about summary refs log tree commit diff
path: root/modules/nixos
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2024-03-31 21:29:27 +0300
committerAzat Bahawi <azat@bahawi.net>2024-03-31 21:29:27 +0300
commit9a5427e3a0c0ccf2a82dc503149a26b23fbd6004 (patch)
treef28beec29deeea36038615a8fb98a810891940b5 /modules/nixos
parent2024-03-19 (diff)
2024-03-31
Diffstat (limited to 'modules/nixos')
-rw-r--r--modules/nixos/acme.nix20
-rw-r--r--modules/nixos/alertmanager.nix16
-rw-r--r--modules/nixos/android.nix14
-rw-r--r--modules/nixos/beets.nix167
-rw-r--r--modules/nixos/bluetooth.nix17
-rw-r--r--modules/nixos/chromium.nix10
-rw-r--r--modules/nixos/clickhouse.nix12
-rw-r--r--modules/nixos/common/ark.nix50
-rw-r--r--modules/nixos/common/console.nix5
-rw-r--r--modules/nixos/common/documentation.nix14
-rw-r--r--modules/nixos/common/home-manager.nix5
-rw-r--r--modules/nixos/common/kernel.nix7
-rw-r--r--modules/nixos/common/locale.nix7
-rw-r--r--modules/nixos/common/networking.nix59
-rw-r--r--modules/nixos/common/nix.nix13
-rw-r--r--modules/nixos/common/secrets.nix5
-rw-r--r--modules/nixos/common/shell.nix4
-rw-r--r--modules/nixos/common/stylix.nix5
-rw-r--r--modules/nixos/common/systemd.nix33
-rw-r--r--modules/nixos/common/users.nix14
-rw-r--r--modules/nixos/common/xdg.nix20
-rw-r--r--modules/nixos/default.nix3
-rw-r--r--modules/nixos/docker.nix10
-rw-r--r--modules/nixos/dwm.nix254
-rw-r--r--modules/nixos/emacs.nix12
-rw-r--r--modules/nixos/endlessh-go.nix20
-rw-r--r--modules/nixos/endlessh.nix26
-rw-r--r--modules/nixos/fail2ban.nix21
-rw-r--r--modules/nixos/firefox/addons.nix40
-rw-r--r--modules/nixos/firefox/default.nix1036
-rw-r--r--modules/nixos/foot.nix34
-rw-r--r--modules/nixos/games/default.nix15
-rw-r--r--modules/nixos/games/gamemode.nix19
-rw-r--r--modules/nixos/games/lutris.nix6
-rw-r--r--modules/nixos/games/mangohud.nix12
-rw-r--r--modules/nixos/games/minecraft.nix20
-rw-r--r--modules/nixos/games/steam-run.nix78
-rw-r--r--modules/nixos/games/steam.nix16
-rw-r--r--modules/nixos/git/default.nix152
-rw-r--r--modules/nixos/gnupg.nix8
-rw-r--r--modules/nixos/gotify.nix22
-rw-r--r--modules/nixos/grafana.nix19
-rw-r--r--modules/nixos/hydra.nix54
-rw-r--r--modules/nixos/incus.nix18
-rw-r--r--modules/nixos/ipfs.nix55
-rw-r--r--modules/nixos/jackett.nix10
-rw-r--r--modules/nixos/k3s.nix12
-rw-r--r--modules/nixos/kde.nix17
-rw-r--r--modules/nixos/libvirtd.nix12
-rw-r--r--modules/nixos/lidarr.nix10
-rw-r--r--modules/nixos/loki.nix10
-rw-r--r--modules/nixos/matrix/dendrite.nix259
-rw-r--r--modules/nixos/matrix/element.nix9
-rw-r--r--modules/nixos/monitoring/default.nix156
-rw-r--r--modules/nixos/mpd.nix28
-rw-r--r--modules/nixos/mpv.nix167
-rw-r--r--modules/nixos/murmur.nix8
-rw-r--r--modules/nixos/nextcloud.nix164
-rw-r--r--modules/nixos/nginx.nix40
-rw-r--r--modules/nixos/node-exporter.nix6
-rw-r--r--modules/nixos/nsd.nix342
-rw-r--r--modules/nixos/ntfy.nix17
-rw-r--r--modules/nixos/nullmailer.nix6
-rw-r--r--modules/nixos/openssh.nix19
-rw-r--r--modules/nixos/plausible.nix27
-rw-r--r--modules/nixos/podman.nix12
-rw-r--r--modules/nixos/postgresql.nix40
-rw-r--r--modules/nixos/profiles/default.nix8
-rw-r--r--modules/nixos/profiles/dev/containers.nix10
-rw-r--r--modules/nixos/profiles/dev/default.nix10
-rw-r--r--modules/nixos/profiles/headful.nix8
-rw-r--r--modules/nixos/profiles/headless.nix8
-rw-r--r--modules/nixos/prometheus.nix8
-rw-r--r--modules/nixos/promtail.nix109
-rw-r--r--modules/nixos/psd.nix65
-rw-r--r--modules/nixos/radarr.nix10
-rw-r--r--modules/nixos/radicale.nix19
-rw-r--r--modules/nixos/redis.nix8
-rw-r--r--modules/nixos/rss-bridge.nix10
-rw-r--r--modules/nixos/rtorrent.nix427
-rw-r--r--modules/nixos/searx.nix8
-rw-r--r--modules/nixos/shadowsocks.nix110
-rw-r--r--modules/nixos/soju.nix88
-rw-r--r--modules/nixos/solaar.nix48
-rw-r--r--modules/nixos/sonarr.nix10
-rw-r--r--modules/nixos/sound.nix15
-rw-r--r--modules/nixos/syncthing.nix62
-rw-r--r--modules/nixos/throttled.nix12
-rw-r--r--modules/nixos/thunderbird.nix15
-rw-r--r--modules/nixos/unbound.nix151
-rw-r--r--modules/nixos/vaultwarden.nix25
-rw-r--r--modules/nixos/victoriametrics.nix8
-rw-r--r--modules/nixos/vim/default.nix20
-rw-r--r--modules/nixos/wayland.nix10
-rw-r--r--modules/nixos/wireguard.nix75
-rw-r--r--modules/nixos/x11.nix40
-rw-r--r--modules/nixos/xmonad.nix8
-rw-r--r--modules/nixos/zathura.nix12
98 files changed, 2777 insertions, 2458 deletions
diff --git a/modules/nixos/acme.nix b/modules/nixos/acme.nix
index 49be684..6a75818 100644
--- a/modules/nixos/acme.nix
+++ b/modules/nixos/acme.nix
@@ -1,13 +1,15 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.acme;
-in {
+in
+{
   imports = [
-    (mkAliasOptionModule ["certs"] ["security" "acme" "certs"])
+    (mkAliasOptionModule [ "certs" ] [
+      "security"
+      "acme"
+      "certs"
+    ])
   ];
 
   options.nixfiles.modules.acme = {
@@ -21,7 +23,7 @@ in {
   };
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/acme"];
+    ark.directories = [ "/var/lib/acme" ];
 
     security.acme = {
       acceptTerms = true;
diff --git a/modules/nixos/alertmanager.nix b/modules/nixos/alertmanager.nix
index 4d7f2ec..a3457bc 100644
--- a/modules/nixos/alertmanager.nix
+++ b/modules/nixos/alertmanager.nix
@@ -5,10 +5,12 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.alertmanager;
-in {
-  imports = [inputs.alertmanager-ntfy.nixosModules.default];
+in
+{
+  imports = [ inputs.alertmanager-ntfy.nixosModules.default ];
 
   options.nixfiles.modules.alertmanager = {
     enable = mkEnableOption "Alertmanager";
@@ -31,7 +33,7 @@ in {
       ntfy.enable = true;
       nginx = {
         enable = true;
-        upstreams.alertmanager.servers."127.0.0.1:${toString cfg.port}" = {};
+        upstreams.alertmanager.servers."127.0.0.1:${toString cfg.port}" = { };
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://alertmanager";
           extraConfig = libNginx.config.internalOnly;
@@ -59,16 +61,14 @@ in {
 
           route = {
             receiver = my.username;
-            group_by = ["alertname"];
+            group_by = [ "alertname" ];
           };
 
           receivers = [
             {
               name = my.username;
               webhook_configs = [
-                {
-                  url = with config.services.alertmanager-ntfy; "http://${httpAddress}:${httpPort}";
-                }
+                { url = with config.services.alertmanager-ntfy; "http://${httpAddress}:${httpPort}"; }
               ];
             }
           ];
diff --git a/modules/nixos/android.nix b/modules/nixos/android.nix
index 41b7ef9..363bd6c 100644
--- a/modules/nixos/android.nix
+++ b/modules/nixos/android.nix
@@ -1,16 +1,14 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.android;
-in {
+in
+{
   options.nixfiles.modules.android.enable = mkEnableOption "support for Android devices";
 
   config = mkIf cfg.enable {
     programs.adb.enable = true;
 
-    my.extraGroups = ["adbusers"];
+    my.extraGroups = [ "adbusers" ];
   };
 }
diff --git a/modules/nixos/beets.nix b/modules/nixos/beets.nix
index f01e412..732f400 100644
--- a/modules/nixos/beets.nix
+++ b/modules/nixos/beets.nix
@@ -4,99 +4,102 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.beets;
-in {
-  options.nixfiles.modules.beets.enable =
-    mkEnableOption "beets";
+in
+{
+  options.nixfiles.modules.beets.enable = mkEnableOption "beets";
 
   config = mkIf cfg.enable {
-    hm = let
-      beetsdir = "${config.dirs.data}/beets";
-    in {
-      home = {
-        activation.initialiseBeets = ''
-          if [[ ! -d "${beetsdir}" ]]; then
-            mkdir -p ${beetsdir}
-          fi
-        '';
+    hm =
+      let
+        beetsdir = "${config.dirs.data}/beets";
+      in
+      {
+        home = {
+          activation.initialiseBeets = ''
+            if [[ ! -d "${beetsdir}" ]]; then
+              mkdir -p ${beetsdir}
+            fi
+          '';
 
-        sessionVariables.BEETSDIR = beetsdir;
-      };
+          sessionVariables.BEETSDIR = beetsdir;
+        };
 
-      programs = {
-        beets = {
-          enable = true;
+        programs = {
+          beets = {
+            enable = true;
 
-          package = pkgs.beets-unstable;
+            package = pkgs.beets-unstable;
 
-          settings = {
-            library = "${beetsdir}/library.db";
-            directory = config.userDirs.music;
-            plugins = concatStringsSep " " [
-              "badfiles"
-              "edit"
-              "fetchart"
-              "info"
-              "mbsync"
-              "mpdupdate"
-              "scrub"
-              "zero"
-            ];
-            original_date = true;
-            import = {
-              write = true;
-              copy = true;
-              move = false;
-              bell = true;
-              from_scratch = true;
-            };
-            match = {
-              preferred = {
-                countries = [
-                  "JP"
-                  "KR"
-                  "TW"
-                  "HK"
-                  "CN"
-                  "RU"
-                  "NL"
-                  "DE"
-                  "AT"
-                  "GB|UK"
-                  "CA"
-                  "AU"
-                  "NZ"
-                  "US"
-                ];
-                original_year = true;
+            settings = {
+              library = "${beetsdir}/library.db";
+              directory = config.userDirs.music;
+              plugins = concatStringsSep " " [
+                "badfiles"
+                "edit"
+                "fetchart"
+                "info"
+                "mbsync"
+                "mpdupdate"
+                "scrub"
+                "zero"
+              ];
+              original_date = true;
+              import = {
+                write = true;
+                copy = true;
+                move = false;
+                bell = true;
+                from_scratch = true;
+              };
+              match = {
+                preferred = {
+                  countries = [
+                    "JP"
+                    "KR"
+                    "TW"
+                    "HK"
+                    "CN"
+                    "RU"
+                    "NL"
+                    "DE"
+                    "AT"
+                    "GB|UK"
+                    "CA"
+                    "AU"
+                    "NZ"
+                    "US"
+                  ];
+                  original_year = true;
+                };
+              };
+              edit = {
+                albumfields = "album artist albumartist";
+                itemfields = "track title album artist albumartist day month year genre";
+              };
+              fetchart = {
+                auto = true;
+                cautious = true;
+                cover_names = "cover Cover folder Folder art Art album Album front Front";
+                sources = "filesystem coverart itunes amazon albumart wikipedia";
+                high_resolution = true;
+              };
+              scrub.auto = true;
+              zero = {
+                fields = "comments genre";
+                update_database = true;
+              };
+              mpd = {
+                host = "127.0.0.1";
+                port = 6600;
               };
-            };
-            edit = {
-              albumfields = "album artist albumartist";
-              itemfields = "track title album artist albumartist day month year genre";
-            };
-            fetchart = {
-              auto = true;
-              cautious = true;
-              cover_names = "cover Cover folder Folder art Art album Album front Front";
-              sources = "filesystem coverart itunes amazon albumart wikipedia";
-              high_resolution = true;
-            };
-            scrub.auto = true;
-            zero = {
-              fields = "comments genre";
-              update_database = true;
-            };
-            mpd = {
-              host = "127.0.0.1";
-              port = 6600;
             };
           };
-        };
 
-        bash.shellAliases.beet = "beet --config ${config.dirs.config}/beets/config.yaml";
+          bash.shellAliases.beet = "beet --config ${config.dirs.config}/beets/config.yaml";
+        };
       };
-    };
   };
 }
diff --git a/modules/nixos/bluetooth.nix b/modules/nixos/bluetooth.nix
index 26d081d..117aff7 100644
--- a/modules/nixos/bluetooth.nix
+++ b/modules/nixos/bluetooth.nix
@@ -1,16 +1,13 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.bluetooth;
-in {
-  options.nixfiles.modules.bluetooth.enable =
-    mkEnableOption "Bluetooth support";
+in
+{
+  options.nixfiles.modules.bluetooth.enable = mkEnableOption "Bluetooth support";
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/bluetooth"];
+    ark.directories = [ "/var/lib/bluetooth" ];
 
     hardware.bluetooth = {
       enable = true;
diff --git a/modules/nixos/chromium.nix b/modules/nixos/chromium.nix
index 3b87b4c..c7842d5 100644
--- a/modules/nixos/chromium.nix
+++ b/modules/nixos/chromium.nix
@@ -4,14 +4,16 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.chromium;
-in {
+in
+{
   options.nixfiles.modules.chromium.enable = mkEnableOption "Chromium";
 
   config = mkIf cfg.enable {
     hm = {
-      home.packages = with pkgs; [profile-cleaner];
+      home.packages = with pkgs; [ profile-cleaner ];
 
       programs.chromium = {
         enable = true;
@@ -19,7 +21,7 @@ in {
         package = pkgs.ungoogled-chromium;
 
         extensions = [
-          {id = "cjpalhdlnbpafiamejdnhcphjbkeiagm";} # uBlock Origin
+          { id = "cjpalhdlnbpafiamejdnhcphjbkeiagm"; } # uBlock Origin
         ];
       };
     };
diff --git a/modules/nixos/clickhouse.nix b/modules/nixos/clickhouse.nix
index 4fae683..12dc7fa 100644
--- a/modules/nixos/clickhouse.nix
+++ b/modules/nixos/clickhouse.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.clickhouse;
-in {
+in
+{
   options.nixfiles.modules.clickhouse = {
     enable = mkEnableOption "Clickhouse";
   };
diff --git a/modules/nixos/common/ark.nix b/modules/nixos/common/ark.nix
index 3a12050..6c7148f 100644
--- a/modules/nixos/common/ark.nix
+++ b/modules/nixos/common/ark.nix
@@ -4,34 +4,42 @@
   lib,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.ark;
-in {
+in
+{
   imports = [
-    (mkAliasOptionModule ["ark"] ["nixfiles" "modules" "ark"])
+    (mkAliasOptionModule [ "ark" ] [
+      "nixfiles"
+      "modules"
+      "ark"
+    ])
     inputs.impermanence.nixosModules.impermanence
   ];
 
-  options.nixfiles.modules.ark = let
-    mkListOfAnythingOption = mkOption {
-      type = with types; listOf anything; # Assumed to be matching with the upstream type.
-      default = [];
-    };
-  in {
-    enable = mkEnableOption "persistent storage support via impermanence";
+  options.nixfiles.modules.ark =
+    let
+      mkListOfAnythingOption = mkOption {
+        type = with types; listOf anything; # Assumed to be matching with the upstream type.
+        default = [ ];
+      };
+    in
+    {
+      enable = mkEnableOption "persistent storage support via impermanence";
 
-    path = mkOption {
-      type = types.str;
-      default = "/ark";
-    };
+      path = mkOption {
+        type = types.str;
+        default = "/ark";
+      };
 
-    directories = mkListOfAnythingOption;
-    files = mkListOfAnythingOption;
-    # hm = {
-    #   directories = mkListOfAnythingOption;
-    #   files = mkListOfAnythingOption;
-    # };
-  };
+      directories = mkListOfAnythingOption;
+      files = mkListOfAnythingOption;
+      # hm = {
+      #   directories = mkListOfAnythingOption;
+      #   files = mkListOfAnythingOption;
+      # };
+    };
 
   config = mkIf cfg.enable {
     environment.persistence.${cfg.path} = {
diff --git a/modules/nixos/common/console.nix b/modules/nixos/common/console.nix
index 3491e37..330310c 100644
--- a/modules/nixos/common/console.nix
+++ b/modules/nixos/common/console.nix
@@ -1,8 +1,5 @@
+{ config, pkgs, ... }:
 {
-  config,
-  pkgs,
-  ...
-}: {
   stylix.targets.console.enable = false;
 
   console = {
diff --git a/modules/nixos/common/documentation.nix b/modules/nixos/common/documentation.nix
index cb66818..f7d1585 100644
--- a/modules/nixos/common/documentation.nix
+++ b/modules/nixos/common/documentation.nix
@@ -5,7 +5,8 @@
   this,
   ...
 }:
-with lib; {
+with lib;
+{
   config = mkIf this.isHeadful {
     documentation = {
       dev.enable = true;
@@ -14,13 +15,12 @@ with lib; {
       man.man-db.manualPages =
         (pkgs.buildEnv {
           name = "man-paths";
-          paths = with config;
-            environment.systemPackages ++ hm.home.packages;
-          pathsToLink = ["/share/man"];
-          extraOutputsToInstall = ["man"];
+          paths = with config; environment.systemPackages ++ hm.home.packages;
+          pathsToLink = [ "/share/man" ];
+          extraOutputsToInstall = [ "man" ];
           ignoreCollisions = true;
-        })
-        .overrideAttrs (_: _: {__contentAddressed = true;});
+        }).overrideAttrs
+          (_: _: { __contentAddressed = true; });
     };
 
     environment.sessionVariables = {
diff --git a/modules/nixos/common/home-manager.nix b/modules/nixos/common/home-manager.nix
index 52f2fd3..c553a65 100644
--- a/modules/nixos/common/home-manager.nix
+++ b/modules/nixos/common/home-manager.nix
@@ -1,3 +1,4 @@
-{inputs, ...}: {
-  imports = [inputs.home-manager.nixosModule];
+{ inputs, ... }:
+{
+  imports = [ inputs.home-manager.nixosModule ];
 }
diff --git a/modules/nixos/common/kernel.nix b/modules/nixos/common/kernel.nix
index 2fc40f9..5c45b5d 100644
--- a/modules/nixos/common/kernel.nix
+++ b/modules/nixos/common/kernel.nix
@@ -1,11 +1,12 @@
-{lib, ...}:
-with lib; {
+{ lib, ... }:
+with lib;
+{
   boot = {
     # I don't use it even on laptops. It's also /required/ to disable it for
     # ZFS[1].
     # [1]: https://github.com/openzfs/zfs/issues/260
     # [1]: https://github.com/openzfs/zfs/issues/12842
-    kernelParams = ["hibernate=no"];
+    kernelParams = [ "hibernate=no" ];
 
     kernel.sysctl = {
       "fs.file-max" = pow 2 17;
diff --git a/modules/nixos/common/locale.nix b/modules/nixos/common/locale.nix
index 76186bc..699f89b 100644
--- a/modules/nixos/common/locale.nix
+++ b/modules/nixos/common/locale.nix
@@ -1,9 +1,6 @@
+{ lib, pkgs, ... }:
+with lib;
 {
-  lib,
-  pkgs,
-  ...
-}:
-with lib; {
   i18n = {
     defaultLocale = mkDefault "en_GB.UTF-8";
     supportedLocales = [
diff --git a/modules/nixos/common/networking.nix b/modules/nixos/common/networking.nix
index fb7d9b2..ecadf6e 100644
--- a/modules/nixos/common/networking.nix
+++ b/modules/nixos/common/networking.nix
@@ -5,14 +5,16 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.common.networking;
-in {
-  options.nixfiles.modules.common.networking.onlyDefault =
-    mkEnableOption "custom networking settings";
+in
+{
+  options.nixfiles.modules.common.networking.onlyDefault = mkEnableOption "custom networking settings";
 
   config = mkIf (!cfg.onlyDefault) {
-    ark.directories = with config.networking;
+    ark.directories =
+      with config.networking;
       optional networkmanager.enable "/etc/NetworkManager/system-connections"
       ++ optional wireless.iwd.enable "/var/lib/iwd";
 
@@ -27,8 +29,8 @@ in {
         # Remove default hostname mappings. This is required at least by the
         # current implementation of the monitoring module.
         hosts = {
-          "127.0.0.2" = mkForce [];
-          "::1" = mkForce [];
+          "127.0.0.2" = mkForce [ ];
+          "::1" = mkForce [ ];
         };
 
         nameservers = mkDefault dns.const.quad9.default;
@@ -52,33 +54,35 @@ in {
           logReversePathDrops = false;
         };
       }
-      (let
-        interface = "eth0"; # This assumes `usePredictableInterfaceNames` is false.
-      in
+      (
+        let
+          interface = "eth0"; # This assumes `usePredictableInterfaceNames` is false.
+        in
         mkIf (hasAttr "ipv4" this && hasAttr "ipv6" this) {
           usePredictableInterfaceNames = false; # NOTE This can break something!
           interfaces.${interface} = {
-            ipv4.addresses = with this.ipv4;
-              optional (isString address && isInt prefixLength) {
-                inherit address prefixLength;
-              };
-
-            ipv6.addresses = with this.ipv6;
-              optional (isString address && isInt prefixLength) {
-                inherit address prefixLength;
-              };
+            ipv4.addresses =
+              with this.ipv4;
+              optional (isString address && isInt prefixLength) { inherit address prefixLength; };
+
+            ipv6.addresses =
+              with this.ipv6;
+              optional (isString address && isInt prefixLength) { inherit address prefixLength; };
           };
-          defaultGateway = with this.ipv4;
+          defaultGateway =
+            with this.ipv4;
             mkIf (isString gatewayAddress) {
               inherit interface;
               address = gatewayAddress;
             };
-          defaultGateway6 = with this.ipv6;
+          defaultGateway6 =
+            with this.ipv6;
             mkIf (isString gatewayAddress) {
               inherit interface;
               address = gatewayAddress;
             };
-        })
+        }
+      )
       (mkIf this.isHeadful {
         interfaces = {
           eth0.useDHCP = mkDefault true;
@@ -100,12 +104,8 @@ in {
     ];
 
     environment = {
-      shellAliases = listToAttrs (map
-        ({
-          name,
-          value,
-        }:
-          nameValuePair name "${pkgs.iproute2}/bin/${value}") [
+      shellAliases = listToAttrs (
+        map ({ name, value }: nameValuePair name "${pkgs.iproute2}/bin/${value}") [
           {
             name = "bridge";
             value = "bridge -color=always";
@@ -118,7 +118,8 @@ in {
             name = "tc";
             value = "tc -color=always";
           }
-        ]);
+        ]
+      );
 
       systemPackages = with pkgs; [
         ethtool
diff --git a/modules/nixos/common/nix.nix b/modules/nixos/common/nix.nix
index 2976cfc..146575d 100644
--- a/modules/nixos/common/nix.nix
+++ b/modules/nixos/common/nix.nix
@@ -4,13 +4,15 @@
   lib,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.common.nix;
-in {
+in
+{
   options.nixfiles.modules.common.nix.allowedUnfreePackages = mkOption {
     description = "A list of allowed unfree packages.";
     type = with types; listOf str;
-    default = [];
+    default = [ ];
   };
 
   config = {
@@ -22,13 +24,12 @@ in {
 
     nixpkgs.config.allowUnfreePredicate = p: elem (getName p) cfg.allowedUnfreePackages;
 
-    system.stateVersion = with builtins;
-      head (split "\n" (readFile "${inputs.nixpkgs}/.version"));
+    system.stateVersion = with builtins; head (split "\n" (readFile "${inputs.nixpkgs}/.version"));
 
     environment = {
       sessionVariables.NIX_SHELL_PRESERVE_PROMPT = "1";
       localBinInPath = true;
-      defaultPackages = [];
+      defaultPackages = [ ];
     };
   };
 }
diff --git a/modules/nixos/common/secrets.nix b/modules/nixos/common/secrets.nix
index 9a82c44..31787ac 100644
--- a/modules/nixos/common/secrets.nix
+++ b/modules/nixos/common/secrets.nix
@@ -1,3 +1,4 @@
-{inputs, ...}: {
-  imports = [inputs.agenix.nixosModules.default];
+{ inputs, ... }:
+{
+  imports = [ inputs.agenix.nixosModules.default ];
 }
diff --git a/modules/nixos/common/shell.nix b/modules/nixos/common/shell.nix
index 5fbc441..a1a7f08 100644
--- a/modules/nixos/common/shell.nix
+++ b/modules/nixos/common/shell.nix
@@ -1,3 +1 @@
-_: {
-  programs.command-not-found.enable = false;
-}
+_: { programs.command-not-found.enable = false; }
diff --git a/modules/nixos/common/stylix.nix b/modules/nixos/common/stylix.nix
index 5ca5571..a89943a 100644
--- a/modules/nixos/common/stylix.nix
+++ b/modules/nixos/common/stylix.nix
@@ -5,8 +5,9 @@
   pkgs,
   ...
 }:
-with lib; {
-  imports = [inputs.stylix.nixosModules.stylix];
+with lib;
+{
+  imports = [ inputs.stylix.nixosModules.stylix ];
 
   stylix.cursor = {
     name = "phinger-cursors";
diff --git a/modules/nixos/common/systemd.nix b/modules/nixos/common/systemd.nix
index 3972670..b393d9f 100644
--- a/modules/nixos/common/systemd.nix
+++ b/modules/nixos/common/systemd.nix
@@ -1,14 +1,11 @@
+{ config, pkgs, ... }:
 {
-  config,
-  pkgs,
-  ...
-}: {
   ark = {
-    files = ["/etc/machine-id"];
-    directories = ["/var/lib/systemd/coredump"];
+    files = [ "/etc/machine-id" ];
+    directories = [ "/var/lib/systemd/coredump" ];
   };
 
-  my.extraGroups = ["systemd-journal"];
+  my.extraGroups = [ "systemd-journal" ];
 
   hm.systemd.user.startServices = "sd-switch";
 
@@ -24,15 +21,19 @@
     SystemMaxUse=5G
   '';
 
-  systemd = let
-    extraConfig = ''
-      DefaultTimeoutStartSec=30s
-      DefaultTimeoutStopSec=15s
-    '';
-  in {
-    inherit extraConfig;
-    user = {inherit extraConfig;};
-  };
+  systemd =
+    let
+      extraConfig = ''
+        DefaultTimeoutStartSec=30s
+        DefaultTimeoutStopSec=15s
+      '';
+    in
+    {
+      inherit extraConfig;
+      user = {
+        inherit extraConfig;
+      };
+    };
 
   environment.sessionVariables = {
     SYSTEMD_PAGERSECURE = "1";
diff --git a/modules/nixos/common/users.nix b/modules/nixos/common/users.nix
index 367af41..eca9e1b 100644
--- a/modules/nixos/common/users.nix
+++ b/modules/nixos/common/users.nix
@@ -1,8 +1,10 @@
-{lib, ...}:
-with lib; let
+{ lib, ... }:
+with lib;
+let
   home = "/home/${my.username}";
-in {
-  ark.directories = [home];
+in
+{
+  ark.directories = [ home ];
 
   users = {
     mutableUsers = false;
@@ -16,8 +18,8 @@ in {
         description = my.fullname;
         inherit home;
         inherit (my) hashedPassword;
-        openssh.authorizedKeys.keys = [my.ssh.key];
-        extraGroups = ["wheel"];
+        openssh.authorizedKeys.keys = [ my.ssh.key ];
+        extraGroups = [ "wheel" ];
       };
     };
   };
diff --git a/modules/nixos/common/xdg.nix b/modules/nixos/common/xdg.nix
index 668996f..1fe167e 100644
--- a/modules/nixos/common/xdg.nix
+++ b/modules/nixos/common/xdg.nix
@@ -4,19 +4,19 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.common.xdg;
-in {
+in
+{
   options.nixfiles.modules.common.xdg.defaultApplications = mkOption {
     description = "Default applications.";
     type = with types; attrsOf (listOf str);
-    default = {};
+    default = { };
   };
 
   config = {
-    xdg.portal = mkIf this.isHeadful {
-      enable = true;
-    };
+    xdg.portal = mkIf this.isHeadful { enable = true; };
 
     hm.xdg = mkMerge [
       (with cfg; {
@@ -31,11 +31,9 @@ in {
       (mkIf this.isHeadful {
         mimeApps = {
           enable = true;
-          defaultApplications =
-            mkMerge
-            (mapAttrsToList
-              (n: v: genAttrs v (_: ["${n}.desktop"]))
-              cfg.defaultApplications);
+          defaultApplications = mkMerge (
+            mapAttrsToList (n: v: genAttrs v (_: [ "${n}.desktop" ])) cfg.defaultApplications
+          );
         };
       })
     ];
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 1a42517..1d5e905 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -15,12 +15,14 @@ _: {
     ./endlessh.nix
     ./fail2ban.nix
     ./firefox
+    ./foot.nix
     ./games
     ./git
     ./gnupg.nix
     ./gotify.nix
     ./grafana.nix
     ./hydra.nix
+    ./incus.nix
     ./ipfs.nix
     ./jackett.nix
     ./k3s.nix
@@ -28,7 +30,6 @@ _: {
     ./libvirtd.nix
     ./lidarr.nix
     ./loki.nix
-    ./incus.nix
     ./matrix
     ./monitoring
     ./mpd.nix
diff --git a/modules/nixos/docker.nix b/modules/nixos/docker.nix
index 0795386..62dc095 100644
--- a/modules/nixos/docker.nix
+++ b/modules/nixos/docker.nix
@@ -5,9 +5,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.docker;
-in {
+in
+{
   options.nixfiles.modules.docker.enable = mkEnableOption "Docker";
 
   config = mkIf cfg.enable {
@@ -29,8 +31,8 @@ in {
 
     virtualisation.docker.enable = true;
 
-    environment.systemPackages = with pkgs; [docker-compose];
+    environment.systemPackages = with pkgs; [ docker-compose ];
 
-    my.extraGroups = ["docker"];
+    my.extraGroups = [ "docker" ];
   };
 }
diff --git a/modules/nixos/dwm.nix b/modules/nixos/dwm.nix
index a32ed29..912be0c 100644
--- a/modules/nixos/dwm.nix
+++ b/modules/nixos/dwm.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.dwm;
-in {
+in
+{
   options.nixfiles.modules.dwm.enable = mkEnableOption "dwm";
 
   config = mkIf cfg.enable {
@@ -15,134 +17,137 @@ in {
     hm.xsession = {
       enable = true;
 
-      windowManager.command = let
-        pkg = pkgs.dwm.override {
-          conf = let
-            font = with config.stylix.fonts; "${monospace.name}:size=${toString sizes.terminal}";
-          in ''
-            static const unsigned int borderpx = 1;
-            static const unsigned int snap = 32;
-            static const int showbar = 1;
-            static const int topbar = 1;
+      windowManager.command =
+        let
+          pkg = pkgs.dwm.override {
+            conf =
+              let
+                font = with config.stylix.fonts; "${monospace.name}:size=${toString sizes.terminal}";
+              in
+              ''
+                static const unsigned int borderpx = 1;
+                static const unsigned int snap = 32;
+                static const int showbar = 1;
+                static const int topbar = 1;
 
-            static const char *fonts[] = {
-              "${font}"
-            };
+                static const char *fonts[] = {
+                  "${font}"
+                };
 
-            static const char *colors[][3] = {
-              [SchemeNorm] = {
-                "${config.color.base06}",
-                "${config.color.base01}",
-                "${config.color.base01}",
-              },
-              [SchemeSel] = {
-                "${config.color.base01}",
-                "${config.color.base06}",
-                "${config.color.base06}",
-              },
-            };
+                static const char *colors[][3] = {
+                  [SchemeNorm] = {
+                    "${config.color.base06}",
+                    "${config.color.base01}",
+                    "${config.color.base01}",
+                  },
+                  [SchemeSel] = {
+                    "${config.color.base01}",
+                    "${config.color.base06}",
+                    "${config.color.base06}",
+                  },
+                };
 
-            static const char *tags[] = {
-              "1",
-              "2",
-              "3",
-              "4",
-              "5",
-              "6",
-              "7",
-              "8",
-              "9"
-            };
+                static const char *tags[] = {
+                  "1",
+                  "2",
+                  "3",
+                  "4",
+                  "5",
+                  "6",
+                  "7",
+                  "8",
+                  "9"
+                };
 
-            static const Rule rules[] = {
-              { "Emacs", NULL, NULL, 1 << 0, 0, -1 },
-            };
+                static const Rule rules[] = {
+                  { "Emacs", NULL, NULL, 1 << 0, 0, -1 },
+                };
 
-            static const float mfact = 0.666;
-            static const int nmaster = 1;
-            static const int resizehints = 0;
-            static const int lockfullscreen = 1;
+                static const float mfact = 0.666;
+                static const int nmaster = 1;
+                static const int resizehints = 0;
+                static const int lockfullscreen = 1;
 
-            static const Layout layouts[] = {
-              { "[]=", tile },
-              { "><>", NULL },
-              { "[M]", monocle },
-            };
+                static const Layout layouts[] = {
+                  { "[]=", tile },
+                  { "><>", NULL },
+                  { "[M]", monocle },
+                };
 
-            #define MODKEY Mod4Mask
-            #define TAGKEYS(KEY,TAG) \
-              { MODKEY,                       KEY, view,       { .ui = 1 << TAG } }, \
-              { MODKEY|ControlMask,           KEY, toggleview, { .ui = 1 << TAG } }, \
-              { MODKEY|ShiftMask,             KEY, tag,        { .ui = 1 << TAG } }, \
-              { MODKEY|ControlMask|ShiftMask, KEY, toggletag,  { .ui = 1 << TAG } },
+                #define MODKEY Mod4Mask
+                #define TAGKEYS(KEY,TAG) \
+                  { MODKEY,                       KEY, view,       { .ui = 1 << TAG } }, \
+                  { MODKEY|ControlMask,           KEY, toggleview, { .ui = 1 << TAG } }, \
+                  { MODKEY|ShiftMask,             KEY, tag,        { .ui = 1 << TAG } }, \
+                  { MODKEY|ControlMask|ShiftMask, KEY, toggletag,  { .ui = 1 << TAG } },
 
-            static char dmenumon[2] = "0";
-            static const char *dmenucmd[] = {
-              "${pkgs.dmenu}/bin/dmenu_run",
-              "-m", dmenumon,
-              "-fn", "${font}",
-              "-nb", "${config.color.base01}",
-              "-nf", "${config.color.base06}",
-              "-sb", "${config.color.base06}",
-              "-sf", "${config.color.base01}",
-              NULL,
-            };
-            static const char *termcmd[] = {
-              "${getExe pkgs.alacritty}",
-              NULL,
-            };
+                static char dmenumon[2] = "0";
+                static const char *dmenucmd[] = {
+                  "${pkgs.dmenu}/bin/dmenu_run",
+                  "-m", dmenumon,
+                  "-fn", "${font}",
+                  "-nb", "${config.color.base01}",
+                  "-nf", "${config.color.base06}",
+                  "-sb", "${config.color.base06}",
+                  "-sf", "${config.color.base01}",
+                  NULL,
+                };
+                static const char *termcmd[] = {
+                  "${getExe pkgs.alacritty}",
+                  NULL,
+                };
 
-            static const Key keys[] = {
-              { MODKEY,           XK_x,      spawn,          {.v = dmenucmd}       },
-              { MODKEY,           XK_Return, spawn,          {.v = termcmd}        },
-              { MODKEY,           XK_b,      togglebar,      {0}                   },
-              { MODKEY,           XK_j,      focusstack,     {.i = +1}             },
-              { MODKEY,           XK_k,      focusstack,     {.i = -1}             },
-              { MODKEY|ShiftMask, XK_k,      incnmaster,     {.i = +1}             },
-              { MODKEY|ShiftMask, XK_j,      incnmaster,     {.i = -1}             },
-              { MODKEY,           XK_comma,  setmfact,       {.f = -0.05}          },
-              { MODKEY,           XK_period, setmfact,       {.f = +0.05}          },
-              { MODKEY,           XK_p,      zoom,           {0}                   },
-              { MODKEY,           XK_Tab,    view,           {0}                   },
-              { MODKEY,           XK_d,      killclient,     {0}                   },
-              { MODKEY,           XK_t,      setlayout,      {.v = &layouts[0]}    },
-              { MODKEY,           XK_m,      setlayout,      {.v = &layouts[1]}    },
-              { MODKEY,           XK_f,      setlayout,      {.v = &layouts[2]}    },
-              { MODKEY,           XK_o,      togglefloating, {0}                   },
-              { MODKEY,           XK_0,      view,           {.ui = ~0}            },
-              { MODKEY|ShiftMask, XK_0,      tag,            {.ui = ~0}            },
-              { MODKEY,           XK_h,      focusmon,       {.i = -1}             },
-              { MODKEY,           XK_l,      focusmon,       {.i = +1}             },
-              { MODKEY|ShiftMask, XK_h,      tagmon,         {.i = -1}             },
-              { MODKEY|ShiftMask, XK_l,      tagmon,         {.i = +1}             },
-              TAGKEYS(            XK_1,                      0)
-              TAGKEYS(            XK_2,                      1)
-              TAGKEYS(            XK_3,                      2)
-              TAGKEYS(            XK_4,                      3)
-              TAGKEYS(            XK_5,                      4)
-              TAGKEYS(            XK_6,                      5)
-              TAGKEYS(            XK_7,                      6)
-              TAGKEYS(            XK_8,                      7)
-              TAGKEYS(            XK_9,                      8)
-              { MODKEY|ShiftMask, XK_q,      quit,           {0}                   },
-            };
+                static const Key keys[] = {
+                  { MODKEY,           XK_x,      spawn,          {.v = dmenucmd}       },
+                  { MODKEY,           XK_Return, spawn,          {.v = termcmd}        },
+                  { MODKEY,           XK_b,      togglebar,      {0}                   },
+                  { MODKEY,           XK_j,      focusstack,     {.i = +1}             },
+                  { MODKEY,           XK_k,      focusstack,     {.i = -1}             },
+                  { MODKEY|ShiftMask, XK_k,      incnmaster,     {.i = +1}             },
+                  { MODKEY|ShiftMask, XK_j,      incnmaster,     {.i = -1}             },
+                  { MODKEY,           XK_comma,  setmfact,       {.f = -0.05}          },
+                  { MODKEY,           XK_period, setmfact,       {.f = +0.05}          },
+                  { MODKEY,           XK_p,      zoom,           {0}                   },
+                  { MODKEY,           XK_Tab,    view,           {0}                   },
+                  { MODKEY,           XK_d,      killclient,     {0}                   },
+                  { MODKEY,           XK_t,      setlayout,      {.v = &layouts[0]}    },
+                  { MODKEY,           XK_m,      setlayout,      {.v = &layouts[1]}    },
+                  { MODKEY,           XK_f,      setlayout,      {.v = &layouts[2]}    },
+                  { MODKEY,           XK_o,      togglefloating, {0}                   },
+                  { MODKEY,           XK_0,      view,           {.ui = ~0}            },
+                  { MODKEY|ShiftMask, XK_0,      tag,            {.ui = ~0}            },
+                  { MODKEY,           XK_h,      focusmon,       {.i = -1}             },
+                  { MODKEY,           XK_l,      focusmon,       {.i = +1}             },
+                  { MODKEY|ShiftMask, XK_h,      tagmon,         {.i = -1}             },
+                  { MODKEY|ShiftMask, XK_l,      tagmon,         {.i = +1}             },
+                  TAGKEYS(            XK_1,                      0)
+                  TAGKEYS(            XK_2,                      1)
+                  TAGKEYS(            XK_3,                      2)
+                  TAGKEYS(            XK_4,                      3)
+                  TAGKEYS(            XK_5,                      4)
+                  TAGKEYS(            XK_6,                      5)
+                  TAGKEYS(            XK_7,                      6)
+                  TAGKEYS(            XK_8,                      7)
+                  TAGKEYS(            XK_9,                      8)
+                  { MODKEY|ShiftMask, XK_q,      quit,           {0}                   },
+                };
 
-            static const Button buttons[] = {
-              { ClkLtSymbol,   0,      Button1, setlayout,      {0}                },
-              { ClkLtSymbol,   0,      Button3, setlayout,      {.v = &layouts[2]} },
-              { ClkWinTitle,   0,      Button2, zoom,           {0}                },
-              { ClkStatusText, 0,      Button2, spawn,          {.v = termcmd}     },
-              { ClkClientWin,  MODKEY, Button1, movemouse,      {0}                },
-              { ClkClientWin,  MODKEY, Button2, togglefloating, {0}                },
-              { ClkClientWin,  MODKEY, Button3, resizemouse,    {0}                },
-              { ClkTagBar,     0,      Button1, view,           {0}                },
-              { ClkTagBar,     0,      Button3, toggleview,     {0}                },
-              { ClkTagBar,     MODKEY, Button1, tag,            {0}                },
-              { ClkTagBar,     MODKEY, Button3, toggletag,      {0}                },
-            };
-          '';
-        };
-      in
+                static const Button buttons[] = {
+                  { ClkLtSymbol,   0,      Button1, setlayout,      {0}                },
+                  { ClkLtSymbol,   0,      Button3, setlayout,      {.v = &layouts[2]} },
+                  { ClkWinTitle,   0,      Button2, zoom,           {0}                },
+                  { ClkStatusText, 0,      Button2, spawn,          {.v = termcmd}     },
+                  { ClkClientWin,  MODKEY, Button1, movemouse,      {0}                },
+                  { ClkClientWin,  MODKEY, Button2, togglefloating, {0}                },
+                  { ClkClientWin,  MODKEY, Button3, resizemouse,    {0}                },
+                  { ClkTagBar,     0,      Button1, view,           {0}                },
+                  { ClkTagBar,     0,      Button3, toggleview,     {0}                },
+                  { ClkTagBar,     MODKEY, Button1, tag,            {0}                },
+                  { ClkTagBar,     MODKEY, Button3, toggletag,      {0}                },
+                };
+              '';
+          };
+        in
         getExe' pkg "dwm";
     };
 
@@ -151,7 +156,14 @@ in {
       # package = pkgs.dwm-status.override {
       #   enableAlsaUtils = false;
       # };
-      order = ["audio" "backlight" "battery" "cpu_load" "network" "time"];
+      order = [
+        "audio"
+        "backlight"
+        "battery"
+        "cpu_load"
+        "network"
+        "time"
+      ];
     };
 
     services.xserver.displayManager.startx.enable = true;
diff --git a/modules/nixos/emacs.nix b/modules/nixos/emacs.nix
index 7d2112b..8a59c9b 100644
--- a/modules/nixos/emacs.nix
+++ b/modules/nixos/emacs.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.emacs;
-in {
+in
+{
   config = mkIf cfg.enable {
     nixfiles.modules.common.xdg.defaultApplications.emacs = [
       "application/atom+xml"
diff --git a/modules/nixos/endlessh-go.nix b/modules/nixos/endlessh-go.nix
index 435305d..efaaa8f 100644
--- a/modules/nixos/endlessh-go.nix
+++ b/modules/nixos/endlessh-go.nix
@@ -4,14 +4,17 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.endlessh-go;
-in {
+in
+{
   options.nixfiles.modules.endlessh-go.enable = mkEnableOption "endlessh-go";
 
-  config = let
-    port = 22;
-  in
+  config =
+    let
+      port = 22;
+    in
     mkIf cfg.enable {
       services.endlessh-go = {
         enable = true;
@@ -22,9 +25,12 @@ in {
           listenAddress = this.wireguard.ipv4.address;
           port = 9229;
         };
-        extraOptions = ["-geoip_supplier=ip-api" "-v=1"];
+        extraOptions = [
+          "-geoip_supplier=ip-api"
+          "-v=1"
+        ];
       };
 
-      networking.firewall.allowedTCPPorts = [port];
+      networking.firewall.allowedTCPPorts = [ port ];
     };
 }
diff --git a/modules/nixos/endlessh.nix b/modules/nixos/endlessh.nix
index caf9a38..f1bf0bc 100644
--- a/modules/nixos/endlessh.nix
+++ b/modules/nixos/endlessh.nix
@@ -1,16 +1,15 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.endlessh;
-in {
+in
+{
   options.nixfiles.modules.endlessh.enable = mkEnableOption "endlessh";
 
-  config = let
-    port = 22;
-  in
+  config =
+    let
+      port = 22;
+    in
     mkIf cfg.enable {
       ark.directories = [
         "/var/lib/gotify-server"
@@ -20,9 +19,12 @@ in {
       services.endlessh = {
         enable = true;
         inherit port;
-        extraOptions = ["-v" "-4"];
+        extraOptions = [
+          "-v"
+          "-4"
+        ];
       };
 
-      networking.firewall.allowedTCPPorts = [port];
+      networking.firewall.allowedTCPPorts = [ port ];
     };
 }
diff --git a/modules/nixos/fail2ban.nix b/modules/nixos/fail2ban.nix
index ce35c1f..a0cc2b4 100644
--- a/modules/nixos/fail2ban.nix
+++ b/modules/nixos/fail2ban.nix
@@ -4,14 +4,15 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.fail2ban;
-in {
-  options.nixfiles.modules.fail2ban.enable =
-    mkEnableOption "fail2ban";
+in
+{
+  options.nixfiles.modules.fail2ban.enable = mkEnableOption "fail2ban";
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/fail2ban"];
+    ark.directories = [ "/var/lib/fail2ban" ];
 
     services.fail2ban = {
       enable = true;
@@ -22,9 +23,13 @@ in {
         rndtime = "8m";
       };
 
-      ignoreIP =
-        optionals (hasAttr "wireguard" this)
-        (with config.nixfiles.modules.wireguard; [ipv4.subnet ipv6.subnet]);
+      ignoreIP = optionals (hasAttr "wireguard" this) (
+        with config.nixfiles.modules.wireguard;
+        [
+          ipv4.subnet
+          ipv6.subnet
+        ]
+      );
 
       jails.DEFAULT.settings.blocktype = "DROP";
     };
diff --git a/modules/nixos/firefox/addons.nix b/modules/nixos/firefox/addons.nix
index bd14bb5..28235d4 100644
--- a/modules/nixos/firefox/addons.nix
+++ b/modules/nixos/firefox/addons.nix
@@ -1,7 +1,5 @@
+{ buildFirefoxXpiAddon, lib }:
 {
-  buildFirefoxXpiAddon,
-  lib,
-}: {
   "bitwarden" = buildFirefoxXpiAddon {
     pname = "bitwarden";
     version = "2024.2.1";
@@ -33,10 +31,10 @@
   };
   "bypass-paywalls" = buildFirefoxXpiAddon {
     pname = "bypass-paywalls";
-    version = "3.5.9.0";
+    version = "3.6.0.0";
     addonId = "magnolia_limited_permissions_d@12.34";
-    url = "https://addons.mozilla.org/firefox/downloads/file/4248144/bypass_paywalls_clean_d-3.5.9.0.xpi";
-    sha256 = "938da8dcfa0e3ff012b40cf54a270ca73b03183387ef9330bf8b7771dbf10a5c";
+    url = "https://addons.mozilla.org/firefox/downloads/file/4251818/bypass_paywalls_clean_d-3.6.0.0.xpi";
+    sha256 = "30a57df51a241838dca9360a12801ea82f2deaf76a6b63f1279235e2f5f3c939";
     meta = with lib; {
       homepage = "https://gitlab.com/magnolia1234/bypass-paywalls-firefox-clean";
       description = "Bypass Paywalls";
@@ -173,6 +171,7 @@
         "*://*.courant.com/*"
         "*://*.courier-journal.com/*"
         "*://*.couriermail.com.au/*"
+        "*://*.courrierinternational.com/*"
         "*://*.crainscleveland.com/*"
         "*://*.crainsdetroit.com/*"
         "*://*.crainsnewyork.com/*"
@@ -290,6 +289,7 @@
         "*://*.ftm.nl/*"
         "*://*.gazetadopovo.com.br/*"
         "*://*.gazzetta.it/*"
+        "*://*.gbnews.com/*"
         "*://*.geelongadvertiser.com.au/*"
         "*://*.gelderlander.nl/*"
         "*://*.genomeweb.com/*"
@@ -423,6 +423,7 @@
         "*://*.lehighvalleylive.com/*"
         "*://*.lejdd.fr/*"
         "*://*.lemagit.fr/*"
+        "*://*.lemoniteur.fr/*"
         "*://*.lenouveleconomiste.fr/*"
         "*://*.lenouvelliste.ch/*"
         "*://*.leparisien.fr/*"
@@ -526,6 +527,7 @@
         "*://*.nytimes.com/*"
         "*://*.nzherald.co.nz/*"
         "*://*.nzz.ch/*"
+        "*://*.observador.pt/*"
         "*://*.ocbj.com/*"
         "*://*.ocregister.com/*"
         "*://*.oklahoman.com/*"
@@ -560,6 +562,7 @@
         "*://*.popularmechanics.com/*"
         "*://*.post-gazette.com/*"
         "*://*.pourlascience.fr/*"
+        "*://*.pourleco.com/*"
         "*://*.precisionmedicineonline.com/*"
         "*://*.pressenterprise.com/*"
         "*://*.prevention.com/*"
@@ -864,16 +867,21 @@
       homepage = "https://consentomatic.au.dk/";
       description = "Automatic handling of GDPR consent forms";
       license = licenses.mit;
-      mozPermissions = ["activeTab" "tabs" "storage" "<all_urls>"];
+      mozPermissions = [
+        "activeTab"
+        "tabs"
+        "storage"
+        "<all_urls>"
+      ];
       platforms = platforms.all;
     };
   };
   "darkreader" = buildFirefoxXpiAddon {
     pname = "darkreader";
-    version = "4.9.78";
+    version = "4.9.80";
     addonId = "addon@darkreader.org";
-    url = "https://addons.mozilla.org/firefox/downloads/file/4243182/darkreader-4.9.78.xpi";
-    sha256 = "21e08b3f26e9b54257d30f6b2fb2d966d41ace54d2d79ccec55e55517084c7ce";
+    url = "https://addons.mozilla.org/firefox/downloads/file/4249607/darkreader-4.9.80.xpi";
+    sha256 = "a93f1250b72cc27fe4a9b02be062c68fb079e45a1233d562852b48e1e9b99307";
     meta = with lib; {
       homepage = "https://darkreader.org/";
       description = "Dark mode for every website. Take care of your eyes, use dark theme for night and daily browsing.";
@@ -939,10 +947,10 @@
   };
   "languagetool" = buildFirefoxXpiAddon {
     pname = "languagetool";
-    version = "8.3.0";
+    version = "8.6.0";
     addonId = "languagetool-webextension@languagetool.org";
-    url = "https://addons.mozilla.org/firefox/downloads/file/4199245/languagetool-8.3.0.xpi";
-    sha256 = "e357424e3df9dde4ba10eb9f8f3719ac4830681570557f4d51db15a462cd7667";
+    url = "https://addons.mozilla.org/firefox/downloads/file/4249956/languagetool-8.6.0.xpi";
+    sha256 = "d9db9aac9fdd53eb39179c153161762cd9e9eb1f6d7da8e8b8a32238b4847094";
     meta = with lib; {
       homepage = "https://languagetool.org";
       description = "With this extension you can check text with the free style and grammar checker LanguageTool. It finds many errors that a simple spell checker cannot detect, like mixing up there/their, a/an, or repeating a word.";
@@ -970,7 +978,11 @@
       homepage = "https://github.com/MorbZ/no-pdf-download";
       description = "Opens all PDF files directly in the browser.";
       license = licenses.mit;
-      mozPermissions = ["webRequest" "webRequestBlocking" "<all_urls>"];
+      mozPermissions = [
+        "webRequest"
+        "webRequestBlocking"
+        "<all_urls>"
+      ];
       platforms = platforms.all;
     };
   };
diff --git a/modules/nixos/firefox/default.nix b/modules/nixos/firefox/default.nix
index 6d1b31b..881e9ad 100644
--- a/modules/nixos/firefox/default.nix
+++ b/modules/nixos/firefox/default.nix
@@ -5,9 +5,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.firefox;
-in {
+in
+{
   options.nixfiles.modules.firefox.enable = mkEnableOption "Firefox";
 
   config = mkIf cfg.enable {
@@ -18,13 +20,13 @@ in {
     ];
 
     hm = {
-      imports = [inputs.arkenfox.hmModules.arkenfox];
+      imports = [ inputs.arkenfox.hmModules.arkenfox ];
 
-      home.packages = with pkgs; [profile-cleaner];
+      home.packages = with pkgs; [ profile-cleaner ];
 
       stylix.targets.firefox = {
         enable = true;
-        profileNames = ["default"];
+        profileNames = [ "default" ];
       };
 
       programs.firefox = {
@@ -34,37 +36,40 @@ in {
 
         arkenfox.enable = true;
 
-        profiles.default = let
-          mkCssWithRoot = css:
-            mkMerge [
-              # https://github.com/tinted-theming/base24/blob/master/styling.md
-              (with config.colors.withHashtag; ''
-                :root {
-                  --black: ${base01};
-                  --red: ${base08};
-                  --green: ${base0B};
-                  --yellow: ${base09};
-                  --blue: ${base0D};
-                  --magenta: ${base0E};
-                  --cyan: ${base0C};
-                  --white: ${base06};
-                  --bright-black: ${base02};
-                  --bright-red: ${base12};
-                  --bright-green: ${base14};
-                  --bright-yellow: ${base13};
-                  --bright-blue: ${base16};
-                  --bright-magenta: ${base17};
-                  --bright-cyan: ${base15};
-                  --bright-white: ${base07};
-                  --background: ${base00};
-                  --foreground: ${base05};
-              '')
-              (
-                let
-                  mapFonts = concatMapStringsSep ", " (font: ''"${font}"'');
-                  size = toString config.stylix.fonts.sizes.applications;
-                in
-                  with config.fonts.fontconfig.defaultFonts; ''
+        profiles.default =
+          let
+            mkCssWithRoot =
+              css:
+              mkMerge [
+                # https://github.com/tinted-theming/base24/blob/master/styling.md
+                (with config.colors.withHashtag; ''
+                  :root {
+                    --black: ${base01};
+                    --red: ${base08};
+                    --green: ${base0B};
+                    --yellow: ${base09};
+                    --blue: ${base0D};
+                    --magenta: ${base0E};
+                    --cyan: ${base0C};
+                    --white: ${base06};
+                    --bright-black: ${base02};
+                    --bright-red: ${base12};
+                    --bright-green: ${base14};
+                    --bright-yellow: ${base13};
+                    --bright-blue: ${base16};
+                    --bright-magenta: ${base17};
+                    --bright-cyan: ${base15};
+                    --bright-white: ${base07};
+                    --background: ${base00};
+                    --foreground: ${base05};
+                '')
+                (
+                  let
+                    mapFonts = concatMapStringsSep ", " (font: ''"${font}"'');
+                    size = toString config.stylix.fonts.sizes.applications;
+                  in
+                  with config.fonts.fontconfig.defaultFonts;
+                  ''
                       --serif-font-family: ${mapFonts serif}, serif;
                       --serif-font-size: ${size};
                       --sans-serif-font-family: ${mapFonts sansSerif}, sans-serif;
@@ -73,50 +78,54 @@ in {
                       --monospace-font-size: ${size};
                     }
                   ''
-              )
-              (builtins.readFile css)
-            ];
-        in {
-          id = 0;
-
-          isDefault = true;
-
-          userChrome = mkCssWithRoot ./userChrome.css;
-
-          userContent = mkCssWithRoot ./userContent.css;
-
-          extensions = let
-            # This was done using the incredible addon generator[1]. All credit
-            # goes to Robert Helgesson.
-            #
-            # [1]: https://sr.ht/~rycee/mozilla-addons-to-nix/
-            buildFirefoxXpiAddon = makeOverridable ({
-              stdenv ? pkgs.stdenv,
-              fetchurl ? pkgs.fetchurl,
-              pname,
-              version,
-              addonId,
-              url,
-              sha256,
-              meta,
-              ...
-            }:
-              stdenv.mkDerivation {
-                name = "${pname}-${version}";
-                inherit meta;
-                src = fetchurl {inherit url sha256;};
-                preferLocalBuild = true;
-                allowSubstitutes = true;
-                buildCommand = ''
-                  dst="$out/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"
-                  mkdir -p "$dst"
-                  install -v -m644 "$src" "$dst/${addonId}.xpi"
-                '';
-              });
-
-            addons = import ./addons.nix {inherit buildFirefoxXpiAddon lib;};
+                )
+                (builtins.readFile css)
+              ];
           in
-            with addons;
+          {
+            id = 0;
+
+            isDefault = true;
+
+            userChrome = mkCssWithRoot ./userChrome.css;
+
+            userContent = mkCssWithRoot ./userContent.css;
+
+            extensions =
+              let
+                # This was done using the incredible addon generator[1]. All credit
+                # goes to Robert Helgesson.
+                #
+                # [1]: https://sr.ht/~rycee/mozilla-addons-to-nix/
+                buildFirefoxXpiAddon = makeOverridable (
+                  {
+                    stdenv ? pkgs.stdenv,
+                    fetchurl ? pkgs.fetchurl,
+                    pname,
+                    version,
+                    addonId,
+                    url,
+                    sha256,
+                    meta,
+                    ...
+                  }:
+                  stdenv.mkDerivation {
+                    name = "${pname}-${version}";
+                    inherit meta;
+                    src = fetchurl { inherit url sha256; };
+                    preferLocalBuild = true;
+                    allowSubstitutes = true;
+                    buildCommand = ''
+                      dst="$out/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"
+                      mkdir -p "$dst"
+                      install -v -m644 "$src" "$dst/${addonId}.xpi"
+                    '';
+                  }
+                );
+
+                addons = import ./addons.nix { inherit buildFirefoxXpiAddon lib; };
+              in
+              with addons;
               [
                 bypass-paywalls
                 consent-o-matic
@@ -133,483 +142,434 @@ in {
               ]
               ++ optional config.nixfiles.modules.ipfs.enable ipfs-companion;
 
-          search = {
-            force = true;
-
-            default = "DuckDuckGo";
-            order = ["DuckDuckGo" "Yahoo" "Google"];
-
-            engines = let
-              getIcon = url: sha256: pkgs.fetchurl {inherit url sha256;};
-            in {
-              "Amazon.com".metaData.hidden = true;
-              "Bing".metaData.hidden = true;
-              "Ebay".metaData.hidden = true;
-
-              "2GIS" = {
-                urls = [{template = "https://2gis.ru/kazan/search/{searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://d-assets.2gis.ru/favicon.png"
-                  "sha256-BlSaYRcUx9zhfJnVK5V7rsyft4qaueIEOONiCg+6aLE=";
-                definedAliases = ["@2gis"];
-              };
-
-              "AliExpress" = {
-                urls = [{template = "https://aliexpress.ru/wholesale?SearchText={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://ae01.alicdn.com/images/eng/wholesale/icon/aliexpress.ico"
-                  "sha256-7xgem2pY2PNuv8as1YnS+U03GvDLLGjhcDLt69rtmaA=";
-                definedAliases = ["@aliexpress" "@ali"];
-              };
-
-              "Ansible Galaxy" = {
-                urls = [{template = "https://galaxy.ansible.com/search?keywords={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://galaxy.ansible.com/assets/favicon.ico"
-                  "sha256-oAolpZhdKbVTraes6dDlafpvq/Vypu264vgKN4jzJk8=";
-                definedAliases = ["@ansible" "@galaxy" "@ag"];
-              };
-
-              "Arch Wiki" = {
-                urls = [{template = "https://wiki.archlinux.org/index.php?search={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://wiki.archlinux.org/favicon.ico"
-                  "sha256-0uxMtT8myzTT7p9k6v5UxsguPKu+vHPlglNTMbnN1T0=";
-                definedAliases = ["@archwiki" "@aw"];
-              };
-
-              "crates.io" = {
-                urls = [{template = "https://crates.io/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://crates.io/favicon.ico"
-                  "sha256-upooA/+m5KMUD1t4WFY3EOmytdpUFgNqUj12Auta1mM=";
-                definedAliases = ["@crates"];
-              };
-
-              "Discogs" = {
-                urls = [{template = "https://www.discogs.com/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://st.discogs.com/d56dcb7367720ea20f1b11a4385705517c7e7702/images/favicon.ico"
-                  "sha256-zEDrbmcUf8XHUyYzNc6JsWzBioX8sm8tjScGHim5VTk=";
-                definedAliases = ["@discogs"];
-              };
-
-              "Docker Hub" = {
-                urls = [{template = "https://hub.docker.com/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://www.docker.com/wp-content/uploads/2023/04/cropped-Docker-favicon-32x32.png"
-                  "sha256-4NmHGMaq31qoIvdlmy7fI3qTbkcp1/tJhqQu/9Ci4/c=";
-                definedAliases = ["@dockerhub" "@docker"];
-              };
-
-              "Ecosia" = {
-                urls = [{template = "https://www.ecosia.org/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://cdn-static.ecosia.org/static/icons/favicon.ico"
-                  "sha256-uvPShG1yVh4C4zaJmGuhhr96V/NredB1Wte9O3U6QxA=";
-                definedAliases = ["@ecosia"];
-              };
-
-              "Genius" = {
-                urls = [{template = "https://genius.com/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://assets.genius.com/images/apple-touch-icon.png"
-                  "sha256-M9YQEVg3T7hMO/xPfihR1aXfG+/pNiVOBCOtzx3GrkE=";
-                definedAliases = ["@genius"];
-              };
-
-              "GitHub" = {
-                urls = [{template = "https://github.com/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://github.githubassets.com/favicons/favicon-dark.svg"
-                  "sha256-qu/d9ftvsntplFuxw9RFL8BpI9b2g5b6xfeGw6Ekh6w=";
-                definedAliases = ["@github" "@gh"];
-              };
-
-              "godocs.io" = {
-                urls = [{template = "https://godocs.io/?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://go.dev/images/favicon-gopher.svg"
-                  "sha256-OlKpUUeYF8TtMoX4e0ERK1ocIb53OJ8ZDxvwJaQVM/0=";
-                definedAliases = ["@godocs"];
-              };
-
-              "pkgs.go.dev" = {
-                urls = [{template = "https://pkg.go.dev/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://go.dev/images/favicon-gopher.svg"
-                  "sha256-OlKpUUeYF8TtMoX4e0ERK1ocIb53OJ8ZDxvwJaQVM/0=";
-                definedAliases = ["@gopkgs"];
-              };
-
-              "Hackage" = {
-                urls = [{template = "https://hackage.haskell.org/packages/search?terms={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://hackage.haskell.org/static/favicon.png"
-                  "sha256-+6WAv93yaA3L2eheGKxklY/uRAvbKD1q/WcmufmhKxY=";
-                definedAliases = ["@hackage"];
-              };
-
-              "Hoogle" = {
-                urls = [{template = "https://hoogle.haskell.org/?hoogle={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://hoogle.haskell.org/favicon.png"
-                  "sha256-6qmjRYDDRUwm6EdLoZB6o9XtoujsfDEQJ9xOu3Knei8=";
-                definedAliases = ["@hoogle"];
-              };
-
-              "Jisho" = {
-                urls = [{template = "https://jisho.org/search/{searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://assets.jisho.org/assets/favicon-062c4a0240e1e6d72c38aa524742c2d558ee6234497d91dd6b75a182ea823d65.ico"
-                  "sha256-BixKAkDh5tcsOKpSR0LC1VjuYjRJfZHda3WhguqCPWU=";
-                definedAliases = ["@jisho"];
-              };
-
-              "コトバンク" = {
-                urls = [{template = "https://kotobank.jp/gs/?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://kotobank.jp/favicon.ico"
-                  "sha256-t+EzqURlQwznuBqa0GcBbqumvZqtU7HrEAjGUlqp1tg=";
-                definedAliases = ["@kotobank"];
-              };
-
-              "Kubernetes" = {
-                urls = [{template = "https://kubernetes.io/search/?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://kubernetes.io/images/favicon.png"
-                  "sha256-YI5QvGQXoaTG3uUGQ/R99Xl2r+VqBAA1qqthzPbf8nQ=";
-                definedAliases = ["@kubernetes" "@k8s"];
-              };
-
-              "Last.fm" = {
-                urls = [{template = "https://www.last.fm/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://www.last.fm/static/images/favicon.702b239b6194.ico"
-                  "sha256-ID+DfF+dZ5CzKiBp/psQPRD6r/06PZ0rVYiELWUt5Mw=";
-                definedAliases = ["@lastfm"];
-              };
-
-              "MDN" = {
-                urls = [{template = "https://developer.mozilla.org/en-US/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://developer.mozilla.org/favicon-48x48.cbbd161b.png"
-                  "sha256-Wnd0BqQIKgroGmV+R8vqV9uNBwDvcxBrQ8hXOLOFeKY=";
-                definedAliases = ["@mdn"];
-              };
-
-              "MELPA" = {
-                urls = [{template = "https://melpa.org/#/?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://melpa.org/favicon.ico"
-                  "sha256-bmlydqXBM8MUMC6cOTGSHPx6zN8tZFqmQ+srbXkSCA4=";
-                definedAliases = ["@melpa"];
-              };
-
-              "MusicBrainz" = {
-                urls = [{template = "https://musicbrainz.org/search?type=artist&query={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://musicbrainz.org/static/images/favicons/favicon-16x16.png"
-                  "sha256-M5mKQurmO9AP0gfC+5OLwi8k4XWQy759eQrrKAeytl0=";
-                definedAliases = ["@musicbrainz" "@mb"];
-              };
-
-              "NixOS Packages" = {
-                urls = [{template = "https://search.nixos.org/packages?channel=unstable&query={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://nixos.org/favicon.png"
-                  "sha256-awcsDbbpRcDJnJpRavj/IcKMReEektRcqKbE35IJTKQ=";
-                definedAliases = ["@nixpkgs" "@np"];
-              };
-
-              "NixOS Options" = {
-                urls = [{template = "https://search.nixos.org/options?channel=unstable&query={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://nixos.org/favicon.png"
-                  "sha256-awcsDbbpRcDJnJpRavj/IcKMReEektRcqKbE35IJTKQ=";
-                definedAliases = ["@nixopts" "@no"];
-              };
-
-              "NixOS Wiki" = {
-                urls = [{template = "https://nixos.wiki/index.php?search={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://nixos.wiki/favicon.png"
-                  "sha256-DE8IgVninF6Aq3iNMgerhvF1dpoXqDUSibtWSpf/dN4=";
-                definedAliases = ["@nixoswiki" "@nw"];
-              };
-
-              "OpenStreetMap" = {
-                urls = [{template = "https://www.openstreetmap.org/search?query={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://www.openstreetmap.org/assets/favicon-32x32-99b88fcadeef736889823c8a886b89d8cada9d4423a49a27de29bacc0a6bebd1.png"
-                  "sha256-dt4QVbQPdb4neS/fwH3yOWOSbEdkjMZtAYnIeCfr7qI=";
-                definedAliases = ["@openstreetmap" "@osm" "@maps"];
-              };
-
-              "ProtonDB" = {
-                urls = [{template = "https://www.protondb.com/search?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://www.protondb.com/sites/protondb/images/favicon.ico"
-                  "sha256-oauOp0EASNjMcThfzYJ2TfbaOYHBPL8LOp+9lmp4pmc=";
-                definedAliases = ["@protondb"];
-              };
-
-              "PyPI" = {
-                urls = [{template = "https://pypi.org/search/?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://pypi.org/static/images/logo-small.2a411bc6.svg"
-                  "sha256-+fcSfcNxAMLIFkp+gh52c48lQORoyhcegUIFtuq/zYs=";
-                definedAliases = ["@pypi"];
-              };
+            search = {
+              force = true;
 
-              "Python Docs" = {
-                urls = [{template = "https://docs.python.org/3/search.html?q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://docs.python.org/3/_static/py.svg"
-                  "sha256-WGW+i8wK+IhZSQPqARL2yNkjxXJsQIHoyFYRDMcznO8=";
-                definedAliases = ["@pydocs"];
-              };
+              default = "DuckDuckGo";
+              order = [
+                "DuckDuckGo"
+                "Yahoo"
+                "Google"
+              ];
 
-              "Rate Your Music" = {
-                urls = [{template = "https://rateyourmusic.com/search?searchterm={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://e.snmc.io/3.0/img/logo/sonemic-32.png"
-                  "sha256-JpTt1tjBkUvDMTGrG7Hg2EiE8PR3RL7McodeZk1EpZA=";
-                definedAliases = ["@rym"];
-              };
+              engines =
+                let
+                  getIcon = url: sha256: pkgs.fetchurl { inherit url sha256; };
+                in
+                {
+                  "Amazon.com".metaData.hidden = true;
+                  "Bing".metaData.hidden = true;
+                  "Ebay".metaData.hidden = true;
+
+                  "2GIS" = {
+                    urls = [ { template = "https://2gis.ru/kazan/search/{searchTerms}"; } ];
+                    icon = getIcon "https://d-assets.2gis.ru/favicon.png" "sha256-BlSaYRcUx9zhfJnVK5V7rsyft4qaueIEOONiCg+6aLE=";
+                    definedAliases = [ "@2gis" ];
+                  };
+
+                  "AliExpress" = {
+                    urls = [ { template = "https://aliexpress.ru/wholesale?SearchText={searchTerms}"; } ];
+                    icon = getIcon "https://ae01.alicdn.com/images/eng/wholesale/icon/aliexpress.ico" "sha256-7xgem2pY2PNuv8as1YnS+U03GvDLLGjhcDLt69rtmaA=";
+                    definedAliases = [
+                      "@aliexpress"
+                      "@ali"
+                    ];
+                  };
+
+                  "Ansible Galaxy" = {
+                    urls = [ { template = "https://galaxy.ansible.com/search?keywords={searchTerms}"; } ];
+                    icon = getIcon "https://galaxy.ansible.com/assets/favicon.ico" "sha256-oAolpZhdKbVTraes6dDlafpvq/Vypu264vgKN4jzJk8=";
+                    definedAliases = [
+                      "@ansible"
+                      "@galaxy"
+                      "@ag"
+                    ];
+                  };
+
+                  "Arch Wiki" = {
+                    urls = [ { template = "https://wiki.archlinux.org/index.php?search={searchTerms}"; } ];
+                    icon = getIcon "https://wiki.archlinux.org/favicon.ico" "sha256-0uxMtT8myzTT7p9k6v5UxsguPKu+vHPlglNTMbnN1T0=";
+                    definedAliases = [
+                      "@archwiki"
+                      "@aw"
+                    ];
+                  };
+
+                  "crates.io" = {
+                    urls = [ { template = "https://crates.io/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://crates.io/favicon.ico" "sha256-upooA/+m5KMUD1t4WFY3EOmytdpUFgNqUj12Auta1mM=";
+                    definedAliases = [ "@crates" ];
+                  };
+
+                  "Discogs" = {
+                    urls = [ { template = "https://www.discogs.com/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://st.discogs.com/d56dcb7367720ea20f1b11a4385705517c7e7702/images/favicon.ico" "sha256-zEDrbmcUf8XHUyYzNc6JsWzBioX8sm8tjScGHim5VTk=";
+                    definedAliases = [ "@discogs" ];
+                  };
+
+                  "Docker Hub" = {
+                    urls = [ { template = "https://hub.docker.com/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://www.docker.com/wp-content/uploads/2023/04/cropped-Docker-favicon-32x32.png" "sha256-4NmHGMaq31qoIvdlmy7fI3qTbkcp1/tJhqQu/9Ci4/c=";
+                    definedAliases = [
+                      "@dockerhub"
+                      "@docker"
+                    ];
+                  };
+
+                  "Ecosia" = {
+                    urls = [ { template = "https://www.ecosia.org/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://cdn-static.ecosia.org/static/icons/favicon.ico" "sha256-uvPShG1yVh4C4zaJmGuhhr96V/NredB1Wte9O3U6QxA=";
+                    definedAliases = [ "@ecosia" ];
+                  };
+
+                  "Genius" = {
+                    urls = [ { template = "https://genius.com/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://assets.genius.com/images/apple-touch-icon.png" "sha256-M9YQEVg3T7hMO/xPfihR1aXfG+/pNiVOBCOtzx3GrkE=";
+                    definedAliases = [ "@genius" ];
+                  };
+
+                  "GitHub" = {
+                    urls = [ { template = "https://github.com/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://github.githubassets.com/favicons/favicon-dark.svg" "sha256-qu/d9ftvsntplFuxw9RFL8BpI9b2g5b6xfeGw6Ekh6w=";
+                    definedAliases = [
+                      "@github"
+                      "@gh"
+                    ];
+                  };
+
+                  "godocs.io" = {
+                    urls = [ { template = "https://godocs.io/?q={searchTerms}"; } ];
+                    icon = getIcon "https://go.dev/images/favicon-gopher.svg" "sha256-OlKpUUeYF8TtMoX4e0ERK1ocIb53OJ8ZDxvwJaQVM/0=";
+                    definedAliases = [ "@godocs" ];
+                  };
+
+                  "pkgs.go.dev" = {
+                    urls = [ { template = "https://pkg.go.dev/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://go.dev/images/favicon-gopher.svg" "sha256-OlKpUUeYF8TtMoX4e0ERK1ocIb53OJ8ZDxvwJaQVM/0=";
+                    definedAliases = [ "@gopkgs" ];
+                  };
+
+                  "Hackage" = {
+                    urls = [ { template = "https://hackage.haskell.org/packages/search?terms={searchTerms}"; } ];
+                    icon = getIcon "https://hackage.haskell.org/static/favicon.png" "sha256-+6WAv93yaA3L2eheGKxklY/uRAvbKD1q/WcmufmhKxY=";
+                    definedAliases = [ "@hackage" ];
+                  };
+
+                  "Hoogle" = {
+                    urls = [ { template = "https://hoogle.haskell.org/?hoogle={searchTerms}"; } ];
+                    icon = getIcon "https://hoogle.haskell.org/favicon.png" "sha256-6qmjRYDDRUwm6EdLoZB6o9XtoujsfDEQJ9xOu3Knei8=";
+                    definedAliases = [ "@hoogle" ];
+                  };
+
+                  "Jisho" = {
+                    urls = [ { template = "https://jisho.org/search/{searchTerms}"; } ];
+                    icon = getIcon "https://assets.jisho.org/assets/favicon-062c4a0240e1e6d72c38aa524742c2d558ee6234497d91dd6b75a182ea823d65.ico" "sha256-BixKAkDh5tcsOKpSR0LC1VjuYjRJfZHda3WhguqCPWU=";
+                    definedAliases = [ "@jisho" ];
+                  };
+
+                  "コトバンク" = {
+                    urls = [ { template = "https://kotobank.jp/gs/?q={searchTerms}"; } ];
+                    icon = getIcon "https://kotobank.jp/favicon.ico" "sha256-t+EzqURlQwznuBqa0GcBbqumvZqtU7HrEAjGUlqp1tg=";
+                    definedAliases = [ "@kotobank" ];
+                  };
+
+                  "Kubernetes" = {
+                    urls = [ { template = "https://kubernetes.io/search/?q={searchTerms}"; } ];
+                    icon = getIcon "https://kubernetes.io/images/favicon.png" "sha256-YI5QvGQXoaTG3uUGQ/R99Xl2r+VqBAA1qqthzPbf8nQ=";
+                    definedAliases = [
+                      "@kubernetes"
+                      "@k8s"
+                    ];
+                  };
+
+                  "Last.fm" = {
+                    urls = [ { template = "https://www.last.fm/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://www.last.fm/static/images/favicon.702b239b6194.ico" "sha256-ID+DfF+dZ5CzKiBp/psQPRD6r/06PZ0rVYiELWUt5Mw=";
+                    definedAliases = [ "@lastfm" ];
+                  };
+
+                  "MDN" = {
+                    urls = [ { template = "https://developer.mozilla.org/en-US/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://developer.mozilla.org/favicon-48x48.cbbd161b.png" "sha256-Wnd0BqQIKgroGmV+R8vqV9uNBwDvcxBrQ8hXOLOFeKY=";
+                    definedAliases = [ "@mdn" ];
+                  };
+
+                  "MELPA" = {
+                    urls = [ { template = "https://melpa.org/#/?q={searchTerms}"; } ];
+                    icon = getIcon "https://melpa.org/favicon.ico" "sha256-bmlydqXBM8MUMC6cOTGSHPx6zN8tZFqmQ+srbXkSCA4=";
+                    definedAliases = [ "@melpa" ];
+                  };
+
+                  "MusicBrainz" = {
+                    urls = [ { template = "https://musicbrainz.org/search?type=artist&query={searchTerms}"; } ];
+                    icon = getIcon "https://musicbrainz.org/static/images/favicons/favicon-16x16.png" "sha256-M5mKQurmO9AP0gfC+5OLwi8k4XWQy759eQrrKAeytl0=";
+                    definedAliases = [
+                      "@musicbrainz"
+                      "@mb"
+                    ];
+                  };
+
+                  "NixOS Packages" = {
+                    urls = [ { template = "https://search.nixos.org/packages?channel=unstable&query={searchTerms}"; } ];
+                    icon = getIcon "https://nixos.org/favicon.png" "sha256-awcsDbbpRcDJnJpRavj/IcKMReEektRcqKbE35IJTKQ=";
+                    definedAliases = [
+                      "@nixpkgs"
+                      "@np"
+                    ];
+                  };
+
+                  "NixOS Options" = {
+                    urls = [ { template = "https://search.nixos.org/options?channel=unstable&query={searchTerms}"; } ];
+                    icon = getIcon "https://nixos.org/favicon.png" "sha256-awcsDbbpRcDJnJpRavj/IcKMReEektRcqKbE35IJTKQ=";
+                    definedAliases = [
+                      "@nixopts"
+                      "@no"
+                    ];
+                  };
+
+                  "NixOS Wiki" = {
+                    urls = [ { template = "https://nixos.wiki/index.php?search={searchTerms}"; } ];
+                    icon = getIcon "https://nixos.wiki/favicon.png" "sha256-DE8IgVninF6Aq3iNMgerhvF1dpoXqDUSibtWSpf/dN4=";
+                    definedAliases = [
+                      "@nixoswiki"
+                      "@nw"
+                    ];
+                  };
+
+                  "OpenStreetMap" = {
+                    urls = [ { template = "https://www.openstreetmap.org/search?query={searchTerms}"; } ];
+                    icon = getIcon "https://www.openstreetmap.org/assets/favicon-32x32-99b88fcadeef736889823c8a886b89d8cada9d4423a49a27de29bacc0a6bebd1.png" "sha256-dt4QVbQPdb4neS/fwH3yOWOSbEdkjMZtAYnIeCfr7qI=";
+                    definedAliases = [
+                      "@openstreetmap"
+                      "@osm"
+                      "@maps"
+                    ];
+                  };
+
+                  "ProtonDB" = {
+                    urls = [ { template = "https://www.protondb.com/search?q={searchTerms}"; } ];
+                    icon = getIcon "https://www.protondb.com/sites/protondb/images/favicon.ico" "sha256-oauOp0EASNjMcThfzYJ2TfbaOYHBPL8LOp+9lmp4pmc=";
+                    definedAliases = [ "@protondb" ];
+                  };
+
+                  "PyPI" = {
+                    urls = [ { template = "https://pypi.org/search/?q={searchTerms}"; } ];
+                    icon = getIcon "https://pypi.org/static/images/logo-small.2a411bc6.svg" "sha256-+fcSfcNxAMLIFkp+gh52c48lQORoyhcegUIFtuq/zYs=";
+                    definedAliases = [ "@pypi" ];
+                  };
+
+                  "Python Docs" = {
+                    urls = [ { template = "https://docs.python.org/3/search.html?q={searchTerms}"; } ];
+                    icon = getIcon "https://docs.python.org/3/_static/py.svg" "sha256-WGW+i8wK+IhZSQPqARL2yNkjxXJsQIHoyFYRDMcznO8=";
+                    definedAliases = [ "@pydocs" ];
+                  };
+
+                  "Rate Your Music" = {
+                    urls = [ { template = "https://rateyourmusic.com/search?searchterm={searchTerms}"; } ];
+                    icon = getIcon "https://e.snmc.io/3.0/img/logo/sonemic-32.png" "sha256-JpTt1tjBkUvDMTGrG7Hg2EiE8PR3RL7McodeZk1EpZA=";
+                    definedAliases = [ "@rym" ];
+                  };
+
+                  "Rust Std" = {
+                    urls = [ { template = "https://doc.rust-lang.org/std/?search={searchTerms}"; } ];
+                    icon = getIcon "https://www.rust-lang.org/static/images/favicon-32x32.png" "sha256-l2y4jpnODbua4dyLvXTMBlHVkoDPM9y00l6L61so7eA=";
+                    definedAliases = [
+                      "@ruststd"
+                      "@rust"
+                    ];
+                  };
+
+                  "SourceHut" = {
+                    urls = [ { template = "https://sr.ht/projects?search={searchTerms}"; } ];
+                    icon = getIcon "https://sr.ht/static/logo.png" "sha256-NBzKZhqE9//zVJlOwYiwyW/jRFh8+nS2YvC3zMCQ1fU=";
+                    definedAliases = [
+                      "@sourcehut"
+                      "@srht"
+                    ];
+                  };
+
+                  "SteamDB" = {
+                    urls = [ { template = "https://steamdb.info/search/?a=app&q={searchTerms}"; } ];
+                    icon = getIcon "https://steamdb.info/static/logos/32px.png" "sha256-IUBiB5JUSvyDa+m/wecmHB8s3Wfu0JK98bJ+ZRZ5ybQ=";
+                    definedAliases = [ "@steamdb" ];
+                  };
+
+                  "WolframAlpha" = {
+                    urls = [ { template = "https://www.wolframalpha.com/input?i={searchTerms}"; } ];
+                    icon = getIcon "https://www.wolframalpha.com/_next/static/images/favicon_1zbE9hjk.ico" "sha256-S9k7AlBQiDElBCGopJ8xfBD6dIhGU+EBh8t1QYbP2S4=";
+                    definedAliases = [
+                      "@wolframalpha"
+                      "@wa"
+                    ];
+                  };
+
+                  "Yahoo" = {
+                    urls = [ { template = "https://yahoo.com/search/?text={searchTerms}"; } ];
+                    icon = getIcon "https://yahoostatic.net/s3/web4static/_/v2/oxjfXL1EO-B5Arm80ZrL00p0al4.png" "sha256-gvYh4oCZEO7BL2QZ6QvQFlmFiP2L4SLJrxAsKFcG6G4=";
+                    definedAliases = [
+                      "@yahoo"
+                      "@ya"
+                    ];
+                  };
+
+                  "YouTube" = {
+                    urls = [ { template = "https://yewtu.be/search?q={}"; } ];
+                    icon = getIcon "https://www.youtube.com/s/desktop/280a3f09/img/favicon.ico" "sha256-i7HQ+kOhdDbVndVG9vdMdtxEc13vdSLCLYAxFm24kR0=";
+                    definedAliases = [
+                      "@youtube"
+                      "@yt"
+                    ];
+                  };
+                };
+            };
 
-              "Rust Std" = {
-                urls = [{template = "https://doc.rust-lang.org/std/?search={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://www.rust-lang.org/static/images/favicon-32x32.png"
-                  "sha256-l2y4jpnODbua4dyLvXTMBlHVkoDPM9y00l6L61so7eA=";
-                definedAliases = ["@ruststd" "@rust"];
-              };
+            # NOTE This silently overrides all other bookmarks.
+            bookmarks = [
+              {
+                name = "Bookmarks Toolbar";
+                toolbar = true;
+                bookmarks = with config.nixfiles.modules; [
+                  (mkIf syncthing.enable {
+                    name = "Syncthing";
+                    url = "http://${config.services.syncthing.guiAddress}";
+                  })
+                  (mkIf ipfs.enable {
+                    name = "IPFS";
+                    url = "http://127.0.0.1:${toString ipfs.apiPort}/webui";
+                  })
+                ];
+              }
+            ];
 
-              "SourceHut" = {
-                urls = [{template = "https://sr.ht/projects?search={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://sr.ht/static/logo.png"
-                  "sha256-NBzKZhqE9//zVJlOwYiwyW/jRFh8+nS2YvC3zMCQ1fU=";
-                definedAliases = ["@sourcehut" "@srht"];
+            # https://github.com/arkenfox/user.js/blob/master/user.js
+            arkenfox = {
+              enable = true;
+              "0000".enable = true;
+              "0100" = {
+                enable = true;
+                "0103"."browser.startup.homepage".value = "about:blank";
               };
-
-              "SteamDB" = {
-                urls = [{template = "https://steamdb.info/search/?a=app&q={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://steamdb.info/static/logos/32px.png"
-                  "sha256-IUBiB5JUSvyDa+m/wecmHB8s3Wfu0JK98bJ+ZRZ5ybQ=";
-                definedAliases = ["@steamdb"];
+              "0200".enable = true;
+              "0300".enable = true;
+              "0400" = {
+                enable = true;
+                "0401"."browser.safebrowsing.phishing.enabled".enable = true;
+                "0402"."browser.safebrowsing.downloads.enabled".enable = true;
+                "0404" = {
+                  "browser.safebrowsing.downloads.remote.block_potentially_unwanted".enable = true;
+                  "browser.safebrowsing.downloads.remote.block_uncommon".enable = true;
+                };
+                "0405"."browser.safebrowsing.allowOverride".enable = true;
               };
-
-              "WolframAlpha" = {
-                urls = [{template = "https://www.wolframalpha.com/input?i={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://www.wolframalpha.com/_next/static/images/favicon_1zbE9hjk.ico"
-                  "sha256-S9k7AlBQiDElBCGopJ8xfBD6dIhGU+EBh8t1QYbP2S4=";
-                definedAliases = ["@wolframalpha" "@wa"];
+              "0600".enable = true;
+              "0700" = {
+                enable = true;
+                "0710"."network.trr.mode" = {
+                  enable = true;
+                  value = 5;
+                };
               };
-
-              "Yahoo" = {
-                urls = [{template = "https://yahoo.com/search/?text={searchTerms}";}];
-                icon =
-                  getIcon
-                  "https://yahoostatic.net/s3/web4static/_/v2/oxjfXL1EO-B5Arm80ZrL00p0al4.png"
-                  "sha256-gvYh4oCZEO7BL2QZ6QvQFlmFiP2L4SLJrxAsKFcG6G4=";
-                definedAliases = ["@yahoo" "@ya"];
+              "0800" = {
+                enable = true;
+                "0830" = {
+                  "browser.search.separatePrivateDefault" = {
+                    enable = true;
+                    value = false;
+                  };
+                  "browser.search.separatePrivateDefault.ui.enabled" = {
+                    enable = true;
+                    value = false;
+                  };
+                };
               };
-
-              "YouTube" = {
-                urls = [{template = "https://yewtu.be/search?q={}";}];
-                icon =
-                  getIcon
-                  "https://www.youtube.com/s/desktop/280a3f09/img/favicon.ico"
-                  "sha256-i7HQ+kOhdDbVndVG9vdMdtxEc13vdSLCLYAxFm24kR0=";
-                definedAliases = ["@youtube" "@yt"];
+              "0900".enable = true;
+              "1000" = {
+                enable = true;
+                "1001".enable = false;
+              };
+              "1200".enable = true;
+              "1600".enable = true;
+              "1700".enable = true;
+              "2000".enable = true;
+              "2400".enable = true;
+              "2600" = {
+                enable = true;
+                "2615"."permissions.default.shortcuts".enable = true;
               };
-            };
-          };
-
-          # NOTE This silently overrides all other bookmarks.
-          bookmarks = [
-            {
-              name = "Bookmarks Toolbar";
-              toolbar = true;
-              bookmarks = with config.nixfiles.modules; [
-                (mkIf syncthing.enable {
-                  name = "Syncthing";
-                  url = "http://${config.services.syncthing.guiAddress}";
-                })
-                (mkIf ipfs.enable {
-                  name = "IPFS";
-                  url = "http://127.0.0.1:${toString ipfs.apiPort}/webui";
-                })
-              ];
-            }
-          ];
-
-          # https://github.com/arkenfox/user.js/blob/master/user.js
-          arkenfox = {
-            enable = true;
-            "0000".enable = true;
-            "0100" = {
-              enable = true;
-              "0103"."browser.startup.homepage".value = "about:blank";
-            };
-            "0200".enable = true;
-            "0300".enable = true;
-            "0400" = {
-              enable = true;
-              "0401"."browser.safebrowsing.phishing.enabled".enable = true;
-              "0402"."browser.safebrowsing.downloads.enabled".enable = true;
-              "0404" = {
-                "browser.safebrowsing.downloads.remote.block_potentially_unwanted".enable = true;
-                "browser.safebrowsing.downloads.remote.block_uncommon".enable = true;
+              "2700".enable = true;
+              "2800" = {
+                enable = true;
+                "2811"."privacy.clearOnShutdown.history".value = false;
               };
-              "0405"."browser.safebrowsing.allowOverride".enable = true;
-            };
-            "0600".enable = true;
-            "0700" = {
-              enable = true;
-              "0710"."network.trr.mode" = {
+              "4500" = {
                 enable = true;
-                value = 5;
+                "4502".enable = false;
+                "4504".enable = false;
               };
-            };
-            "0800" = {
-              enable = true;
-              "0830" = {
-                "browser.search.separatePrivateDefault" = {
-                  enable = true;
-                  value = false;
-                };
-                "browser.search.separatePrivateDefault.ui.enabled" = {
-                  enable = true;
-                  value = false;
+              "5000" = {
+                enable = true;
+                "5003"."signon.rememberSignons".enable = true;
+                "5017" = {
+                  "extensions.formautofill.addresses.enabled".enable = true;
+                  "extensions.formautofill.creditCards.enabled".enable = true;
                 };
+                "5019"."browser.pagethumbnails.capturing_disabled".enable = true;
               };
-            };
-            "0900".enable = true;
-            "1000" = {
-              enable = true;
-              "1001".enable = false;
-            };
-            "1200".enable = true;
-            "1600".enable = true;
-            "1700".enable = true;
-            "2000".enable = true;
-            "2400".enable = true;
-            "2600" = {
-              enable = true;
-              "2615"."permissions.default.shortcuts".enable = true;
-            };
-            "2700".enable = true;
-            "2800" = {
-              enable = true;
-              "2811"."privacy.clearOnShutdown.history".value = false;
-            };
-            "4500" = {
-              enable = true;
-              "4502".enable = false;
-              "4504".enable = false;
-            };
-            "5000" = {
-              enable = true;
-              "5003"."signon.rememberSignons".enable = true;
-              "5017" = {
-                "extensions.formautofill.addresses.enabled".enable = true;
-                "extensions.formautofill.creditCards.enabled".enable = true;
+              "5500" = {
+                enable = true;
+                "5508"."media.eme.enabled".enable = true;
+                "5508"."browser.eme.ui.enabled".enable = true;
               };
-              "5019"."browser.pagethumbnails.capturing_disabled".enable = true;
+              "6000".enable = true;
+              "7000".enable = true;
+              "8000".enable = true;
+              "9000".enable = true;
             };
-            "5500" = {
-              enable = true;
-              "5508"."media.eme.enabled".enable = true;
-              "5508"."browser.eme.ui.enabled".enable = true;
-            };
-            "6000".enable = true;
-            "7000".enable = true;
-            "8000".enable = true;
-            "9000".enable = true;
-          };
 
-          settings = {
-            "app.update.auto" = false;
-            "browser.backspace_action" = 0;
-            "browser.disableResetPrompt" = true;
-            "browser.download.autohideButton" = false;
-            "browser.newtabpage.introShown" = true;
-            "browser.newtabpage.pinned" = "";
-            "browser.onboarding.enabled" = false;
-            "browser.open.lastDir" = config.my.home;
-            "browser.protections_panel.infoMessage.seen" = true;
-            "browser.region.update.region" = "US";
-            "browser.search.region" = "US";
-            "browser.search.update" = false;
-            "browser.shell.checkDefaultBrowser" = false;
-            "browser.tabs.closeWindowWithLastTab" = true;
-            "browser.tabs.firefox-view" = false;
-            "browser.tabs.firefox-view-next" = false;
-            "browser.tabs.inTitlebar" = 0;
-            "browser.tabs.tabmanager.enabled" = false;
-            "browser.tabs.warnOnClose" = false;
-            "browser.tabs.warnOnCloseOtherTabs" = false;
-            "browser.tabs.warnOnOpen" = false;
-            "browser.toolbars.bookmarks.visibility" = "newtab";
-            "browser.translations.enable" = false;
-            "browser.urlbar.decodeURLsOnCopy" = true;
-            "browser.urlbar.suggest.engines" = false;
-            "browser.warnOnQuitShortcut" = false;
-            "devtools.everOpened" = true;
-            "doh-rollout.home-region" = "US";
-            "extensions.pocket.enabled" = false;
-            "extensions.update.autoUpdateDefault" = false;
-            "extensions.update.enabled" = false;
-            "full-screen-api.warning.delay" = 0;
-            "full-screen-api.warning.timeout" = 0;
-            "general.autoScroll" = true;
-            "general.smoothScroll" = true;
-            "identity.fxaccounts.enabled" = false;
-            "media.autoplay.blocking_policy" = 2;
-            "media.autoplay.default" = 5;
-            "media.hardwaremediakeys.enabled" = false;
-            "reader.parse-on-load.enabled" = false;
-            "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+            settings = {
+              "app.update.auto" = false;
+              "browser.backspace_action" = 0;
+              "browser.disableResetPrompt" = true;
+              "browser.download.autohideButton" = false;
+              "browser.newtabpage.introShown" = true;
+              "browser.newtabpage.pinned" = "";
+              "browser.onboarding.enabled" = false;
+              "browser.open.lastDir" = config.my.home;
+              "browser.protections_panel.infoMessage.seen" = true;
+              "browser.region.update.region" = "US";
+              "browser.search.region" = "US";
+              "browser.search.update" = false;
+              "browser.shell.checkDefaultBrowser" = false;
+              "browser.tabs.closeWindowWithLastTab" = true;
+              "browser.tabs.firefox-view" = false;
+              "browser.tabs.firefox-view-next" = false;
+              "browser.tabs.inTitlebar" = 0;
+              "browser.tabs.tabmanager.enabled" = false;
+              "browser.tabs.warnOnClose" = false;
+              "browser.tabs.warnOnCloseOtherTabs" = false;
+              "browser.tabs.warnOnOpen" = false;
+              "browser.toolbars.bookmarks.visibility" = "newtab";
+              "browser.translations.enable" = false;
+              "browser.urlbar.decodeURLsOnCopy" = true;
+              "browser.urlbar.suggest.engines" = false;
+              "browser.warnOnQuitShortcut" = false;
+              "devtools.everOpened" = true;
+              "doh-rollout.home-region" = "US";
+              "extensions.pocket.enabled" = false;
+              "extensions.update.autoUpdateDefault" = false;
+              "extensions.update.enabled" = false;
+              "full-screen-api.warning.delay" = 0;
+              "full-screen-api.warning.timeout" = 0;
+              "general.autoScroll" = true;
+              "general.smoothScroll" = true;
+              "identity.fxaccounts.enabled" = false;
+              "media.autoplay.blocking_policy" = 2;
+              "media.autoplay.default" = 5;
+              "media.hardwaremediakeys.enabled" = false;
+              "reader.parse-on-load.enabled" = false;
+              "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
+            };
           };
-        };
       };
     };
   };
diff --git a/modules/nixos/foot.nix b/modules/nixos/foot.nix
new file mode 100644
index 0000000..502e143
--- /dev/null
+++ b/modules/nixos/foot.nix
@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.nixfiles.modules.foot;
+in
+{
+  options.nixfiles.modules.foot.enable = mkEnableOption "Foot terminal emulator";
+
+  config = mkIf cfg.enable {
+    hm = {
+      home.packages = with pkgs; [ libsixel ];
+
+      programs.foot = {
+        enable = true;
+        settings = {
+          main = {
+            utmp-helper = "${pkgs.libutempter}/lib/utempter/utempter";
+            pad =
+              let
+                n = toString config.stylix.fonts.sizes.terminal;
+              in
+              "${n}x${n}";
+          };
+          scrollback.lines = pow 2 14;
+        };
+      };
+    };
+  };
+}
diff --git a/modules/nixos/games/default.nix b/modules/nixos/games/default.nix
index 78aae62..585164e 100644
--- a/modules/nixos/games/default.nix
+++ b/modules/nixos/games/default.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.games;
-in {
+in
+{
   imports = [
     ./gamemode.nix
     ./lutris.nix
@@ -15,8 +13,7 @@ in {
     ./steam.nix
   ];
 
-  options.nixfiles.modules.games.enable32BitSupport =
-    mkEnableOption "support for games";
+  options.nixfiles.modules.games.enable32BitSupport = mkEnableOption "support for games";
 
   config = mkIf cfg.enable32BitSupport {
     services = {
diff --git a/modules/nixos/games/gamemode.nix b/modules/nixos/games/gamemode.nix
index 193a764..eb485f8 100644
--- a/modules/nixos/games/gamemode.nix
+++ b/modules/nixos/games/gamemode.nix
@@ -1,18 +1,13 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.games.gamemode;
-in {
-  options.nixfiles.modules.games.gamemode.enable =
-    mkEnableOption "Feral GameMode";
+in
+{
+  options.nixfiles.modules.games.gamemode.enable = mkEnableOption "Feral GameMode";
 
   config = mkIf cfg.enable {
-    hm.xdg.configFile."gamemode.ini".text = generators.toINI {} {
-      general.softrealtime = "auto";
-    };
+    hm.xdg.configFile."gamemode.ini".text = generators.toINI { } { general.softrealtime = "auto"; };
 
     programs.gamemode.enable = true;
   };
diff --git a/modules/nixos/games/lutris.nix b/modules/nixos/games/lutris.nix
index f130be3..62fe521 100644
--- a/modules/nixos/games/lutris.nix
+++ b/modules/nixos/games/lutris.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.games.lutris;
-in {
+in
+{
   options.nixfiles.modules.games.lutris.enable = mkEnableOption "Lutris";
 
   config = mkIf cfg.enable {
diff --git a/modules/nixos/games/mangohud.nix b/modules/nixos/games/mangohud.nix
index 509e035..955f50c 100644
--- a/modules/nixos/games/mangohud.nix
+++ b/modules/nixos/games/mangohud.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.games.mangohud;
-in {
+in
+{
   options.nixfiles.modules.games.mangohud.enable = mkEnableOption "MangoHud";
 
   config = mkIf cfg.enable {
diff --git a/modules/nixos/games/minecraft.nix b/modules/nixos/games/minecraft.nix
index 8a1a0b5..6e163dc 100644
--- a/modules/nixos/games/minecraft.nix
+++ b/modules/nixos/games/minecraft.nix
@@ -5,10 +5,12 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.games.minecraft;
-in {
-  imports = [inputs.minecraft.nixosModules.minecraft-servers];
+in
+{
+  imports = [ inputs.minecraft.nixosModules.minecraft-servers ];
 
   options.nixfiles.modules.games.minecraft = {
     client.enable = mkEnableOption "Minecraft client";
@@ -30,13 +32,11 @@ in {
   };
 
   config = mkMerge [
-    (mkIf cfg.client.enable {
-      hm.home.packages = [pkgs.prismlauncher];
-    })
+    (mkIf cfg.client.enable { hm.home.packages = [ pkgs.prismlauncher ]; })
     (mkIf cfg.server.enable {
-      nixfiles.modules.common.nix.allowedUnfreePackages = ["minecraft-server"];
+      nixfiles.modules.common.nix.allowedUnfreePackages = [ "minecraft-server" ];
 
-      ark.directories = [config.services.minecraft-servers.dataDir];
+      ark.directories = [ config.services.minecraft-servers.dataDir ];
 
       services.minecraft-servers = {
         enable = true;
@@ -78,9 +78,9 @@ in {
         };
       };
 
-      nixpkgs.overlays = [inputs.minecraft.overlay];
+      nixpkgs.overlays = [ inputs.minecraft.overlay ];
 
-      my.extraGroups = [config.services.minecraft-servers.group];
+      my.extraGroups = [ config.services.minecraft-servers.group ];
     })
   ];
 }
diff --git a/modules/nixos/games/steam-run.nix b/modules/nixos/games/steam-run.nix
index fc51c85..cfee8ae 100644
--- a/modules/nixos/games/steam-run.nix
+++ b/modules/nixos/games/steam-run.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.games.steam-run;
-in {
+in
+{
   options.nixfiles.modules.games.steam-run = {
     enable = mkEnableOption "native Steam runtime";
 
@@ -19,7 +21,10 @@ in {
 
   config = mkIf cfg.enable {
     nixfiles.modules = {
-      common.nix.allowedUnfreePackages = ["steam" "steam-run"];
+      common.nix.allowedUnfreePackages = [
+        "steam"
+        "steam-run"
+      ];
 
       games = {
         enable32BitSupport = true;
@@ -30,46 +35,55 @@ in {
 
     hm.home.packages = with pkgs; [
       (steam.override {
-        extraLibraries = _:
+        extraLibraries =
+          _:
           with cfg.quirks;
-            optional blackIsleStudios openssl_1_0_0
-            ++ optionals cryptOfTheNecrodancer [
-              (import (builtins.fetchTarball {
-                url = "https://github.com/NixOS/nixpkgs/archive/d1c3fea7ecbed758168787fe4e4a3157e52bc808.tar.gz";
-                sha256 = "0ykm15a690v8lcqf2j899za3j6hak1rm3xixdxsx33nz7n3swsyy";
-              }) {inherit (config.nixpkgs) config localSystem;})
-              .flac
-            ]
-            ++ optionals mountAndBladeWarband [
-              (glew.overrideAttrs (_: super: let
+          optional blackIsleStudios openssl_1_0_0
+          ++ optionals cryptOfTheNecrodancer [
+            (import (builtins.fetchTarball {
+              url = "https://github.com/NixOS/nixpkgs/archive/d1c3fea7ecbed758168787fe4e4a3157e52bc808.tar.gz";
+              sha256 = "0ykm15a690v8lcqf2j899za3j6hak1rm3xixdxsx33nz7n3swsyy";
+            }) { inherit (config.nixpkgs) config localSystem; }).flac
+          ]
+          ++ optionals mountAndBladeWarband [
+            (glew.overrideAttrs (
+              _: super:
+              let
                 opname = super.pname;
-              in rec {
+              in
+              rec {
                 pname = "${opname}-steam-run-fix";
                 inherit (super) version;
                 src = fetchurl {
                   url = "mirror://sourceforge/${opname}/${opname}-${version}.tgz";
                   hash = "sha256-BN6R5+Z2MDm8EZQAlc2cf4gLq6ghlqd2X3J6wFqZPJU=";
                 };
-              }))
-              (fmodex.overrideAttrs (_: super: let
+              }
+            ))
+            (fmodex.overrideAttrs (
+              _: super:
+              let
                 opname = super.pname;
-              in rec {
+              in
+              rec {
                 pname = "${opname}-steam-run-fix";
                 inherit (super) version;
-                installPhase = let
-                  libPath = makeLibraryPath [
-                    alsa-lib
-                    libpulseaudio
-                    stdenv.cc.cc
-                  ];
-                in ''
-                  install -Dm755 api/lib/libfmodex64-${version}.so $out/lib/libfmodex64.so
-                  patchelf --set-rpath ${libPath} $out/lib/libfmodex64.so
-                '';
-              }))
-            ];
-      })
-      .run
+                installPhase =
+                  let
+                    libPath = makeLibraryPath [
+                      alsa-lib
+                      libpulseaudio
+                      stdenv.cc.cc
+                    ];
+                  in
+                  ''
+                    install -Dm755 api/lib/libfmodex64-${version}.so $out/lib/libfmodex64.so
+                    patchelf --set-rpath ${libPath} $out/lib/libfmodex64.so
+                  '';
+              }
+            ))
+          ];
+      }).run
     ];
   };
 }
diff --git a/modules/nixos/games/steam.nix b/modules/nixos/games/steam.nix
index 7262d7f..5883b0e 100644
--- a/modules/nixos/games/steam.nix
+++ b/modules/nixos/games/steam.nix
@@ -4,15 +4,19 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.games.steam;
-in {
-  options.nixfiles.modules.games.steam.enable =
-    mkEnableOption "Steam runtime";
+in
+{
+  options.nixfiles.modules.games.steam.enable = mkEnableOption "Steam runtime";
 
   config = mkIf cfg.enable {
     nixfiles.modules = {
-      common.nix.allowedUnfreePackages = ["steam" "steam-original"];
+      common.nix.allowedUnfreePackages = [
+        "steam"
+        "steam-original"
+      ];
 
       games = {
         enable32BitSupport = true;
@@ -22,7 +26,7 @@ in {
     };
 
     hm.home.packages = with pkgs; [
-      (steam.override {extraEnv.MANGOHUD = 1;})
+      (steam.override { extraEnv.MANGOHUD = 1; })
       protontricks
     ];
   };
diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix
index cbeb48a..34ca200 100644
--- a/modules/nixos/git/default.nix
+++ b/modules/nixos/git/default.nix
@@ -6,9 +6,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.git;
-in {
+in
+{
   options.nixfiles.modules.git.server = {
     enable = mkEnableOption "Git server";
 
@@ -26,59 +28,59 @@ in {
   };
 
   config = mkIf cfg.server.enable {
-    ark.directories = [
-      config.services.gitolite.dataDir
-    ];
+    ark.directories = [ config.services.gitolite.dataDir ];
 
     nixfiles.modules.nginx = {
       enable = true;
       virtualHosts.${cfg.server.domain} = {
         locations = {
-          "/".extraConfig = let
-            cgitrc = pkgs.writeText "cgitrc" ''
-              root-title=github sux (⩺_⩹)
-              root-desc=https://github.com/azahi
+          "/".extraConfig =
+            let
+              cgitrc = pkgs.writeText "cgitrc" ''
+                root-title=github sux (⩺_⩹)
+                root-desc=https://github.com/azahi
 
-              clone-url=https://${cfg.server.domain}/$CGIT_REPO_URL
+                clone-url=https://${cfg.server.domain}/$CGIT_REPO_URL
 
-              logo=/cgit-custom-logo.gif
-              favicon=/cgit-custom-favicon.gif
-              css=/cgit-custom-style.css
+                logo=/cgit-custom-logo.gif
+                favicon=/cgit-custom-favicon.gif
+                css=/cgit-custom-style.css
 
-              about-filter=${cfg.server.package}/lib/cgit/filters/about-formatting.sh
-              source-filter=${cfg.server.package}/lib/cgit/filters/syntax-highlighting.py
-              commit-filter=${cfg.server.package}/lib/cgit/filters/commit-links.sh
+                about-filter=${cfg.server.package}/lib/cgit/filters/about-formatting.sh
+                source-filter=${cfg.server.package}/lib/cgit/filters/syntax-highlighting.py
+                commit-filter=${cfg.server.package}/lib/cgit/filters/commit-links.sh
 
-              enable-git-config=1
-              enable-gitweb-owner=1
-              remove-suffix=1
+                enable-git-config=1
+                enable-gitweb-owner=1
+                remove-suffix=1
 
-              readme=:README
-              readme=:README.md
-              readme=:README.org
-              readme=:README.txt
-              readme=:readme
-              readme=:readme.md
-              readme=:readme.org
-              readme=:readme.txt
+                readme=:README
+                readme=:README.md
+                readme=:README.org
+                readme=:README.txt
+                readme=:readme
+                readme=:readme.md
+                readme=:readme.org
+                readme=:readme.txt
 
-              scan-path=${config.services.gitolite.dataDir}/repositories
-            '';
-          in ''
-            include ${config.services.nginx.package}/conf/fastcgi_params;
-            fastcgi_split_path_info ^(/?)(.+)$;
-            fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
-            fastcgi_param SCRIPT_FILENAME ${cfg.server.package}/cgit/cgit.cgi;
-            fastcgi_param CGIT_CONFIG ${cgitrc};
-            fastcgi_param PATH_INFO $uri;
-            fastcgi_param QUERY_STRING $args;
-            fastcgi_param HTTP_HOST $server_name;
+                scan-path=${config.services.gitolite.dataDir}/repositories
+              '';
+            in
+            ''
+              include ${config.services.nginx.package}/conf/fastcgi_params;
+              fastcgi_split_path_info ^(/?)(.+)$;
+              fastcgi_pass unix:${config.services.fcgiwrap.socketAddress};
+              fastcgi_param SCRIPT_FILENAME ${cfg.server.package}/cgit/cgit.cgi;
+              fastcgi_param CGIT_CONFIG ${cgitrc};
+              fastcgi_param PATH_INFO $uri;
+              fastcgi_param QUERY_STRING $args;
+              fastcgi_param HTTP_HOST $server_name;
 
-            ${libNginx.config.appendHead [
-              ''<meta name="go-import" content="$host$uri git https://$host$uri">''
-              (libPlausible.htmlPlausibleScript {inherit (cfg.server) domain;})
-            ]}
-          '';
+              ${libNginx.config.appendHead [
+                ''<meta name="go-import" content="$host$uri git https://$host$uri">''
+                (libPlausible.htmlPlausibleScript { inherit (cfg.server) domain; })
+              ]}
+            '';
           "~* ^.+(cgit.css|robots.txt)$".extraConfig = ''
             root ${cfg.server.package}/cgit;
           '';
@@ -88,43 +90,47 @@ in {
           "~* ^.+cgit-custom-favicon.gif$".extraConfig = ''
             alias ${./favicon.ico};
           '';
-          "~* ^.+cgit-custom-style.css$".extraConfig = let
-            css = pkgs.writeText "custom.css" ''
-              @import url("cgit.css");
+          "~* ^.+cgit-custom-style.css$".extraConfig =
+            let
+              css = pkgs.writeText "custom.css" ''
+                @import url("cgit.css");
 
-              div#cgit {
-                font-family: monospace;
-                -moz-tab-size: 4;
-                tab-size: 4;
-              }
+                div#cgit {
+                  font-family: monospace;
+                  -moz-tab-size: 4;
+                  tab-size: 4;
+                }
+              '';
+            in
+            ''
+              alias ${css};
             '';
-          in ''
-            alias ${css};
-          '';
         };
       };
     };
 
-    services = let
-      user = "git";
-      group = "git";
-    in {
-      gitolite = {
-        enable = true;
-        inherit user group;
-        adminPubkey = my.ssh.key;
-        extraGitoliteRc = ''
-          # This allows hiding repositories via "cgit.ignore"[1].
-          #
-          # [1]: https://www.omarpolo.com/post/cgit-gitolite.html
-          $RC{GIT_CONFIG_KEYS} = '.*';
-        '';
-      };
+    services =
+      let
+        user = "git";
+        group = "git";
+      in
+      {
+        gitolite = {
+          enable = true;
+          inherit user group;
+          adminPubkey = my.ssh.key;
+          extraGitoliteRc = ''
+            # This allows hiding repositories via "cgit.ignore"[1].
+            #
+            # [1]: https://www.omarpolo.com/post/cgit-gitolite.html
+            $RC{GIT_CONFIG_KEYS} = '.*';
+          '';
+        };
 
-      fcgiwrap = {
-        enable = true;
-        inherit user group;
+        fcgiwrap = {
+          enable = true;
+          inherit user group;
+        };
       };
-    };
   };
 }
diff --git a/modules/nixos/gnupg.nix b/modules/nixos/gnupg.nix
index 5300554..ad2c939 100644
--- a/modules/nixos/gnupg.nix
+++ b/modules/nixos/gnupg.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.gnupg;
-in {
+in
+{
   options.nixfiles.modules.gnupg.pinentry = mkOption {
     description = "Name of a pinentry implementation.";
     type = types.package;
@@ -30,7 +32,7 @@ in {
 
         grabKeyboardAndMouse = true;
 
-        sshKeys = [my.pgp.grip];
+        sshKeys = [ my.pgp.grip ];
 
         pinentryPackage = cfg.pinentry;
       };
diff --git a/modules/nixos/gotify.nix b/modules/nixos/gotify.nix
index 4bdd4fa..ad9b277 100644
--- a/modules/nixos/gotify.nix
+++ b/modules/nixos/gotify.nix
@@ -4,9 +4,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.gotify;
-in {
+in
+{
   options.nixfiles.modules.gotify = {
     enable = mkEnableOption "Gotify";
 
@@ -17,14 +19,15 @@ in {
     };
   };
 
-  config = let
-    db = "gotify";
-  in
+  config =
+    let
+      db = "gotify";
+    in
     mkIf cfg.enable {
       nixfiles.modules = {
         nginx = {
           enable = true;
-          upstreams.gotify.servers."127.0.0.1:${toString config.services.gotify.port}" = {};
+          upstreams.gotify.servers."127.0.0.1:${toString config.services.gotify.port}" = { };
           virtualHosts.${cfg.domain} = {
             locations."/" = {
               proxyPass = "http://gotify";
@@ -50,7 +53,7 @@ in {
         };
 
         postgresql = {
-          ensureDatabases = [db];
+          ensureDatabases = [ db ];
           ensureUsers = [
             {
               name = db;
@@ -61,7 +64,10 @@ in {
       };
 
       systemd.services.gotify-server = {
-        after = ["network-online.target" "postgresql.service"];
+        after = [
+          "network-online.target"
+          "postgresql.service"
+        ];
         environment = {
           GOTIFY_DATABASE_DIALECT = "postgres";
           GOTIFY_DATABASE_CONNECTION = concatStringsSep " " [
diff --git a/modules/nixos/grafana.nix b/modules/nixos/grafana.nix
index 2f32225..233c9e5 100644
--- a/modules/nixos/grafana.nix
+++ b/modules/nixos/grafana.nix
@@ -5,9 +5,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.grafana;
-in {
+in
+{
   options.nixfiles.modules.grafana = {
     enable = mkEnableOption "Grafana";
 
@@ -24,11 +26,12 @@ in {
     };
   };
 
-  config = let
-    db = "grafana";
-  in
+  config =
+    let
+      db = "grafana";
+    in
     mkIf cfg.enable {
-      ark.directories = [config.services.grafana.dataDir];
+      ark.directories = [ config.services.grafana.dataDir ];
 
       secrets = {
         grafana-key = {
@@ -51,7 +54,7 @@ in {
       nixfiles.modules = {
         nginx = {
           enable = true;
-          upstreams.grafana.servers."127.0.0.1:${toString cfg.port}" = {};
+          upstreams.grafana.servers."127.0.0.1:${toString cfg.port}" = { };
           virtualHosts.${cfg.domain} = {
             locations."/" = {
               proxyPass = "http://grafana";
@@ -109,7 +112,7 @@ in {
         };
 
         postgresql = {
-          ensureDatabases = [db];
+          ensureDatabases = [ db ];
           ensureUsers = [
             {
               name = db;
diff --git a/modules/nixos/hydra.nix b/modules/nixos/hydra.nix
index ec3297c..85b89ab 100644
--- a/modules/nixos/hydra.nix
+++ b/modules/nixos/hydra.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.hydra;
-in {
+in
+{
   options.nixfiles.modules.hydra = {
     enable = mkEnableOption "Hydra";
 
@@ -26,32 +24,34 @@ in {
     nixfiles.modules = {
       nginx = {
         enable = true;
-        upstreams.hydra.servers."127.0.0.1:${toString cfg.port}" = {};
+        upstreams.hydra.servers."127.0.0.1:${toString cfg.port}" = { };
         virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://hydra";
       };
       postgresql.enable = true;
     };
 
-    services = let
-      db = "hydra";
-    in {
-      hydra = {
-        enable = true;
-        listenHost = "127.0.0.1";
-        inherit (cfg) port;
-        dbi = "dbi:Pg:dbname=${db};user=${db}";
-        hydraURL = cfg.domain;
-      };
+    services =
+      let
+        db = "hydra";
+      in
+      {
+        hydra = {
+          enable = true;
+          listenHost = "127.0.0.1";
+          inherit (cfg) port;
+          dbi = "dbi:Pg:dbname=${db};user=${db}";
+          hydraURL = cfg.domain;
+        };
 
-      postgresql = {
-        ensureDatabases = [db];
-        ensureUsers = [
-          {
-            name = db;
-            ensureDBOwnership = true;
-          }
-        ];
+        postgresql = {
+          ensureDatabases = [ db ];
+          ensureUsers = [
+            {
+              name = db;
+              ensureDBOwnership = true;
+            }
+          ];
+        };
       };
-    };
   };
 }
diff --git a/modules/nixos/incus.nix b/modules/nixos/incus.nix
index 14bbc1d..184aa03 100644
--- a/modules/nixos/incus.nix
+++ b/modules/nixos/incus.nix
@@ -1,15 +1,13 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.incus;
-in {
+in
+{
   options.nixfiles.modules.incus.enable = mkEnableOption "Incus";
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/incus"];
+    ark.directories = [ "/var/lib/incus" ];
 
     virtualisation.incus = {
       enable = true;
@@ -55,7 +53,7 @@ in {
       };
     };
 
-    networking.firewall.trustedInterfaces = ["incusbr0"];
+    networking.firewall.trustedInterfaces = [ "incusbr0" ];
 
     # FIXME https://nixpk.gs/pr-tracker.html?pr=295364
     # systemd.services.incus.path = mkForce [
@@ -63,6 +61,6 @@ in {
     #   "${config.boot.zfs.package}/lib/udev"
     # ];
 
-    my.extraGroups = ["incus-admin"];
+    my.extraGroups = [ "incus-admin" ];
   };
 }
diff --git a/modules/nixos/ipfs.nix b/modules/nixos/ipfs.nix
index 99ce6c9..cd28372 100644
--- a/modules/nixos/ipfs.nix
+++ b/modules/nixos/ipfs.nix
@@ -5,13 +5,15 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.ipfs;
 
   gatewayDefaultPort = 6001;
   apiDefaultPort = 5001;
   swarmDefaultPort = 4001;
-in {
+in
+{
   options.nixfiles.modules.ipfs = {
     enable = mkEnableOption "IPFS daemon";
 
@@ -24,19 +26,13 @@ in {
     gatewayPort = mkOption {
       description = "Gateway port.";
       type = with types; port;
-      default =
-        if this.isHeadless
-        then gatewayDefaultPort + 990
-        else gatewayDefaultPort;
+      default = if this.isHeadless then gatewayDefaultPort + 990 else gatewayDefaultPort;
     };
 
     apiPort = mkOption {
       description = "API port.";
       type = with types; port;
-      default =
-        if this.isHeadless
-        then apiDefaultPort + 990
-        else apiDefaultPort;
+      default = if this.isHeadless then apiDefaultPort + 990 else apiDefaultPort;
     };
 
     swarmPort = mkOption {
@@ -86,22 +82,25 @@ in {
                   "/ip4/10.0.0.0/ipcidr/8"
                   "/ip6/fc00::/ipcidr/7"
                 ];
-            in {
+            in
+            {
               Addresses = {
                 API = "/ip4/127.0.0.1/tcp/${toString cfg.apiPort}";
                 Gateway = "/ip4/127.0.0.1/tcp/${toString cfg.gatewayPort}";
-                Swarm = let
-                  port = toString cfg.swarmPort;
-                in [
-                  "/ip4/0.0.0.0/tcp/${port}"
-                  "/ip6/::/tcp/${port}"
-                  "/ip4/0.0.0.0/udp/${port}/quic"
-                  "/ip4/0.0.0.0/udp/${port}/quic-v1"
-                  "/ip4/0.0.0.0/udp/${port}/quic-v1/webtransport"
-                  "/ip6/::/udp/${port}/quic"
-                  "/ip6/::/udp/${port}/quic-v1"
-                  "/ip6/::/udp/${port}/quic-v1/webtransport"
-                ];
+                Swarm =
+                  let
+                    port = toString cfg.swarmPort;
+                  in
+                  [
+                    "/ip4/0.0.0.0/tcp/${port}"
+                    "/ip6/::/tcp/${port}"
+                    "/ip4/0.0.0.0/udp/${port}/quic"
+                    "/ip4/0.0.0.0/udp/${port}/quic-v1"
+                    "/ip4/0.0.0.0/udp/${port}/quic-v1/webtransport"
+                    "/ip6/::/udp/${port}/quic"
+                    "/ip6/::/udp/${port}/quic-v1"
+                    "/ip6/::/udp/${port}/quic-v1/webtransport"
+                  ];
 
                 NoAnnounce = filterAddresses;
               };
@@ -116,7 +115,7 @@ in {
       };
 
       networking.firewall = rec {
-        allowedTCPPorts = [swarmDefaultPort];
+        allowedTCPPorts = [ swarmDefaultPort ];
         allowedUDPPorts = allowedTCPPorts;
       };
     }
@@ -124,8 +123,8 @@ in {
       nixfiles.modules.nginx = {
         enable = true;
         upstreams = with cfg; {
-          kubo_gateway.servers."127.0.0.1:${toString gatewayPort}" = {};
-          kubo_api.servers."127.0.0.1:${toString apiPort}" = {};
+          kubo_gateway.servers."127.0.0.1:${toString gatewayPort}" = { };
+          kubo_api.servers."127.0.0.1:${toString apiPort}" = { };
         };
         virtualHosts = {
           ${cfg.domain} = {
@@ -135,9 +134,7 @@ in {
           "api.${cfg.domain}" = {
             locations = {
               "/".proxyPass = "http://kubo_api";
-              "~ ^/$".return = "301 http${
-                optionalString config.nixfiles.modules.acme.enable "s"
-              }://api.${cfg.domain}/webui";
+              "~ ^/$".return = "301 http${optionalString config.nixfiles.modules.acme.enable "s"}://api.${cfg.domain}/webui";
             };
             extraConfig = libNginx.config.internalOnly;
           };
diff --git a/modules/nixos/jackett.nix b/modules/nixos/jackett.nix
index 772e0e9..492e77a 100644
--- a/modules/nixos/jackett.nix
+++ b/modules/nixos/jackett.nix
@@ -4,9 +4,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.jackett;
-in {
+in
+{
   options.nixfiles.modules.jackett = {
     enable = mkEnableOption "Jackett";
 
@@ -18,11 +20,11 @@ in {
   };
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/jackett"];
+    ark.directories = [ "/var/lib/jackett" ];
 
     nixfiles.modules.nginx = {
       enable = true;
-      upstreams.jackett.servers."127.0.0.1:9117" = {};
+      upstreams.jackett.servers."127.0.0.1:9117" = { };
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://jackett";
         extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/k3s.nix b/modules/nixos/k3s.nix
index 016eb50..a6efd9f 100644
--- a/modules/nixos/k3s.nix
+++ b/modules/nixos/k3s.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.k3s;
-in {
+in
+{
   options.nixfiles.modules.k3s = {
     enable = mkEnableOption "K3s";
   };
diff --git a/modules/nixos/kde.nix b/modules/nixos/kde.nix
index 2f6aa92..333e9f7 100644
--- a/modules/nixos/kde.nix
+++ b/modules/nixos/kde.nix
@@ -4,20 +4,25 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.kde;
-in {
+in
+{
   options.nixfiles.modules.kde.enable = mkEnableOption "KDE Plasma";
 
   config = mkIf cfg.enable {
     nixfiles.modules = {
-      common.xdg.defaultApplications."org.kde.dolphin" = ["inode/directory"];
+      common.xdg.defaultApplications."org.kde.dolphin" = [ "inode/directory" ];
 
       gnupg.pinentry = pkgs.pinentry-qt;
       sound.enable = true;
     };
 
     hm = {
+      # Fucking broken. I don't want to bother with fixing this shit now.
+      stylix.targets.kde.enable = false;
+
       programs.firefox.profiles.default.settings = {
         "widget.use-xdg-desktop-portal.file-picker" = 1;
         "widget.use-xdg-desktop-portal.mime-handler" = 1;
@@ -31,15 +36,13 @@ in {
       xdg.configFile = {
         "fontconfig/conf.d/10-hm-fonts.conf".force = mkForce true;
         "mimeapps.list".force = mkForce true;
-        "kcminputrc".text = generators.toINI {} {
+        "kcminputrc".text = generators.toINI { } {
           Keyboard = with config.services.xserver; {
             RepeatDelay = autoRepeatDelay;
             RepeatRate = autoRepeatInterval;
           };
         };
-        "baloofilerc".text = generators.toINI {} {
-          "Basic Settings"."Indexing-Enabled" = false;
-        };
+        "baloofilerc".text = generators.toINI { } { "Basic Settings"."Indexing-Enabled" = false; };
       };
     };
 
diff --git a/modules/nixos/libvirtd.nix b/modules/nixos/libvirtd.nix
index 0d58f5e..009fd24 100644
--- a/modules/nixos/libvirtd.nix
+++ b/modules/nixos/libvirtd.nix
@@ -4,13 +4,15 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.libvirtd;
-in {
+in
+{
   options.nixfiles.modules.libvirtd.enable = mkEnableOption "libvirtd";
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/libvirt"];
+    ark.directories = [ "/var/lib/libvirt" ];
 
     hm.home.packages = with pkgs; [
       bridge-utils
@@ -36,7 +38,7 @@ in {
 
         ovmf = {
           enable = true;
-          packages = [pkgs.OVMFFull.fd];
+          packages = [ pkgs.OVMFFull.fd ];
         };
 
         swtpm = {
@@ -46,6 +48,6 @@ in {
       };
     };
 
-    my.extraGroups = ["libvirtd"];
+    my.extraGroups = [ "libvirtd" ];
   };
 }
diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix
index 9b166cf..84d363b 100644
--- a/modules/nixos/lidarr.nix
+++ b/modules/nixos/lidarr.nix
@@ -5,9 +5,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.lidarr;
-in {
+in
+{
   options.nixfiles.modules.lidarr = {
     enable = mkEnableOption "Lidarr";
 
@@ -21,11 +23,11 @@ in {
   config = mkIf cfg.enable {
     secrets.lidarr-api-key.file = "${inputs.self}/secrets/lidarr-api-key";
 
-    ark.directories = ["/var/lib/lidarr"];
+    ark.directories = [ "/var/lib/lidarr" ];
 
     nixfiles.modules.nginx = {
       enable = true;
-      upstreams.lidarr.servers."127.0.0.1:8686" = {};
+      upstreams.lidarr.servers."127.0.0.1:8686" = { };
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://lidarr";
         extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/loki.nix b/modules/nixos/loki.nix
index ce19004..c446848 100644
--- a/modules/nixos/loki.nix
+++ b/modules/nixos/loki.nix
@@ -4,9 +4,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.loki;
-in {
+in
+{
   options.nixfiles.modules.loki = {
     enable = mkEnableOption "Loki";
 
@@ -24,11 +26,11 @@ in {
   };
 
   config = mkIf cfg.enable {
-    ark.directories = [config.services.loki.configuration.common.path_prefix];
+    ark.directories = [ config.services.loki.configuration.common.path_prefix ];
 
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      upstreams.loki.servers."127.0.0.1:${toString cfg.port}" = {};
+      upstreams.loki.servers."127.0.0.1:${toString cfg.port}" = { };
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://loki";
         extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/matrix/dendrite.nix b/modules/nixos/matrix/dendrite.nix
index c65b55b..5e8a7e4 100644
--- a/modules/nixos/matrix/dendrite.nix
+++ b/modules/nixos/matrix/dendrite.nix
@@ -5,9 +5,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.matrix.dendrite;
-in {
+in
+{
   options.nixfiles.modules.matrix.dendrite = {
     enable = mkEnableOption "Dendrite Matrix server";
 
@@ -24,9 +26,10 @@ in {
     };
   };
 
-  config = let
-    db = "dendrite";
-  in
+  config =
+    let
+      db = "dendrite";
+    in
     mkIf cfg.enable {
       ark.directories = [
         "/var/lib/dendrite"
@@ -46,25 +49,21 @@ in {
       nixfiles.modules = {
         nginx = {
           enable = true;
-          upstreams.dendrite.servers."127.0.0.1:${toString config.services.dendrite.httpPort}" = {};
+          upstreams.dendrite.servers."127.0.0.1:${toString config.services.dendrite.httpPort}" = { };
           virtualHosts.${cfg.domain}.locations = {
             "/_matrix".proxyPass = "http://dendrite";
             "= /.well-known/matrix/server" = {
               extraConfig = ''
                 add_header Content-Type application/json;
               '';
-              return = "200 '${generators.toJSON {} {
-                "m.server" = "${cfg.domain}:443";
-              }}'";
+              return = "200 '${generators.toJSON { } { "m.server" = "${cfg.domain}:443"; }}'";
             };
             "= /.well-known/matrix/client" = {
               extraConfig = ''
                 add_header Content-Type application/json;
                 add_header Access-Control-Allow-Origin *;
               '';
-              return = "200 '${generators.toJSON {} {
-                "m.homeserver".base_url = "https://${cfg.domain}";
-              }}'";
+              return = "200 '${generators.toJSON { } { "m.homeserver".base_url = "https://${cfg.domain}"; }}'";
             };
           };
         };
@@ -95,7 +94,7 @@ in {
       };
 
       services.postgresql = {
-        ensureDatabases = [db];
+        ensureDatabases = [ db ];
         ensureUsers = [
           {
             name = db;
@@ -106,118 +105,134 @@ in {
 
       systemd.services.dendrite = {
         description = "Dendrite Matrix homeserver";
-        wantedBy = ["multi-user.target"];
-        requires = ["network.target" "postgresql.service"];
-        after = ["network.target" "postgresql.service"];
-        serviceConfig = let
-          needsPrivileges = cfg.port < 1024;
-          capabilities = [""] ++ optionals needsPrivileges ["CAP_NET_BIND_SERVICE"];
-        in {
-          Restart = "on-failure";
-          ExecStartPre = let
-            settings = {
-              version = 2;
-              global = {
-                server_name = cfg.domain;
-                private_key = config.secrets.dendrite-private-key.path;
-                database = {
-                  connection_string = "postgresql://${db}@/${db}?host=/run/postgresql";
-                  max_open_conns = 64;
-                  max_idle_connections = 8;
-                };
-                cache = {
-                  max_size_estimated = "1gb";
-                  max_age = "1h";
-                };
-                trusted_third_party_id_servers = [
-                  "matrix.org"
-                  "nixos.org"
-                  "vector.im"
-                ];
-                presence = {
-                  enable_inbound = false;
-                  enable_outbound = false;
+        wantedBy = [ "multi-user.target" ];
+        requires = [
+          "network.target"
+          "postgresql.service"
+        ];
+        after = [
+          "network.target"
+          "postgresql.service"
+        ];
+        serviceConfig =
+          let
+            needsPrivileges = cfg.port < 1024;
+            capabilities = [ "" ] ++ optionals needsPrivileges [ "CAP_NET_BIND_SERVICE" ];
+          in
+          {
+            Restart = "on-failure";
+            ExecStartPre =
+              let
+                settings = {
+                  version = 2;
+                  global = {
+                    server_name = cfg.domain;
+                    private_key = config.secrets.dendrite-private-key.path;
+                    database = {
+                      connection_string = "postgresql://${db}@/${db}?host=/run/postgresql";
+                      max_open_conns = 64;
+                      max_idle_connections = 8;
+                    };
+                    cache = {
+                      max_size_estimated = "1gb";
+                      max_age = "1h";
+                    };
+                    trusted_third_party_id_servers = [
+                      "matrix.org"
+                      "nixos.org"
+                      "vector.im"
+                    ];
+                    presence = {
+                      enable_inbound = false;
+                      enable_outbound = false;
+                    };
+                  };
+                  client_api = {
+                    registration_disabled = true;
+                    guests_disabled = true;
+                    registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
+                  };
+                  media_api = {
+                    base_path = "/var/lib/dendrite/media_store";
+                    max_file_size_bytes = 0;
+                    dynamic_thumbnails = true;
+                    max_thumbnail_generators = 8;
+                    thumbnail_sizes = [
+                      {
+                        width = 32;
+                        height = 32;
+                        method = "crop";
+                      }
+                      {
+                        width = 96;
+                        height = 96;
+                        method = "crop";
+                      }
+                      {
+                        width = 640;
+                        height = 480;
+                        method = "scale";
+                      }
+                    ];
+                  };
+                  logging = [
+                    {
+                      type = "std";
+                      level = "warn";
+                    }
+                  ];
                 };
-              };
-              client_api = {
-                registration_disabled = true;
-                guests_disabled = true;
-                registration_shared_secret = "$REGISTRATION_SHARED_SECRET";
-              };
-              media_api = {
-                base_path = "/var/lib/dendrite/media_store";
-                max_file_size_bytes = 0;
-                dynamic_thumbnails = true;
-                max_thumbnail_generators = 8;
-                thumbnail_sizes = [
-                  {
-                    width = 32;
-                    height = 32;
-                    method = "crop";
-                  }
-                  {
-                    width = 96;
-                    height = 96;
-                    method = "crop";
-                  }
-                  {
-                    width = 640;
-                    height = 480;
-                    method = "scale";
-                  }
-                ];
-              };
-              logging = [
-                {
-                  type = "std";
-                  level = "warn";
-                }
+              in
+              concatStringsSep " " [
+                (getExe pkgs.envsubst)
+                "-i ${(pkgs.formats.yaml { }).generate "dendrite.yaml" settings}"
+                "-o /run/dendrite/dendrite.yaml"
               ];
-            };
-          in
-            concatStringsSep " " [
-              (getExe pkgs.envsubst)
-              "-i ${(pkgs.formats.yaml {}).generate "dendrite.yaml" settings}"
-              "-o /run/dendrite/dendrite.yaml"
+            ExecStart = concatStringsSep " " [
+              (getExe' pkgs.dendrite "dendrite")
+              "--config /run/dendrite/dendrite.yaml"
+              "--http-bind-address 127.0.0.1:${toString cfg.port}"
             ];
-          ExecStart = concatStringsSep " " [
-            (getExe' pkgs.dendrite "dendrite")
-            "--config /run/dendrite/dendrite.yaml"
-            "--http-bind-address 127.0.0.1:${toString cfg.port}"
-          ];
-          ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
-          EnvironmentFile = config.secrets.dendrite-environment-file.path;
-          DynamicUser = true;
-          StateDirectory = "dendrite";
-          RuntimeDirectory = "dendrite";
-          RuntimeDirectoryMode = "0700";
-          AmbientCapabilities = capabilities;
-          CapabilityBoundingSet = capabilities;
-          UMask = "0077";
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateTmp = true;
-          PrivateUsers = !needsPrivileges;
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectSystem = "strict";
-          ProtectProc = "noaccess";
-          ProcSubset = "pid";
-          RemoveIPC = true;
-          RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          SystemCallArchitectures = "native";
-          SystemCallFilter = ["@system-service" "~@privileged"];
-        };
+            ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+            EnvironmentFile = config.secrets.dendrite-environment-file.path;
+            DynamicUser = true;
+            StateDirectory = "dendrite";
+            RuntimeDirectory = "dendrite";
+            RuntimeDirectoryMode = "0700";
+            AmbientCapabilities = capabilities;
+            CapabilityBoundingSet = capabilities;
+            UMask = "0077";
+            LockPersonality = true;
+            MemoryDenyWriteExecute = true;
+            NoNewPrivileges = true;
+            PrivateDevices = true;
+            PrivateTmp = true;
+            PrivateUsers = !needsPrivileges;
+            ProtectClock = true;
+            ProtectControlGroups = true;
+            ProtectHome = true;
+            ProtectHostname = true;
+            ProtectKernelLogs = true;
+            ProtectKernelModules = true;
+            ProtectKernelTunables = true;
+            ProtectSystem = "strict";
+            ProtectProc = "noaccess";
+            ProcSubset = "pid";
+            RemoveIPC = true;
+            RestrictAddressFamilies = [
+              "AF_UNIX"
+              "AF_INET"
+              "AF_INET6"
+            ];
+            RestrictNamespaces = true;
+            RestrictRealtime = true;
+            RestrictSUIDSGID = true;
+            SystemCallArchitectures = "native";
+            SystemCallFilter = [
+              "@system-service"
+              "~@privileged"
+            ];
+          };
       };
     };
 }
diff --git a/modules/nixos/matrix/element.nix b/modules/nixos/matrix/element.nix
index 3d47800..92a2927 100644
--- a/modules/nixos/matrix/element.nix
+++ b/modules/nixos/matrix/element.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.matrix.element;
-in {
+in
+{
   options.nixfiles.modules.matrix.element = {
     enable = mkEnableOption "Element, a Matrix web interface";
 
@@ -26,7 +28,8 @@ in {
   config = mkIf cfg.enable {
     assertions = [
       {
-        assertion = with config.nixfiles.modules.matrix;
+        assertion =
+          with config.nixfiles.modules.matrix;
           (synapse.enable || dendrite.enable) && !(!synapse.enable && !dendrite.enable);
         message = "Synapse or Dendrite must be enabled";
       }
diff --git a/modules/nixos/monitoring/default.nix b/modules/nixos/monitoring/default.nix
index 5aed215..6e5b782 100644
--- a/modules/nixos/monitoring/default.nix
+++ b/modules/nixos/monitoring/default.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.monitoring;
-in {
+in
+{
   options.nixfiles.modules.monitoring.enable = mkEnableOption ''
     a glue to provision a monitoring stack
   '';
@@ -134,83 +136,93 @@ in {
       };
 
       prometheus = {
-        scrapeConfigs = with my.configurations;
+        scrapeConfigs =
+          with my.configurations;
           mapAttrsToList
-          (
-            name: value: {
+            (name: value: {
               job_name = name;
               static_configs = [
                 {
-                  targets = with value;
-                    map (host:
+                  targets =
+                    with value;
+                    map (
+                      host:
                       concatStringsSep ":" [
-                        (
-                          if isAttrs host
-                          then host.hostname
-                          else host
-                        )
+                        (if isAttrs host then host.hostname else host)
                         (toString port)
-                      ])
-                    hosts;
+                      ]
+                    ) hosts;
                 }
               ];
-              relabel_configs =
-                [
-                  {
-                    source_labels = ["__address__"];
-                    regex = "([^:]+):\\d+";
-                    target_label = "instance";
-                  }
-                ]
-                ++ optionals (hasAttr "relabel" value) value.relabel;
-            }
-          )
-          {
-            promtail = {
-              hosts = [manwe varda yavanna];
-              inherit (config.nixfiles.modules.promtail) port;
-            };
-            ntfy = {
-              hosts = [manwe];
-              inherit (config.nixfiles.modules.ntfy.prometheus) port;
-            };
-            soju = {
-              hosts = ["127.0.0.1"];
-              inherit (config.nixfiles.modules.soju.prometheus) port;
-            };
-            endlessh-go = {
-              hosts = [manwe varda yavanna];
-              inherit (config.services.endlessh-go.prometheus) port;
-            };
-            nginx = {
-              hosts = [manwe yavanna];
-              inherit (config.services.prometheus.exporters.nginx) port;
-            };
-            node = {
-              hosts = [manwe varda yavanna];
-              inherit (config.services.prometheus.exporters.node) port;
-            };
-            postgres = {
-              hosts = [manwe];
-              inherit (config.services.prometheus.exporters.postgres) port;
-            };
-            redis = {
-              hosts = [manwe];
-              inherit (config.services.prometheus.exporters.redis) port;
-            };
-            unbound = {
-              hosts = [manwe];
-              inherit (config.services.prometheus.exporters.unbound) port;
-            };
-            wireguard = {
-              hosts = [manwe];
-              inherit (config.services.prometheus.exporters.wireguard) port;
-            };
-            exportarr-lidarr = {
-              hosts = [yavanna];
-              inherit (config.services.prometheus.exporters.exportarr-lidarr) port;
+              relabel_configs = [
+                {
+                  source_labels = [ "__address__" ];
+                  regex = "([^:]+):\\d+";
+                  target_label = "instance";
+                }
+              ] ++ optionals (hasAttr "relabel" value) value.relabel;
+            })
+            {
+              promtail = {
+                hosts = [
+                  manwe
+                  varda
+                  yavanna
+                ];
+                inherit (config.nixfiles.modules.promtail) port;
+              };
+              ntfy = {
+                hosts = [ manwe ];
+                inherit (config.nixfiles.modules.ntfy.prometheus) port;
+              };
+              soju = {
+                hosts = [ "127.0.0.1" ];
+                inherit (config.nixfiles.modules.soju.prometheus) port;
+              };
+              endlessh-go = {
+                hosts = [
+                  manwe
+                  varda
+                  yavanna
+                ];
+                inherit (config.services.endlessh-go.prometheus) port;
+              };
+              nginx = {
+                hosts = [
+                  manwe
+                  yavanna
+                ];
+                inherit (config.services.prometheus.exporters.nginx) port;
+              };
+              node = {
+                hosts = [
+                  manwe
+                  varda
+                  yavanna
+                ];
+                inherit (config.services.prometheus.exporters.node) port;
+              };
+              postgres = {
+                hosts = [ manwe ];
+                inherit (config.services.prometheus.exporters.postgres) port;
+              };
+              redis = {
+                hosts = [ manwe ];
+                inherit (config.services.prometheus.exporters.redis) port;
+              };
+              unbound = {
+                hosts = [ manwe ];
+                inherit (config.services.prometheus.exporters.unbound) port;
+              };
+              wireguard = {
+                hosts = [ manwe ];
+                inherit (config.services.prometheus.exporters.wireguard) port;
+              };
+              exportarr-lidarr = {
+                hosts = [ yavanna ];
+                inherit (config.services.prometheus.exporters.exportarr-lidarr) port;
+              };
             };
-          };
 
         ruleFiles = [
           ./rules/nginx.yaml
@@ -222,9 +234,7 @@ in {
         alertmanagers = [
           {
             scheme = "https";
-            static_configs = [
-              {targets = [config.nixfiles.modules.alertmanager.domain];}
-            ];
+            static_configs = [ { targets = [ config.nixfiles.modules.alertmanager.domain ]; } ];
           }
         ];
       };
diff --git a/modules/nixos/mpd.nix b/modules/nixos/mpd.nix
index 485cde3..7c3c821 100644
--- a/modules/nixos/mpd.nix
+++ b/modules/nixos/mpd.nix
@@ -4,16 +4,18 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.mpd;
-in {
+in
+{
   options.nixfiles.modules.mpd.enable = mkEnableOption "MPD and its clients.";
 
   config = mkIf cfg.enable {
     nixfiles.modules.sound.enable = true;
 
     hm = {
-      home.packages = with pkgs; [mpc_cli];
+      home.packages = with pkgs; [ mpc_cli ];
 
       services.mpd = {
         enable = true;
@@ -170,19 +172,31 @@ in {
           }
           {
             key = "J";
-            command = ["select_item" "scroll_down"];
+            command = [
+              "select_item"
+              "scroll_down"
+            ];
           }
           {
             key = "K";
-            command = ["select_item" "scroll_up"];
+            command = [
+              "select_item"
+              "scroll_up"
+            ];
           }
           {
             key = "h";
-            command = ["previous_column" "master_screen"];
+            command = [
+              "previous_column"
+              "master_screen"
+            ];
           }
           {
             key = "l";
-            command = ["next_column" "slave_screen"];
+            command = [
+              "next_column"
+              "slave_screen"
+            ];
           }
           {
             key = "g";
diff --git a/modules/nixos/mpv.nix b/modules/nixos/mpv.nix
index a2b73fa..8042c1a 100644
--- a/modules/nixos/mpv.nix
+++ b/modules/nixos/mpv.nix
@@ -1,92 +1,91 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.mpv;
-in {
+in
+{
   config = mkIf cfg.enable {
     nixfiles.modules.common = {
       shell.aliases.cam = "mpv av://v4l2:/dev/video0";
 
-      xdg.defaultApplications.mpv = let
-        audio = [
-          "audio/aac"
-          "audio/ac3"
-          "audio/basic"
-          "audio/flac"
-          "audio/midi"
-          "audio/mp4"
-          "audio/mpeg"
-          "audio/ogg"
-          "audio/opus"
-          "audio/vnd.dts"
-          "audio/vnd.dts.hd"
-          "audio/webm"
-          "audio/x-adpcm"
-          "audio/x-aifc"
-          "audio/x-aiff"
-          "audio/x-ape"
-          "audio/x-flac+ogg"
-          "audio/x-m4b"
-          "audio/x-m4r"
-          "audio/x-matroska"
-          "audio/x-mpegurl"
-          "audio/x-musepack"
-          "audio/x-opus+ogg"
-          "audio/x-speex"
-          "audio/x-speex+ogg"
-          "audio/x-vorbis+ogg"
-          "audio/x-wav"
-          "audio/x-wavpack"
-          "x-content/audio-cdda"
-          "x-content/audio-dvd"
-        ];
-        video = [
-          "video/3gpp"
-          "video/3gpp2"
-          "video/mkv"
-          "video/mp2t"
-          "video/mp4"
-          "video/mpeg"
-          "video/ogg"
-          "video/quicktime"
-          "video/vnd.mpegurl"
-          "video/vnd.radgamettools.bink"
-          "video/vnd.radgamettools.smacker"
-          "video/wavelet"
-          "video/webm"
-          "video/x-matroska"
-          "video/x-matroska-3d"
-          "video/x-mjpeg"
-          "video/x-msvideo"
-          "video/x-ogm+ogg"
-          "video/x-theora+ogg"
-          "x-content/video-bluray"
-          "x-content/video-dvd"
-          "x-content/video-hddvd"
-          "x-content/video-svcd"
-          "x-content/video-vcd"
-        ];
-        image = [
-          "image/avif"
-          "image/bmp"
-          "image/gif"
-          "image/jp2"
-          "image/jpeg"
-          "image/jpg"
-          "image/jpm"
-          "image/jpx"
-          "image/jxl"
-          "image/png"
-          "image/tiff"
-          "image/vnd.microsoft.icon"
-          "image/webp"
-          "image/webp"
-          "image/x-tga"
-        ];
-      in
+      xdg.defaultApplications.mpv =
+        let
+          audio = [
+            "audio/aac"
+            "audio/ac3"
+            "audio/basic"
+            "audio/flac"
+            "audio/midi"
+            "audio/mp4"
+            "audio/mpeg"
+            "audio/ogg"
+            "audio/opus"
+            "audio/vnd.dts"
+            "audio/vnd.dts.hd"
+            "audio/webm"
+            "audio/x-adpcm"
+            "audio/x-aifc"
+            "audio/x-aiff"
+            "audio/x-ape"
+            "audio/x-flac+ogg"
+            "audio/x-m4b"
+            "audio/x-m4r"
+            "audio/x-matroska"
+            "audio/x-mpegurl"
+            "audio/x-musepack"
+            "audio/x-opus+ogg"
+            "audio/x-speex"
+            "audio/x-speex+ogg"
+            "audio/x-vorbis+ogg"
+            "audio/x-wav"
+            "audio/x-wavpack"
+            "x-content/audio-cdda"
+            "x-content/audio-dvd"
+          ];
+          video = [
+            "video/3gpp"
+            "video/3gpp2"
+            "video/mkv"
+            "video/mp2t"
+            "video/mp4"
+            "video/mpeg"
+            "video/ogg"
+            "video/quicktime"
+            "video/vnd.mpegurl"
+            "video/vnd.radgamettools.bink"
+            "video/vnd.radgamettools.smacker"
+            "video/wavelet"
+            "video/webm"
+            "video/x-matroska"
+            "video/x-matroska-3d"
+            "video/x-mjpeg"
+            "video/x-msvideo"
+            "video/x-ogm+ogg"
+            "video/x-theora+ogg"
+            "x-content/video-bluray"
+            "x-content/video-dvd"
+            "x-content/video-hddvd"
+            "x-content/video-svcd"
+            "x-content/video-vcd"
+          ];
+          image = [
+            "image/avif"
+            "image/bmp"
+            "image/gif"
+            "image/jp2"
+            "image/jpeg"
+            "image/jpg"
+            "image/jpm"
+            "image/jpx"
+            "image/jxl"
+            "image/png"
+            "image/tiff"
+            "image/vnd.microsoft.icon"
+            "image/webp"
+            "image/webp"
+            "image/x-tga"
+          ];
+        in
         audio ++ video ++ image;
     };
   };
diff --git a/modules/nixos/murmur.nix b/modules/nixos/murmur.nix
index 8ac7899..7621c9e 100644
--- a/modules/nixos/murmur.nix
+++ b/modules/nixos/murmur.nix
@@ -4,13 +4,15 @@
   lib,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.murmur;
-in {
+in
+{
   options.nixfiles.modules.murmur.enable = mkEnableOption "Murmur";
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/murmur"];
+    ark.directories = [ "/var/lib/murmur" ];
 
     secrets.murmur-environment = {
       file = "${inputs.self}/secrets/murmur-environment";
diff --git a/modules/nixos/nextcloud.nix b/modules/nixos/nextcloud.nix
index 13cecb7..4053c38 100644
--- a/modules/nixos/nextcloud.nix
+++ b/modules/nixos/nextcloud.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.nextcloud;
-in {
+in
+{
   options.nixfiles.modules.nextcloud = {
     enable = mkEnableOption "Nextcloud";
 
@@ -21,97 +23,105 @@ in {
     nixfiles.modules = {
       nginx = {
         enable = true;
-        virtualHosts.${cfg.domain} = {};
+        virtualHosts.${cfg.domain} = { };
       };
       postgresql.enable = true;
     };
 
-    services = let
-      db = "nextcloud";
-    in {
-      nextcloud = mkMerge [
-        {
-          enable = true;
-          package = pkgs.nextcloud23;
-
-          hostName = cfg.domain;
+    services =
+      let
+        db = "nextcloud";
+      in
+      {
+        nextcloud = mkMerge [
+          {
+            enable = true;
+            package = pkgs.nextcloud23;
 
-          appstoreEnable = false;
+            hostName = cfg.domain;
 
-          config = {
-            adminpassFile = null; # This needs to be set as secret.
+            appstoreEnable = false;
 
-            dbtype = "pgsql";
-            dbhost = "/run/postgresql";
-            dbuser = db;
-            dbname = db;
+            config = {
+              adminpassFile = null; # This needs to be set as secret.
 
-            defaultPhoneRegion = "RU";
-          };
+              dbtype = "pgsql";
+              dbhost = "/run/postgresql";
+              dbuser = db;
+              dbname = db;
 
-          extraApps = let
-            mkNextcloudApp = {
-              name,
-              version,
-              hash,
-            }:
-              pkgs.fetchNextcloudApp {
-                inherit name version hash;
-                url = "https://github.com/nextcloud/${name}/archive/refs/tags/v${version}.tar.gz";
-              };
-          in {
-            contacts = mkNextcloudApp {
-              name = "contacts";
-              version = "4.0.1";
-              sha256 = "sha256-dXKsG8KmlUojeY5dUn/XsMD3KaSh4QcZFOGDdcqlSvE=";
-            };
-            calendar = mkNextcloudApp {
-              name = "calendar";
-              version = "3.0.5";
-              sha256 = "sha256-aKUKm7fWJQxOWwma56Tv+GGIo+p0n30Nhoyt4XoxsjI=";
-            };
-            files_rightclick = mkNextcloudApp {
-              name = "files_rightclick";
-              version = "23.0.1";
-              sha256 = "sha256-VYODzkvvGrtpyRoug/8UPKhAgfCx1ltP1JdGPiB/lts=";
-            };
-            unsplash = mkNextcloudApp {
-              name = "unsplash";
-              version = "1.2.4";
-              sha256 = "sha256-KGSkBOrNu0nK0YvAPYaxEL/kZNoJQD1oBV2aUBxh6cI=";
-            };
-            previewgenerator = mkNextcloudApp {
-              name = "previewgenerator";
-              version = "3.4.1";
-              sha256 = "sha256-IUdj0xWt5zHxQoiMv1bYyYTzekuOFrsRIe530QOwC/w=";
+              defaultPhoneRegion = "RU";
             };
-            bruteforcesettings = mkNextcloudApp {
-              name = "bruteforcesettings";
-              version = "2.3.0";
-              sha256 = "sha256-J7ujmiPaw8GI7vDfVPXEum2XAMWvahciP8C6iXgckdE=";
-            };
-          };
-        }
-        (mkIf config.nixfiles.modules.acme.enable {
-          https = true;
-          config.overwriteProtocol = "https";
-        })
-      ];
 
-      postgresql = {
-        ensureDatabases = [db];
-        ensureUsers = [
-          {
-            name = db;
-            ensureDBOwnership = true;
+            extraApps =
+              let
+                mkNextcloudApp =
+                  {
+                    name,
+                    version,
+                    hash,
+                  }:
+                  pkgs.fetchNextcloudApp {
+                    inherit name version hash;
+                    url = "https://github.com/nextcloud/${name}/archive/refs/tags/v${version}.tar.gz";
+                  };
+              in
+              {
+                contacts = mkNextcloudApp {
+                  name = "contacts";
+                  version = "4.0.1";
+                  sha256 = "sha256-dXKsG8KmlUojeY5dUn/XsMD3KaSh4QcZFOGDdcqlSvE=";
+                };
+                calendar = mkNextcloudApp {
+                  name = "calendar";
+                  version = "3.0.5";
+                  sha256 = "sha256-aKUKm7fWJQxOWwma56Tv+GGIo+p0n30Nhoyt4XoxsjI=";
+                };
+                files_rightclick = mkNextcloudApp {
+                  name = "files_rightclick";
+                  version = "23.0.1";
+                  sha256 = "sha256-VYODzkvvGrtpyRoug/8UPKhAgfCx1ltP1JdGPiB/lts=";
+                };
+                unsplash = mkNextcloudApp {
+                  name = "unsplash";
+                  version = "1.2.4";
+                  sha256 = "sha256-KGSkBOrNu0nK0YvAPYaxEL/kZNoJQD1oBV2aUBxh6cI=";
+                };
+                previewgenerator = mkNextcloudApp {
+                  name = "previewgenerator";
+                  version = "3.4.1";
+                  sha256 = "sha256-IUdj0xWt5zHxQoiMv1bYyYTzekuOFrsRIe530QOwC/w=";
+                };
+                bruteforcesettings = mkNextcloudApp {
+                  name = "bruteforcesettings";
+                  version = "2.3.0";
+                  sha256 = "sha256-J7ujmiPaw8GI7vDfVPXEum2XAMWvahciP8C6iXgckdE=";
+                };
+              };
           }
+          (mkIf config.nixfiles.modules.acme.enable {
+            https = true;
+            config.overwriteProtocol = "https";
+          })
         ];
+
+        postgresql = {
+          ensureDatabases = [ db ];
+          ensureUsers = [
+            {
+              name = db;
+              ensureDBOwnership = true;
+            }
+          ];
+        };
       };
-    };
 
     systemd = {
       services = {
-        nextcloud-setup.after = ["network-online.target" "postgresql.service"];
+        nextcloud-setup.after = [
+          "network-online.target"
+          "postgresql.service"
+        ];
 
         nextcloud-preview-generate-cron.serviceConfig = {
           Type = "oneshot";
@@ -121,7 +131,7 @@ in {
       };
 
       timers.nextcloud-preview-generate = {
-        wantedBy = ["timers.target"];
+        wantedBy = [ "timers.target" ];
         timerConfig = {
           OnBootSec = "15m";
           OnUnitActiveSec = "15m";
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
index 05c6a06..ed34237 100644
--- a/modules/nixos/nginx.nix
+++ b/modules/nixos/nginx.nix
@@ -5,9 +5,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.nginx;
-in {
+in
+{
   options.nixfiles.modules.nginx = {
     enable = mkEnableOption "Nginx";
 
@@ -62,8 +64,9 @@ in {
           ''
             add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
           ''
-          (optionalString (hasAttr "wireguard" this)
-            (with config.nixfiles.modules.wireguard; ''
+          (optionalString (hasAttr "wireguard" this) (
+            with config.nixfiles.modules.wireguard;
+            ''
               geo $internal {
                 default 0;
                 127.0.0.1/32 1;
@@ -71,7 +74,8 @@ in {
                 ${ipv4.subnet} 1;
                 ${ipv6.subnet} 1;
               }
-            ''))
+            ''
+          ))
         ];
 
         inherit (cfg) upstreams;
@@ -84,15 +88,18 @@ in {
               locations."/".return = "444";
             };
           }
-          // (mkIf (cfg.virtualHosts != null) (mapAttrs (_: attr:
-            mkMerge [
-              attr
-              (mkIf config.nixfiles.modules.acme.enable {
-                enableACME = mkDefault true;
-                forceSSL = mkDefault true;
-              })
-            ])
-          cfg.virtualHosts));
+          // (mkIf (cfg.virtualHosts != null) (
+            mapAttrs (
+              _: attr:
+              mkMerge [
+                attr
+                (mkIf config.nixfiles.modules.acme.enable {
+                  enableACME = mkDefault true;
+                  forceSSL = mkDefault true;
+                })
+              ]
+            ) cfg.virtualHosts
+          ));
       };
 
       fail2ban.jails = {
@@ -107,6 +114,9 @@ in {
       };
     };
 
-    networking.firewall.allowedTCPPorts = [80 443];
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
   };
 }
diff --git a/modules/nixos/node-exporter.nix b/modules/nixos/node-exporter.nix
index 43f48f6..8e76903 100644
--- a/modules/nixos/node-exporter.nix
+++ b/modules/nixos/node-exporter.nix
@@ -4,9 +4,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.node-exporter;
-in {
+in
+{
   options.nixfiles.modules.node-exporter.enable = mkEnableOption "Prometheus Node Exporter";
 
   config = mkIf cfg.enable {
diff --git a/modules/nixos/nsd.nix b/modules/nixos/nsd.nix
index ae72f1d..f44a2a0 100644
--- a/modules/nixos/nsd.nix
+++ b/modules/nixos/nsd.nix
@@ -5,9 +5,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.nsd;
-in {
+in
+{
   options.nixfiles.modules.nsd = {
     enable = mkEnableOption "NSD";
 
@@ -19,194 +21,208 @@ in {
   };
 
   config = mkIf cfg.enable {
-    nixfiles.modules.nginx = let
-      domain = my.domain.shire;
-    in {
-      enable = true;
-      virtualHosts = mapAttrs' (_: v:
-        nameValuePair "mta-sts.${v}" {
-          locations."= /.well-known/mta-sts.txt" = {
-            extraConfig = ''
-              add_header default_type text/plain;
-            '';
-            return = "200 '${concatStringsSep "\\r\\n" [
-              "version: STSv1"
-              "mode: enforce"
-              "max_age: 2419200"
-              "mx: ${domain}"
-            ]}'";
-          };
-        })
-      my.domain;
-    };
+    nixfiles.modules.nginx =
+      let
+        domain = my.domain.shire;
+      in
+      {
+        enable = true;
+        virtualHosts = mapAttrs' (
+          _: v:
+          nameValuePair "mta-sts.${v}" {
+            locations."= /.well-known/mta-sts.txt" = {
+              extraConfig = ''
+                add_header default_type text/plain;
+              '';
+              return = "200 '${
+                concatStringsSep "\\r\\n" [
+                  "version: STSv1"
+                  "mode: enforce"
+                  "max_age: 2419200"
+                  "mx: ${domain}"
+                ]
+              }'";
+            };
+          }
+        ) my.domain;
+      };
 
     services = {
       nsd = {
         enable = true;
-        interfaces = with this; [ipv4.address ipv6.address];
+        interfaces = with this; [
+          ipv4.address
+          ipv6.address
+        ];
         ipTransparent = true;
         ratelimit.enable = true;
 
-        zones = let
-          dns = inputs.dns.lib;
-        in
-          with dns.combinators; let
-            ips = hostname:
-              with my.configurations.${hostname}; {
-                A = [(a ipv4.address)];
-                AAAA = [(aaaa ipv6.address)];
+        zones =
+          let
+            dns = inputs.dns.lib;
+          in
+          with dns.combinators;
+          let
+            ips =
+              hostname: with my.configurations.${hostname}; {
+                A = [ (a ipv4.address) ];
+                AAAA = [ (aaaa ipv6.address) ];
               };
 
-            mkEmailEntries = {
-              domain ? my.domain.shire,
-              dkimKey ? null,
-            }: {
-              MX = [(mx.mx 10 "${my.domain.shire}.")];
-              TXT = [(spf.soft ["a"])];
-              DMARC = [
-                {
-                  p = "quarantine";
-                  sp = "quarantine";
-                  rua = ["mailto:admin+rua@${domain}"];
-                  ruf = ["mailto:admin+ruf@${domain}"];
-                }
-              ];
-              DKIM = optional (dkimKey != null) {
-                selector = "mail";
-                p = dkimKey;
+            mkEmailEntries =
+              {
+                domain ? my.domain.shire,
+                dkimKey ? null,
+              }:
+              {
+                MX = [ (mx.mx 10 "${my.domain.shire}.") ];
+                TXT = [ (spf.soft [ "a" ]) ];
+                DMARC = [
+                  {
+                    p = "quarantine";
+                    sp = "quarantine";
+                    rua = [ "mailto:admin+rua@${domain}" ];
+                    ruf = [ "mailto:admin+ruf@${domain}" ];
+                  }
+                ];
+                DKIM = optional (dkimKey != null) {
+                  selector = "mail";
+                  p = dkimKey;
+                };
+                subdomains._mta-sts.TXT = [ "v=STSv1; id=20230506134541Z" ];
               };
-              subdomains._mta-sts.TXT = ["v=STSv1; id=20230506134541Z"];
-            };
 
-            mkZone = {
-              domain,
-              sldIps ? (ips "manwe"),
-              extra ? {},
-            }: {
-              ${domain}.data = dns.toString domain (mkMerge [
-                {
-                  TTL = 60 * 60;
+            mkZone =
+              {
+                domain,
+                sldIps ? (ips "manwe"),
+                extra ? { },
+              }:
+              {
+                ${domain}.data = dns.toString domain (mkMerge [
+                  {
+                    TTL = 60 * 60;
 
-                  SOA = {
-                    nameServer = "${cfg.fqdn}.";
-                    adminEmail = "admin+dns@${my.domain.shire}";
-                    serial = 2022091601; # Don't forget to bump the revision!
-                  };
+                    SOA = {
+                      nameServer = "${cfg.fqdn}.";
+                      adminEmail = "admin+dns@${my.domain.shire}";
+                      serial = 2022091601; # Don't forget to bump the revision!
+                    };
 
-                  NS = with my.domain; [
-                    "ns1.${shire}"
-                    # "ns2.${shire}"
-                  ];
+                    NS = with my.domain; [
+                      "ns1.${shire}"
+                      # "ns2.${shire}"
+                    ];
 
-                  CAA = letsEncrypt "admin+caa@${my.domain.shire}";
-                }
-                sldIps
-                extra
-              ]);
-            };
+                    CAA = letsEncrypt "admin+caa@${my.domain.shire}";
+                  }
+                  sldIps
+                  extra
+                ]);
+              };
 
             # https://ariadne.id/
             # https://docs.keyoxide.org/service-providers/dns/
-            ariadneIdProof.TXT = ["openpgp4fpr:${my.pgp.fingerprint}"];
+            ariadneIdProof.TXT = [ "openpgp4fpr:${my.pgp.fingerprint}" ];
           in
-            mkMerge [
-              (mkZone rec {
-                domain = my.domain.shire;
-                extra = mkMerge [
-                  (mkEmailEntries {
-                    inherit domain;
-                    dkimKey = "@DKIM_KEY@";
-                  })
-                  {
-                    subdomains = rec {
-                      manwe = ips "manwe";
-                      "*.manwe" = manwe;
-                      varda = ips "varda";
-                      "*.varda" = varda;
-                      yavanna = ips "yavanna";
-                      "*.yavanna" = yavanna;
-
-                      mta-sts = manwe;
-
-                      ns1 = manwe;
-                      # ns2 = varda;
-
-                      alertmanager = manwe;
-                      bitwarden = manwe;
-                      git = manwe;
-                      grafana = manwe;
-                      loki = manwe;
-                      ntfy = manwe;
-                      plausible = manwe;
-                      prometheus = manwe;
-                      radicale = manwe;
-                      rss-bridge = manwe;
-                      vaultwarden = manwe;
-
-                      flood = yavanna;
-                      jackett = yavanna;
-                      lidarr = yavanna;
-                    };
-                  }
-                ];
-              })
-              (mkZone rec {
-                domain = my.domain.azahi;
-                extra = mkMerge [
-                  (mkEmailEntries {
-                    inherit domain;
-                    dkimKey = "@DKIM_KEY@";
-                  })
-                  ariadneIdProof
-                  {
-                    subdomains = {
-                      mta-sts = ips "manwe";
+          mkMerge [
+            (mkZone rec {
+              domain = my.domain.shire;
+              extra = mkMerge [
+                (mkEmailEntries {
+                  inherit domain;
+                  dkimKey = "@DKIM_KEY@";
+                })
+                {
+                  subdomains = rec {
+                    manwe = ips "manwe";
+                    "*.manwe" = manwe;
+                    varda = ips "varda";
+                    "*.varda" = varda;
+                    yavanna = ips "yavanna";
+                    "*.yavanna" = yavanna;
+
+                    mta-sts = manwe;
+
+                    ns1 = manwe;
+                    # ns2 = varda;
+
+                    alertmanager = manwe;
+                    bitwarden = manwe;
+                    git = manwe;
+                    grafana = manwe;
+                    loki = manwe;
+                    ntfy = manwe;
+                    plausible = manwe;
+                    prometheus = manwe;
+                    radicale = manwe;
+                    rss-bridge = manwe;
+                    vaultwarden = manwe;
+
+                    flood = yavanna;
+                    jackett = yavanna;
+                    lidarr = yavanna;
+                  };
+                }
+              ];
+            })
+            (mkZone rec {
+              domain = my.domain.azahi;
+              extra = mkMerge [
+                (mkEmailEntries {
+                  inherit domain;
+                  dkimKey = "@DKIM_KEY@";
+                })
+                ariadneIdProof
+                {
+                  subdomains = {
+                    mta-sts = ips "manwe";
 
-                      git = ips "manwe";
-                    };
-                  }
-                ];
-              })
-              (mkZone rec {
-                domain = my.domain.gondor;
-                extra = mkMerge [
-                  (mkEmailEntries {
-                    inherit domain;
-                    dkimKey = "@DKIM_KEY@";
-                  })
-                  {
-                    subdomains = {
-                      mta-sts = ips "manwe";
+                    git = ips "manwe";
+                  };
+                }
+              ];
+            })
+            (mkZone rec {
+              domain = my.domain.gondor;
+              extra = mkMerge [
+                (mkEmailEntries {
+                  inherit domain;
+                  dkimKey = "@DKIM_KEY@";
+                })
+                {
+                  subdomains = {
+                    mta-sts = ips "manwe";
 
-                      frodo = ips "manwe" // ariadneIdProof;
-                    };
-                  }
-                ];
-              })
-              (mkZone rec {
-                domain = my.domain.rohan;
-                extra = mkMerge [
-                  (mkEmailEntries {
-                    inherit domain;
-                    dkimKey = "@DKIM_KEY@";
-                  })
-                  {
-                    subdomains = {
-                      mta-sts = ips "manwe";
+                    frodo = ips "manwe" // ariadneIdProof;
+                  };
+                }
+              ];
+            })
+            (mkZone rec {
+              domain = my.domain.rohan;
+              extra = mkMerge [
+                (mkEmailEntries {
+                  inherit domain;
+                  dkimKey = "@DKIM_KEY@";
+                })
+                {
+                  subdomains = {
+                    mta-sts = ips "manwe";
 
-                      frodo = ips "manwe" // ariadneIdProof;
-                    };
-                  }
-                ];
-              })
-            ];
+                    frodo = ips "manwe" // ariadneIdProof;
+                  };
+                }
+              ];
+            })
+          ];
       };
 
       fail2ban.jails.nsd.enabled = true;
     };
 
     networking.firewall = rec {
-      allowedTCPPorts = [53];
+      allowedTCPPorts = [ 53 ];
       allowedUDPPorts = allowedTCPPorts;
     };
   };
diff --git a/modules/nixos/ntfy.nix b/modules/nixos/ntfy.nix
index 037f84a..5739855 100644
--- a/modules/nixos/ntfy.nix
+++ b/modules/nixos/ntfy.nix
@@ -5,9 +5,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.ntfy;
-in {
+in
+{
   options.nixfiles.modules.ntfy = {
     enable = mkEnableOption "ntfy";
 
@@ -24,7 +26,9 @@ in {
     };
 
     prometheus = {
-      enable = mkEnableOption "Prometheus exporter." // {default = true;};
+      enable = mkEnableOption "Prometheus exporter." // {
+        default = true;
+      };
 
       address = mkOption {
         description = "Address.";
@@ -41,11 +45,11 @@ in {
   };
 
   config = mkIf cfg.enable {
-    ark.files = [config.services.ntfy-sh.settings.auth-file];
+    ark.files = [ config.services.ntfy-sh.settings.auth-file ];
 
     nixfiles.modules.nginx = {
       enable = true;
-      upstreams.ntfy.servers.${config.services.ntfy-sh.settings.listen-http} = {};
+      upstreams.ntfy.servers.${config.services.ntfy-sh.settings.listen-http} = { };
       virtualHosts.${cfg.domain} = {
         locations = {
           "/" = {
@@ -67,7 +71,8 @@ in {
         base-url = "https://${cfg.domain}";
         behind-proxy = true;
         enable-metrics = cfg.prometheus.enable;
-        metrics-listen-http = with cfg.prometheus;
+        metrics-listen-http =
+          with cfg.prometheus;
           optionalString cfg.prometheus.enable "${address}:${toString port}";
       };
     };
diff --git a/modules/nixos/nullmailer.nix b/modules/nixos/nullmailer.nix
index 193b109..9f7b4ac 100644
--- a/modules/nixos/nullmailer.nix
+++ b/modules/nixos/nullmailer.nix
@@ -4,9 +4,11 @@
   lib,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.nullmailer;
-in {
+in
+{
   options.nixfiles.modules.nullmailer.enable = mkEnableOption "Nullmailer";
 
   config = mkIf cfg.enable {
diff --git a/modules/nixos/openssh.nix b/modules/nixos/openssh.nix
index 4324e45..9b82757 100644
--- a/modules/nixos/openssh.nix
+++ b/modules/nixos/openssh.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.openssh;
-in {
+in
+{
   options.nixfiles.modules.openssh.server = {
     enable = mkEnableOption "OpenSSH server";
 
@@ -29,15 +27,12 @@ in {
     services = {
       openssh = {
         enable = true;
-        ports = [cfg.server.port];
+        ports = [ cfg.server.port ];
         settings = {
           ClientAliveCountMax = 3;
           ClientAliveInterval = 60;
           KbdInteractiveAuthentication = false;
-          LogLevel =
-            if config.nixfiles.modules.fail2ban.enable
-            then "VERBOSE"
-            else "ERROR";
+          LogLevel = if config.nixfiles.modules.fail2ban.enable then "VERBOSE" else "ERROR";
           MaxAuthTries = 3;
           PasswordAuthentication = false;
           PermitRootLogin = mkForce "no";
diff --git a/modules/nixos/plausible.nix b/modules/nixos/plausible.nix
index 8de54d2..d63e3ab 100644
--- a/modules/nixos/plausible.nix
+++ b/modules/nixos/plausible.nix
@@ -4,9 +4,11 @@
   lib,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.plausible;
-in {
+in
+{
   options.nixfiles.modules.plausible = {
     enable = mkEnableOption "Plausible Analytics";
 
@@ -23,15 +25,18 @@ in {
     };
   };
 
-  config = let
-    db = "plausible";
-  in
+  config =
+    let
+      db = "plausible";
+    in
     mkIf cfg.enable {
       _module.args.libPlausible = {
-        htmlPlausibleScript = {
-          domain ? "$host",
-          src ? "https://${cfg.domain}/js/script.js",
-        }: ''<script defer data-domain="${domain}" src="${src}"></script>'';
+        htmlPlausibleScript =
+          {
+            domain ? "$host",
+            src ? "https://${cfg.domain}/js/script.js",
+          }:
+          ''<script defer data-domain="${domain}" src="${src}"></script>'';
       };
 
       secrets = {
@@ -43,7 +48,7 @@ in {
       nixfiles.modules = {
         nginx = {
           enable = true;
-          upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {};
+          upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = { };
           virtualHosts.${cfg.domain}.locations."/" = {
             proxyPass = "http://plausible";
             proxyWebsockets = true;
@@ -62,7 +67,7 @@ in {
       };
 
       services.postgresql = {
-        ensureDatabases = [db];
+        ensureDatabases = [ db ];
         ensureUsers = [
           {
             name = db;
diff --git a/modules/nixos/podman.nix b/modules/nixos/podman.nix
index 5e369a6..bb4fda5 100644
--- a/modules/nixos/podman.nix
+++ b/modules/nixos/podman.nix
@@ -5,9 +5,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.podman;
-in {
+in
+{
   options.nixfiles.modules.podman.enable = mkEnableOption "Podman";
 
   config = mkIf cfg.enable {
@@ -29,13 +31,13 @@ in {
 
     virtualisation.podman.enable = true;
 
-    environment.systemPackages = with pkgs; [podman-compose];
+    environment.systemPackages = with pkgs; [ podman-compose ];
 
-    my.extraGroups = ["podman"];
+    my.extraGroups = [ "podman" ];
 
     hm.xdg.configFile = {
       "containers/registries.conf".source = pkgs.writers.writeTOML "containers-registries.toml" {
-        registries.search.registries = ["docker.io"];
+        registries.search.registries = [ "docker.io" ];
       };
 
       "containers/storage.conf".source = pkgs.writers.writeTOML "containers-storage.toml" {
diff --git a/modules/nixos/postgresql.nix b/modules/nixos/postgresql.nix
index 89b24b8..5081340 100644
--- a/modules/nixos/postgresql.nix
+++ b/modules/nixos/postgresql.nix
@@ -5,9 +5,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.postgresql;
-in {
+in
+{
   options.nixfiles.modules.postgresql = {
     enable = mkEnableOption "PostgreSQL";
 
@@ -19,7 +21,7 @@ in {
 
     extraPostStart = mkOption {
       type = with types; listOf str;
-      default = [];
+      default = [ ];
       description = ''
         Additional post-startup commands.
 
@@ -37,7 +39,7 @@ in {
       }
     ];
 
-    ark.directories = [config.services.postgresql.dataDir];
+    ark.directories = [ config.services.postgresql.dataDir ];
 
     services = {
       postgresql = {
@@ -72,21 +74,25 @@ in {
       };
     };
 
-    systemd.services.postgresql.postStart = optionalString (cfg.extraPostStart != []) concatLines cfg.extraPostStart;
+    systemd.services.postgresql.postStart = optionalString (
+      cfg.extraPostStart != [ ]
+    ) concatLines cfg.extraPostStart;
 
-    environment.sessionVariables.PSQLRC = toString (pkgs.writeText "psqlrc" ''
-      \set QUIET 1
+    environment.sessionVariables.PSQLRC = toString (
+      pkgs.writeText "psqlrc" ''
+        \set QUIET 1
 
-      \timing
-      \x auto
-      \pset null '[NULL]'
-      \set PROMPT1 '%[%033[1m%]%M %n@%/%R%[%033[0m%]% λ '
-      \set PROMPT2 '    … > '
-      \set VERBOSITY verbose
-      \set HISTCONTROL ignoredups
-      \set HISTFILE /dev/null
+        \timing
+        \x auto
+        \pset null '[NULL]'
+        \set PROMPT1 '%[%033[1m%]%M %n@%/%R%[%033[0m%]% λ '
+        \set PROMPT2 '    … > '
+        \set VERBOSITY verbose
+        \set HISTCONTROL ignoredups
+        \set HISTFILE /dev/null
 
-      \unset QUIET
-    '');
+        \unset QUIET
+      ''
+    );
   };
 }
diff --git a/modules/nixos/profiles/default.nix b/modules/nixos/profiles/default.nix
index 2027758..93c46e3 100644
--- a/modules/nixos/profiles/default.nix
+++ b/modules/nixos/profiles/default.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.profiles.default;
-in {
+in
+{
   imports = [
     ./dev
     ./headful.nix
@@ -14,7 +16,7 @@ in {
   ];
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/log"];
+    ark.directories = [ "/var/log" ];
 
     programs.less = {
       enable = true;
diff --git a/modules/nixos/profiles/dev/containers.nix b/modules/nixos/profiles/dev/containers.nix
index 67754c0..d2a7d62 100644
--- a/modules/nixos/profiles/dev/containers.nix
+++ b/modules/nixos/profiles/dev/containers.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.profiles.dev.containers;
-in {
+in
+{
   config = mkIf cfg.enable {
     nixfiles.modules = {
       common.shell.aliases.b = "buildah";
@@ -17,10 +19,10 @@ in {
       home = {
         sessionVariables.MINIKUBE_HOME = "${config.dirs.config}/minikube";
 
-        packages = with pkgs; [buildah];
+        packages = with pkgs; [ buildah ];
       };
 
-      xdg.dataFile."minikube/config/config.json".text = generators.toJSON {} {
+      xdg.dataFile."minikube/config/config.json".text = generators.toJSON { } {
         config.Rootless = true;
         driver = "podman";
         container-runtime = "cri-o";
diff --git a/modules/nixos/profiles/dev/default.nix b/modules/nixos/profiles/dev/default.nix
index 5253e95..d2411ea 100644
--- a/modules/nixos/profiles/dev/default.nix
+++ b/modules/nixos/profiles/dev/default.nix
@@ -4,12 +4,12 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.profiles.dev;
-in {
-  imports = [
-    ./containers.nix
-  ];
+in
+{
+  imports = [ ./containers.nix ];
 
   config = mkIf cfg.enable {
     hm.home.language = {
diff --git a/modules/nixos/profiles/headful.nix b/modules/nixos/profiles/headful.nix
index d8e1699..8206aa8 100644
--- a/modules/nixos/profiles/headful.nix
+++ b/modules/nixos/profiles/headful.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.profiles.headful;
-in {
+in
+{
   config = mkIf cfg.enable {
     nixfiles.modules = {
       chromium.enable = true;
@@ -77,7 +79,7 @@ in {
       psd.enable = true;
     };
 
-    environment.systemPackages = with pkgs; [lm_sensors];
+    environment.systemPackages = with pkgs; [ lm_sensors ];
 
     my.extraGroups = [
       "audio"
diff --git a/modules/nixos/profiles/headless.nix b/modules/nixos/profiles/headless.nix
index d1fcfa4..f3f3572 100644
--- a/modules/nixos/profiles/headless.nix
+++ b/modules/nixos/profiles/headless.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.profiles.headless;
-in {
+in
+{
   config = mkIf cfg.enable {
     nixfiles.modules = {
       openssh.server.enable = true;
@@ -33,7 +35,7 @@ in {
 
       optimise = {
         automatic = true;
-        dates = ["daily"];
+        dates = [ "daily" ];
       };
     };
 
diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix
index 0320e82..9f28cd5 100644
--- a/modules/nixos/prometheus.nix
+++ b/modules/nixos/prometheus.nix
@@ -4,9 +4,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.prometheus;
-in {
+in
+{
   options.nixfiles.modules.prometheus = {
     enable = mkEnableOption "Prometheus";
 
@@ -26,7 +28,7 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      upstreams.prometheus.servers."127.0.0.1:${toString cfg.port}" = {};
+      upstreams.prometheus.servers."127.0.0.1:${toString cfg.port}" = { };
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://prometheus";
         extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/promtail.nix b/modules/nixos/promtail.nix
index 28dc897..65d88d4 100644
--- a/modules/nixos/promtail.nix
+++ b/modules/nixos/promtail.nix
@@ -4,9 +4,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.promtail;
-in {
+in
+{
   options.nixfiles.modules.promtail = {
     enable = mkEnableOption "Promtail";
 
@@ -25,7 +27,7 @@ in {
     filters = mkOption {
       description = ''Filters to use with "scrape_config.pipeline_stages".'';
       type = with types; listOf attrs;
-      default = [];
+      default = [ ];
     };
   };
 
@@ -64,60 +66,63 @@ in {
             job_name = "journal";
             journal.max_age = "24h";
             relabel_configs =
-              map (n: let
-                label = toLower n;
-              in {
-                source_labels = ["__journal_${label}"];
-                target_label =
-                  if hasPrefix "_" label
-                  then substring 1 (stringLength label - 1) label
-                  else label;
-              }) [
-                # Derived from systemd.journal fields[1].
-                #
-                # [1]: https://github.com/coreos/go-systemd/blob/main/sdjournal/journal.go#L335
-                # [1]: https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
+              map
+                (
+                  n:
+                  let
+                    label = toLower n;
+                  in
+                  {
+                    source_labels = [ "__journal_${label}" ];
+                    target_label = if hasPrefix "_" label then substring 1 (stringLength label - 1) label else label;
+                  }
+                )
+                [
+                  # Derived from systemd.journal fields[1].
+                  #
+                  # [1]: https://github.com/coreos/go-systemd/blob/main/sdjournal/journal.go#L335
+                  # [1]: https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
 
-                "MESSAGE"
-                # "MESSAGE_ID"
-                "PRIORITY"
-                # "CODE_FILE"
-                # "CODE_LINE"
-                # "CODE_FUNC"
-                # "ERRNO"
-                "SYSLOG_FACILITY"
-                "SYSLOG_IDENTIFIER"
-                # "SYSLOG_PID"
-                # "_PID"
-                # "_UID"
-                # "_GID"
-                # "_COMM"
-                # "_EXE"
-                "_CMDLINE"
-                # "_CAP_EFFECTIVE"
-                # "_AUDIT_SESSION"
-                # "_AUDIT_LOGINUID"
-                # "_SYSTEMD_CGROUP"
-                # "_SYSTEMD_SESSION"
-                # "_SYSTEMD_UNIT"
-                # "_SYSTEMD_USER_UNIT"
-                # "_SYSTEMD_OWNER_UID"
-                # "_SYSTEMD_SLICE"
-                # "_SELINUX_CONTEXT"
-                # "_SOURCE_REALTIME_TIMESTAMP"
-                # "_BOOT_ID"
-                # "_MACHINE_ID"
-                "_HOSTNAME"
-                # "_TRANSPORT"
-                # "__CURSOR"
-                # "__REALTIME_TIMESTAMP"
-                # "__MONOTONIC_TIMESTAMP"
-              ]
+                  "MESSAGE"
+                  # "MESSAGE_ID"
+                  "PRIORITY"
+                  # "CODE_FILE"
+                  # "CODE_LINE"
+                  # "CODE_FUNC"
+                  # "ERRNO"
+                  "SYSLOG_FACILITY"
+                  "SYSLOG_IDENTIFIER"
+                  # "SYSLOG_PID"
+                  # "_PID"
+                  # "_UID"
+                  # "_GID"
+                  # "_COMM"
+                  # "_EXE"
+                  "_CMDLINE"
+                  # "_CAP_EFFECTIVE"
+                  # "_AUDIT_SESSION"
+                  # "_AUDIT_LOGINUID"
+                  # "_SYSTEMD_CGROUP"
+                  # "_SYSTEMD_SESSION"
+                  # "_SYSTEMD_UNIT"
+                  # "_SYSTEMD_USER_UNIT"
+                  # "_SYSTEMD_OWNER_UID"
+                  # "_SYSTEMD_SLICE"
+                  # "_SELINUX_CONTEXT"
+                  # "_SOURCE_REALTIME_TIMESTAMP"
+                  # "_BOOT_ID"
+                  # "_MACHINE_ID"
+                  "_HOSTNAME"
+                  # "_TRANSPORT"
+                  # "__CURSOR"
+                  # "__REALTIME_TIMESTAMP"
+                  # "__MONOTONIC_TIMESTAMP"
+                ]
               ++ [
                 {
                   # This is weird. I can't find where is this defined in the
                   # source code but apparently it exists.
-                  source_labels = ["__journal_priority_keyword"];
+                  source_labels = [ "__journal_priority_keyword" ];
                   target_label = "level";
                 }
               ];
diff --git a/modules/nixos/psd.nix b/modules/nixos/psd.nix
index eb5a1a8..f974af2 100644
--- a/modules/nixos/psd.nix
+++ b/modules/nixos/psd.nix
@@ -4,15 +4,16 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.psd;
-in {
-  options.nixfiles.modules.psd.enable =
-    mkEnableOption "Profile Sync Daemon";
+in
+{
+  options.nixfiles.modules.psd.enable = mkEnableOption "Profile Sync Daemon";
 
   config = mkIf cfg.enable {
     hm = {
-      home.packages = with pkgs; [profile-sync-daemon];
+      home.packages = with pkgs; [ profile-sync-daemon ];
 
       xdg.configFile."psd/psd.conf".text = ''
         USE_OVERLAYFS="yes"
@@ -20,40 +21,42 @@ in {
     };
 
     systemd.user = {
-      services = let
-        exe = getExe' pkgs.profile-sync-daemon "profile-sync-daemon";
-      in {
-        psd = {
-          unitConfig = {
-            Description = "Profile-sync-daemon";
-            Wants = ["psd-resync.service"];
-            RequiresMountsFor = "/home/";
-            After = ["local-fs.target"];
-          };
-          serviceConfig = {
-            RemainAfterExit = true;
-            ExecStart = "${exe} startup";
-            ExecStop = "${exe} unsync";
+      services =
+        let
+          exe = getExe' pkgs.profile-sync-daemon "profile-sync-daemon";
+        in
+        {
+          psd = {
+            unitConfig = {
+              Description = "Profile-sync-daemon";
+              Wants = [ "psd-resync.service" ];
+              RequiresMountsFor = "/home/";
+              After = [ "local-fs.target" ];
+            };
+            serviceConfig = {
+              RemainAfterExit = true;
+              ExecStart = "${exe} startup";
+              ExecStop = "${exe} unsync";
+            };
+            wantedBy = [ "graphical.target" ];
           };
-          wantedBy = ["graphical.target"];
-        };
 
-        psd-resync = {
-          unitConfig = {
-            Description = "Profile-sync-daemon resync";
-            After = ["psd.service"];
-            Wants = ["psd-resync.timer"];
-            BindsTo = ["psd.service"];
+          psd-resync = {
+            unitConfig = {
+              Description = "Profile-sync-daemon resync";
+              After = [ "psd.service" ];
+              Wants = [ "psd-resync.timer" ];
+              BindsTo = [ "psd.service" ];
+            };
+            serviceConfig.ExecStart = "${exe} resync";
+            wantedBy = [ "graphical.target" ];
           };
-          serviceConfig.ExecStart = "${exe} resync";
-          wantedBy = ["graphical.target"];
         };
-      };
 
       timers.psd-resync = {
         unitConfig = {
           Description = "Profile-sync-daemon resync timer";
-          BindsTo = ["psd.service"];
+          BindsTo = [ "psd.service" ];
         };
         timerConfig.OnUnitActiveSec = "1h";
       };
diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix
index 72abfac..9e4e13f 100644
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@@ -4,9 +4,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.radarr;
-in {
+in
+{
   options.nixfiles.modules.radarr = {
     enable = mkEnableOption "Radarr";
 
@@ -18,11 +20,11 @@ in {
   };
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/radarr"];
+    ark.directories = [ "/var/lib/radarr" ];
 
     nixfiles.modules.nginx = {
       enable = true;
-      upstreams.radarr.servers."127.0.0.1:7878" = {};
+      upstreams.radarr.servers."127.0.0.1:7878" = { };
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://radarr";
         extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/radicale.nix b/modules/nixos/radicale.nix
index 588ed51..59fb4a2 100644
--- a/modules/nixos/radicale.nix
+++ b/modules/nixos/radicale.nix
@@ -5,9 +5,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.radicale;
-in {
+in
+{
   options.nixfiles.modules.radicale = {
     enable = mkEnableOption "Radicale";
 
@@ -18,11 +20,12 @@ in {
     };
   };
 
-  config = let
-    port = 5232;
-  in
+  config =
+    let
+      port = 5232;
+    in
     mkIf cfg.enable {
-      ark.directories = ["/var/lib/radicale"];
+      ark.directories = [ "/var/lib/radicale" ];
 
       secrets.radicale-htpasswd = {
         file = "${inputs.self}/secrets/radicale-htpasswd";
@@ -32,7 +35,7 @@ in {
 
       nixfiles.modules.nginx = {
         enable = true;
-        upstreams.radicale.servers."127.0.0.1:${toString port}" = {};
+        upstreams.radicale.servers."127.0.0.1:${toString port}" = { };
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://radicale";
           extraConfig = libNginx.config.internalOnly;
@@ -42,7 +45,7 @@ in {
       services.radicale = {
         enable = true;
         settings = {
-          server.hosts = ["127.0.0.1:${toString port}"];
+          server.hosts = [ "127.0.0.1:${toString port}" ];
           web.type = "none";
           auth = {
             type = "htpasswd";
diff --git a/modules/nixos/redis.nix b/modules/nixos/redis.nix
index ca25101..e2151c7 100644
--- a/modules/nixos/redis.nix
+++ b/modules/nixos/redis.nix
@@ -4,13 +4,15 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.redis;
-in {
+in
+{
   options.nixfiles.modules.redis.enable = mkEnableOption "Redis";
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/redis-default"];
+    ark.directories = [ "/var/lib/redis-default" ];
 
     services = {
       redis = {
diff --git a/modules/nixos/rss-bridge.nix b/modules/nixos/rss-bridge.nix
index 486f2bf..de1d6b6 100644
--- a/modules/nixos/rss-bridge.nix
+++ b/modules/nixos/rss-bridge.nix
@@ -4,9 +4,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.rss-bridge;
-in {
+in
+{
   options.nixfiles.modules.rss-bridge = {
     enable = mkEnableOption "RSS-Bridge";
 
@@ -18,7 +20,7 @@ in {
   };
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/rss-bridge"];
+    ark.directories = [ "/var/lib/rss-bridge" ];
 
     nixfiles.modules.nginx = {
       enable = true;
@@ -28,7 +30,7 @@ in {
     services.rss-bridge = {
       enable = true;
       virtualHost = cfg.domain;
-      whitelist = ["*"];
+      whitelist = [ "*" ];
     };
   };
 }
diff --git a/modules/nixos/rtorrent.nix b/modules/nixos/rtorrent.nix
index c39f306..82ef1b2 100644
--- a/modules/nixos/rtorrent.nix
+++ b/modules/nixos/rtorrent.nix
@@ -5,14 +5,18 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.rtorrent;
-in {
+in
+{
   options.nixfiles.modules.rtorrent = {
     enable = mkEnableOption "rTorrent";
 
     flood = {
-      enable = mkEnableOption "Flood" // {default = cfg.enable;};
+      enable = mkEnableOption "Flood" // {
+        default = cfg.enable;
+      };
 
       domain = mkOption {
         description = "Domain name sans protocol scheme.";
@@ -22,202 +26,223 @@ in {
     };
   };
 
-  config = let
-    user = "rtorrent";
-    group = "rtorrent";
-    baseDir = "/var/lib/rtorrent";
-    rpcSocket = "${baseDir}/rpc.socket";
-  in
+  config =
+    let
+      user = "rtorrent";
+      group = "rtorrent";
+      baseDir = "/var/lib/rtorrent";
+      rpcSocket = "${baseDir}/rpc.socket";
+    in
     mkIf cfg.enable (mkMerge [
-      (let
-        port = 50000;
-      in {
-        ark.directories = [baseDir];
-
-        systemd = {
-          services.rtorrent = {
-            description = "rTorrent";
-            after = ["network.target" "local-fs.target"];
-            serviceConfig = let
-              leechDir = "${baseDir}/leech";
-              seedDir = "${baseDir}/seed";
-              sessionDir = "${baseDir}/session";
-              logDir = "${baseDir}/log";
-              configFile = let
-                moveCompleted = getExe (pkgs.writeShellApplication {
-                  name = "move-completed";
-                  runtimeInputs = with pkgs; [
-                    coreutils-full
-                    gnused
-                    findutils
+      (
+        let
+          port = 50000;
+        in
+        {
+          ark.directories = [ baseDir ];
+
+          systemd = {
+            services.rtorrent = {
+              description = "rTorrent";
+              after = [
+                "network.target"
+                "local-fs.target"
+              ];
+              serviceConfig =
+                let
+                  leechDir = "${baseDir}/leech";
+                  seedDir = "${baseDir}/seed";
+                  sessionDir = "${baseDir}/session";
+                  logDir = "${baseDir}/log";
+                  configFile =
+                    let
+                      moveCompleted = getExe (
+                        pkgs.writeShellApplication {
+                          name = "move-completed";
+                          runtimeInputs = with pkgs; [
+                            coreutils-full
+                            gnused
+                            findutils
+                          ];
+                          text = ''
+                            set -x
+
+                            leech_path="$1"
+                            seed_path="$2"
+                            # seed_path="$(echo "$2" | sed 's@+@ @g;s@%@\\x@g' | xargs -0 printf '%b')"
+
+                            mkdir -pv "$seed_path"
+                            mv -fv "$leech_path" "$seed_path"
+                          '';
+                        }
+                      );
+                    in
+                    pkgs.writeText "rtorrent.rc" ''
+                      method.insert = cfg.leech,     private|const|string, (cat, "${leechDir}")
+                      method.insert = cfg.seed,      private|const|string, (cat, "${seedDir}")
+                      method.insert = cfg.session,   private|const|string, (cat, "${sessionDir}")
+                      method.insert = cfg.log,       private|const|string, (cat, "${logDir}")
+                      method.insert = cfg.rpcsocket, private|const|string, (cat, "${rpcSocket}")
+
+                      directory.default.set = (cat, (cfg.leech))
+                      session.path.set = (cat, (cfg.session))
+
+                      network.port_range.set = ${toString port}-${toString port}
+                      network.port_random.set = no
+
+                      dht.mode.set = disable
+                      protocol.pex.set = no
+
+                      trackers.use_udp.set = no
+
+                      protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
+
+                      pieces.memory.max.set = ${toString (pow 2 11)}M
+                      pieces.preload.type.set = 2
+
+                      network.xmlrpc.size_limit.set = ${toString (pow 2 17)}
+
+                      network.max_open_files.set   = ${toString (pow 2 10)}
+                      network.max_open_sockets.set = ${toString (pow 2 10)}
+
+                      network.http.max_open.set = ${toString (pow 2 8)}
+
+                      throttle.global_down.max_rate.set_kb = 0
+                      throttle.global_up.max_rate.set_kb   = 0
+
+                      encoding.add = UTF-8
+                      system.umask.set = 0027
+                      system.cwd.set = (directory.default)
+
+                      network.scgi.open_local = (cat, (cfg.rpcsocket))
+
+                      method.insert = d.move_completed, simple, "\
+                        d.directory.set=$argument.1=;\
+                        execute=${moveCompleted}, $argument.0=, $argument.1=;\
+                        d.save_full_session=\
+                      "
+                      method.insert = d.leech_path, simple, "\
+                        if=(d.is_multi_file),\
+                        (cat, (d.directory), /),\
+                        (cat, (d.directory), /, (d.name))\
+                      "
+                      method.insert = d.seed_path, simple, "\
+                        cat=$cfg.seed=, /, $d.custom1=\
+                      "
+                      method.set_key = event.download.finished, move_complete, "\
+                        d.move_completed=$d.leech_path=, $d.seed_path=\
+                      "
+
+                      log.open_file = "log", (cat, (cfg.log), "/", "default.log")
+                      log.add_output = "info", "log"
+                      log.execute = (cat, (cfg.log), "/", "execute.log")
+                    '';
+                in
+                {
+                  Restart = "on-failure";
+                  RestartSec = 3;
+
+                  KillMode = "process";
+                  KillSignal = "SIGHUP";
+
+                  User = user;
+                  Group = group;
+
+                  ExecStartPre = concatStringsSep " " [
+                    "${pkgs.coreutils-full}/bin/mkdir -p"
+                    leechDir
+                    seedDir
+                    sessionDir
+                    logDir
+                  ];
+                  ExecStart = concatStringsSep " " [
+                    (getExe pkgs.rtorrent)
+                    "-n"
+                    "-o system.daemon.set=true"
+                    "-o network.bind_address.set=0.0.0.0"
+                    "-o import=${configFile}"
+                  ];
+                  ExecStop = concatStringsSep " " [
+                    "${pkgs.coreutils-full}/bin/rm -rf"
+                    rpcSocket
                   ];
-                  text = ''
-                    set -x
-
-                    leech_path="$1"
-                    seed_path="$2"
-                    # seed_path="$(echo "$2" | sed 's@+@ @g;s@%@\\x@g' | xargs -0 printf '%b')"
-
-                    mkdir -pv "$seed_path"
-                    mv -fv "$leech_path" "$seed_path"
-                  '';
-                });
-              in
-                pkgs.writeText "rtorrent.rc" ''
-                  method.insert = cfg.leech,     private|const|string, (cat, "${leechDir}")
-                  method.insert = cfg.seed,      private|const|string, (cat, "${seedDir}")
-                  method.insert = cfg.session,   private|const|string, (cat, "${sessionDir}")
-                  method.insert = cfg.log,       private|const|string, (cat, "${logDir}")
-                  method.insert = cfg.rpcsocket, private|const|string, (cat, "${rpcSocket}")
-
-                  directory.default.set = (cat, (cfg.leech))
-                  session.path.set = (cat, (cfg.session))
-
-                  network.port_range.set = ${toString port}-${toString port}
-                  network.port_random.set = no
-
-                  dht.mode.set = disable
-                  protocol.pex.set = no
-
-                  trackers.use_udp.set = no
-
-                  protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
-
-                  pieces.memory.max.set = ${toString (pow 2 11)}M
-                  pieces.preload.type.set = 2
-
-                  network.xmlrpc.size_limit.set = ${toString (pow 2 17)}
-
-                  network.max_open_files.set   = ${toString (pow 2 10)}
-                  network.max_open_sockets.set = ${toString (pow 2 10)}
-
-                  network.http.max_open.set = ${toString (pow 2 8)}
-
-                  throttle.global_down.max_rate.set_kb = 0
-                  throttle.global_up.max_rate.set_kb   = 0
-
-                  encoding.add = UTF-8
-                  system.umask.set = 0027
-                  system.cwd.set = (directory.default)
-
-                  network.scgi.open_local = (cat, (cfg.rpcsocket))
-
-                  method.insert = d.move_completed, simple, "\
-                    d.directory.set=$argument.1=;\
-                    execute=${moveCompleted}, $argument.0=, $argument.1=;\
-                    d.save_full_session=\
-                  "
-                  method.insert = d.leech_path, simple, "\
-                    if=(d.is_multi_file),\
-                    (cat, (d.directory), /),\
-                    (cat, (d.directory), /, (d.name))\
-                  "
-                  method.insert = d.seed_path, simple, "\
-                    cat=$cfg.seed=, /, $d.custom1=\
-                  "
-                  method.set_key = event.download.finished, move_complete, "\
-                    d.move_completed=$d.leech_path=, $d.seed_path=\
-                  "
-
-                  log.open_file = "log", (cat, (cfg.log), "/", "default.log")
-                  log.add_output = "info", "log"
-                  log.execute = (cat, (cfg.log), "/", "execute.log")
-                '';
-            in {
-              Restart = "on-failure";
-              RestartSec = 3;
-
-              KillMode = "process";
-              KillSignal = "SIGHUP";
 
-              User = user;
-              Group = group;
+                  RuntimeDirectory = "rtorrent";
+                  RuntimeDirectoryMode = 750;
+                  UMask = 27;
+                  AmbientCapabilities = [ "" ];
+                  CapabilityBoundingSet = [ "" ];
+                  LockPersonality = true;
+                  MemoryDenyWriteExecute = true;
+                  NoNewPrivileges = true;
+                  PrivateDevices = true;
+                  PrivateTmp = true;
+                  PrivateUsers = true;
+                  ProtectClock = true;
+                  ProtectControlGroups = true;
+                  ProtectHome = true;
+                  ProtectHostname = true;
+                  ProtectKernelLogs = true;
+                  ProtectKernelModules = true;
+                  ProtectKernelTunables = true;
+                  ProcSubset = "pid";
+                  RemoveIPC = true;
+                  RestrictAddressFamilies = [
+                    "AF_UNIX"
+                    "AF_INET"
+                    "AF_INET6"
+                  ];
+                  RestrictNamespaces = true;
+                  RestrictRealtime = true;
+                  RestrictSUIDSGID = true;
+                  SystemCallArchitectures = "native";
+                  SystemCallFilter = [
+                    "@system-service"
+                    "~@resources"
+                    "~@privileged"
+                  ];
+                };
+              wantedBy = [ "multi-user.target" ];
+            };
 
-              ExecStartPre = concatStringsSep " " [
-                "${pkgs.coreutils-full}/bin/mkdir -p"
-                leechDir
-                seedDir
-                sessionDir
-                logDir
-              ];
-              ExecStart = concatStringsSep " " [
-                (getExe pkgs.rtorrent)
-                "-n"
-                "-o system.daemon.set=true"
-                "-o network.bind_address.set=0.0.0.0"
-                "-o import=${configFile}"
-              ];
-              ExecStop = concatStringsSep " " [
-                "${pkgs.coreutils-full}/bin/rm -rf"
-                rpcSocket
-              ];
+            tmpfiles.rules = [ "d '${baseDir}' 0750 ${user} ${group} -" ];
+          };
 
-              RuntimeDirectory = "rtorrent";
-              RuntimeDirectoryMode = 0750;
-              UMask = 0027;
-              AmbientCapabilities = [""];
-              CapabilityBoundingSet = [""];
-              LockPersonality = true;
-              MemoryDenyWriteExecute = true;
-              NoNewPrivileges = true;
-              PrivateDevices = true;
-              PrivateTmp = true;
-              PrivateUsers = true;
-              ProtectClock = true;
-              ProtectControlGroups = true;
-              ProtectHome = true;
-              ProtectHostname = true;
-              ProtectKernelLogs = true;
-              ProtectKernelModules = true;
-              ProtectKernelTunables = true;
-              ProcSubset = "pid";
-              RemoveIPC = true;
-              RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
-              RestrictNamespaces = true;
-              RestrictRealtime = true;
-              RestrictSUIDSGID = true;
-              SystemCallArchitectures = "native";
-              SystemCallFilter = ["@system-service" "~@resources" "~@privileged"];
+          users = {
+            users.${user} = {
+              inherit group;
+              shell = pkgs.bashInteractive;
+              home = baseDir;
+              description = "rTorrent";
+              isSystemUser = true;
             };
-            wantedBy = ["multi-user.target"];
+            groups.${group} = { };
           };
-
-          tmpfiles.rules = ["d '${baseDir}' 0750 ${user} ${group} -"];
-        };
-
-        users = {
-          users.${user} = {
-            inherit group;
-            shell = pkgs.bashInteractive;
-            home = baseDir;
-            description = "rTorrent";
-            isSystemUser = true;
+          my.extraGroups = [ group ];
+
+          networking.firewall.allowedTCPPorts = [ port ];
+
+          boot.kernel.sysctl = {
+            "net.core.rmem_max" = mkOverride 500 (pow 2 24);
+            "net.core.wmem_max" = mkOverride 500 (pow 2 24);
+            "net.ipv4.tcp_fin_timeout" = mkOverride 500 30;
+            "net.ipv4.tcp_rmem" = mkOverride 500 (mkTcpMem 12 23 24);
+            "net.ipv4.tcp_slow_start_after_idle" = 0;
+            "net.ipv4.tcp_tw_recycle" = mkOverride 500 1;
+            "net.ipv4.tcp_tw_reuse" = mkOverride 500 1;
+            "net.ipv4.tcp_wmem" = mkOverride 500 (mkTcpMem 12 23 24);
           };
-          groups.${group} = {};
-        };
-        my.extraGroups = [group];
-
-        networking.firewall.allowedTCPPorts = [port];
-
-        boot.kernel.sysctl = {
-          "net.core.rmem_max" = mkOverride 500 (pow 2 24);
-          "net.core.wmem_max" = mkOverride 500 (pow 2 24);
-          "net.ipv4.tcp_fin_timeout" = mkOverride 500 30;
-          "net.ipv4.tcp_rmem" = mkOverride 500 (mkTcpMem 12 23 24);
-          "net.ipv4.tcp_slow_start_after_idle" = 0;
-          "net.ipv4.tcp_tw_recycle" = mkOverride 500 1;
-          "net.ipv4.tcp_tw_reuse" = mkOverride 500 1;
-          "net.ipv4.tcp_wmem" = mkOverride 500 (mkTcpMem 12 23 24);
-        };
-      })
-      (let
-        port = 50001;
-        pkg = pkgs.nodePackages.flood;
-      in
+        }
+      )
+      (
+        let
+          port = 50001;
+          pkg = pkgs.nodePackages.flood;
+        in
         mkIf cfg.flood.enable {
           nixfiles.modules.nginx = {
             enable = true;
-            upstreams.flood.servers."127.0.0.1:${toString port}" = {};
+            upstreams.flood.servers."127.0.0.1:${toString port}" = { };
             virtualHosts.${cfg.flood.domain} = {
               root = "${pkg}/lib/node_modules/flood/dist/assets";
               locations = {
@@ -233,8 +258,11 @@ in {
 
           systemd.services.flood = {
             description = "Flood";
-            after = ["network.target" "rtorrent.service"];
-            path = with pkgs; [mediainfo];
+            after = [
+              "network.target"
+              "rtorrent.service"
+            ];
+            path = with pkgs; [ mediainfo ];
             serviceConfig = {
               Restart = "on-failure";
               RestartSec = 3;
@@ -255,10 +283,10 @@ in {
               ];
 
               RuntimeDirectory = "rtorrent";
-              RuntimeDirectoryMode = 0750;
-              UMask = 0027;
-              AmbientCapabilities = [""];
-              CapabilityBoundingSet = [""];
+              RuntimeDirectoryMode = 750;
+              UMask = 27;
+              AmbientCapabilities = [ "" ];
+              CapabilityBoundingSet = [ "" ];
               LockPersonality = true;
               NoNewPrivileges = true;
               PrivateDevices = true;
@@ -274,7 +302,11 @@ in {
               ProcSubset = "pid";
               ProtectProc = "invisible";
               RemoveIPC = true;
-              RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+              RestrictAddressFamilies = [
+                "AF_UNIX"
+                "AF_INET"
+                "AF_INET6"
+              ];
               RestrictNamespaces = true;
               RestrictRealtime = true;
               RestrictSUIDSGID = true;
@@ -288,8 +320,9 @@ in {
                 "~@resources"
               ];
             };
-            wantedBy = ["multi-user.target"];
+            wantedBy = [ "multi-user.target" ];
           };
-        })
+        }
+      )
     ]);
 }
diff --git a/modules/nixos/searx.nix b/modules/nixos/searx.nix
index 5c37f58..de51a20 100644
--- a/modules/nixos/searx.nix
+++ b/modules/nixos/searx.nix
@@ -5,9 +5,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.searx;
-in {
+in
+{
   options.nixfiles.modules.searx = {
     enable = mkEnableOption "SearX";
 
@@ -33,7 +35,7 @@ in {
 
     nixfiles.modules.nginx = {
       enable = true;
-      upstreams.searx.servers."127.0.0.1:${toString cfg.port}" = {};
+      upstreams.searx.servers."127.0.0.1:${toString cfg.port}" = { };
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://searx";
         extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/shadowsocks.nix b/modules/nixos/shadowsocks.nix
index 69688da..670faec 100644
--- a/modules/nixos/shadowsocks.nix
+++ b/modules/nixos/shadowsocks.nix
@@ -5,9 +5,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.shadowsocks;
-in {
+in
+{
   options.nixfiles.modules.shadowsocks = {
     enable = mkEnableOption "Shadowsocks";
 
@@ -31,61 +33,65 @@ in {
 
     systemd.services.shadowsocks = {
       description = "Shadowsocks";
-      after = ["network.target"];
-      wantedBy = ["multi-user.target"];
+      after = [ "network.target" ];
+      wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         DynamicUser = true;
         RuntimeDirectory = "shadowsocks";
         LoadCredential = "secret.json:${config.secrets.shadowsocks-json.path}";
-        ExecStartPre = let
-          mergeJson = let
-            configFile = pkgs.writeText "config.json" (generators.toJSON {} {
-              server = "::";
-              server_port = cfg.port;
-              # Can't really use AEAD-2022[1] just yet because it's not
-              # supported by some[2] clients.
-              #
-              # [1]: https://shadowsocks.org/doc/sip022.html
-              # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480
-              # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448
-              # method = "2022-blake3-chacha20-poly1305";
-              method = "chacha20-ietf-poly1305";
-              password = null; # Must be set as a secret.
-              users = null; # Muse be set as a secret.
-              fast_open = true;
-              acl = pkgs.writeText "block-internal-access.acl" ''
-                [outbound_block_list]
-                0.0.0.0/8
-                10.0.0.0/8
-                100.64.0.0/10
-                127.0.0.0/8
-                169.254.0.0/16
-                172.16.0.0/12
-                192.0.0.0/24
-                192.0.2.0/24
-                192.88.99.0/24
-                192.168.0.0/16
-                198.18.0.0/15
-                198.51.100.0/24
-                203.0.113.0/24
-                224.0.0.0/4
-                240.0.0.0/4
-                255.255.255.255/32
-                ::1/128
-                ::ffff:127.0.0.1/104
-                fc00::/7
-                fe80::/10
+        ExecStartPre =
+          let
+            mergeJson =
+              let
+                configFile = pkgs.writeText "config.json" (
+                  generators.toJSON { } {
+                    server = "::";
+                    server_port = cfg.port;
+                    # Can't really use AEAD-2022[1] just yet because it's not
+                    # supported by some[2] clients.
+                    #
+                    # [1]: https://shadowsocks.org/doc/sip022.html
+                    # [2]: https://github.com/shadowsocks/ShadowsocksX-NG/issues/1480
+                    # [2]: https://github.com/shadowsocks/shadowsocks-windows/issues/3448
+                    # method = "2022-blake3-chacha20-poly1305";
+                    method = "chacha20-ietf-poly1305";
+                    password = null; # Must be set as a secret.
+                    users = null; # Muse be set as a secret.
+                    fast_open = true;
+                    acl = pkgs.writeText "block-internal-access.acl" ''
+                      [outbound_block_list]
+                      0.0.0.0/8
+                      10.0.0.0/8
+                      100.64.0.0/10
+                      127.0.0.0/8
+                      169.254.0.0/16
+                      172.16.0.0/12
+                      192.0.0.0/24
+                      192.0.2.0/24
+                      192.88.99.0/24
+                      192.168.0.0/16
+                      198.18.0.0/15
+                      198.51.100.0/24
+                      203.0.113.0/24
+                      224.0.0.0/4
+                      240.0.0.0/4
+                      255.255.255.255/32
+                      ::1/128
+                      ::ffff:127.0.0.1/104
+                      fc00::/7
+                      fe80::/10
+                    '';
+                  }
+                );
+              in
+              pkgs.writeShellScript "meregeJson" ''
+                ${getExe pkgs.jq} \
+                  -s '.[0] * .[1]' \
+                  ${configFile} \
+                  $CREDENTIALS_DIRECTORY/secret.json \
+                  >$RUNTIME_DIRECTORY/config.json
               '';
-            });
           in
-            pkgs.writeShellScript "meregeJson" ''
-              ${getExe pkgs.jq} \
-                -s '.[0] * .[1]' \
-                ${configFile} \
-                $CREDENTIALS_DIRECTORY/secret.json \
-                >$RUNTIME_DIRECTORY/config.json
-            '';
-        in
           mergeJson;
         ExecStart = "${pkgs.shadowsocks-rust}/bin/ssserver --config \${RUNTIME_DIRECTORY}/config.json";
       };
@@ -100,7 +106,7 @@ in {
       '';
     };
 
-    networking.firewall.allowedTCPPorts = [cfg.port];
+    networking.firewall.allowedTCPPorts = [ cfg.port ];
 
     # https://github.com/shadowsocks/shadowsocks/wiki/Optimizing-Shadowsocks
     boot.kernel.sysctl = {
diff --git a/modules/nixos/soju.nix b/modules/nixos/soju.nix
index 71dff86..f8212b5 100644
--- a/modules/nixos/soju.nix
+++ b/modules/nixos/soju.nix
@@ -5,9 +5,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.soju;
-in {
+in
+{
   options.nixfiles.modules.soju = {
     enable = mkEnableOption "soju";
 
@@ -30,7 +32,9 @@ in {
     };
 
     prometheus = {
-      enable = mkEnableOption "Prometheus exporter" // {default = true;};
+      enable = mkEnableOption "Prometheus exporter" // {
+        default = true;
+      };
 
       port = mkOption {
         description = "Port.";
@@ -40,9 +44,10 @@ in {
     };
   };
 
-  config = let
-    db = "soju";
-  in
+  config =
+    let
+      db = "soju";
+    in
     mkIf cfg.enable {
       nixfiles.modules = {
         acme.enable = true;
@@ -58,7 +63,7 @@ in {
       };
 
       services.postgresql = {
-        ensureDatabases = [db];
+        ensureDatabases = [ db ];
         ensureUsers = [
           {
             name = db;
@@ -69,41 +74,41 @@ in {
 
       systemd.services.soju = {
         description = "soju IRC bouncer";
-        wantedBy = ["multi-user.target"];
-        wants = ["network-online.target"];
-        requires = ["postgresql.service"];
-        after = ["network-online.target" "postgresql.service"];
+        wantedBy = [ "multi-user.target" ];
+        wants = [ "network-online.target" ];
+        requires = [ "postgresql.service" ];
+        after = [
+          "network-online.target"
+          "postgresql.service"
+        ];
         serviceConfig = {
-          ExecStart = let
-            # https://soju.im/doc/soju.1.html
-            configFile = pkgs.writeText "soju.conf" ''
-              listen ircs://${cfg.address}:${toString cfg.port}
-              tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
-              ${
-                with cfg.prometheus;
-                  optionalString enable
-                  "listen http+prometheus://localhost:${toString port}"
-              }
-              db postgres ${
-                concatStringsSep " " [
-                  "host=/run/postgresql"
-                  "user=${db}"
-                  "dbname=${db}"
-                  "sslmode=disable"
-                ]
-              }
-              hostname ${cfg.domain}
-              title ${cfg.domain}
-            '';
-          in
+          ExecStart =
+            let
+              # https://soju.im/doc/soju.1.html
+              configFile = pkgs.writeText "soju.conf" ''
+                listen ircs://${cfg.address}:${toString cfg.port}
+                tls ${with config.certs.${cfg.domain}; "${directory}/fullchain.pem ${directory}/key.pem"}
+                ${with cfg.prometheus; optionalString enable "listen http+prometheus://localhost:${toString port}"}
+                db postgres ${
+                  concatStringsSep " " [
+                    "host=/run/postgresql"
+                    "user=${db}"
+                    "dbname=${db}"
+                    "sslmode=disable"
+                  ]
+                }
+                hostname ${cfg.domain}
+                title ${cfg.domain}
+              '';
+            in
             concatStringsSep " " [
               (getExe' pkgs.soju "soju")
               "-config ${configFile}"
             ];
           DynamicUser = true;
-          SupplementaryGroups = [config.services.nginx.group];
-          AmbientCapabilities = [""];
-          CapabilityBoundingSet = [""];
+          SupplementaryGroups = [ config.services.nginx.group ];
+          AmbientCapabilities = [ "" ];
+          CapabilityBoundingSet = [ "" ];
           UMask = "0077";
           LockPersonality = true;
           MemoryDenyWriteExecute = true;
@@ -122,12 +127,19 @@ in {
           ProtectProc = "invisible";
           ProcSubset = "pid";
           RemoveIPC = true;
-          RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
+          RestrictAddressFamilies = [
+            "AF_UNIX"
+            "AF_INET"
+            "AF_INET6"
+          ];
           RestrictNamespaces = true;
           RestrictRealtime = true;
           RestrictSUIDSGID = true;
           SystemCallArchitectures = "native";
-          SystemCallFilter = ["@system-service" "~@privileged"];
+          SystemCallFilter = [
+            "@system-service"
+            "~@privileged"
+          ];
         };
       };
     };
diff --git a/modules/nixos/solaar.nix b/modules/nixos/solaar.nix
index ccfff4a..17a04de 100644
--- a/modules/nixos/solaar.nix
+++ b/modules/nixos/solaar.nix
@@ -4,49 +4,59 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.solaar;
-in {
+in
+{
   options.nixfiles.modules.solaar = {
     enable = mkEnableOption "Solaar";
   };
 
   config = mkIf cfg.enable {
     hm = {
-      home.packages = with pkgs; [solaar];
+      home.packages = with pkgs; [ solaar ];
 
       systemd.user.services.solaar = {
         Unit = {
           Description = "Device manager for Logitech devices";
-          After = ["graphical-session-pre.target"];
-          PartOf = ["graphical-session.target"];
+          After = [ "graphical-session-pre.target" ];
+          PartOf = [ "graphical-session.target" ];
         };
         Service = {
           # The dirtiest hack I've ever implemented... I should be ashamed of
           # it. Regardless, that shit still doesn't work because each reconnect,
           # /dev/hidraw* is recreated and has default permissions which breaks
           # Solaar. Fuck this shit.
-          ExecStartPre = getExe (pkgs.writeShellApplication {
-            name = "solaar-pre";
-            text = ''
-              for i in /dev/hidraw*; do
-                if [ -c "$i" ]; then
-                  sudo chown root:input "$i"
-                  sudo chmod 0660 "$i"
-                fi
-              done
-            '';
-          });
+          ExecStartPre = getExe (
+            pkgs.writeShellApplication {
+              name = "solaar-pre";
+              text = ''
+                for i in /dev/hidraw*; do
+                  if [ -c "$i" ]; then
+                    sudo chown root:input "$i"
+                    sudo chmod 0660 "$i"
+                  fi
+                done
+              '';
+            }
+          );
           ExecStart = "${getExe pkgs.solaar "solaar"} --window=hide";
         };
-        Install.WantedBy = ["graphical-session.target"];
+        Install.WantedBy = [ "graphical-session.target" ];
       };
     };
 
-    boot.kernelModules = ["hid_logitech_dj" "hid_logitech_hidpp"];
+    boot.kernelModules = [
+      "hid_logitech_dj"
+      "hid_logitech_hidpp"
+    ];
 
     hardware.uinput.enable = true;
 
-    my.extraGroups = ["uinput" "input"];
+    my.extraGroups = [
+      "uinput"
+      "input"
+    ];
   };
 }
diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix
index 5cd8931..b11dda0 100644
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@@ -4,9 +4,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.sonarr;
-in {
+in
+{
   options.nixfiles.modules.sonarr = {
     enable = mkEnableOption "Sonarr";
 
@@ -18,11 +20,11 @@ in {
   };
 
   config = mkIf cfg.enable {
-    ark.directories = ["/var/lib/sonarr"];
+    ark.directories = [ "/var/lib/sonarr" ];
 
     nixfiles.modules.nginx = {
       enable = true;
-      upstreams.sonarr.servers."127.0.0.1:8989" = {};
+      upstreams.sonarr.servers."127.0.0.1:8989" = { };
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://sonarr";
         extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/sound.nix b/modules/nixos/sound.nix
index 073d59c..ff90dfc 100644
--- a/modules/nixos/sound.nix
+++ b/modules/nixos/sound.nix
@@ -1,13 +1,10 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.sound;
-in {
-  options.nixfiles.modules.sound.enable =
-    mkEnableOption "sound support";
+in
+{
+  options.nixfiles.modules.sound.enable = mkEnableOption "sound support";
 
   config = mkIf cfg.enable {
     services.pipewire = {
diff --git a/modules/nixos/syncthing.nix b/modules/nixos/syncthing.nix
index ecc983f..74d4afe 100644
--- a/modules/nixos/syncthing.nix
+++ b/modules/nixos/syncthing.nix
@@ -6,9 +6,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.syncthing;
-in {
+in
+{
   options.nixfiles.modules.syncthing = {
     enable = mkEnableOption "Syncthing";
 
@@ -74,7 +76,8 @@ in {
             insecureSkipHostcheck = this.isHeadless;
           };
 
-          devices = mapAttrs (name: attr:
+          devices = mapAttrs (
+            name: attr:
             mkIf (attr.syncthing.id != null && hasAttr "wireguard" attr) {
               inherit (attr.syncthing) id;
               compression = "metadata";
@@ -82,30 +85,33 @@ in {
               address = "tcp://${name}.${config.networking.domain}:22000";
               autoAcceptFolders = true;
               untrusted = false;
-            })
-          my.configurations;
-
-          folders = let
-            filterDevices = f:
-              attrNames (filterAttrs (_: attr:
-                (attr.hostname != this.hostname)
-                && (attr.syncthing.id != null)
-                && f attr)
-              my.configurations);
-            all = filterDevices (_: true);
-            notHeadless = filterDevices (attr: !attr.isHeadless);
-            notOther = filterDevices (attr: !attr.isOther);
-
-            simple = {
-              type = "simple";
-              params.keep = "5";
-            };
-            trashcan = {
-              type = "trashcan";
-              params.cleanoutDays = "7";
-            };
-          in
-            with config.hm.xdg.userDirs; {
+            }
+          ) my.configurations;
+
+          folders =
+            let
+              filterDevices =
+                f:
+                attrNames (
+                  filterAttrs (
+                    _: attr: (attr.hostname != this.hostname) && (attr.syncthing.id != null) && f attr
+                  ) my.configurations
+                );
+              all = filterDevices (_: true);
+              notHeadless = filterDevices (attr: !attr.isHeadless);
+              notOther = filterDevices (attr: !attr.isOther);
+
+              simple = {
+                type = "simple";
+                params.keep = "5";
+              };
+              trashcan = {
+                type = "trashcan";
+                params.cleanoutDays = "7";
+              };
+            in
+            with config.hm.xdg.userDirs;
+            {
               share = {
                 path = publicShare;
                 devices = notHeadless;
@@ -145,7 +151,7 @@ in {
     (mkIf this.isHeadless {
       nixfiles.modules.nginx = {
         enable = true;
-        upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = {};
+        upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = { };
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://syncthing";
           extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/throttled.nix b/modules/nixos/throttled.nix
index eca803b..7d37cd4 100644
--- a/modules/nixos/throttled.nix
+++ b/modules/nixos/throttled.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.throttled;
-in {
+in
+{
   options.nixfiles.modules.throttled.enable = mkEnableOption "Throttled";
 
   config = mkIf cfg.enable {
diff --git a/modules/nixos/thunderbird.nix b/modules/nixos/thunderbird.nix
index 29ea9c9..74af3b5 100644
--- a/modules/nixos/thunderbird.nix
+++ b/modules/nixos/thunderbird.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.thunderbird;
-in {
+in
+{
   options.nixfiles.modules.thunderbird.enable = mkEnableOption "Thunderbird";
 
   config = mkIf cfg.enable {
@@ -20,7 +18,8 @@ in {
         isDefault = true;
         withExternalGnupg = true;
         # https://github.com/HorlogeSkynet/thunderbird-user.js/blob/master/user.js
-        settings = with config.colors.withHashtag;
+        settings =
+          with config.colors.withHashtag;
           config.hm.programs.firefox.profiles.default.settings
           // {
             "app.donation.eoy.version.viewed" = 999;
diff --git a/modules/nixos/unbound.nix b/modules/nixos/unbound.nix
index 5aaf104..e71d48c 100644
--- a/modules/nixos/unbound.nix
+++ b/modules/nixos/unbound.nix
@@ -5,9 +5,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.unbound;
-in {
+in
+{
   options.nixfiles.modules.unbound = {
     enable = mkEnableOption "Unbound";
 
@@ -18,11 +20,12 @@ in {
     };
   };
 
-  config = let
-    adblock-conf = "${config.services.unbound.stateDir}/adblock.conf";
-  in
+  config =
+    let
+      adblock-conf = "${config.services.unbound.stateDir}/adblock.conf";
+    in
     mkIf cfg.enable {
-      ark.directories = [config.services.unbound.stateDir];
+      ark.directories = [ config.services.unbound.stateDir ];
 
       nixfiles.modules.redis.enable = true;
 
@@ -45,40 +48,51 @@ in {
                 ipv6.address
               ];
 
-              local-zone =
-                concatLists
-                (mapAttrsToList (h: _: ["\"${h}.${cfg.domain}\" redirect"])
-                  my.configurations);
-              local-data = concatLists (mapAttrsToList (hostname: let
-                domain = "${hostname}.${cfg.domain}";
-              in
-                attr: (optionals (hasAttr "wireguard" attr) (with attr.wireguard;
-                  [
-                    "\"${domain} 604800 IN A ${ipv4.address}\""
-                    "\"${domain} 604800 IN AAAA ${ipv6.address}\""
-                    "\"${domain}. A ${ipv4.address}\""
-                    "\"${domain}. AAAA ${ipv6.address}\""
-                  ]
-                  ++ concatMap (domain: [
-                    "\"${domain}. A ${ipv4.address}\""
-                    "\"${domain}. AAAA ${ipv6.address}\""
-                  ])
-                  attr.domains)))
-              my.configurations);
-              local-data-ptr = concatLists (mapAttrsToList (hostname: let
-                domain = "${hostname}.${cfg.domain}";
-              in
-                attr: (optionals (hasAttr "wireguard" attr) (with attr.wireguard;
-                  [
-                    "\"${ipv4.address} ${domain}\""
-                    "\"${ipv6.address} ${domain}\""
-                  ]
-                  ++ concatMap (domain: [
-                    "\"${ipv4.address} ${domain}\""
-                    "\"${ipv6.address} ${domain}\""
-                  ])
-                  attr.domains)))
-              my.configurations);
+              local-zone = concatLists (
+                mapAttrsToList (h: _: [ "\"${h}.${cfg.domain}\" redirect" ]) my.configurations
+              );
+              local-data = concatLists (
+                mapAttrsToList (
+                  hostname:
+                  let
+                    domain = "${hostname}.${cfg.domain}";
+                  in
+                  attr:
+                  (optionals (hasAttr "wireguard" attr) (
+                    with attr.wireguard;
+                    [
+                      "\"${domain} 604800 IN A ${ipv4.address}\""
+                      "\"${domain} 604800 IN AAAA ${ipv6.address}\""
+                      "\"${domain}. A ${ipv4.address}\""
+                      "\"${domain}. AAAA ${ipv6.address}\""
+                    ]
+                    ++ concatMap (domain: [
+                      "\"${domain}. A ${ipv4.address}\""
+                      "\"${domain}. AAAA ${ipv6.address}\""
+                    ]) attr.domains
+                  ))
+                ) my.configurations
+              );
+              local-data-ptr = concatLists (
+                mapAttrsToList (
+                  hostname:
+                  let
+                    domain = "${hostname}.${cfg.domain}";
+                  in
+                  attr:
+                  (optionals (hasAttr "wireguard" attr) (
+                    with attr.wireguard;
+                    [
+                      "\"${ipv4.address} ${domain}\""
+                      "\"${ipv6.address} ${domain}\""
+                    ]
+                    ++ concatMap (domain: [
+                      "\"${ipv4.address} ${domain}\""
+                      "\"${ipv6.address} ${domain}\""
+                    ]) attr.domains
+                  ))
+                ) my.configurations
+              );
 
               private-domain = map (domain: "${domain}.") [
                 cfg.domain
@@ -124,9 +138,19 @@ in {
               {
                 name = ".";
                 forward-tls-upstream = true;
-                forward-addr = let
-                  mkDnsOverTls = ips: auth: map (ip: concatStrings [ip "@" auth]) ips;
-                in
+                forward-addr =
+                  let
+                    mkDnsOverTls =
+                      ips: auth:
+                      map (
+                        ip:
+                        concatStrings [
+                          ip
+                          "@"
+                          auth
+                        ]
+                      ) ips;
+                  in
                   mkDnsOverTls dns.const.quad9.default "853#dns.quad9.net";
               }
             ];
@@ -154,40 +178,45 @@ in {
 
       systemd = {
         services = {
-          unbound.after = ["unbound-adblock-update.service"];
+          unbound.after = [ "unbound-adblock-update.service" ];
 
           unbound-adblock-update = {
             serviceConfig = with config.services.unbound; {
               Type = "oneshot";
               User = user;
               Group = group;
-              ExecStart = getExe (pkgs.writeShellApplication {
-                name = "unbound-adblock-update";
-                runtimeInputs = [pkgs.curl package];
-                text = ''
-                  curl \
-                    -s \
-                    -o ${adblock-conf} \
-                    "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf"
-
-                  if [[ -f "${localControlSocketPath}" ]]; then
-                    unbound-control reload
-                  fi
-                '';
-              });
+              ExecStart = getExe (
+                pkgs.writeShellApplication {
+                  name = "unbound-adblock-update";
+                  runtimeInputs = [
+                    pkgs.curl
+                    package
+                  ];
+                  text = ''
+                    curl \
+                      -s \
+                      -o ${adblock-conf} \
+                      "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/unbound/multi.blacklist.conf"
+
+                    if [[ -f "${localControlSocketPath}" ]]; then
+                      unbound-control reload
+                    fi
+                  '';
+                }
+              );
             };
           };
         };
 
         timers.unbound-adblock-update = {
-          requires = ["network-online.target"];
-          after = ["network-online.target"];
+          requires = [ "network-online.target" ];
+          after = [ "network-online.target" ];
           timerConfig = {
             OnCalendar = "daily";
             Persistent = true;
             Unit = "unbound-adblock-update.service";
           };
-          wantedBy = ["timers.target"];
+          wantedBy = [ "timers.target" ];
         };
       };
 
diff --git a/modules/nixos/vaultwarden.nix b/modules/nixos/vaultwarden.nix
index 53a3f81..2cacb6c 100644
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@@ -4,9 +4,11 @@
   lib,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.vaultwarden;
-in {
+in
+{
   options.nixfiles.modules.vaultwarden = {
     enable = mkEnableOption "Vaultwarden";
 
@@ -17,11 +19,12 @@ in {
     };
   };
 
-  config = let
-    db = "vaultwarden";
-  in
+  config =
+    let
+      db = "vaultwarden";
+    in
     mkIf cfg.enable {
-      ark.directories = ["/var/lib/bitwarden_rs"];
+      ark.directories = [ "/var/lib/bitwarden_rs" ];
 
       secrets.vaultwarden-environment = {
         file = "${inputs.self}/secrets/vaultwarden-environment";
@@ -33,8 +36,8 @@ in {
         nginx = {
           enable = true;
           upstreams = with config.services.vaultwarden.config; {
-            vaultwarden_rocket.servers."${ROCKET_ADDRESS}:${toString ROCKET_PORT}" = {};
-            vaultwarden_websocket.servers."${WEBSOCKET_ADDRESS}:${toString WEBSOCKET_PORT}" = {};
+            vaultwarden_rocket.servers."${ROCKET_ADDRESS}:${toString ROCKET_PORT}" = { };
+            vaultwarden_websocket.servers."${WEBSOCKET_ADDRESS}:${toString WEBSOCKET_PORT}" = { };
           };
           virtualHosts.${cfg.domain}.locations = {
             "/" = {
@@ -95,7 +98,7 @@ in {
         };
 
         postgresql = {
-          ensureDatabases = [db];
+          ensureDatabases = [ db ];
           ensureUsers = [
             {
               name = db;
@@ -123,14 +126,14 @@ in {
       };
 
       environment.etc = {
-        "fail2ban/filter.d/vaultwarden.conf".text = generators.toINI {} {
+        "fail2ban/filter.d/vaultwarden.conf".text = generators.toINI { } {
           Definition = {
             failregex = "^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$";
             ignoreregex = "";
             journalmatch = "_SYSTEMD_UNIT=vaultwarden.service";
           };
         };
-        "fail2ban/filter.d/vaultwarden-admin.conf".text = generators.toINI {} {
+        "fail2ban/filter.d/vaultwarden-admin.conf".text = generators.toINI { } {
           Definition = {
             failregex = "^.*Invalid admin token\. IP: <ADDR>.*$";
             ignoreregex = "";
diff --git a/modules/nixos/victoriametrics.nix b/modules/nixos/victoriametrics.nix
index 6b037b9..88dff1b 100644
--- a/modules/nixos/victoriametrics.nix
+++ b/modules/nixos/victoriametrics.nix
@@ -4,9 +4,11 @@
   libNginx,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.prometheus;
-in {
+in
+{
   options.nixfiles.modules.prometheus = {
     enable = mkEnableOption "VictoriaMetrics";
 
@@ -26,7 +28,7 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      upstreams.victoriametrics.servers."127.0.0.1:${toString cfg.port}" = {};
+      upstreams.victoriametrics.servers."127.0.0.1:${toString cfg.port}" = { };
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://victoriametrics";
         extraConfig = libNginx.config.internalOnly;
diff --git a/modules/nixos/vim/default.nix b/modules/nixos/vim/default.nix
index 2fdf064..5d62e35 100644
--- a/modules/nixos/vim/default.nix
+++ b/modules/nixos/vim/default.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.vim;
-in {
+in
+{
   config = mkIf cfg.enable {
     programs.vim.package =
       (pkgs.vim-full.override {
@@ -23,13 +25,13 @@ in {
         rubySupport = false;
         tclSupport = false;
         ximSupport = false;
-      })
-      .customize {
-        name = "vim";
-        vimrcConfig = with cfg; {
-          customRC = rc;
-          packages.myVimPackage.start = plugins;
+      }).customize
+        {
+          name = "vim";
+          vimrcConfig = with cfg; {
+            customRC = rc;
+            packages.myVimPackage.start = plugins;
+          };
         };
-      };
   };
 }
diff --git a/modules/nixos/wayland.nix b/modules/nixos/wayland.nix
index b64ab32..e3dba79 100644
--- a/modules/nixos/wayland.nix
+++ b/modules/nixos/wayland.nix
@@ -4,12 +4,16 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.wayland;
-in {
+in
+{
   options.nixfiles.modules.wayland.enable = mkEnableOption "Wayland";
 
   config = mkIf cfg.enable {
-    hm.home.packages = with pkgs; [wl-clipboard];
+    nixfiles.modules.foot.enable = true;
+
+    hm.home.packages = with pkgs; [ wl-clipboard ];
   };
 }
diff --git a/modules/nixos/wireguard.nix b/modules/nixos/wireguard.nix
index d05c6ae..f645a90 100644
--- a/modules/nixos/wireguard.nix
+++ b/modules/nixos/wireguard.nix
@@ -6,9 +6,11 @@
   this,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.wireguard;
-in {
+in
+{
   options.nixfiles.modules.wireguard = {
     client = {
       enable = mkEnableOption "WireGuard client";
@@ -56,16 +58,20 @@ in {
       peers = mkOption {
         description = "List of peers.";
         type = with types; listOf attrs;
-        default = mapAttrsToList (_: attr:
-          with attr; {
-            inherit (wireguard) publicKey;
-            allowedIPs = with wireguard; [
-              "${ipv4.address}/32"
-              "${ipv6.address}/128"
-            ];
-          }) (filterAttrs (_: attr:
-          attr.hostname != this.hostname && hasAttr "wireguard" attr)
-        my.configurations);
+        default =
+          mapAttrsToList
+            (
+              _: attr: with attr; {
+                inherit (wireguard) publicKey;
+                allowedIPs = with wireguard; [
+                  "${ipv4.address}/32"
+                  "${ipv6.address}/128"
+                ];
+              }
+            )
+            (
+              filterAttrs (_: attr: attr.hostname != this.hostname && hasAttr "wireguard" attr) my.configurations
+            );
       };
     };
 
@@ -105,13 +111,16 @@ in {
       (mkIf (cfg.client.enable || cfg.server.enable) {
         secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}";
 
-        networking.firewall.trustedInterfaces = [cfg.interface];
+        networking.firewall.trustedInterfaces = [ cfg.interface ];
       })
       (mkIf cfg.client.enable {
         networking.wg-quick.interfaces.${cfg.interface} = mkMerge [
           (with this.wireguard; {
             privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
-            address = ["${ipv4.address}/16" "${ipv6.address}/16"];
+            address = [
+              "${ipv4.address}/16"
+              "${ipv6.address}/16"
+            ];
           })
           (with cfg.server; {
             peers = [
@@ -119,15 +128,16 @@ in {
                 inherit publicKey;
                 endpoint = "${address}:${toString port}";
                 allowedIPs =
-                  if cfg.client.enableTrafficRouting
-                  then [
-                    "0.0.0.0/0"
-                    "::/0"
-                  ]
-                  else [
-                    cfg.ipv4.subnet
-                    cfg.ipv6.subnet
-                  ];
+                  if cfg.client.enableTrafficRouting then
+                    [
+                      "0.0.0.0/0"
+                      "::/0"
+                    ]
+                  else
+                    [
+                      cfg.ipv4.subnet
+                      cfg.ipv6.subnet
+                    ];
                 persistentKeepalive = 25;
               }
             ];
@@ -141,7 +151,11 @@ in {
         environment.systemPackages = with pkgs; [
           (writeShellApplication {
             name = "wg-toggle";
-            runtimeInputs = [iproute2 jq wireguard-tools];
+            runtimeInputs = [
+              iproute2
+              jq
+              wireguard-tools
+            ];
             text = ''
               ip46() {
                 sudo ip -4 "$@"
@@ -166,7 +180,10 @@ in {
             enable = true;
             interfaces.${cfg.interface} = with cfg.server; {
               privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
-              ips = ["${ipv4.address}/16" "${ipv6.address}/16"];
+              ips = [
+                "${ipv4.address}/16"
+                "${ipv6.address}/16"
+              ];
               listenPort = port;
               inherit peers;
               allowedIPsAsRoutes = false;
@@ -179,12 +196,12 @@ in {
 
             externalInterface = mkDefault "eth0";
 
-            internalInterfaces = [cfg.interface];
-            internalIPs = [cfg.ipv4.subnet];
-            internalIPv6s = [cfg.ipv6.subnet];
+            internalInterfaces = [ cfg.interface ];
+            internalIPs = [ cfg.ipv4.subnet ];
+            internalIPv6s = [ cfg.ipv6.subnet ];
           };
 
-          firewall.allowedUDPPorts = [cfg.server.port];
+          firewall.allowedUDPPorts = [ cfg.server.port ];
         };
 
         services.prometheus.exporters.wireguard = {
diff --git a/modules/nixos/x11.nix b/modules/nixos/x11.nix
index 52420db..55ba0b5 100644
--- a/modules/nixos/x11.nix
+++ b/modules/nixos/x11.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.x11;
-in {
+in
+{
   options.nixfiles.modules.x11.enable = mkEnableOption "X11";
 
   config = mkIf cfg.enable {
@@ -19,7 +21,7 @@ in {
           XCOMPOSECACHE = "${config.dirs.cache}/libx11/compose";
         };
 
-        packages = with pkgs; [xclip];
+        packages = with pkgs; [ xclip ];
       };
 
       xresources.properties = {
@@ -34,21 +36,23 @@ in {
       services.xsettingsd = {
         enable = true;
         # https://codeberg.org/derat/xsettingsd#settings
-        settings = let
-          xprop = config.hm.xresources.properties;
-        in {
-          "Net/CursorBlink" = 1;
-          "Net/CursorBlinkTime" = 1200;
-          "Net/DndDragThreshold" = 0;
-          "Net/DoubleClickDistance" = 5;
-          "Net/DoubleClickTime" = 250;
-          "Net/EnableEventSounds" = 1;
-          "Net/EnableInputFeedbackSounds" = 1;
-          "Xft/Antialias" = xprop."Xft.antialias";
-          "Xft/HintStyle" = xprop."Xft.hintstyle";
-          "Xft/Hinting" = xprop."Xft.hinting";
-          "Xft/RGBA" = xprop."Xft.rgba";
-        };
+        settings =
+          let
+            xprop = config.hm.xresources.properties;
+          in
+          {
+            "Net/CursorBlink" = 1;
+            "Net/CursorBlinkTime" = 1200;
+            "Net/DndDragThreshold" = 0;
+            "Net/DoubleClickDistance" = 5;
+            "Net/DoubleClickTime" = 250;
+            "Net/EnableEventSounds" = 1;
+            "Net/EnableInputFeedbackSounds" = 1;
+            "Xft/Antialias" = xprop."Xft.antialias";
+            "Xft/HintStyle" = xprop."Xft.hintstyle";
+            "Xft/Hinting" = xprop."Xft.hinting";
+            "Xft/RGBA" = xprop."Xft.rgba";
+          };
       };
     };
 
diff --git a/modules/nixos/xmonad.nix b/modules/nixos/xmonad.nix
index b4eb4a0..7b49f52 100644
--- a/modules/nixos/xmonad.nix
+++ b/modules/nixos/xmonad.nix
@@ -4,9 +4,11 @@
   pkgs,
   ...
 }:
-with lib; let
+with lib;
+let
   cfg = config.nixfiles.modules.xmonad;
-in {
+in
+{
   options.nixfiles.modules.xmonad.enable = mkEnableOption "XMonad";
 
   config = mkIf cfg.enable {
@@ -24,6 +26,6 @@ in {
 
     services.xserver.displayManager.startx.enable = true;
 
-    nixpkgs.overlays = [inputs.xmonad-ng.overlays.default];
+    nixpkgs.overlays = [ inputs.xmonad-ng.overlays.default ];
   };
 }
diff --git a/modules/nixos/zathura.nix b/modules/nixos/zathura.nix
index e7d1415..95039a5 100644
--- a/modules/nixos/zathura.nix
+++ b/modules/nixos/zathura.nix
@@ -1,11 +1,9 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
+{ config, lib, ... }:
+with lib;
+let
   cfg = config.nixfiles.modules.zathura;
-in {
+in
+{
   config = mkIf cfg.enable {
     nixfiles.modules.common.xdg.defaultApplications."org.pwmt.zathura" = [
       "application/pdf"

Consider giving Nix/NixOS a try! <3