style: alejandra $(fd -e nix)

2026-02-09 04:19:19 -08:00 · 2024-03-13 15:08:42 -07:00 · 2024-03-13 15:08:42 -07:00 · e63304937d
commit e63304937d
parent 97d9eecd3c
91 changed files with 1422 additions and 1102 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,3 +6,4 @@
 .terraform
 .DS_Store
 .envrc.conf
+.idea
--- a/docs/derivation.nix
+++ b/docs/derivation.nix
@ -12,13 +12,15 @@
      (hasSuffix ".adoc" path || baseNameOf path == "docinfo.html")
      || type == "directory";
  };
-in stdenvNoCC.mkDerivation {
+in
+  stdenvNoCC.mkDerivation {
    pname = "genso-docs";
    version = "dev";
    inherit src;

    ASCIIDOCTOR_OPTS = [
-    "-a" "docinfo=shared"
+      "-a"
+      "docinfo=shared"
    ];

    nativeBuildInputs = [asciidoctor];
--- a/generate.nix
+++ b/generate.nix
@ -10,14 +10,13 @@
  templateUsers = filterAttrs (_: userIs "peeps") templateSystem.config.users.users;
  mkNodeUsers = users: let
    nodeUsers = mapAttrsToList (_: mkNodeUser) templateUsers;
-  in sortOn (user: user.uid) nodeUsers;
+  in
+    sortOn (user: user.uid) nodeUsers;
  mkNodeUser = user: {
    inherit (user) name uid;
    authorizedKeys = user.openssh.authorizedKeys.keys;
  };
-  mkNode = {
-    name,
-  }: {
+  mkNode = {name}: {
    users = mkNodeUsers templateUsers;
  };
 in {
--- a/modules/nixos/access.nix
+++ b/modules/nixos/access.nix
@ -38,7 +38,9 @@ in {
      default = {};
    };
    localaddrs = {
-      enable = mkEnableOption "localaddrs" // {
+      enable =
+        mkEnableOption "localaddrs"
+        // {
          default = networking.firewall.interfaces.local.nftables.enable;
        };
      stateDir = mkOption {
@ -88,7 +90,8 @@ in {
    localaddrs = {
      nftablesInclude = mkBefore (''
          define localrange6 = 2001:568::/29
-      '' + optionalString cfg.localaddrs.enable ''
+        ''
+        + optionalString cfg.localaddrs.enable ''
          include "${cfg.localaddrs.stateDir}/*.nft"
        '');
      reloadScript = let
@ -111,7 +114,8 @@ in {
      interfaces.local = {
        nftables.conditions = [
          "ip saddr { ${concatStringsSep ", " cfg.cidrForNetwork.local.v4} }"
-          (mkIf networking.enableIPv6
+          (
+            mkIf networking.enableIPv6
            "ip6 saddr { $localrange6, ${concatStringsSep ", " cfg.cidrForNetwork.local.v6} }"
          )
        ];
--- a/modules/nixos/cloudflared.nix
+++ b/modules/nixos/cloudflared.nix
@ -1,4 +1,10 @@
-{ pkgs, config, utils, lib, ... }: let
+{
+  pkgs,
+  config,
+  utils,
+  lib,
+  ...
+}: let
  inherit (lib.attrsets) mapAttrsToList mapAttrs' nameValuePair filterAttrsRecursive;
  inherit (lib.lists) singleton;
  inherit (lib.modules) mkIf mkMerge mkForce;
@ -11,7 +17,9 @@ in {
      tunnelModule = {config, ...}: {
        options = {
          extraTunnel = {
-            enable = mkEnableOption "extra tunnels" // {
+            enable =
+              mkEnableOption "extra tunnels"
+              // {
                default = config.extraTunnel.ingress != {};
              };
            ingress = mkOption {
@ -21,26 +29,32 @@ in {
          };
        };
      };
-    in mkOption {
+    in
+      mkOption {
        type = attrsOf (submodule tunnelModule);
      };
  };
  config.systemd.services = let
    filterConfig = filterAttrsRecursive (_: v: ! builtins.elem v [null [] {}]);
-    mapIngress = hostname: ingress: {
+    mapIngress = hostname: ingress:
+      {
        inherit hostname;
-    } // filterConfig (filterConfig ingress);
-  in mkIf cfg.enable (mapAttrs' (uuid: tunnel: let
+      }
+      // filterConfig (filterConfig ingress);
+  in
+    mkIf cfg.enable (mapAttrs' (uuid: tunnel: let
      RuntimeDirectory = "cloudflared-tunnel-${uuid}";
      configPath = "/run/${RuntimeDirectory}/config.yml";
      settings = {
        tunnel = uuid;
        credentials-file = tunnel.credentialsFile;
-      ingress = mapAttrsToList mapIngress tunnel.ingress
+        ingress =
+          mapAttrsToList mapIngress tunnel.ingress
          ++ mapAttrsToList mapIngress tunnel.extraTunnel.ingress
          ++ singleton {service = tunnel.default;};
      };
-  in nameValuePair "cloudflared-tunnel-${uuid}" (mkMerge [
+    in
+      nameValuePair "cloudflared-tunnel-${uuid}" (mkMerge [
        {
          after = mkIf config.services.tailscale.enable ["tailscale-autoconnect.service"];
          serviceConfig = {
@ -60,5 +74,6 @@ in {
            ];
          };
        })
-  ])) cfg.tunnels);
+      ]))
+    cfg.tunnels);
 }
--- a/modules/nixos/github-runner.nix
+++ b/modules/nixos/github-runner.nix
@ -58,8 +58,10 @@ in {
    };
  };
  config = {
-    systemd.services = mapAttrs' (name: runner: nameValuePair "github-runner-${name}" (
+    systemd.services = mapAttrs' (name: runner:
+      nameValuePair "github-runner-${name}" (
        unmerged.merge runner.serviceSettings
-    )) enabledRunners;
+      ))
+    enabledRunners;
  };
 }
--- a/modules/nixos/home-assistant.nix
+++ b/modules/nixos/home-assistant.nix
@ -17,27 +17,41 @@ in {
      default = config.networking.domain;
    };
    homekit = {
-      enable = mkEnableOption "homekit" // {
+      enable =
+        mkEnableOption "homekit"
+        // {
          default = cfg.config.homekit or [] != [];
        };
-      openFirewall = mkEnableOption "homekit ports" // {
+      openFirewall =
+        mkEnableOption "homekit ports"
+        // {
          default = cfg.openFirewall;
        };
    };
-    googleAssistant.enable = mkEnableOption "Google Assistant" // {
+    googleAssistant.enable =
+      mkEnableOption "Google Assistant"
+      // {
        default = cfg.config.google_assistant or {} != {};
      };
-    androidTv.enable = mkEnableOption "Android TV" // {
+    androidTv.enable =
+      mkEnableOption "Android TV"
+      // {
        default = elem "androidtv" cfg.extraComponents;
      };
-    brother.enable = mkEnableOption "brother" // {
+    brother.enable =
+      mkEnableOption "brother"
+      // {
        default = elem "brother" cfg.extraComponents;
      };
    cast = {
-      enable = mkEnableOption "Chromecast" // {
+      enable =
+        mkEnableOption "Chromecast"
+        // {
          default = elem "cast" cfg.extraComponents;
        };
-      openFirewall = mkEnableOption "Chromecast ports" // {
+      openFirewall =
+        mkEnableOption "Chromecast ports"
+        // {
          default = cfg.openFirewall;
        };
    };
@ -59,7 +73,8 @@ in {
          to = 60999;
        }
      ];
-    in mkIf cfg.enable {
+    in
+      mkIf cfg.enable {
        interfaces.local = {
          allowedTCPPorts = mkIf (!cfg.homekit.openFirewall) homekitTcp;
          allowedUDPPortRanges = mkIf (!cfg.cast.openFirewall) castUdpRanges;
@ -73,7 +88,8 @@ in {
      enable = mkDefault true;
      publish.enable = let
        homekitNames = map (homekit: toLower homekit.name) cfg.config.homekit or [];
-      in mkIf (elem config.networking.hostName homekitNames) false;
+      in
+        mkIf (elem config.networking.hostName homekitNames) false;
    };

    systemd.services.home-assistant = mkIf (cfg.enable && cfg.mutableUiConfig) {
@ -101,7 +117,8 @@ in {
          use_x_forwarded_for = "true";
          trusted_proxies = let
            inherit (config.networking.access) cidrForNetwork;
-          in cidrForNetwork.loopback.all
+          in
+            cidrForNetwork.loopback.all
            ++ cidrForNetwork.local.all
            ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all
            ++ [
@ -157,30 +174,40 @@ in {
    package = let
      inherit (cfg.package) python;
      # https://github.com/pysnmp/pysnmp/issues/51
-      needsPyasn1pin = if lib.versionOlder python.pkgs.pysnmplib.version "6.0"
+      needsPyasn1pin =
+        if lib.versionOlder python.pkgs.pysnmplib.version "6.0"
        then true
        else lib.warn "pyasn1 pin likely no longer needed" false;
      pyasn1prefix = "${python.pkgs.pysnmp-pyasn1}/${python.sitePackages}";
      home-assistant = pkgs.home-assistant.override {
        packageOverrides = self: super: {
          brother = super.brother.overridePythonAttrs (old: {
-            dontCheckRuntimeDeps = if old.dontCheckRuntimeDeps or false
+            dontCheckRuntimeDeps =
+              if old.dontCheckRuntimeDeps or false
              then lib.warn "brother override no longer needed" true
              else true;
          });
          mpd2 = super.mpd2.overridePythonAttrs (old: {
-            patches = old.patches or [ ] ++ [
+            patches =
+              old.patches
+              or []
+              ++ [
                ../../packages/mpd2-skip-flaky-test.patch
              ];
-            disabledTests = unique (old.disabledTests or [ ] ++ [
+            disabledTests = unique (old.disabledTests
+              or []
+              ++ [
                "test_idle_timeout"
              ]);
          });
        };
      };
-    in home-assistant.overrideAttrs (old: {
+    in
+      home-assistant.overrideAttrs (old: {
        makeWrapperArgs = old.makeWrapperArgs ++ optional (cfg.brother.enable && needsPyasn1pin) "--prefix PYTHONPATH : ${pyasn1prefix}";
-      disabledTests = unique (old.disabledTests or [ ] ++ [
+        disabledTests = unique (old.disabledTests
+          or []
+          ++ [
            "test_check_config"
          ]);
      });
@ -192,11 +219,15 @@ in {
      isHassDrv = drv: context: hasSuffix "-${cfg.package.name}.drv" drv && context.outputs or [] == ["out"];
      drvs = filterAttrs isHassDrv (builtins.getContext ExecStart);
      isImpure = builtins ? currentSystem;
-    in mkIf cfg.enable (mkOptionDefault (
-      if isImpure then import (head (attrNames drvs))
+    in
+      mkIf cfg.enable (mkOptionDefault (
+        if isImpure
+        then import (head (attrNames drvs))
        else removeSuffix "/bin/hass" (head (splitString " " ExecStart))
      ));
-    extraPackages = python3Packages: with python3Packages; mkMerge [
+    extraPackages = python3Packages:
+      with python3Packages;
+        mkMerge [
          [
            psycopg2
            securetar
--- a/modules/nixos/jackett.nix
+++ b/modules/nixos/jackett.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.options) mkOption;
 in {
  options.services.jackett = with lib.types; {
--- a/modules/nixos/kanidm.nix
+++ b/modules/nixos/kanidm.nix
@ -66,7 +66,8 @@ in {
            name = "kanidm-cert";
            inherit (cfg.server.unencrypted) domain;
          };
-        in mkOptionDefault cert;
+        in
+          mkOptionDefault cert;
      };
      clientSettings = mkIf cfg.enableServer {
        uri = mkDefault cfg.serverSettings.origin;
--- a/modules/nixos/lidarr.nix
+++ b/modules/nixos/lidarr.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.options) mkOption;
 in {
  options.services.lidarr = with lib.types; {
--- a/modules/nixos/mediatomb.nix
+++ b/modules/nixos/mediatomb.nix
@ -26,14 +26,21 @@
      paths = let
        paths = map (path: "${config.path}/${path}") config.subdirectories;
        path = singleton config.path;
-      in mkOptionDefault (if config.subdirectories != null then paths else path);
+      in
+        mkOptionDefault (
+          if config.subdirectories != null
+          then paths
+          else path
+        );
      recursive = mkDefault true;
      hidden-files = mkDefault false;
    };
  };
 in {
  options.services.mediatomb = with lib.types; {
-    confine = mkEnableOption "containment" // {
+    confine =
+      mkEnableOption "containment"
+      // {
        default = true;
      };
    mediaDirectories = mkOption {
@ -47,9 +54,13 @@ in {
  };
  config.systemd.services.mediatomb = mkIf cfg.enable {
    confinement.enable = mkIf cfg.confine (mkDefault true);
-    bindsTo = map (dir: mkIf (dir.mountPoint != null)
+    bindsTo =
+      map (
+        dir:
+          mkIf (dir.mountPoint != null)
          "${utils.escapeSystemdPath dir.mountPoint}.mount"
-    ) cfg.mediaDirectories;
+      )
+      cfg.mediaDirectories;
    unitConfig.RequiresMountsFor = mkMerge (
      map (dir: dir.paths) cfg.mediaDirectories
    );
--- a/modules/nixos/mosquitto.nix
+++ b/modules/nixos/mosquitto.nix
@ -13,7 +13,8 @@ in {
          openFirewall = mkEnableOption "firewall";
        };
      };
-    in mkOption {
+    in
+      mkOption {
        type = listOf (submodule listenerModule);
      };
  };
--- a/modules/nixos/network/namespace.nix
+++ b/modules/nixos/network/namespace.nix
@ -19,7 +19,12 @@
  enabledNamespaces = filter (ns: ns.enable) (attrValues networking.namespaces);
  ip = "${pkgs.iproute2}/bin/ip";
  ip-n = namespace: "${ip} -n ${escapeShellArg namespace.name}";
-  namespaceInterfaceModule = { config, namespace, name, ... }: {
+  namespaceInterfaceModule = {
+    config,
+    namespace,
+    name,
+    ...
+  }: {
    options = with lib.types; {
      name = mkOption {
        type = str;
@ -63,7 +68,11 @@
      };
    };
  };
-  groupModule = { config, namespace, ... }: {
+  groupModule = {
+    config,
+    namespace,
+    ...
+  }: {
    options = with lib.types; {
      id = mkOption {
        type = int;
@ -100,7 +109,11 @@
      };
    };
  };
-  namespaceModule = { config, name, ... }: let
+  namespaceModule = {
+    config,
+    name,
+    ...
+  }: let
    linkGroupServices = optional (config.linkGroup != null) "${config.linkGroup.serviceName}.service";
    interfaceServices = mapAttrsToList (_: interface: "${interface.serviceName}.service") config.interfaces;
    submoduleArgs = {...}: {
@ -108,7 +121,9 @@
    };
  in {
    options = with lib.types; {
-      enable = mkEnableOption "network namespace" // {
+      enable =
+        mkEnableOption "network namespace"
+        // {
          default = true;
        };
      resolvConf = mkOption {
@ -187,7 +202,8 @@
            submoduleArgs
          ];
          idOrModule = coercedTo int (id: {inherit id;}) module;
-        in nullOr idOrModule;
+        in
+          nullOr idOrModule;
        default = null;
      };
      interfaces = mkOption {
@ -312,7 +328,8 @@
          addrs6 = access.cidrForNetwork.local.v6 ++ optionals tailscale.enable access.cidrForNetwork.tail.v6;
          daddr4 = ''{ ${concatStringsSep ", " addrs4} }'';
          daddr6 = ''{ ${concatStringsSep ", " addrs6} }'';
-        in mkIf config.nftables.rejectLocaladdrs (mkMerge [
+        in
+          mkIf config.nftables.rejectLocaladdrs (mkMerge [
            ''ct state { established, related } accept''
            ''
              ip daddr ${daddr4} ip protocol tcp reject with tcp reset
@ -363,7 +380,10 @@
          bindsTo = ["${config.unitName}.service"];
          partOf = ["${config.unitName}.target"];
          wants = linkGroupServices ++ interfaceServices;
-          after = bindsTo ++ wants ++ [
+          after =
+            bindsTo
+            ++ wants
+            ++ [
              (mkIf config.nftables.enable "${config.nftables.serviceName}.service")
            ];
          stopIfChanged = false;
@ -407,13 +427,19 @@
      };
    };
  };
-  serviceModule = { config, name, ... }: let
+  serviceModule = {
+    config,
+    name,
+    ...
+  }: let
    cfg = config.networkNamespace;
    hasNs = cfg.name != null;
    ns = networking.namespaces.${cfg.name};
  in {
    options.networkNamespace = with lib.types; {
-      enable = mkEnableOption "netns" // {
+      enable =
+        mkEnableOption "netns"
+        // {
          default = cfg.name != null;
        };
      bindResolvConf = mkOption {
@ -446,9 +472,7 @@
            path = mkDefault (
              ns.path
            );
-            bindResolvConf = mkDefault (
-              "${ns.configPath}/resolv.conf"
-            );
+            bindResolvConf = mkDefault "${ns.configPath}/resolv.conf";
          })
        ];
      }
@ -483,19 +507,25 @@ in {
  };
  config = {
    systemd = {
-      services = listToAttrs (concatMap (ns:
+      services = listToAttrs (concatMap (
+          ns:
            singleton (nameValuePair ns.unitName (unmerged.merge ns.serviceSettings))
            ++ optional (ns.linkGroup != null) (nameValuePair ns.linkGroup.serviceName (unmerged.merge ns.linkGroup.serviceSettings))
            ++ mapAttrsToList (_: interface: nameValuePair interface.serviceName (unmerged.merge interface.serviceSettings)) ns.interfaces
            ++ optional ns.dhcpcd.enable (nameValuePair ns.dhcpcd.serviceName (unmerged.merge ns.dhcpcd.serviceSettings))
            ++ optional ns.nftables.enable (nameValuePair ns.nftables.serviceName (unmerged.merge ns.nftables.serviceSettings))
-      ) enabledNamespaces);
-      targets = listToAttrs (map (ns: nameValuePair ns.unitName (
+        )
+        enabledNamespaces);
+      targets = listToAttrs (map (ns:
+        nameValuePair ns.unitName (
          unmerged.merge ns.targetSettings
-      )) enabledNamespaces);
+        ))
+      enabledNamespaces);
    };
-    environment.etc = mkMerge (map (ns:
+    environment.etc = mkMerge (map (
+        ns:
          mapAttrs' (name: file: nameValuePair "${ns.configDir}/${name}" (unmerged.merge file)) ns.configFiles
-    ) enabledNamespaces);
+      )
+      enabledNamespaces);
  };
 }
--- a/modules/nixos/network/networks.nix
+++ b/modules/nixos/network/networks.nix
@ -11,12 +11,16 @@
  networkModule = {config, ...}: {
    options = with lib.types; {
      mdns = {
-        enable = mkEnableOption "SLAAC" // {
+        enable =
+          mkEnableOption "SLAAC"
+          // {
            default = config.matchConfig.Type or null == "ether" && services.resolved.enable;
          };
      };
      slaac = {
-        enable = mkEnableOption "SLAAC" // {
+        enable =
+          mkEnableOption "SLAAC"
+          // {
            default = config.matchConfig.Type or null == "ether" && networking.enableIPv6;
          };
        postfix = mkOption {
--- a/modules/nixos/nftables.nix
+++ b/modules/nixos/nftables.nix
@ -1,6 +1,8 @@
-{ lib, config, ... }:
-
-let
+{
+  lib,
+  config,
+  ...
+}: let
  inherit (lib) types;
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.modules) mkIf;
@ -13,9 +15,11 @@ let
  doDocker = config.virtualisation.docker.enable && cfg.generateDockerRules;

  mkPorts = cond: ports: ranges: action: let
-    portStrings = (map (range: "${toString range.from}-${toString range.to}") ranges)
+    portStrings =
+      (map (range: "${toString range.from}-${toString range.to}") ranges)
      ++ (map toString ports);
-  in optionalString (portStrings != []) ''
+  in
+    optionalString (portStrings != []) ''
      ${cond} dport { ${concatStringsSep "," portStrings} } ${action}
    '';

@ -39,10 +43,13 @@ let
        ${mkPorts "udp" fwcfg.allowedUDPPorts fwcfg.allowedUDPPortRanges "accept"}

        ${
-          concatStringsSep "\n" (mapAttrsToList (name: ifcfg: concatMapStringsSep "\n" (cond:
+      concatStringsSep "\n" (mapAttrsToList (name: ifcfg:
+        concatMapStringsSep "\n" (
+          cond:
            mkPorts "${cond} tcp" ifcfg.allowedTCPPorts ifcfg.allowedTCPPortRanges "accept"
            + mkPorts "${cond} udp" ifcfg.allowedUDPPorts ifcfg.allowedUDPPortRanges "accept"
-          ) (optionals ifcfg.nftables.enable ifcfg.nftables.conditions)) fwcfg.interfaces)
+        ) (optionals ifcfg.nftables.enable ifcfg.nftables.conditions))
+      fwcfg.interfaces)
    }

        # DHCPv6
@ -85,13 +92,22 @@ let
    ''}
    ${cfg.extraConfig}
  '';
-  interfaceModule = { config, name, ... }: {
+  interfaceModule = {
+    config,
+    name,
+    ...
+  }: {
    options = {
      nftables = {
-        enable = mkEnableOption "nftables firewall" // {
+        enable =
+          mkEnableOption "nftables firewall"
+          // {
            default =
-            config.allowedTCPPorts != [ ] || config.allowedTCPPortRanges != [ ]
-            || config.allowedUDPPorts != [ ] || config.allowedUDPPortRanges != [ ];
+              config.allowedTCPPorts
+              != []
+              || config.allowedTCPPortRanges != []
+              || config.allowedUDPPorts != []
+              || config.allowedUDPPortRanges != [];
          };
        conditions = mkOption {
          type = types.listOf types.str;
@ -100,7 +116,6 @@ let
      };
    };
  };
-
 in {
  options = {
    networking.nftables = {
--- a/modules/nixos/nginx/local.nix
+++ b/modules/nixos/nginx/local.nix
@ -37,16 +37,23 @@
          cidrForNetwork.loopback.all
          ++ cidrForNetwork.local.all
          ++ optionals tailscale.enable cidrForNetwork.tail.all;
-        allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable ''
+        allows =
+          concatMapStringsSep "\n" mkAllow allowAddresses
+          + optionalString localaddrs.enable ''
            include ${localaddrs.stateDir}/*.nginx.conf;
          '';
-      in mkBefore ''
+      in
+        mkBefore ''
          ${allows}
          deny all;
        '';
    };
  };
-  locationModule = { config, virtualHost, ... }: {
+  locationModule = {
+    config,
+    virtualHost,
+    ...
+  }: {
    imports = [
      localModule
    ];
--- a/modules/nixos/nginx/vouch.nix
+++ b/modules/nixos/nginx/vouch.nix
@ -2,8 +2,7 @@
  config,
  lib,
  ...
-}:
-let
+}: let
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
  inherit (config) networking;
@ -49,15 +48,20 @@ let
        vouch = mkIf vouch-proxy.enable {
          proxyOrigin = let
            inherit (vouch-proxy.settings.vouch) listen port;
-            host = if listen == "0.0.0.0" || listen == "[::]" then "localhost" else listen;
-          in mkDefault "http://${host}:${toString port}";
+            host =
+              if listen == "0.0.0.0" || listen == "[::]"
+              then "localhost"
+              else listen;
+          in
+            mkDefault "http://${host}:${toString port}";
          authUrl = mkDefault vouch-proxy.authUrl;
          url = mkDefault vouch-proxy.url;
          doubleProxy = mkDefault false;
        };
      }
      {
-        vouch.proxyOrigin = mkIf (tailscale.enable && !vouch-proxy.enable) (mkDefault
+        vouch.proxyOrigin = mkIf (tailscale.enable && !vouch-proxy.enable) (
+          mkDefault
          "http://login.tail.${networking.domain}"
        );
      }
@ -96,7 +100,8 @@ let
                  set $vouch_url $vouch_scheme://${config.vouch.tailDomain};
                }
              '';
-            in mkMerge [
+            in
+              mkMerge [
                (mkBefore ''
                  set $vouch_url ${config.vouch.url};
                  set $vouch_scheme $scheme;
--- a/modules/nixos/nginx/websocket.nix
+++ b/modules/nixos/nginx/websocket.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkOption mkEnableOption;
  wsModule = {config, ...}: {
--- a/modules/nixos/plex.nix
+++ b/modules/nixos/plex.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.options) mkOption;
 in {
  options.services.plex = with lib.types; {
--- a/modules/nixos/policyrouting.nix
+++ b/modules/nixos/policyrouting.nix
@ -1,8 +1,9 @@
-{ config, lib, ... }:
-
-with lib;
-
-let
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
  cfg = config.networking.policyrouting;

  ruleOpts = {...}: {
@ -15,9 +16,7 @@ let
      };
    };
  };
-
-in
-{
+in {
  options = {
    networking.policyrouting = {
      enable = mkEnableOption "Declarative Policy-Routing";
@ -38,14 +37,23 @@ in

  config = mkIf cfg.enable {
    networking.policyrouting.rules = [
-      { rule = "lookup main"; prio = 32000; }
+      {
+        rule = "lookup main";
+        prio = 32000;
+      }
    ];
    networking.localCommands = ''
      set -x
      ip -6 rule flush
      ip -4 rule flush
-      ${concatMapStringsSep "\n" ({ prio, rule }: "ip -6 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules6)}
-      ${concatMapStringsSep "\n" ({ prio, rule }: "ip -4 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules4)}
+      ${concatMapStringsSep "\n" ({
+        prio,
+        rule,
+      }: "ip -6 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules6)}
+      ${concatMapStringsSep "\n" ({
+        prio,
+        rule,
+      }: "ip -4 rule add ${rule} prio ${toString prio}") (cfg.rules ++ cfg.rules4)}
    '';
  };
 }
--- a/modules/nixos/postgres.nix
+++ b/modules/nixos/postgres.nix
@ -10,14 +10,19 @@
  inherit (config) networking;
  cfg = config.services.postgresql;
  formatHost = host:
-    if hasInfix "/" host then host
-    else if hasInfix ":" host then "${host}/128"
-    else if hasInfix "." host then "${host}/32"
+    if hasInfix "/" host
+    then host
+    else if hasInfix ":" host
+    then "${host}/128"
+    else if hasInfix "." host
+    then "${host}/32"
    else throw "unsupported IP address ${host}";
  ensureUserModule = {config, ...}: {
    options = with lib.types; {
      authentication = {
-        enable = mkEnableOption "TCP connections" // {
+        enable =
+          mkEnableOption "TCP connections"
+          // {
            default = config.authentication.hosts != [];
          };
        hosts = mkOption {
@ -47,13 +52,15 @@
      authentication = {
        hosts = let
          inherit (networking.access) cidrForNetwork;
-        in mkMerge [
+        in
+          mkMerge [
            (mkIf config.authentication.tailscale.allow cidrForNetwork.tail.all)
            (mkIf config.authentication.local.allow (cidrForNetwork.loopback.all ++ cidrForNetwork.local.all))
          ];
        authentication = mkMerge (map (host: ''
            host ${config.authentication.database} ${config.name} ${formatHost host} ${config.authentication.method}
-        '') config.authentication.hosts);
+          '')
+          config.authentication.hosts);
      };
      authentication.database = mkIf config.ensureDBOwnership (
        mkOptionDefault config.name
@ -70,9 +77,11 @@ in {
    enableTCPIP = mkIf (any (user: user.authentication.enable) cfg.ensureUsers) (
      mkDefault true
    );
-    authentication = mkMerge (map (user:
+    authentication = mkMerge (map (
+        user:
          mkIf user.authentication.enable user.authentication.authentication
-    ) cfg.ensureUsers);
+      )
+      cfg.ensureUsers);
  };
  config.networking.firewall.interfaces.local = mkIf cfg.enable {
    allowedTCPPorts = mkIf (any (user: user.authentication.local.allow) cfg.ensureUsers) [cfg.port];
--- a/modules/nixos/prowlarr.nix
+++ b/modules/nixos/prowlarr.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.options) mkOption;
 in {
  options.services.prowlarr = with lib.types; {
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.options) mkOption;
 in {
  options.services.radarr = with lib.types; {
--- a/modules/nixos/readarr.nix
+++ b/modules/nixos/readarr.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.options) mkOption;
 in {
  options.services.readarr = with lib.types; {
--- a/modules/nixos/samba.nix
+++ b/modules/nixos/samba.nix
@ -11,9 +11,12 @@
  inherit (config.services) samba-wsdd;
  cfg = config.services.samba;
  settingValue = value:
-    if builtins.isList value then concatMapStringsSep ", " settingValue value
-    else if value == true then "yes"
-    else if value == false then "no"
+    if builtins.isList value
+    then concatMapStringsSep ", " settingValue value
+    else if value == true
+    then "yes"
+    else if value == false
+    then "no"
    else toString value;
 in {
  options.services.samba = with lib.types; let
@ -64,7 +67,11 @@ in {
      };
    };
    idmap = let
-      idmapModule = { config, name, ... }: {
+      idmapModule = {
+        config,
+        name,
+        ...
+      }: {
        options = {
          backend = mkOption {
            type = str;
@ -167,7 +174,8 @@ in {
            "map to guest" = mkOptionDefault "Bad User";
            "guest account" = mkOptionDefault cfg.guest.user;
          })
-      ] ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
+        ]
+        ++ mapAttrsToList (_: idmap: mapAttrs' (key: value: nameValuePair "idmap config ${idmap.domain} : ${key}" (mkOptionDefault value)) idmap.settings) cfg.idmap.domains);
      extraConfig = mkMerge (mapAttrsToList (key: value: ''${key} = ${settingValue value}'') cfg.settings);
      shares.${cfg.usershare.templateShare} = mkIf cfg.usershare.enable {
        "-valid" = false;
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.options) mkOption;
 in {
  options.services.sonarr = with lib.types; {
--- a/modules/nixos/steam/account-switch.nix
+++ b/modules/nixos/steam/account-switch.nix
@ -76,7 +76,8 @@ in {
        inherit owner;
        inherit (shared) group mode;
      };
-      setupFiles = singleton {
+      setupFiles =
+        singleton {
          ${cfg.rootDir} = toplevel;
          ${cfg.binDir} = toplevel;
          ${cfg.binDir + "/users"} = shared;
@ -84,11 +85,14 @@ in {
          ${cfg.sharedDataDir} = shared;
          ${cfg.workingDir} = toplevel;
          ${cfg.sharedWorkingDir} = shared;
-      } ++ map (owner: {
+        }
+        ++ map (owner: {
          ${cfg.dataDir + "/${owner}"} = personal owner;
          ${cfg.workingDir + "/${owner}"} = personal owner;
-      }) cfg.users;
-      userBinFiles = listToAttrs (map (user: nameValuePair "${cfg.binDir}/users/${user}.bat" {
+        })
+        cfg.users;
+      userBinFiles = listToAttrs (map (user:
+        nameValuePair "${cfg.binDir}/users/${user}.bat" {
          inherit (toplevel) owner group;
          mode = "0755";
          type = "copy";
@ -99,7 +103,8 @@ in {
              setx GENSO_STEAM_USER ${user}
            '';
          };
-      }) cfg.users);
+        })
+      cfg.users);
    in {
      enable = mkIf (cfg.enable || cfg.setup) true;
      files = mkMerge [
--- a/modules/nixos/steam/beatsaber.nix
+++ b/modules/nixos/steam/beatsaber.nix
@ -14,7 +14,11 @@
  inherit (lib.meta) getExe;
  inherit (config.services.steam) accountSwitch;
  cfg = config.services.steam.beatsaber;
-  versionModule = { config, name, ... }: {
+  versionModule = {
+    config,
+    name,
+    ...
+  }: {
    options = with lib.types; {
      version = mkOption {
        type = str;
@ -23,7 +27,8 @@
    };
  };

-  mkSharePath = path: mkWinPath (
+  mkSharePath = path:
+    mkWinPath (
      "%GENSO_SMB_SHARED_MOUNT%"
      + "/${accountSwitch.sharePath}"
      + "/${removePrefix (accountSwitch.rootDir + "/") path}"
@ -102,7 +107,9 @@
 in {
  options.services.steam.beatsaber = with lib.types; {
    enable = mkEnableOption "beatsaber scripts";
-    setup = mkEnableOption "beatsaber data" // {
+    setup =
+      mkEnableOption "beatsaber data"
+      // {
        default = accountSwitch.setup;
      };
    group = mkOption {
@ -140,10 +147,12 @@ in {
        mkbeatsabersh
      ];
    };
-    systemd.services = mkIf cfg.setup (listToAttrs (map (user: nameValuePair "steam-setup-beatsaber-${user}" {
+    systemd.services = mkIf cfg.setup (listToAttrs (map (user:
+      nameValuePair "steam-setup-beatsaber-${user}" {
        script = mkMerge (mapAttrsToList (_: version: ''
            ${getExe mkbeatsaber} ${version.version} ${user}
-      '') cfg.versions);
+          '')
+          cfg.versions);
        path = [
          pkgs.coreutils
        ];
@ -157,7 +166,8 @@ in {
          RemainAfterExit = mkOptionDefault true;
          User = mkOptionDefault user;
        };
-    }) cfg.users));
+      })
+    cfg.users));
    services.tmpfiles = let
      toplevel = {
        owner = mkDefault "admin";
@ -187,29 +197,41 @@ in {
        "AppData"
        "UserData"
      ];
-      setupFiles = [
+      setupFiles =
+        [
          {
            "${accountSwitch.sharedDataDir}/BeatSaber" = toplevel;
            "${accountSwitch.binDir}/beatsaber" = shared;
          }
          (listToAttrs (
-          map (folder:
+            map (
+              folder:
                nameValuePair "${accountSwitch.sharedDataDir}/BeatSaber/${folder}" shared
-          ) sharedFolders
+            )
+            sharedFolders
          ))
-      ] ++ concatMap (owner:
+        ]
+        ++ concatMap (
+          owner:
            singleton {
              "${accountSwitch.dataDir}/${owner}/BeatSaber" = personal owner;
              "${accountSwitch.dataDir}/${owner}/BeatSaber/AppData" = personal owner;
              "${accountSwitch.dataDir}/${owner}/BeatSaber/UserData" = personal owner;
-        } ++ mapAttrsToList (_: version: {
+            }
+            ++ mapAttrsToList (_: version: {
              "${accountSwitch.dataDir}/${owner}/BeatSaber/${version.version}" = personal owner;
-        }) cfg.versions
-      ) accountSwitch.users
+            })
+            cfg.versions
+        )
+        accountSwitch.users
        ++ mapAttrsToList (_: version: {
          "${accountSwitch.sharedDataDir}/BeatSaber/${version.version}" = shared;
-      }) cfg.versions;
-      versionBinFiles = mapAttrs' (_: version: nameValuePair
+        })
+        cfg.versions;
+      versionBinFiles =
+        mapAttrs' (
+          _: version:
+            nameValuePair
            "${accountSwitch.binDir}/beatsaber/${replaceStrings ["."] ["_"] version.version}.bat"
            {
              inherit (bin) owner group mode type;
@ -221,8 +243,10 @@ in {
                '';
              };
            }
-      ) cfg.versions;
-      binFiles = {
+        )
+        cfg.versions;
+      binFiles =
+        {
          "${accountSwitch.binDir}/beatsaber/mount.bat" = {
            inherit (bin) owner group mode type;
            src = pkgs.writeTextFile {
@ -257,7 +281,8 @@ in {
              executable = true;
            };
          };
-      } // versionBinFiles;
+        }
+        // versionBinFiles;
    in {
      enable = mkIf (cfg.enable || cfg.setup) true;
      files = mkMerge [
--- a/modules/nixos/tmpfiles.nix
+++ b/modules/nixos/tmpfiles.nix
@ -18,9 +18,15 @@
  systemdFiles = filter (file: file.systemd.enable) files;
  setupFiles = filter (file: !file.systemd.enable) files;
  bindFiles = filter (file: file.type == "bind") files;
-  fileModule = { config, name, ... }: {
+  fileModule = {
+    config,
+    name,
+    ...
+  }: {
    options = with lib.types; {
-      enable = mkEnableOption "file" // {
+      enable =
+        mkEnableOption "file"
+        // {
          default = true;
        };
      mkdirParent = mkEnableOption "mkdir";
@ -33,7 +39,10 @@
      };
      type = mkOption {
        type = enum ["directory" "symlink" "link" "copy" "bind"];
-        default = if config.src != null then "symlink" else "directory";
+        default =
+          if config.src != null
+          then "symlink"
+          else "directory";
      };
      mode = mkOption {
        type = str;
@ -191,12 +200,17 @@
  };
 in {
  options.services.tmpfiles = with lib.types; {
-    enable = mkEnableOption "extended tmpfiles" // {
+    enable =
+      mkEnableOption "extended tmpfiles"
+      // {
        default = cfg.files != {};
      };
    user = mkOption {
      type = str;
-      default = if config.proxmoxLXC.privileged or true then "root" else "admin";
+      default =
+        if config.proxmoxLXC.privileged or true
+        then "root"
+        else "admin";
    };
    files = mkOption {
      type = attrsOf (submodule fileModule);
@ -211,13 +225,17 @@ in {
      services.tmpfiles = {
        path = [pkgs.coreutils pkgs.acl];
        script = mkMerge (
-          [ ''
+          [
+            ''
              EXITCODE=0
-          '' ]
+            ''
+          ]
          ++ map (file: file.setup.script) setupFiles
-          ++ [ ''
+          ++ [
+            ''
              exit $EXITCODE
-          '' ]
+            ''
+          ]
        );
        wantedBy = [
          "sysinit.target"
--- a/modules/nixos/users.nix
+++ b/modules/nixos/users.nix
@ -13,20 +13,25 @@
  userMatchBlock = user: let
    inherit (user.openssh) matchBlock;
    criteria = mapAttrsToList toSshdCriteria matchBlock.criteria;
-  in mkAfter ''
+  in
+    mkAfter ''
      Match ${concatStringsSep " " criteria}
      ${matchBlock.settingsConfig}
    '';
  userModule = {config, ...}: let
    toSshdValue = value:
-      if value == true then "yes"
-      else if value == false then "no"
+      if value == true
+      then "yes"
+      else if value == false
+      then "no"
      else toString value;
    toSshdConf = key: value: "${key} ${toSshdValue value}";
  in {
    options = with lib.types; {
      openssh.matchBlock = {
-        enable = mkEnableOption "match block" // {
+        enable =
+          mkEnableOption "match block"
+          // {
            default = config.openssh.matchBlock.settings != {};
          };
        criteria = mkOption {
--- a/modules/nixos/vouch.nix
+++ b/modules/nixos/vouch.nix
@ -5,8 +5,17 @@
  lib,
  ...
 }: let
-  inherit (lib) mkIf mkMerge mkDefault mkOptionDefault mkOption mkEnableOption types
-    getExe;
+  inherit
+    (lib)
+    mkIf
+    mkMerge
+    mkDefault
+    mkOptionDefault
+    mkOption
+    mkEnableOption
+    types
+    getExe
+    ;
  nixosConfig = config;
  cfg = config.services.vouch-proxy;
  settingsFormat = pkgs.formats.json {};
@ -98,7 +107,8 @@ in {
          };
        };
      };
-    in mkOption {
+    in
+      mkOption {
        type = submodule settingsModule;
        default = {};
      };
@ -116,10 +126,12 @@ in {
      cfg.settings
      cfg.extraSettings
    ];
-    settingsPath = if cfg.enableSettingsSecrets
+    settingsPath =
+      if cfg.enableSettingsSecrets
      then "/run/vouch-proxy/vouch-config.json"
      else settingsFormat.generate "vouch-config.json" settings;
-  in mkMerge [
+  in
+    mkMerge [
      {
        services.vouch-proxy = {
          settingsPath = mkOptionDefault settingsPath;
@ -135,7 +147,8 @@ in {
              preprocess = pkgs.writeShellScript "vouch-proxy-prestart" (
                utils.genJqSecretsReplacementSnippet settings cfg.settingsPath
              );
-          in mkIf cfg.enableSettingsSecrets [
+            in
+              mkIf cfg.enableSettingsSecrets [
                "${preprocess}"
              ];
            ExecStart = [
--- a/nixos/access/freeipa.nix
+++ b/nixos/access/freeipa.nix
@ -3,8 +3,7 @@
  meta,
  lib,
  ...
-}:
-let
+}: let
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.modules) mkIf mkMerge mkBefore mkDefault;
  inherit (lib.strings) optionalString concatStringsSep;
@ -56,7 +55,9 @@ in {
      type = str;
    };
    preread = {
-      enable = mkEnableOption "ssl preread" // {
+      enable =
+        mkEnableOption "ssl preread"
+        // {
          default = true;
        };
      port = mkOption {
@ -65,7 +66,9 @@ in {
      };
    };
    kerberos = {
-      enable = mkEnableOption "proxy kerberos" // {
+      enable =
+        mkEnableOption "proxy kerberos"
+        // {
          default = true;
        };
      ports = {
@ -86,7 +89,10 @@ in {
    proxyPass = mkOption {
      type = str;
      default = let
-        scheme = if access.port == 443 then "https" else "http";
+        scheme =
+          if access.port == 443
+          then "https"
+          else "http";
      in "${scheme}://${access.host}:${toString access.port}";
    };
    domain = mkOption {
@ -174,7 +180,8 @@ in {
            proxy_pass ${access.host}:${toString access.kerberos.ports.kpasswd};
          }
        '';
-      in mkMerge [
+      in
+        mkMerge [
          (mkIf access.preread.enable preread)
          (mkIf access.kerberos.enable kerberos)
        ];
--- a/nixos/access/freepbx.nix
+++ b/nixos/access/freepbx.nix
@ -12,7 +12,9 @@
  freepbx = config.lib.access.systemFor "freepbx";
 in {
  options.services.nginx.access.freepbx = with lib.types; {
-    global.enable = mkEnableOption "global access" // {
+    global.enable =
+      mkEnableOption "global access"
+      // {
        default = access.useACMEHost != null;
      };
    host = mkOption {
@ -94,7 +96,8 @@ in {
      };
      "${access.domain}@ucp" = {
        serverName = access.domain;
-        listen = concatMap (addr: [
+        listen =
+          concatMap (addr: [
            {
              inherit addr;
              port = access.ucpPort;
@ -104,7 +107,8 @@ in {
              port = access.ucpSslPort;
              ssl = true;
            })
-        ]) nginx.defaultListenAddresses;
+          ])
+          nginx.defaultListenAddresses;
        proxy.websocket.enable = true;
        local.enable = mkDefault (!access.global.enable);
        addSSL = mkDefault (access.useACMEHost != null);
@ -116,7 +120,8 @@ in {
        inherit extraConfig;
      };
      ${access.localDomain} = {
-        listen = concatMap (addr: [
+        listen =
+          concatMap (addr: [
            {
              inherit addr;
              port = nginx.defaultHTTPListenPort;
@ -135,7 +140,8 @@ in {
              port = access.ucpSslPort;
              ssl = true;
            })
-        ]) nginx.defaultListenAddresses;
+          ])
+          nginx.defaultListenAddresses;
        serverAliases = mkIf tailscale.enable [access.tailDomain];
        useACMEHost = mkDefault access.useACMEHost;
        addSSL = mkDefault (access.useACMEHost != null);
--- a/nixos/access/global.nix
+++ b/nixos/access/global.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.modules) mkDefault;
 in {
  networking = {
--- a/nixos/access/invidious.nix
+++ b/nixos/access/invidious.nix
@ -34,10 +34,12 @@ in {
      url = mkOptionDefault "http://localhost:${toString cfg.port}";
    };
    virtualHosts = let
-      invidiousDomains = [
+      invidiousDomains =
+        [
          access.domain
          access.localDomain
-      ] ++ optional tailscale.enable access.tailDomain;
+        ]
+        ++ optional tailscale.enable access.tailDomain;
      contentSecurityPolicy' = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; manifest-src 'self'; media-src 'self' blob: https://*.googlevideo.com:443 https://*.youtube.com:443; child-src 'self' blob:; frame-src 'self'; frame-ancestors 'none'";
      contentSecurityPolicy = replaceStrings ["'self'"] ["'self' ${concatStringsSep " " invidiousDomains}"] contentSecurityPolicy';
      extraConfig = ''
--- a/nixos/access/kanidm.nix
+++ b/nixos/access/kanidm.nix
@ -3,8 +3,7 @@
  meta,
  lib,
  ...
-}:
-let
+}: let
  inherit (lib.options) mkOption;
  inherit (lib.modules) mkIf mkMerge mkDefault mkOptionDefault;
  inherit (config) networking;
--- a/nixos/access/kitchencam.nix
+++ b/nixos/access/kitchencam.nix
@ -65,7 +65,8 @@ in {
        };
      };
      streamListen = {config, ...}: {
-        listen = concatMap (addr: [
+        listen =
+          concatMap (addr: [
            (mkIf config.addSSL {
              inherit addr;
              port = nginx.defaultSSLListenPort;
@ -79,24 +80,31 @@ in {
              inherit addr;
              port = access.streamPort;
            }
-        ]) nginx.defaultListenAddresses;
+          ])
+          nginx.defaultListenAddresses;
      };
    in {
-      ${access.domain} = mkMerge [ {
+      ${access.domain} = mkMerge [
+        {
          vouch.enable = true;
          kTLS = mkDefault true;
          inherit (access) useACMEHost;
          addSSL = mkDefault (access.useACMEHost != null);
          inherit locations;
-      } streamListen ];
-      ${access.localDomain} = mkMerge [ {
+        }
+        streamListen
+      ];
+      ${access.localDomain} = mkMerge [
+        {
          serverAliases = mkIf config.services.tailscale.enable [access.tailDomain];
          inherit (virtualHosts.${access.domain}) useACMEHost;
          addSSL = mkDefault addSSL;
          kTLS = mkDefault true;
          local.enable = true;
          inherit locations;
-      } streamListen ];
+        }
+        streamListen
+      ];
    };
  };
  config.networking.firewall.allowedTCPPorts = [
--- a/nixos/access/ldap.nix
+++ b/nixos/access/ldap.nix
@ -2,8 +2,7 @@
  config,
  lib,
  ...
-}:
-let
+}: let
  inherit (lib.options) mkOption mkEnableOption;
  inherit (lib.modules) mkIf mkMerge;
  inherit (lib.strings) concatMapStringsSep optionalString;
@ -18,7 +17,9 @@ let
      cidrForNetwork.loopback.all
      ++ cidrForNetwork.local.all
      ++ optionals tailscale.enable cidrForNetwork.tail.all;
-    allows = concatMapStringsSep "\n" mkAllow allowAddresses + optionalString localaddrs.enable ''
+    allows =
+      concatMapStringsSep "\n" mkAllow allowAddresses
+      + optionalString localaddrs.enable ''
        include ${localaddrs.stateDir}/*.nginx.conf;
      '';
  in ''
@ -61,7 +62,8 @@ in {
          proxy_ssl on;
          proxy_ssl_verify off;
        '';
-      in mkIf access.enable (mkMerge [
+      in
+        mkIf access.enable (mkMerge [
          ''
            server {
              listen 0.0.0.0:389;
--- a/nixos/access/plex.nix
+++ b/nixos/access/plex.nix
@ -70,10 +70,12 @@ in {
      plex-external = mkIf (access.externalPort != null) {
        serverName = mkDefault access.domain;
        default = mkDefault true;
-        listen = map (addr: {
+        listen =
+          map (addr: {
            inherit addr;
            port = access.externalPort;
-        }) nginx.defaultListenAddresses;
+          })
+          nginx.defaultListenAddresses;
        locations."/" = location;
        inherit extraConfig;
      };
--- a/nixos/access/proxmox.nix
+++ b/nixos/access/proxmox.nix
@ -14,7 +14,8 @@
  proxyPass = "https://reisen.local.${config.networking.domain}:8006/";
  unencrypted = mkSnakeOil {
    name = "prox-local-cert";
-    domain = singleton "prox.local.${config.networking.domain}"
+    domain =
+      singleton "prox.local.${config.networking.domain}"
      ++ optional tailscale.enable "prox.tail.${config.networking.domain}";
  };
  sslHost = {config, ...}: {
@ -91,7 +92,8 @@ in {
    ${access.domain} = {
      inherit locations extraConfig;
    };
-    ${access.localDomain} = mkMerge [ {
+    ${access.localDomain} = mkMerge [
+      {
        inherit (virtualHosts.${access.domain}) useACMEHost;
        local.enable = mkDefault true;
        forceSSL = mkDefault true;
@ -99,8 +101,11 @@ in {
          proxy.websocket.enable = true;
          inherit proxyPass extraConfig;
        };
-    } sslHost ];
-    ${access.tailDomain} = mkIf tailscale.enable (mkMerge [ {
+      }
+      sslHost
+    ];
+    ${access.tailDomain} = mkIf tailscale.enable (mkMerge [
+      {
        inherit (virtualHosts.${access.domain}) useACMEHost;
        addSSL = mkDefault true;
        local.enable = mkDefault true;
@ -108,7 +113,9 @@ in {
          proxy.websocket.enable = true;
          inherit proxyPass extraConfig;
        };
-    } sslHost ]);
+      }
+      sslHost
+    ]);
  };

  config.sops.secrets.access-proxmox = {
--- a/nixos/access/unifi.nix
+++ b/nixos/access/unifi.nix
@ -10,7 +10,9 @@
 in {
  options.services.nginx.access.unifi = with lib.types; {
    global = {
-      enable = mkEnableOption "global access" // {
+      enable =
+        mkEnableOption "global access"
+        // {
          default = access.useACMEHost != null;
        };
      management = mkEnableOption "global management port access";
@ -59,11 +61,13 @@ in {
      };
    in {
      "${access.domain}@management" = mkIf access.global.management {
-        listen = map (addr: {
+        listen =
+          map (addr: {
            inherit addr;
            port = access.managementPort;
            ssl = true;
-        }) nginx.defaultListenAddresses;
+          })
+          nginx.defaultListenAddresses;
        serverName = access.domain;
        default = mkDefault true;
        forceSSL = mkDefault true;
--- a/nixos/access/vouch.nix
+++ b/nixos/access/vouch.nix
@ -35,8 +35,12 @@ in {
    access.vouch = mkIf cfg.enable {
      url = let
        inherit (cfg.settings.vouch) listen;
-        host = if listen == "0.0.0.0" || listen == "[::]" then "localhost" else listen;
-      in mkOptionDefault "http://${host}:${toString cfg.port}";
+        host =
+          if listen == "0.0.0.0" || listen == "[::]"
+          then "localhost"
+          else listen;
+      in
+        mkOptionDefault "http://${host}:${toString cfg.port}";
    };
    virtualHosts = let
      locations = {
@ -49,12 +53,15 @@ in {
        "/validate" = {config, ...}: {
          proxyPass = mkDefault (access.url + "/validate");
          recommendedProxySettings = mkDefault false;
-          extraConfig = if config.local.trusted then ''
+          extraConfig =
+            if config.local.trusted
+            then ''
              if ($http_x_host = ''') {
                set $http_x_host $host;
              }
              proxy_set_header Host $http_x_host;
-          '' else ''
+            ''
+            else ''
              proxy_set_header Host $host;
            '';
        };
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
@ -2,8 +2,7 @@
  config,
  lib,
  ...
-}:
-let
+}: let
  inherit (lib.options) mkOption;
  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
  cfg = config.services.zigbee2mqtt;
--- a/nixos/acme.nix
+++ b/nixos/acme.nix
@ -8,14 +8,26 @@
  inherit (lib.lists) head optional;
  cfg = config.security.acme;
  mkHash = with builtins; val: substring 0 20 (hashString "sha256" val);
-  mkAccountHash = { server ? null, keyType, email }: mkHash "${toString server} ${keyType} ${email}";
+  mkAccountHash = {
+    server ? null,
+    keyType,
+    email,
+  }:
+    mkHash "${toString server} ${keyType} ${email}";
  mkHost = server: head (splitString "/" (removePrefix "https://" server));
-  mkAccountDir = { server ? null, email, keyType }: concatStringsSep "/" ([
+  mkAccountDir = {
+    server ? null,
+    email,
+    keyType,
+  }:
+    concatStringsSep "/" ([
        accountDirRoot
        (mkAccountHash {inherit server email keyType;})
-  ] ++ optional (server != null) (
+      ]
+      ++ optional (server != null) (
        mkHost server
-  ) ++ [
+      )
+      ++ [
        cfg.defaults.email
      ]);
  accountDirRoot = "/var/lib/acme/.lego/accounts";
@ -42,9 +54,12 @@ in {
      group = "nginx";
    };
  in {
-    acme_account_key = mkMerge [ acmeSecret {
+    acme_account_key = mkMerge [
+      acmeSecret
+      {
        path = accountDir + "/keys/${cfg.defaults.email}.key";
-    } ];
+      }
+    ];
    acme_cloudflare_email = acmeSecret;
    acme_cloudflare_token = acmeSecret;
  };
--- a/nixos/avahi.nix
+++ b/nixos/avahi.nix
@ -38,7 +38,8 @@ in {
        fi
      done < <(journalctl -o cat -feu ${daemon} | grep -F 'Host name conflict, retrying with ')
    '';
-  in mkIf (cfg.enable && cfg.publish.enable) {
+  in
+    mkIf (cfg.enable && cfg.publish.enable) {
      avahi-daemon = {
        serviceConfig = {
          inherit RestartSec;
--- a/nixos/base/access.nix
+++ b/nixos/base/access.nix
@ -28,8 +28,7 @@

  users.users.root = {
    hashedPassword = "$6$i28yOXoo$/WokLdKds5ZHtJHcuyGrH2WaDQQk/2Pj0xRGLgS8UcmY2oMv3fw2j/85PRpsJJwCB2GBRYRK5LlvdTleHd3mB.";
-    openssh.authorizedKeys.keys = with pkgs.lib;
-      (concatLists (mapAttrsToList
+    openssh.authorizedKeys.keys = with pkgs.lib; (concatLists (mapAttrsToList
      (name: user:
        if elem "wheel" user.extraGroups
        then user.openssh.authorizedKeys.keys
--- a/nixos/base/kitty.nix
+++ b/nixos/base/kitty.nix
@ -1,5 +1,7 @@
-{ config, pkgs, ... }:
-
 {
+  config,
+  pkgs,
+  ...
+}: {
  environment.systemPackages = [pkgs.buildPackages.buildPackages.kitty.terminfo];
 }
--- a/nixos/base/nix.nix
+++ b/nixos/base/nix.nix
@ -1,4 +1,10 @@
-{ config, options, lib, inputs, ... }: let
+{
+  config,
+  options,
+  lib,
+  inputs,
+  ...
+}: let
  inherit (lib.modules) mkIf mkDefault;
  hasSops = options ? sops;
 in {
@ -25,7 +31,8 @@ in {
        experimental-features = lib.optional (lib.versionAtLeast config.nix.package.version "2.4") "nix-command flakes";
        substituters = [
          "https://gensokyo-infrastructure.cachix.org"
-          "https://arc.cachix.org" "https://kittywitch.cachix.org"
+          "https://arc.cachix.org"
+          "https://kittywitch.cachix.org"
          "https://nix-community.cachix.org"
        ];
        trusted-public-keys = [
@ -47,7 +54,11 @@ in {
        options = mkDefault "--delete-older-than 7d";
      };
    };
-    ${if hasSops then "sops" else null}.secrets.github-access-token-public = {
+    ${
+      if hasSops
+      then "sops"
+      else null
+    }.secrets.github-access-token-public = {
      sopsFile = mkDefault ../secrets/nix.yaml;
      group = mkDefault "users";
      mode = mkDefault "0644";
--- a/nixos/base/nixpkgs.nix
+++ b/nixos/base/nixpkgs.nix
@ -1,7 +1,4 @@
-{
-  inputs,
-  ...
-}: {
+{inputs, ...}: {
  nixpkgs = {
    overlays = [
      inputs.arcexprs.overlays.default
--- a/nixos/base/packages.nix
+++ b/nixos/base/packages.nix
@ -1,11 +1,16 @@
-{ config, lib, pkgs, ... }:
-
 {
-  environment.systemPackages = with pkgs; [
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment.systemPackages = with pkgs;
+    [
      neofetch
      smartmontools
      hddtemp
      lm_sensors
      gnupg
-  ] ++ (lib.optional config.programs.gnupg.agent.enable pinentry-curses);
+    ]
+    ++ (lib.optional config.programs.gnupg.agent.enable pinentry-curses);
 }
--- a/nixos/base/shell.nix
+++ b/nixos/base/shell.nix
@ -1,6 +1,4 @@
-{ config, ... }:
-
-{
+{config, ...}: {
  programs.zsh = {
    enable = true;
    enableCompletion = true;
--- a/nixos/base/urxvt.nix
+++ b/nixos/base/urxvt.nix
@ -1,6 +1,4 @@
-{ pkgs, ... }:
-
-{
+{pkgs, ...}: {
  environment.systemPackages = [
    pkgs.buildPackages.rxvt-unicode-unwrapped.terminfo
  ];
--- a/nixos/bazarr.nix
+++ b/nixos/bazarr.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.modules) mkDefault;
 in {
  services.bazarr = {
--- a/nixos/ddclient.nix
+++ b/nixos/ddclient.nix
@ -15,12 +15,15 @@ in {
    zone = mkDefault config.networking.domain;
    use = "no";
    domains = [];
-    extraConfig = mkMerge [ (mkIf config.networking.enableIPv6 ''
+    extraConfig = mkMerge [
+      (mkIf config.networking.enableIPv6 ''
        usev6=webv6, webv6=https://ipv6.nsupdate.info/myip
-    '') ''
+      '')
+      ''
        usev4=webv4, webv4=https://ipv4.nsupdate.info/myip
        max-interval=1d
-    '' ];
+      ''
+    ];
    passwordFile = config.sops.secrets.dyndns_cloudflare_token.path;
  };
  systemd.services.ddclient = mkIf cfg.enable rec {
@ -33,7 +36,8 @@ in {
        prestart-domains = pkgs.writeShellScript "ddclient-prestart-domains" ''
          cat ${config.sops.secrets.dyndns_ddclient_domains.path} >> /run/${RuntimeDirectory}/ddclient.conf
        '';
-      in mkAfter [ "!${prestart-domains}" ];
+      in
+        mkAfter ["!${prestart-domains}"];
      TimeoutStartSec = 90;
      LogFilterPatterns = [
        "~WARNING"
--- a/nixos/deluge.nix
+++ b/nixos/deluge.nix
@ -42,19 +42,23 @@ in {
    parent = builtins.dirOf downloadDir;
    hasCompletedSubdir = completedDir != null && hasPrefix parent completedDir;
    completedSubdir = removePrefix parent completedDir;
-    download = if hasCompletedSubdir then {
+    download =
+      if hasCompletedSubdir
+      then {
        path = parent;
        subdirectories = [
          (builtins.baseNameOf downloadDir)
          completedSubdir
        ];
-    } else {
+      }
+      else {
        path = downloadDir;
      };
    completed = {
      path = cfg.config.move_completed_path;
    };
-  in mkIf cfg.enable (mkAfter [
+  in
+    mkIf cfg.enable (mkAfter [
      download
      (mkIf (completedDir != null && !hasCompletedSubdir) completed)
    ]);
--- a/nixos/github-runner/zone.nix
+++ b/nixos/github-runner/zone.nix
@ -14,7 +14,9 @@
  genZoneAttrs = prefix: f: listToAttrs (genZone (i: nameValuePair "${prefix}${toString i}" (f i)));
 in {
  options.services.github-runner-zone = with lib.types; {
-    enable = mkEnableOption "github-runners.zone" // {
+    enable =
+      mkEnableOption "github-runners.zone"
+      // {
        default = true;
      };
    targetName = mkOption {
@ -88,7 +90,8 @@ in {
      };
    };

-    services.github-runners = genZoneAttrs cfg.keyPrefix (i: mkMerge [
+    services.github-runners = genZoneAttrs cfg.keyPrefix (i:
+      mkMerge [
        (unmerged.merge cfg.runnerSettings)
        {
          name = mkDefault "${cfg.namePrefix}${toString i}";
--- a/nixos/home-assistant.nix
+++ b/nixos/home-assistant.nix
@ -85,7 +85,8 @@ in {
        ];
        entity_config = {};
      };
-      homekit = [ {
+      homekit = [
+        {
          name = "Tewi";
          port = 21063;
          filter = let
@ -95,7 +96,8 @@ in {
            include_entities = "!include homekit_include_entities.yaml";
          };
          entity_config = "!include homekit_entity_config.yaml";
-      } ];
+        }
+      ];
      tts = [
        {
          platform = "google_translate";
--- a/nixos/invidious.nix
+++ b/nixos/invidious.nix
@ -1,4 +1,8 @@
-{ config, lib, ... }: let
+{
+  config,
+  lib,
+  ...
+}: let
  inherit (lib.modules) mkIf mkDefault mkForce;
  cfg = config.services.invidious;
 in {
@ -6,7 +10,8 @@ in {
    commonSecret = {
      sopsFile = ./secrets/invidious.yaml;
      owner = "invidious";
-    }; in {
+    };
+  in {
    invidious_db_password = commonSecret;
    invidious_hmac_key = commonSecret;
  };
--- a/nixos/kyuuto/mount.nix
+++ b/nixos/kyuuto/mount.nix
@ -42,10 +42,19 @@ in {
    kyuuto = {
      gameLibraries = [
        "PC"
-        "Wii" "Gamecube" "N64" "SNES" "NES"
-        "NDS" "GBA" "GBC"
-        "PS3" "PS2" "PS1"
-        "PSVita" "PSP"
+        "Wii"
+        "Gamecube"
+        "N64"
+        "SNES"
+        "NES"
+        "NDS"
+        "GBA"
+        "GBC"
+        "PS3"
+        "PS2"
+        "PS1"
+        "PSVita"
+        "PSP"
        "Genesis"
      ];
    };
@ -108,14 +117,19 @@ in {
    };

    users = let
-      mapId = id: if config.proxmoxLXC.privileged or true then 100000 + id else id;
+      mapId = id:
+        if config.proxmoxLXC.privileged or true
+        then 100000 + id
+        else id;
      mkDummyUsers = {
        name,
        group ? name,
-        enable ? !config.services.${serviceName}.enable, serviceName ? name,
+        enable ? !config.services.${serviceName}.enable,
+        serviceName ? name,
        uid ? config.ids.uids.${name},
        gid ? config.ids.gids.${group},
-      }: mkIf enable {
+      }:
+        mkIf enable {
          users.${name} = {
            group = mkIf (group != null) group;
            uid = mapId uid;
@ -125,7 +139,8 @@ in {
            gid = mapId gid;
          };
        };
-    in mkMerge [
+    in
+      mkMerge [
        (mkDummyUsers {name = "deluge";})
        (mkDummyUsers {name = "radarr";})
        (mkDummyUsers {name = "sonarr";})
--- a/nixos/kyuuto/nfs.nix
+++ b/nixos/kyuuto/nfs.nix
@ -1,4 +1,3 @@
-
 {
  config,
  lib,
--- a/nixos/kyuuto/opl.nix
+++ b/nixos/kyuuto/opl.nix
@ -10,7 +10,9 @@
  cfg = kyuuto.opl;
 in {
  options.kyuuto.opl = with lib.types; {
-    enable = mkEnableOption "hosting" // {
+    enable =
+      mkEnableOption "hosting"
+      // {
        default = config.services.samba.enable;
      };
    user = mkOption {
@ -39,9 +41,12 @@ in {
      };
      shares.opl = let
        inherit (config.networking.access) cidrForNetwork;
-        localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all
+        localAddrs =
+          cidrForNetwork.loopback.all
+          ++ cidrForNetwork.local.all
          ++ lib.optionals config.services.tailscale.enable cidrForNetwork.tail.all;
-      in mkIf cfg.enable {
+      in
+        mkIf cfg.enable {
          comment = "Kyuuto Media OPL";
          path = cfg.rootDir;
          writeable = true;
--- a/nixos/kyuuto/samba.nix
+++ b/nixos/kyuuto/samba.nix
@ -1,4 +1,3 @@
-
 {
  config,
  lib,
@ -9,7 +8,9 @@
  inherit (config.networking.access) cidrForNetwork;
  inherit (config) kyuuto;
  cfg = config.services.samba;
-  localAddrs = cidrForNetwork.loopback.all ++ cidrForNetwork.local.all
+  localAddrs =
+    cidrForNetwork.loopback.all
+    ++ cidrForNetwork.local.all
    ++ optionals config.services.tailscale.enable cidrForNetwork.tail.all;
  guestUsers = mkIf cfg.guest.enable [cfg.guest.user];
  kyuuto-media = {
@ -17,7 +18,9 @@
    "force directory mode" = "3000";
    "directory mask" = "7775";
  };
-  kyuuto-library = kyuuto-media // {
+  kyuuto-library =
+    kyuuto-media
+    // {
      "acl group control" = true;
    };
 in {
--- a/nixos/ombi.nix
+++ b/nixos/ombi.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.modules) mkDefault;
 in {
  services.ombi = {
--- a/nixos/plex.nix
+++ b/nixos/plex.nix
@ -1,4 +1,9 @@
-{config, lib, pkgs, ...}: let
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
  inherit (lib.modules) mkIf mkForce mkDefault;
  inherit (lib.strings) escapeShellArg;
  cfg = config.services.plex;
@ -21,7 +26,8 @@ in {
          fi
          ${pkgs.coreutils}/bin/ln -sfT ../Cache "$PLEX_DATADIR/Plex Media Server/Cache"
        '';
-      in mkForce [
+      in
+        mkForce [
          ''!${preStartScript}''
        ];
      # KillMode = "mixed" doesn't behave as expected...
--- a/nixos/postgres.nix
+++ b/nixos/postgres.nix
@ -8,7 +8,7 @@
 in {
  services.postgresql = {
    enable = mkDefault true;
-    ensureDatabases = ["hass" "invidious" "dex"];
+    ensureDatabases = ["hass" "invidious" "dex" "keycloak"];
    ensureUsers = [
      {
        name = "hass";
@ -25,6 +25,11 @@ in {
        ensureDBOwnership = true;
        authentication.local.allow = true;
      }
+      {
+        name = "keycloak";
+        ensureDBOwnership = true;
+        authentication.local.allow = true;
+      }
    ];
  };

--- a/nixos/reisen-ct/filesystem.nix
+++ b/nixos/reisen-ct/filesystem.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib) mkDefault;
 in {
  services.kanidm.serverSettings.db_fs_type = mkDefault "zfs";
--- a/nixos/secrets/postgres.yaml
+++ b/nixos/secrets/postgres.yaml
@ -1,4 +1,4 @@
-postgresql-init: ENC[AES256_GCM,data:fW9g0WKVHTO9blqlEXLJejyQUqC3na/Xh6Il2GNfuX6c2LfRjfFSeour4qt2envtPO+WanGl+ueE1AMck5t02TjqrN4a6DsQpAIGFVE7L4ajp/13Gp308pY4Xu7OKHjkGpzVBATKgLDZkoU8yAkqKZCBEU3d4xegp8pgnsLSpb/LndKiITjhTe2IJOSkIJd9twSsra8JQWRYCW8WjZZ9YOe5nqtU+56b/zb0CxVhhln0jU/3e5s7pfblfou2TnvnFezswjNTIGftNU1wOaxSCA==,iv:hjKNZ4EbPpl5YIcaWJYLKJzxuOmMjL4AtfUeL4vm5QA=,tag:mYcu4cRUnZeLgeISfaxXPQ==,type:str]
+postgresql-init: ENC[AES256_GCM,data:lbkeMv6PZgB7tEl4VbIYX9VUAgJ6Kcj0jLNyyqxJJcVJPjo1lF2d/i5bFnU1/6aJ2T7ftMW4hefYgrnIMdKXxPPfrHftaEMhl9bfJIsuX2I1CXAasZOhpsmg9Wf2cvXuVYIlqTVssg+3EKW0ejCMdX6OfGdAXvBlio1DQs7YrUc+BjDiEuAUAaaYbz67EYY3dpYQixQGl/8G2w7S897uCXpc1oOh6vbGY4Nl+GGQ7B5xrrbYcdATwfGyYlZYSlIv8feDsLv7Rt+w3o4tTAxcz+8qZ7KZ6sIsu/nUoYeqoT9MJ8uRpWccXKcBVAFSEooUIHUEBA/QsGizAXBgzCnyLDvuv3DOquo2xeMg0kWM8zsF1f9YRyUKqQ==,iv:RKIvggRZlPocygabF0iKNBThBRFG5rlzrIvGjjt7s0o=,tag:U/XUDJs5J8lHB9BJ5/0fFA==,type:str]
 sops:
    shamir_threshold: 1
    kms: []
@ -33,8 +33,8 @@ sops:
            a3l3bUx5NzdqUGd1TEpGY3UvQWt4TU0KB4MAjvI43FaOiGhWTkwPpeMMiAnX4v3L
            rLZDdc/vegF10FKTNJdxdq1E7ccMaV1KwjQkJoOJnWe6teKLjGOFkA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-19T03:46:45Z"
-    mac: ENC[AES256_GCM,data:FMzWnFllHDpgIoDJIKS7aWpUSVNH0+ij0+AIzl3qtjeuzmUUluDtEes6yAR8g/Daq+nxiMRnsse0HfUqZeT0rVVEpqvQB4Wsoq+G9qj8mmEUrHJzjU5rSDWV8uf5F1BsZbvF13VBulh/RWsmWjps+z6vyJ7uM1QjS3hSF2k3hSM=,iv:tpH8XjoTtNzPOOIosObpsvOAzZO7ywK9xjow3xTOJqY=,tag:BTzezbH9zZDZBzy1x+AJ1w==,type:str]
+    lastmodified: "2024-03-13T21:46:56Z"
+    mac: ENC[AES256_GCM,data:rEtRHX3PH1B+uoR82lDH3ACKHPbhxy+y7B9YgR6TzPSU4yIaTSqSK51eLJZoUtW6UTl6QDcTrsKDA8lGu9M/Ohfx8ayp6rkX63H/hkl0h6YaQmWDAQoNAAEWqfJ9r8O8tKKpE6qF/rw4c4KpuA5ONufOl9qj1KSgFzz0WHaKtWk=,iv:TUBAe62dmF6FAjZOPaxwzQjWL21TdWQG0YyuXJGgtk8=,tag:dewWivfnZO30Np2gajwLIw==,type:str]
    pgp:
        - created_at: "2024-01-19T19:08:55Z"
          enc: |-
--- a/nixos/sops.nix
+++ b/nixos/sops.nix
@ -1,4 +1,9 @@
-{ lib, inputs,  ... }: with lib; {
+{
+  lib,
+  inputs,
+  ...
+}:
+with lib; {
  imports = [
    inputs.sops-nix.nixosModules.sops
  ];
--- a/nixos/steam/account-switch.nix
+++ b/nixos/steam/account-switch.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.modules) mkDefault;
 in {
  services.steam.accountSwitch = {
--- a/nixos/steam/beatsaber.nix
+++ b/nixos/steam/beatsaber.nix
@ -1,7 +1,4 @@
-{
-  lib,
-  ...
-}: let
+{lib, ...}: let
  inherit (lib.modules) mkDefault;
 in {
  services.steam.beatsaber = {
--- a/nixos/systemd2mqtt.nix
+++ b/nixos/systemd2mqtt.nix
@ -10,7 +10,8 @@ in {
    enable = mkDefault true;
    user = mkDefault "root";
    mqtt = {
-      url = mkDefault (if config.services.mosquitto.enable
+      url = mkDefault (
+        if config.services.mosquitto.enable
        then "tcp://localhost:1883"
        else "tcp://mqtt.local.${config.networking.domain}:1883"
      );
--- a/nixos/tautulli.nix
+++ b/nixos/tautulli.nix
@ -1,4 +1,8 @@
-{config, lib, ...}: let
+{
+  config,
+  lib,
+  ...
+}: let
  inherit (lib.modules) mkIf mkDefault;
  cfg = config.services.tautulli;
 in {
--- a/nixos/users/arc.nix
+++ b/nixos/users/arc.nix
@ -1,15 +1,15 @@
-{ config, ... }:
-
-{
+{config, ...}: {
  users.users.arc = {name, ...}: {
    uid = 8001;
    isNormalUser = true;
    autoSubUidGidRange = false;
    group = name;
    extraGroups = [
-      "users" "peeps"
+      "users"
+      "peeps"
      "kyuuto"
-      "steamaccount" "beatsaber"
+      "steamaccount"
+      "beatsaber"
      "wheel"
    ];
    openssh.authorizedKeys.keys = [
--- a/nixos/users/connie.nix
+++ b/nixos/users/connie.nix
@ -1,13 +1,12 @@
-{ config, ... }:
-
-{
+{config, ...}: {
  users.users.connieallure = {name, ...}: {
    uid = 8003;
    isNormalUser = true;
    autoSubUidGidRange = false;
    group = name;
    extraGroups = [
-      "users" "peeps"
+      "users"
+      "peeps"
      "kyuuto"
    ];
  };
--- a/nixos/users/kaosu.nix
+++ b/nixos/users/kaosu.nix
@ -1,15 +1,15 @@
-{ config, ... }:
-
-{
+{config, ...}: {
  users.users.kaosubaloo = {name, ...}: {
    uid = 8002;
    isNormalUser = true;
    autoSubUidGidRange = false;
    group = name;
    extraGroups = [
-      "users" "peeps"
+      "users"
+      "peeps"
      "kyuuto"
-      "steamaccount" "beatsaber"
+      "steamaccount"
+      "beatsaber"
    ];
  };
  users.groups.kaosubaloo = {name, ...}: {
--- a/nixos/users/kat.nix
+++ b/nixos/users/kat.nix
@ -1,15 +1,15 @@
-{ config, ... }:
-
-{
+{config, ...}: {
  users.users.kat = {name, ...}: {
    uid = 8000;
    isNormalUser = true;
    autoSubUidGidRange = false;
    group = name;
    extraGroups = [
-      "users" "peeps"
+      "users"
+      "peeps"
      "kyuuto"
-      "steamaccount" "beatsaber"
+      "steamaccount"
+      "beatsaber"
      "wheel"
    ];
    openssh.authorizedKeys.keys = [
--- a/overlays/default.nix
+++ b/overlays/default.nix
@ -1,8 +1,10 @@
-{inputs, system}: {
+{
+  inputs,
+  system,
+}: {
  pkgs = import inputs.nixpkgs {
    inherit system;
-    overlays =
-      [
+    overlays = [
      inputs.deploy-rs.overlay
      inputs.arcexprs.overlays.default
      (final: prev: {
--- a/packages/default.nix
+++ b/packages/default.nix
@ -20,10 +20,15 @@
    NF_NIX_WHITELIST_FILES=(${string.concatMapSep " " string.escapeShellArg fmt.nix.whitelist})
  '';
  output = {
-    inherit (pkgs.buildPackages)
-      terraform tflint
-      alejandra deadnix statix
-      ssh-to-age jq
+    inherit
+      (pkgs.buildPackages)
+      terraform
+      tflint
+      alejandra
+      deadnix
+      statix
+      ssh-to-age
+      jq
      ;
    inherit (inputs.deploy-rs.packages.${system}) deploy-rs;
    nf-deploy = pkgs.writeShellScriptBin "nf-deploy" ''
@ -52,7 +57,8 @@
        INPUT_INFRA_CT_CONFIG = reisen + "/bin/ct-config.sh";
      };
      inputVars = set.mapToValues (key: path: ''${key}="$(base64 -w0 < ${path})"'') inputAttrs;
-    in pkgs.writeShellScriptBin "nf-setup-node" ''
+    in
+      pkgs.writeShellScriptBin "nf-setup-node" ''
        ${exports}
        NF_SETUP_INPUTS=(
          ${string.intercalate "\n" inputVars}
@ -144,4 +150,5 @@
      inherit (inputs) self;
    };
  };
-in output
+in
+  output
--- a/packages/snakeoil.nix
+++ b/packages/snakeoil.nix
@ -5,7 +5,12 @@
 }: let
  inherit (lib.strings) concatStringsSep;
  inherit (lib.lists) toList head;
-in { domain, name }: runCommand name {
+in
+  {
+    domain,
+    name,
+  }:
+    runCommand name {
      domains = concatStringsSep "," (toList domain);
      domain = head (toList domain);
      nativeBuildInputs = [buildPackages.minica];