if exe == null
+      then "run"
+      else "shell";
+    exeArg =
+      if exe == null
+      then "--"
+      else "-c ${exe}";
+  in
+    pkgs.writeShellScriptBin name ''
       ${optionalString (subdir != null) ''cd "$NF_CONFIG_ROOT${subdir}"''}
       exec nix ${subcommand} ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#${attr}" ${exeArg} "$@"
     '';
diff --git a/lib.nix b/lib.nix
index 355428a9..a64dedfe 100644
--- a/lib.nix
+++ b/lib.nix
@@ -29,9 +29,9 @@
       nibble0 + (fixedWidthString 1 "0" (toHexStringLower nibble1));
   in "${part0 (part 0)}${part 1}:${part 2}ff:fe${part 3}:${part 4}${part 5}";
 
-  userIs = group: user: builtins.elem group (user.extraGroups ++ [ user.group ]);
+  userIs = group: user: builtins.elem group (user.extraGroups ++ [user.group]);
 
-  mkWinPath = replaceStrings [ "/" ] [ "\\" ];
+  mkWinPath = replaceStrings ["/"] ["\\"];
 in {
   inherit tree nixlib inputs;
   std = inputs.self.lib.Std.Std.compat;
@@ -40,5 +40,5 @@ in {
     inherit mkWinPath userIs eui64 toHexStringLower hexCharToInt;
     inherit (inputs.arcexprs.lib) unmerged;
   };
-  generate = import ./generate.nix { inherit inputs tree; };
+  generate = import ./generate.nix {inherit inputs tree;};
 }
diff --git a/packages/default.nix b/packages/default.nix
index ad6fc8db..e2b56373 100644
--- a/packages/default.nix
+++ b/packages/default.nix
@@ -16,6 +16,7 @@
   '';
   exportsFmtNix = ''
     NF_NIX_BLACKLIST_DIRS=(${string.concatMapSep " " string.escapeShellArg fmt.nix.blacklistDirs})
+    NF_NIX_WHITELIST_DIRS=(${string.concatMapSep " " string.escapeShellArg fmt.nix.whitelistDirs})
     NF_NIX_WHITELIST_FILES=(${string.concatMapSep " " string.escapeShellArg fmt.nix.whitelist})
   '';
   output = {
@@ -110,6 +111,7 @@
     nf-alejandra = pkgs.writeShellScriptBin "nf-alejandra" ''
       ${exports}
       ${exportsFmtNix}
+      export PATH="${makeBinPath [ packages.alejandra ]}:$PATH"
       source ${../ci/alejandra.sh}
     '';
     nf-lint-tf = pkgs.writeShellScriptBin "nf-lint-tf" ''
diff --git a/systems/aya/nixos.nix b/systems/aya/nixos.nix
index 7e8c365c..4b15fd8f 100644
--- a/systems/aya/nixos.nix
+++ b/systems/aya/nixos.nix
@@ -1,7 +1,4 @@
-{
-  meta,
-  ...
-}: {
+{meta, ...}: {
   imports = let
     inherit (meta) nixos;
   in [
@@ -28,11 +25,11 @@
       enable = true;
       rejectLocaladdrs = true;
       serviceSettings = rec {
-        wants = [ "localaddrs.service" ];
+        wants = ["localaddrs.service"];
         after = wants;
       };
     };
-    interfaces.eth1 = { };
+    interfaces.eth1 = {};
   };
   systemd.network.networks.eth0 = {
     name = "eth0";
diff --git a/systems/ct/nixos.nix b/systems/ct/nixos.nix
index 8c79d7ad..aaf83f84 100644
--- a/systems/ct/nixos.nix
+++ b/systems/ct/nixos.nix
@@ -1,7 +1,4 @@
-{
-  meta,
-  ...
-}: {
+{meta, ...}: {
   imports = with meta; [
     nixos.reisen-ct
   ];
diff --git a/systems/hakurei/reisen-ssh.nix b/systems/hakurei/reisen-ssh.nix
index 8667f830..62783273 100644
--- a/systems/hakurei/reisen-ssh.nix
+++ b/systems/hakurei/reisen-ssh.nix
@@ -32,15 +32,15 @@ in {
   };
 
   services.openssh = {
-    ports = mkAfter [ sshPort ];
+    ports = mkAfter [sshPort];
   };
   # required for kbd or password authentication
   security.pam.services.sshd.unixAuth = mkForce true;
 
-  networking.firewall.allowedTCPPorts = [ sshPort ];
+  networking.firewall.allowedTCPPorts = [sshPort];
 
   sops.secrets = {
-    tf-proxmox-passwd = { };
+    tf-proxmox-passwd = {};
     tf-proxmox-identity = {
       owner = username;
     };
diff --git a/systems/litterbox/nixos.nix b/systems/litterbox/nixos.nix
index e4112cf9..857ed206 100644
--- a/systems/litterbox/nixos.nix
+++ b/systems/litterbox/nixos.nix
@@ -1,7 +1,4 @@
-{
-  meta,
-  ...
-}: {
+{meta, ...}: {
   imports = let
     inherit (meta) nixos;
   in [
diff --git a/systems/mediabox/nixos.nix b/systems/mediabox/nixos.nix
index fb84d0da..7d0777a4 100644
--- a/systems/mediabox/nixos.nix
+++ b/systems/mediabox/nixos.nix
@@ -62,8 +62,7 @@ in {
             "music/raw"
           ];
       };
-    in
-      [libraryDir];
+    in [libraryDir];
   };
 
   hardware.opengl = {
diff --git a/systems/reimu/nixos.nix b/systems/reimu/nixos.nix
index 1fa1a8e9..ca227936 100644
--- a/systems/reimu/nixos.nix
+++ b/systems/reimu/nixos.nix
@@ -1,7 +1,4 @@
-{
-  meta,
-  ...
-}: {
+{meta, ...}: {
   imports = let
     inherit (meta) nixos;
   in [