config/acme.nix

@@ -1,5 +1,4 @@
-{ config, ... }:
+{config, ...}: {
-{
   security.acme = {
     acceptTerms = true;
     defaults.email = "hey@winston.sh";

config/default.nix

@@ -1,5 +1,4 @@
-{ pkgs, ... }:
+{pkgs, ...}: {
-{
   imports = [
     ./games
     ./secrets

config/games/valheim.nix

@@ -1,7 +1,5 @@
-{ lib, ... }:
+{lib, ...}: {
-{
+  nixpkgs.config.allowUnfreePredicate = pkg:
-  nixpkgs.config.allowUnfreePredicate =
-    pkg:
     builtins.elem (lib.getName pkg) [
       "valheim-server"
       "steamworks-sdk-redist"

config/nix.nix

@@ -1,16 +1,12 @@
 {
   nix = {
     gc.automatic = true;
-    settings = (import ../flake.nix).nixConfig // {
+    settings =
+      (import ../flake.nix).nixConfig
+      // {
         auto-optimise-store = true;
-      experimental-features = [
+        experimental-features = ["nix-command" "flakes"];
-        "nix-command"
+        trusted-users = ["@wheel" "winston"];
-        "flakes"
-      ];
-      trusted-users = [
-        "@wheel"
-        "winston"
-      ];
       };
   };
 }

config/secrets/default.nix

@@ -1,13 +1,7 @@
-{ lib, ... }:
+{lib, ...}: {
-{
+  age.secrets = with builtins;
-  age.secrets =
+    listToAttrs (map (k: {
-    with builtins;
-    listToAttrs (
-      map (k: {
       name = lib.removeSuffix ".age" k;
-        value = {
+      value = {file = ./. + "/${k}";};
-          file = ./. + "/${k}";
+    }) (attrNames (import ./secrets.nix)));
-        };
-      }) (attrNames (import ./secrets.nix))
-    );
 }

config/secrets/secrets.nix

@@ -2,12 +2,8 @@ let
   users.winston = "age1yubikey1qfkn095xth4ukxjye98ew4ul6xdkyz7sek0hd67yfjs5z6tv7q9jgnfchls";
   systems.main-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcY5fuyxK8rs3eocLuLnvSPDL6qcvq7oUdYrE+wLj0y";
 
-  default = [
+  default = [users.winston systems.main-node];
-    users.winston
+in {
-    systems.main-node
-  ];
-in
-{
   "containers/faerber.env.age".publicKeys = default;
   "containers/ghcr-token.age".publicKeys = default;
 

config/services/attic.nix

@@ -1,5 +1,4 @@
-{ config, ... }:
+{config, ...}: {
-{
   services.atticd = {
     enable = true;
     credentialsFile = config.age.secrets."services/attic/atticd.env".path;

config/services/atuin.nix

@@ -1,5 +1,8 @@
-{ config, pkgs, ... }:
 {
+  config,
+  pkgs,
+  ...
+}: {
   services.atuin = {
     enable = true;
     package = pkgs.unstable.atuin;

config/services/forgejo.nix

@@ -3,17 +3,14 @@
   inputs,
   pkgs,
   ...
-}:
+}: let
-let
+  modules = ["services/misc/forgejo.nix" "services/continuous-integration/gitea-actions-runner.nix"];
-  modules = [
+in {
-    "services/misc/forgejo.nix"
-    "services/continuous-integration/gitea-actions-runner.nix"
-  ];
-in
-{
   # swap out stable for unstable modules
   disabledModules = modules;
-  imports = builtins.map (v: "${inputs.nixpkgs-unstable}/nixos/modules/${v}") modules;
+  imports =
+    builtins.map (v: "${inputs.nixpkgs-unstable}/nixos/modules/${v}")
+    modules;
 
   age.secrets = {
     "services/forgejo/minio-secretkey".owner = config.services.forgejo.user;
@@ -47,13 +44,10 @@ in
     settings = {
       DEFAULT.APP_NAME = "winston's forgejo";
 
-      indexer =
+      indexer = with config.services.elasticsearch; let
-        with config.services.elasticsearch;
-        let
         indexer = "elasticsearch";
         conn = "http://${listenAddress}:${toString port}";
-        in
+      in {
-        {
         REPO_INDEXER_ENABLED = true;
         REPO_INDEXER_CONN_STR = conn;
         REPO_INDEXER_TYPE = indexer;

config/services/freshrss.nix

@@ -1,5 +1,4 @@
-{ config, ... }:
+{config, ...}: {
-{
   services.freshrss = rec {
     enable = true;
 

config/services/geoipupdate.nix

@@ -1,15 +1,10 @@
-{ config, ... }:
+{config, ...}: {
-{
   services.geoipupdate = {
     enable = true;
     settings = {
       AccountID = 1062126;
       LicenseKey = config.age.secrets."services/geoipupdate/license".path;
-      EditionIDs = [
+      EditionIDs = ["GeoLite2-ASN" "GeoLite2-City" "GeoLite2-Country"];
-        "GeoLite2-ASN"
-        "GeoLite2-City"
-        "GeoLite2-Country"
-      ];
     };
   };
 }

config/services/minio.nix

@@ -1,5 +1,4 @@
-{ config, ... }:
+{config, ...}: {
-{
   services.minio = {
     enable = true;
     browser = true;

config/services/monitoring.nix

@@ -3,8 +3,7 @@
   lib,
   pkgs,
   ...
-}:
+}: let
-let
   geoipDir = config.services.geoipupdate.settings.DatabaseDirectory;
 
   log_params = [
@@ -26,8 +25,7 @@ let
   ];
   log_format = lib.concatStringsSep " " (map (p: "${p}=\"\$${p}\"") log_params);
   log_file = "/var/log/nginx/access.log";
-in
+in {
-{
   services.grafana = {
     enable = true;
     settings = {
@@ -84,12 +82,10 @@ in
 
     globalConfig.scrape_interval = "10s";
     scrapeConfigs =
-      (builtins.map
+      (builtins.map (config: {
-        (config: {
           inherit (config) job_name;
           static_configs = [{targets = ["localhost:${toString config.port}"];}];
-        })
+        }) [
-        [
           {
             job_name = "fail2ban";
             port = 9191;
@@ -110,8 +106,7 @@ in
             job_name = "postgres";
             port = config.services.prometheus.exporters.postgres.port;
           }
-        ]
+        ])
-      )
       ++ [
         {
           job_name = "minio";
@@ -121,9 +116,7 @@ in
         }
         {
           job_name = "forgejo";
-          static_configs = with config.services.forgejo.settings.server; [
+          static_configs = with config.services.forgejo.settings.server; [{targets = ["${HTTP_ADDR}:${toString HTTP_PORT}"];}];
-            { targets = [ "${HTTP_ADDR}:${toString HTTP_PORT}" ]; }
-          ];
         }
       ];
 
@@ -172,24 +165,8 @@ in
       };
       node = {
         enable = true;
-        enabledCollectors = [
+        enabledCollectors = ["logind" "processes" "systemd"];
-          "logind"
+        disabledCollectors = ["bonding" "fibrechannel" "infiniband" "ipvs" "mdadm" "nfs" "nfsd" "nvme" "tapestats" "watchdog" "zfs"];
-          "processes"
-          "systemd"
-        ];
-        disabledCollectors = [
-          "bonding"
-          "fibrechannel"
-          "infiniband"
-          "ipvs"
-          "mdadm"
-          "nfs"
-          "nfsd"
-          "nvme"
-          "tapestats"
-          "watchdog"
-          "zfs"
-        ];
       };
       postgres = {
         enable = true;

config/services/nextcloud.nix

@@ -1,5 +1,8 @@
-{ config, pkgs, ... }:
 {
+  config,
+  pkgs,
+  ...
+}: {
   age.secrets = {
     "services/nextcloud/admin-password".owner = "nextcloud";
     "services/nextcloud/s3-secret".owner = "nextcloud";
@@ -17,7 +20,8 @@
     };
 
     extraApps = {
-      inherit (config.services.nextcloud.package.packages.apps)
+      inherit
+        (config.services.nextcloud.package.packages.apps)
         end_to_end_encryption
         previewgenerator
         twofactor_webauthn

config/services/nginx.nix

@@ -1,11 +1,13 @@
-{ config, pkgs, ... }:
+{
-let
+  config,
+  pkgs,
+  ...
+}: let
   snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
     mkdir "$out"
     openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
   '';
-in
+in {
-{
   services.nginx = {
     enable = true;
     package = pkgs.nginxMainline;
@@ -45,10 +47,7 @@ in
     params.nginx = {};
   };
 
-  networking.firewall.allowedTCPPorts = [
+  networking.firewall.allowedTCPPorts = [80 443];
-    80
-    443
-  ];
 
   # allow nginx to access Acme secrets
   users.users.nginx.extraGroups = ["acme"];

config/services/postgres.nix

@@ -1,5 +1,4 @@
-{ pkgs, ... }:
+{pkgs, ...}: {
-{
   services.postgresql = {
     enable = true;
     package = pkgs.postgresql_14;

config/services/renovate.nix

@@ -3,8 +3,7 @@
   inputs,
   pkgs,
   ...
-}:
+}: {
-{
   imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];
 
   services.renovate = {

config/services/wakapi.nix

@@ -1,5 +1,8 @@
-{ config, pkgs, ... }:
 {
+  config,
+  pkgs,
+  ...
+}: {
   services.wakapi = {
     enable = true;
     package = pkgs.unstable.wakapi;

config/users.nix

@@ -3,35 +3,29 @@
   lib,
   pkgs,
   ...
-}:
+}: let
-let
   nu_scripts = "${pkgs.nu_scripts}/share/nu_scripts";
-  mkCompletions =
+  mkCompletions = completions:
-    completions:
     lib.concatStringsSep "\n" (
       builtins.map (
         el: "source ${nu_scripts}/custom-completions/${el.name or el}/${el.filename or el}-completions.nu"
-      ) completions
+      )
+      completions
     );
-in
+in {
-{
   i18n.defaultLocale = "en_US.UTF-8";
 
   users = {
     mutableUsers = false;
     users.root = {
       hashedPasswordFile = config.age.secrets."system/password-root".path;
-      openssh.authorizedKeys.keys = [
+      openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ/mwLoiuaQ6KH+1IOvYO541gq37S43pYtMetilMG3v5"] ++ config.users.users.winston.openssh.authorizedKeys.keys;
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgFwSZPS1B3wndghjmgmamdM5LZ7hqv4fZsbcmYBQWT"
-      ] ++ config.users.users.winston.openssh.authorizedKeys.keys;
     };
     users.winston = {
       extraGroups = ["wheel"];
       hashedPasswordFile = config.age.secrets."system/password-winston".path;
       isNormalUser = true;
-      openssh.authorizedKeys.keys = [
+      openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"];
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"
-      ];
     };
   };
 
@@ -108,12 +102,7 @@ in
               }
 
               source ${nu_scripts}/aliases/git/git-aliases.nu
-              ${mkCompletions [
+              ${mkCompletions ["git" "man" "rg" "tar"]}
-                "git"
-                "man"
-                "rg"
-                "tar"
-              ]}
             '';
         };
         starship.enable = true;

flake.nix

@@ -1,13 +1,11 @@
 {
-  outputs =
+  outputs = {
-    {
     flake-parts,
     nixpkgs,
     nixpkgs-unstable,
     self,
     ...
-    }@inputs:
+  } @ inputs: let
-    let
     overlays = [
       (final: _: {
         unstable = nixpkgs-unstable.legacyPackages.${final.system};
@@ -35,9 +33,7 @@
             inputs.satisfactory-server.nixosModules.default
             inputs.valheim-server.nixosModules.default
           ];
-          specialArgs = {
+          specialArgs = {inherit inputs;};
-            inherit inputs;
-          };
         };
 
         checks = builtins.mapAttrs (_: deployLib: deployLib.deployChecks self.deploy) inputs.deploy-rs.lib;
@@ -51,17 +47,17 @@
         };
       };
 
-      perSystem =
+      perSystem = {
-        {
         config,
         inputs',
         pkgs,
         self',
         system,
         ...
-        }:
+      }: {
-        {
+        _module.args.pkgs = import nixpkgs {
-          _module.args.pkgs = import nixpkgs { inherit overlays system; };
+          inherit overlays system;
+        };
 
         devShells.default = pkgs.mkShell {
           inherit (config.pre-commit.devShell) shellHook;
@@ -75,28 +71,24 @@
           ];
         };
 
-          formatter = pkgs.nixfmt-rfc-style;
+        formatter = pkgs.alejandra;
 
         pre-commit = {
           check.enable = true;
           settings.excludes = ["_sources/"];
           settings.hooks = {
+            alejandra.enable = true;
             commitizen.enable = true;
+            deadnix.enable = true;
             editorconfig-checker.enable = true;
             nil.enable = true;
-              nixfmt-rfc-style.enable = true;
             shellcheck.enable = true;
           };
         };
       };
 
       imports = [inputs.pre-commit-hooks.flakeModule];
-      systems = [
+      systems = ["x86_64-linux" "aarch64-linux" "aarch64-darwin" "x86_64-darwin"];
-        "x86_64-linux"
-        "aarch64-linux"
-        "aarch64-darwin"
-        "x86_64-darwin"
-      ];
     };
 
   inputs = {

hosts/main-node/default.nix

@@ -1,5 +1,4 @@
-{ pkgs, ... }:
+{pkgs, ...}: {
-{
   imports = [./hardware-configuration.nix];
 
   boot = {

hosts/main-node/hardware-configuration.nix

@@ -3,18 +3,12 @@
   lib,
   modulesPath,
   ...
-}:
+}: {
-{
+  imports = [
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+    (modulesPath + "/profiles/qemu-guest.nix")
-
-  boot.initrd.availableKernelModules = [
-    "ata_piix"
-    "uhci_hcd"
-    "virtio_pci"
-    "virtio_scsi"
-    "sd_mod"
-    "sr_mod"
   ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
   boot.initrd.kernelModules = [];
   boot.kernelModules = [];
   boot.extraModulePackages = [];

modules/default.nix

@@ -1 +1,5 @@
-{ imports = [ ./wakapi.nix ]; }
+{
+  imports = [
+    ./wakapi.nix
+  ];
+}

modules/wakapi.nix

@@ -3,8 +3,7 @@
   lib,
   pkgs,
   ...
-}:
+}: let
-let
   cfg = config.services.wakapi;
   settingsFormat = pkgs.formats.yaml {};
   inherit (lib) types;
@@ -37,11 +36,7 @@ let
         ProtectKernelTunables = true;
         ProtectProc = "invisible";
         ProtectSystem = "strict";
-        RestrictAddressFamilies = [
+        RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
-          "AF_INET"
-          "AF_INET6"
-          "AF_UNIX"
-        ];
         RestrictNamespaces = true;
         RestrictRealtime = true;
         RestrictSUIDSGID = true;
@@ -102,8 +97,7 @@ let
       public_url = lib.mkDefault cfg.domain;
     };
   };
-in
+in {
-{
   options.services.wakapi = {
     enable = lib.mkEnableOption "Wakapi";
     package = lib.mkPackageOption pkgs "wakapi" {};
@@ -191,11 +185,9 @@ in
     };
   };
 
-  config = lib.mkIf cfg.enable (
+  config = lib.mkIf cfg.enable (lib.mkMerge [
-    lib.mkMerge [
     databaseConfig
     nginxConfig
     serviceConfig
-    ]
+  ]);
-  );
 }

pkgs/prometheus-fail2ban-exporter/default.nix

@@ -2,8 +2,7 @@
   buildGoModule,
   fetchFromGitLab,
   lib,
-}:
+}: let
-let
   version = "0.10.1";
 in
   buildGoModule {