Format with nixfmt

Change-Id: If9839d2c3308538ac8f3e166b69675d3b40bd7d9
diff --git a/modules/cache.nix b/modules/cache.nix
index eee9d79..89bbce6 100644
--- a/modules/cache.nix
+++ b/modules/cache.nix
@@ -1,8 +1,7 @@
 {
   nix.settings = {
     substituters = [ "https://cache.garnix.io" ];
-    trusted-public-keys = [
-      "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
-    ];
+    trusted-public-keys =
+      [ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=" ];
   };
 }
diff --git a/modules/dmarc.nix b/modules/dmarc.nix
index c79721d..69e3313 100644
--- a/modules/dmarc.nix
+++ b/modules/dmarc.nix
@@ -6,10 +6,7 @@
     group = config.users.groups.clicks.name;
     shell = pkgs.bashInteractive;
   };
-  sops.secrets = lib.pipe [
-    "imap_password"
-    "maxmind_license_key"
-  ] [
+  sops.secrets = lib.pipe [ "imap_password" "maxmind_license_key" ] [
     (map (name: {
       inherit name;
       value = {
diff --git a/modules/doas.nix b/modules/doas.nix
index ab4303e..6a725bf 100644
--- a/modules/doas.nix
+++ b/modules/doas.nix
@@ -7,5 +7,6 @@
     sudo.enable = false;
   };
 
-  environment.shellAliases.sudo = "${config.security.wrapperDir}/${config.security.wrappers.doas.program}";
+  environment.shellAliases.sudo =
+    "${config.security.wrapperDir}/${config.security.wrappers.doas.program}";
 }
diff --git a/modules/drivePaths.nix b/modules/drivePaths.nix
index addd64b..49df2ce 100644
--- a/modules/drivePaths.nix
+++ b/modules/drivePaths.nix
@@ -1,8 +1,6 @@
 { drive_paths, lib, ... }: {
-  fileSystems = lib.mapAttrs'
-    (name: value: {
-      name = value.path;
-      value.device = "/dev/disk/by-uuid/${value.uuid}";
-    })
-    drive_paths;
+  fileSystems = lib.mapAttrs' (name: value: {
+    name = value.path;
+    value.device = "/dev/disk/by-uuid/${value.uuid}";
+  }) drive_paths;
 }
diff --git a/modules/ecryptfs.nix b/modules/ecryptfs.nix
index c54c93e..dd85ca9 100644
--- a/modules/ecryptfs.nix
+++ b/modules/ecryptfs.nix
@@ -1,7 +1,7 @@
 { pkgs, ... }: {
-  environment.systemPackages = with pkgs; let
-    unlock-database-script = writeScriptBin "unlock-database-encryption"
-      ''
+  environment.systemPackages = with pkgs;
+    let
+      unlock-database-script = writeScriptBin "unlock-database-encryption" ''
         if [ $UID -ne 0 ]; then
           echo "unlock-database-encryption must be run as root"
           exit 1
@@ -12,10 +12,5 @@
 
         mount -i -t ecryptfs /var/db/.mongodb-encrypted/ /var/db/mongodb -o ecryptfs_sig=$ECRYPTFS_SIG,ecryptfs_fnek_sig=$ECRYPTFS_SIG,ecryptfs_cipher=aes,ecryptfs_key_bytes=32,ecryptfs_unlink_sigs
       '';
-  in
-  [
-    ecryptfs
-    keyutils
-    unlock-database-script
-  ];
+    in [ ecryptfs keyutils unlock-database-script ];
 }
diff --git a/modules/gerrit.nix b/modules/gerrit.nix
index 962fb2b..6c0749c 100644
--- a/modules/gerrit.nix
+++ b/modules/gerrit.nix
@@ -1,7 +1,6 @@
-{ pkgs, config, lib, base, system, ... }: let
-  cfg = config.services.gerrit;
-in lib.recursiveUpdate
-{
+{ pkgs, config, lib, base, system, ... }:
+let cfg = config.services.gerrit;
+in lib.recursiveUpdate {
   sops.secrets.clicks_gerrit_db_password = {
     mode = lib.mkForce "0440";
     group = lib.mkForce "gerrit";
@@ -14,7 +13,7 @@
     group = config.users.groups.gerrit.name;
     shell = pkgs.bashInteractive;
   };
-  users.groups.gerrit = {};
+  users.groups.gerrit = { };
 
   systemd.services.gerrit.serviceConfig.User = "gerrit";
   systemd.services.gerrit.serviceConfig.Group = "gerrit";
@@ -24,8 +23,9 @@
     enable = true;
 
     /* jvmOpts = [
-      "-Djava.class.path=${pkgs.postgresql_jdbc}/share/java"
-    ]; */
+         "-Djava.class.path=${pkgs.postgresql_jdbc}/share/java"
+       ];
+    */
 
     settings = {
       # accountPatchReviewDb.url = "postgresql://localhost:${toString config.services.postgresql.port}/gerrit?user=gerrit&password=!!gerrit_database_password!!";
@@ -60,13 +60,15 @@
       };
       changeCleanup = {
         abandonAfter = "3 weeks";
-        abandonMessage = "This change was abandoned due to 3 weeks of inactivity. If you still want it, please restore it";
+        abandonMessage =
+          "This change was abandoned due to 3 weeks of inactivity. If you still want it, please restore it";
         startTime = "00:00";
         interval = "1 day";
       };
       attentionSet = {
         readdAfter = "1 week";
-        readdMessage = "I've given the owner a *ping* as nothing has happened for a week. If in two weeks time the change is still inactive, I'll abandon it for you. If you still want it, please do something before then";
+        readdMessage =
+          "I've given the owner a *ping* as nothing has happened for a week. If in two weeks time the change is still inactive, I'll abandon it for you. If you still want it, please do something before then";
         startTime = "00:00";
         interval = "1 day";
       };
@@ -85,13 +87,17 @@
         canonicalWebUrl = "https://git.clicks.codes/";
         canonicalGitUrl = "ssh://ssh.clicks.codes/";
         gitHttpUrl = "https://git.clicks.codes/";
-        reportBugUrl = "https://discord.gg/bPaNnxe"; # TODO: kinda obnoxious, better to setup bugzilla/similar
+        reportBugUrl =
+          "https://discord.gg/bPaNnxe"; # TODO: kinda obnoxious, better to setup bugzilla/similar
         enablePeerIPInReflogRecord = true;
         instanceId = "a1d1";
         instanceName = "a1d1.clicks";
       };
       mimetype = lib.pipe [ "image/*" "video/*" "application/pdf" ] [
-        (map (name: { inherit name; value.safe = true; }))
+        (map (name: {
+          inherit name;
+          value.safe = true;
+        }))
         builtins.listToAttrs
       ];
       receive.enableSignedPush = true;
@@ -105,53 +111,61 @@
       httpd.listenUrl = "proxy-https://${cfg.listenAddress}";
     };
 
-    plugins = [ (
-      derivation {
-        name = "oauth.jar"; # HACK: wrapping a derivation in a derivation to rename it seems like a bad hack... but bazel would not build if I didn't (I think because it didn't like the .jar extension...) check why though?
-        src = (
-          pkgs.buildBazelPackage {
-            __noChroot = true; # FIXME: terrible, horrible, no good, very bad
-            # name = "gerrit-oauth-provider.jar";
-            pname = "gerrit-oauth-provider.jar";
-            version = "unstable-2023-10-08";
-            src = pkgs.fetchgit {
-              url = "https://gerrit.googlesource.com/plugins/oauth";
-              rev = "1b3cc407cb2571d08601ab852e6e01f82d27160f";
-              hash = "sha256-yC/8qnkDbfIujl+Cvamr+EQSwto1DcIUWXh5cwDEZHo=";
-              deepClone = true; # FIXME: this bazel build uses some git stuff, maybe we should try replacing with fakegit?
-            };
-            bazelTargets = [ "oauth" ];
-            bazel = pkgs.bazel_4;
-            buildAttrs = {};
-            fetchAttrs.sha256 = "sha256-i5wOTn2NqqgJf4TCIqaCucpXu+5Vm5C84UPrGYFMSzc=";
+    plugins = [
+      (derivation {
+        name =
+          "oauth.jar"; # HACK: wrapping a derivation in a derivation to rename it seems like a bad hack... but bazel would not build if I didn't (I think because it didn't like the .jar extension...) check why though?
+        src = (pkgs.buildBazelPackage {
+          __noChroot = true; # FIXME: terrible, horrible, no good, very bad
+          # name = "gerrit-oauth-provider.jar";
+          pname = "gerrit-oauth-provider.jar";
+          version = "unstable-2023-10-08";
+          src = pkgs.fetchgit {
+            url = "https://gerrit.googlesource.com/plugins/oauth";
+            rev = "1b3cc407cb2571d08601ab852e6e01f82d27160f";
+            hash = "sha256-yC/8qnkDbfIujl+Cvamr+EQSwto1DcIUWXh5cwDEZHo=";
+            deepClone =
+              true; # FIXME: this bazel build uses some git stuff, maybe we should try replacing with fakegit?
+          };
+          bazelTargets = [ "oauth" ];
+          bazel = pkgs.bazel_4;
+          buildAttrs = { };
+          fetchAttrs.sha256 =
+            "sha256-i5wOTn2NqqgJf4TCIqaCucpXu+5Vm5C84UPrGYFMSzc=";
 
-            postUnpack = ''
-              echo "4.2.2" > */.bazelversion  # nixpkgs only has certain bazel versions, so let's upgrade the patch of this one
-            '';
+          postUnpack = ''
+            echo "4.2.2" > */.bazelversion  # nixpkgs only has certain bazel versions, so let's upgrade the patch of this one
+          '';
 
-            buildInputs = with pkgs; [
-              git
-              curl
-              jdk11
-            ];
+          buildInputs = with pkgs; [ git curl jdk11 ];
 
-            postInstall = ''
-              cp bazel-bin/oauth.jar $out
-            '';
-          }
-        );
+          postInstall = ''
+            cp bazel-bin/oauth.jar $out
+          '';
+        });
         builder = "/bin/sh";
         args = [ "-c" "${pkgs.coreutils}/bin/cp $src $out" ];
         inherit system;
-      }
-    ) ];
-    builtinPlugins = [ "codemirror-editor" "commit-message-length-validator" "delete-project" "download-commands" "gitiles" "hooks" "reviewnotes" "singleusergroup" "webhooks" ];
+      })
+    ];
+    builtinPlugins = [
+      "codemirror-editor"
+      "commit-message-length-validator"
+      "delete-project"
+      "download-commands"
+      "gitiles"
+      "hooks"
+      "reviewnotes"
+      "singleusergroup"
+      "webhooks"
+    ];
     serverId = "45f277d0-fce7-43b7-9eb3-2e3234e0110f";
 
     listenAddress = "127.0.0.255:1000";
   };
 
-  nix.settings.sandbox = "relaxed"; # FIXME: terrible, horrible, no good, very bad, here to support buildBazelPackage's use of cURL
+  nix.settings.sandbox =
+    "relaxed"; # FIXME: terrible, horrible, no good, very bad, here to support buildBazelPackage's use of cURL
 
   sops.secrets = {
     gerrit_email_private_key = {
@@ -169,34 +183,30 @@
       format = "json";
     };
   };
-}
-  (
-    let
-      isDerived = base != null;
-    in
-    if isDerived
-    then
-      let
-        gerrit_cfgfile = pkgs.writeText "gerrit.conf" (
-          lib.generators.toGitINI cfg.settings
-        );
-      in
-      {
-        scalpel.trafos."gerrit.conf" = {
-          source = toString gerrit_cfgfile;
-          matchers."gerrit_email_private_key".secret =
-            config.sops.secrets.gerrit_email_private_key.path;
-          matchers."gerrit_oauth_client_secret".secret =
-            config.sops.secrets.gerrit_oauth_client_secret.path;
-          owner = config.users.users.nobody.name;
-          group = "gerrit";
-          mode = "0040";
-        };
+} (let isDerived = base != null;
+in if isDerived then
+  let
+    gerrit_cfgfile =
+      pkgs.writeText "gerrit.conf" (lib.generators.toGitINI cfg.settings);
+  in {
+    scalpel.trafos."gerrit.conf" = {
+      source = toString gerrit_cfgfile;
+      matchers."gerrit_email_private_key".secret =
+        config.sops.secrets.gerrit_email_private_key.path;
+      matchers."gerrit_oauth_client_secret".secret =
+        config.sops.secrets.gerrit_oauth_client_secret.path;
+      owner = config.users.users.nobody.name;
+      group = "gerrit";
+      mode = "0040";
+    };
 
-        systemd.services.gerrit.preStart = base.config.systemd.services.gerrit.preStart + ''
+    systemd.services.gerrit.preStart =
+      base.config.systemd.services.gerrit.preStart + ''
         rm etc/gerrit.config
-        ln -sfv ${config.scalpel.trafos."gerrit.conf".destination} etc/gerrit.config
-        '';
-      }
-    else {}
-  )
+        ln -sfv ${
+          config.scalpel.trafos."gerrit.conf".destination
+        } etc/gerrit.config
+      '';
+  }
+else
+  { })
diff --git a/modules/grafana.nix b/modules/grafana.nix
index 9a97342..6c63f75 100644
--- a/modules/grafana.nix
+++ b/modules/grafana.nix
@@ -1,6 +1,5 @@
 { lib, config, base, pkgs, helpers, ... }:
-lib.recursiveUpdate
-{
+lib.recursiveUpdate {
   services.grafana = {
     enable = true;
 
@@ -29,7 +28,7 @@
         api_url =
           "https://login.clicks.codes/realms/clicks/protocol/openid-connect/userinfo";
         role_attribute_path =
-        "contains(resource_access.grafana.roles[*], 'server_admin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || 'Viewer'";
+          "contains(resource_access.grafana.roles[*], 'server_admin') && 'GrafanaAdmin' || contains(resource_access.grafana.roles[*], 'admin') && 'Admin' || contains(resource_access.grafana.roles[*], 'editor') && 'Editor' || 'Viewer'";
         allow_assign_grafana_admin = true;
         auto_login = true;
       };
@@ -57,42 +56,40 @@
     sopsFile = ../secrets/grafana.json;
     format = "json";
   };
-}
-  (
-    let isDerived = base != null;
-    in if isDerived then
-      let
-        generators = lib.generators;
-        cfg = config.services.grafana;
-        settingsFormatIni = pkgs.formats.ini {
-          listToValue =
-            lib.concatMapStringsSep " " (generators.mkValueStringDefault { });
-          mkKeyValue = generators.mkKeyValueDefault
-            {
-              mkValueString = v:
-                if v == null then "" else generators.mkValueStringDefault { } v;
-            } "=";
-        };
-        grafana_cfgfile = settingsFormatIni.generate "config.ini" cfg.settings;
-      in
-      {
-        scalpel.trafos."grafana.ini" = {
-          source = toString grafana_cfgfile;
-          matchers."client_secret".secret =
-            config.sops.secrets.clicks_grafana_client_secret.path;
-          owner = config.users.users.grafana.name;
-          group = "nobody";
-          mode = "0400";
-        };
+} (let isDerived = base != null;
+in if isDerived then
+  let
+    generators = lib.generators;
+    cfg = config.services.grafana;
+    settingsFormatIni = pkgs.formats.ini {
+      listToValue =
+        lib.concatMapStringsSep " " (generators.mkValueStringDefault { });
+      mkKeyValue = generators.mkKeyValueDefault {
+        mkValueString = v:
+          if v == null then "" else generators.mkValueStringDefault { } v;
+      } "=";
+    };
+    grafana_cfgfile = settingsFormatIni.generate "config.ini" cfg.settings;
+  in {
+    scalpel.trafos."grafana.ini" = {
+      source = toString grafana_cfgfile;
+      matchers."client_secret".secret =
+        config.sops.secrets.clicks_grafana_client_secret.path;
+      owner = config.users.users.grafana.name;
+      group = "nobody";
+      mode = "0400";
+    };
 
-        systemd.services.grafana.serviceConfig.ExecStart = lib.mkForce (pkgs.writeShellScript "grafana-start" ''
-          set -o errexit -o pipefail -o nounset -o errtrace
-          shopt -s inherit_errexit
+    systemd.services.grafana.serviceConfig.ExecStart = lib.mkForce
+      (pkgs.writeShellScript "grafana-start" ''
+        set -o errexit -o pipefail -o nounset -o errtrace
+        shopt -s inherit_errexit
 
-          exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} -config ${config.scalpel.trafos."grafana.ini".destination}
-        '');
-        systemd.services.grafana.restartTriggers = [ grafana_cfgfile ];
-      }
-    else
-      { }
-  )
+        exec ${cfg.package}/bin/grafana-server -homepath ${cfg.dataDir} -config ${
+          config.scalpel.trafos."grafana.ini".destination
+        }
+      '');
+    systemd.services.grafana.restartTriggers = [ grafana_cfgfile ];
+  }
+else
+  { })
diff --git a/modules/home-manager-users.nix b/modules/home-manager-users.nix
index 0e1dbd6..3ca8e1b 100644
--- a/modules/home-manager-users.nix
+++ b/modules/home-manager-users.nix
@@ -2,35 +2,38 @@
 # user accounts in the system config
 { base, pkgs, lib, config, ... }:
 let
-  mkUser = username: {
-    isSystemUser = true;
-    linger = true;
-    createHome = true;
-    home = "/services/${username}";
-    group = "clicks";
-    shell = pkgs.bashInteractive;
-  } // (
-    if builtins.pathExists "${../services}/${username}/system.nix"
-    then import "${../services}/${username}/system.nix"
-    else { }
-  );
-in
-{
+  mkUser = username:
+    {
+      isSystemUser = true;
+      linger = true;
+      createHome = true;
+      home = "/services/${username}";
+      group = "clicks";
+      shell = pkgs.bashInteractive;
+    } // (if builtins.pathExists "${../services}/${username}/system.nix" then
+      import "${../services}/${username}/system.nix"
+    else
+      { });
+in {
   users.users = lib.pipe ../services [
     builtins.readDir
     (lib.filterAttrs (_name: value: value == "directory"))
     builtins.attrNames
-    (map (name: { inherit name; value = mkUser name; }))
+    (map (name: {
+      inherit name;
+      value = mkUser name;
+    }))
     builtins.listToAttrs
   ];
-} // (
-  if (base != null)
-  then {
-    /*    users.groups = lib.mapAttrs'
-      (_: user: {
-        name = user.group;
-        value = { };
-      })
-      base.config.users.users;*/
-  } else { }
-)
+} // (if (base != null) then
+  {
+    /* users.groups = lib.mapAttrs'
+       (_: user: {
+         name = user.group;
+         value = { };
+       })
+       base.config.users.users;
+    */
+  }
+else
+  { })
diff --git a/modules/keycloak.nix b/modules/keycloak.nix
index d196ac9..30e078b 100644
--- a/modules/keycloak.nix
+++ b/modules/keycloak.nix
@@ -14,7 +14,8 @@
       hostname-strict = false;
 
       https-certificate-file = "/var/keycloak/login.clicks.codes.rsa.cert.pem";
-      https-certificate-key-file = "/var/keycloak/login.clicks.codes.rsa.private.pem";
+      https-certificate-key-file =
+        "/var/keycloak/login.clicks.codes.rsa.private.pem";
     };
     database = {
       createLocally = false;
diff --git a/modules/kitty.nix b/modules/kitty.nix
index 4d4b730..b85b35a 100644
--- a/modules/kitty.nix
+++ b/modules/kitty.nix
@@ -1,3 +1 @@
-{ pkgs, ... }: {
-  environment.systemPackages = [ pkgs.kitty ];
-}
+{ pkgs, ... }: { environment.systemPackages = [ pkgs.kitty ]; }
diff --git a/modules/loginctl-linger.nix b/modules/loginctl-linger.nix
index 6fe7c60..adc5c84 100644
--- a/modules/loginctl-linger.nix
+++ b/modules/loginctl-linger.nix
@@ -15,11 +15,14 @@
 
   dataDir = "/var/lib/systemd/linger";
 
-  lingeringUsers = map (u: u.name) (attrValues (flip filterAttrs config.users.users (n: u: u.linger)));
+  lingeringUsers = map (u: u.name)
+    (attrValues (flip filterAttrs config.users.users (n: u: u.linger)));
 
-  lingeringUsersFile = builtins.toFile "lingering-users"
-    (concatStrings (map (s: "${s}\n")
-      (sort (a: b: a < b) lingeringUsers))); # this sorting is important for `comm` to work correctly
+  lingeringUsersFile = builtins.toFile "lingering-users" (concatStrings (map
+    (s: ''
+      ${s}
+    '') (sort (a: b: a < b)
+      lingeringUsers))); # this sorting is important for `comm` to work correctly
 
   updateLingering = ''
     if [ -e ${dataDir} ] ; then
@@ -31,20 +34,16 @@
     fi
   '';
 
-  userOptions = {
-    options.linger = mkEnableOption "Lingering for the user";
-  };
+  userOptions = { options.linger = mkEnableOption "Lingering for the user"; };
 
-in
-
-{
+in {
   options = {
-    users.users = mkOption {
-      type = with types; attrsOf (submodule userOptions);
-    };
+    users.users =
+      mkOption { type = with types; attrsOf (submodule userOptions); };
   };
 
   config = {
-    system.activationScripts.update-lingering = stringAfter [ "users" ] updateLingering;
+    system.activationScripts.update-lingering =
+      stringAfter [ "users" ] updateLingering;
   };
 }
diff --git a/modules/matrix.nix b/modules/matrix.nix
index 7441390..2d41da9 100644
--- a/modules/matrix.nix
+++ b/modules/matrix.nix
@@ -1,13 +1,11 @@
 { base, config, lib, pkgs, ... }:
-lib.recursiveUpdate
-{
+lib.recursiveUpdate {
   services.matrix-synapse = {
     enable = true;
     withJemalloc = true;
 
-    plugins = with config.services.matrix-synapse.package.plugins; [
-      matrix-synapse-mjolnir-antispam
-    ];
+    plugins = with config.services.matrix-synapse.package.plugins;
+      [ matrix-synapse-mjolnir-antispam ];
 
     settings = rec {
       server_name = "coded.codes";
@@ -23,10 +21,7 @@
         x_forwarded = true;
         tls = false;
         resources = [{
-          names = [
-            "client"
-            "federation"
-          ];
+          names = [ "client" "federation" ];
           compress = true;
         }];
         port = 4527;
@@ -36,9 +31,10 @@
       turn_uris = [
 
         /* "turn:turn.coded.codes:3478?transport=udp"
-        "turn:turn.coded.codes:3478?transport=tcp"
-        "turns:turn.coded.codes:5349?transport=udp"
-        "turns:turn.coded.codes:5349?transport=tcp" */
+           "turn:turn.coded.codes:3478?transport=tcp"
+           "turns:turn.coded.codes:5349?transport=udp"
+           "turns:turn.coded.codes:5349?transport=tcp"
+        */
       ]; # Please use matrix.org turn
       # turn_shared_secret = "!!turn_shared_secret!!";
 
@@ -62,10 +58,7 @@
           handlers = [ "console" ];
         };
         "disable_existing_loggers" = false;
-      } [
-        builtins.toJSON
-        (builtins.toFile "logcfg.yaml")
-      ];
+      } [ builtins.toJSON (builtins.toFile "logcfg.yaml") ];
     };
   };
 
@@ -77,7 +70,8 @@
 
     settings = {
       autojoinOnlyIfManager = true;
-      automaticallyRedactForReasons = [ "nsfw" "gore" "spam" "harassment" "hate" ];
+      automaticallyRedactForReasons =
+        [ "nsfw" "gore" "spam" "harassment" "hate" ];
       recordIgnoredInvites = true;
       admin.enableMakeRoomAdminCommand = true;
       allowNoPrefix = true;
@@ -148,91 +142,67 @@
       format = "json";
     };
   };
-}
-  (
-    let
-      isDerived = base != null;
-    in
-    if isDerived
-    # We cannot use mkIf as both sides are evaluated no matter the condition value
-    # Given we use base as an attrset, mkIf will error if base is null in here
-    then
+} (let isDerived = base != null;
+in if isDerived
+# We cannot use mkIf as both sides are evaluated no matter the condition value
+# Given we use base as an attrset, mkIf will error if base is null in here
+then
+  let synapse_cfgfile = config.services.matrix-synapse.configFile;
+  in {
+    scalpel.trafos."synapse.yaml" = {
+      source = toString synapse_cfgfile;
+      matchers."registration_shared_secret".secret =
+        config.sops.secrets.registration_shared_secret.path;
+      # matchers."turn_shared_secret".secret =
+      #   config.sops.secrets.turn_shared_secret.path;
+      owner = config.users.users.matrix-synapse.name;
+      group = config.users.users.matrix-synapse.group;
+      mode = "0400";
+    };
+
+    systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce
+      (builtins.replaceStrings [ "${synapse_cfgfile}" ]
+        [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
+        "${base.config.systemd.services.matrix-synapse.serviceConfig.ExecStart}");
+
+    systemd.services.matrix-synapse.preStart = lib.mkForce
+      (builtins.replaceStrings [ "${synapse_cfgfile}" ]
+        [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
+        "${base.config.systemd.services.matrix-synapse.preStart}");
+
+    systemd.services.matrix-synapse.restartTriggers = [ synapse_cfgfile ];
+
+    environment.systemPackages = with lib;
       let
-        synapse_cfgfile = config.services.matrix-synapse.configFile;
-      in
-      {
-        scalpel.trafos."synapse.yaml" = {
-          source = toString synapse_cfgfile;
-          matchers."registration_shared_secret".secret =
-            config.sops.secrets.registration_shared_secret.path;
-          # matchers."turn_shared_secret".secret =
-          #   config.sops.secrets.turn_shared_secret.path;
-          owner = config.users.users.matrix-synapse.name;
-          group = config.users.users.matrix-synapse.group;
-          mode = "0400";
-        };
+        cfg = config.services.matrix-synapse;
+        registerNewMatrixUser = let
+          isIpv6 = x: lib.length (lib.splitString ":" x) > 1;
+          listener = lib.findFirst (listener:
+            lib.any (resource: lib.any (name: name == "client") resource.names)
+            listener.resources) (lib.last cfg.settings.listeners)
+            cfg.settings.listeners;
+          # FIXME: Handle cases with missing client listener properly,
+          # don't rely on lib.last, this will not work.
 
-        systemd.services.matrix-synapse.serviceConfig.ExecStart = lib.mkForce (
-          builtins.replaceStrings
-            [ "${synapse_cfgfile}" ]
-            [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
-            "${base.config.systemd.services.matrix-synapse.serviceConfig.ExecStart}"
-        );
-
-        systemd.services.matrix-synapse.preStart = lib.mkForce (
-          builtins.replaceStrings
-            [ "${synapse_cfgfile}" ]
-            [ "${config.scalpel.trafos."synapse.yaml".destination}" ]
-            "${base.config.systemd.services.matrix-synapse.preStart}"
-        );
-
-        systemd.services.matrix-synapse.restartTriggers = [ synapse_cfgfile ];
-
-        environment.systemPackages =
-          with lib; let
-            cfg = config.services.matrix-synapse;
-            registerNewMatrixUser =
-              let
-                isIpv6 = x: lib.length (lib.splitString ":" x) > 1;
-                listener =
-                  lib.findFirst
-                    (
-                      listener: lib.any
-                        (
-                          resource: lib.any
-                            (
-                              name: name == "client"
-                            )
-                            resource.names
-                        )
-                        listener.resources
-                    )
-                    (lib.last cfg.settings.listeners)
-                    cfg.settings.listeners;
-                # FIXME: Handle cases with missing client listener properly,
-                # don't rely on lib.last, this will not work.
-
-                # add a tail, so that without any bind_addresses we still have a useable address
-                bindAddress = head (listener.bind_addresses ++ [ "127.0.0.1" ]);
-                listenerProtocol =
-                  if listener.tls
-                  then "https"
-                  else "http";
-              in
-              pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''
-                exec ${cfg.package}/bin/register_new_matrix_user \
-                  $@ \
-                  ${lib.concatMapStringsSep " " (x: "-c ${x}") ([
-                    config.scalpel.trafos."synapse.yaml".destination ] ++ cfg.extraConfigFiles)} \
-                  "${listenerProtocol}://${
-                    if (isIpv6 bindAddress) then
-                      "[${bindAddress}]"
-                    else
-                      "${bindAddress}"
-                  }:${builtins.toString listener.port}/"
-              '';
-          in
-          [ (lib.meta.hiPrio registerNewMatrixUser) ];
-      }
-    else { }
-  )
+          # add a tail, so that without any bind_addresses we still have a useable address
+          bindAddress = head (listener.bind_addresses ++ [ "127.0.0.1" ]);
+          listenerProtocol = if listener.tls then "https" else "http";
+        in pkgs.writeShellScriptBin "matrix-synapse-register_new_matrix_user" ''
+          exec ${cfg.package}/bin/register_new_matrix_user \
+            $@ \
+            ${
+              lib.concatMapStringsSep " " (x: "-c ${x}")
+              ([ config.scalpel.trafos."synapse.yaml".destination ]
+                ++ cfg.extraConfigFiles)
+            } \
+            "${listenerProtocol}://${
+              if (isIpv6 bindAddress) then
+                "[${bindAddress}]"
+              else
+                "${bindAddress}"
+            }:${builtins.toString listener.port}/"
+        '';
+      in [ (lib.meta.hiPrio registerNewMatrixUser) ];
+  }
+else
+  { })
diff --git a/modules/mongodb.nix b/modules/mongodb.nix
index c6d8fe9..81473a2 100644
--- a/modules/mongodb.nix
+++ b/modules/mongodb.nix
@@ -6,5 +6,6 @@
   services.mongodb.initialRootPassword = "changeme";
   services.mongodb.package = pkgs.mongodb-6_0;
 
-  networking.firewall.extraCommands = "iptables -A INPUT -s 192.168.0.4 -p tcp --dport 27017 -j ACCEPT";
+  networking.firewall.extraCommands =
+    "iptables -A INPUT -s 192.168.0.4 -p tcp --dport 27017 -j ACCEPT";
 }
diff --git a/modules/networking.nix b/modules/networking.nix
index 1940ced..d7f17cf 100644
--- a/modules/networking.nix
+++ b/modules/networking.nix
@@ -1,8 +1,8 @@
 {
-    networking.hosts = {
-        "127.0.0.1" = [ "standard" ];
-        "127.0.0.2" = [ "clicks" ];
-        "127.0.0.3" = [ "caramels" ];
-        "127.0.0.255" = [ "generic" ];
-    };
+  networking.hosts = {
+    "127.0.0.1" = [ "standard" ];
+    "127.0.0.2" = [ "clicks" ];
+    "127.0.0.3" = [ "caramels" ];
+    "127.0.0.255" = [ "generic" ];
+  };
 }
diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix
index 52ab029..197ad89 100644
--- a/modules/nextcloud.nix
+++ b/modules/nextcloud.nix
@@ -1,67 +1,67 @@
-{config, pkgs, lib, ...}: {
-    sops.secrets.clicks_nextcloud_db_password = {
-        mode = lib.mkForce "0440";
-        group = lib.mkForce "nextcloud";
-    };
+{ config, pkgs, lib, ... }: {
+  sops.secrets.clicks_nextcloud_db_password = {
+    mode = lib.mkForce "0440";
+    group = lib.mkForce "nextcloud";
+  };
 
-    users.users.nextcloud = {
-        isSystemUser = true;
-        createHome = true;
-        home = "/var/lib/nextcloud";
-        group = config.users.groups.nextcloud.name;
-        shell = pkgs.bashInteractive;
-    };
-    users.groups.nextcloud = {};
+  users.users.nextcloud = {
+    isSystemUser = true;
+    createHome = true;
+    home = "/var/lib/nextcloud";
+    group = config.users.groups.nextcloud.name;
+    shell = pkgs.bashInteractive;
+  };
+  users.groups.nextcloud = { };
 
+  services.nextcloud.enable = true;
+  services.nextcloud.config.adminpassFile =
+    config.sops.secrets.nextcloud_admin_password.path;
+  services.nextcloud.hostName = "nextcloud.clicks.codes";
+  services.nextcloud.package = pkgs.nextcloud27;
+  services.nextcloud.poolSettings = {
+    pm = "dynamic";
+    "pm.max_children" = "32";
+    "pm.max_requests" = "500";
+    "pm.max_spare_servers" = "4";
+    "pm.min_spare_servers" = "2";
+    "pm.start_servers" = "2";
+    "listen.owner" = config.users.users.nextcloud.name;
+    "listen.group" = config.users.users.nextcloud.group;
+  };
 
-    services.nextcloud.enable = true;
-    services.nextcloud.config.adminpassFile = config.sops.secrets.nextcloud_admin_password.path;
-    services.nextcloud.hostName = "nextcloud.clicks.codes";
-    services.nextcloud.package = pkgs.nextcloud27;
-    services.nextcloud.poolSettings = {
-        pm = "dynamic";
-        "pm.max_children" = "32";
-        "pm.max_requests" = "500";
-        "pm.max_spare_servers" = "4";
-        "pm.min_spare_servers" = "2";
-        "pm.start_servers" = "2";
-        "listen.owner" = config.users.users.nextcloud.name;
-        "listen.group" = config.users.users.nextcloud.group;
-    };
+  services.nextcloud.config = {
+    dbtype = "pgsql";
+    dbport = config.services.postgresql.port;
+    dbpassFile = config.sops.secrets.clicks_nextcloud_db_password.path;
+    dbname = "nextcloud";
+    dbhost = "localhost";
+    extraTrustedDomains = [ "nextcloud.clicks.codes" "docs.clicks.codes" ];
+  };
 
-    services.nextcloud.config = {
-        dbtype = "pgsql";
-        dbport = config.services.postgresql.port;
-        dbpassFile = config.sops.secrets.clicks_nextcloud_db_password.path;
-        dbname = "nextcloud";
-        dbhost = "localhost";
-        extraTrustedDomains = [ "nextcloud.clicks.codes" "docs.clicks.codes" ];
-    };
+  services.nextcloud.extraOptions = { social_login_auto_redirect = true; };
 
-    services.nextcloud.extraOptions = {
-        social_login_auto_redirect = true;
+  services.nextcloud.extraApps = {
+    sociallogin = pkgs.fetchNextcloudApp {
+      url =
+        "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.5.3/release.tar.gz";
+      sha256 = "sha256-96/wtK7t23fXVRcntDONjgb5bYtZuaNZzbvQCa5Gsj4=";
     };
+    richdocumentscode = pkgs.fetchNextcloudApp {
+      url = "redacted";
+      sha256 = "sha256-XYtjBZCIQ6+PL3BNLSZfJTgLLpOyphzR5HOAwI7bWx0=";
+    };
+    richdocuments = pkgs.fetchNextcloudApp {
+      url =
+        "https://github.com/nextcloud-releases/richdocuments/releases/download/v8.2.0/richdocuments-v8.2.0.tar.gz";
+      sha256 = "sha256-PKw7FXSWvden2+6XjnUDOvbTF71slgeTF/ktS/l2+Dk=";
+    };
+  };
 
-    services.nextcloud.extraApps = {
-        sociallogin = pkgs.fetchNextcloudApp {
-            url = "https://github.com/zorn-v/nextcloud-social-login/releases/download/v5.5.3/release.tar.gz";
-            sha256 = "sha256-96/wtK7t23fXVRcntDONjgb5bYtZuaNZzbvQCa5Gsj4=";
-        };
-        richdocumentscode = pkgs.fetchNextcloudApp {
-            url = "redacted";
-            sha256 = "sha256-XYtjBZCIQ6+PL3BNLSZfJTgLLpOyphzR5HOAwI7bWx0=";
-        };
-        richdocuments = pkgs.fetchNextcloudApp {
-            url = "https://github.com/nextcloud-releases/richdocuments/releases/download/v8.2.0/richdocuments-v8.2.0.tar.gz";
-            sha256 = "sha256-PKw7FXSWvden2+6XjnUDOvbTF71slgeTF/ktS/l2+Dk=";
-        };
-    };
-
-    sops.secrets.nextcloud_admin_password = {
-        mode = "0600";
-        owner = config.users.users.nextcloud.name;
-        group = config.users.users.nextcloud.group;
-        sopsFile = ../secrets/nextcloud.json;
-        format = "json";
-    };
+  sops.secrets.nextcloud_admin_password = {
+    mode = "0600";
+    owner = config.users.users.nextcloud.name;
+    group = config.users.users.nextcloud.group;
+    sopsFile = ../secrets/nextcloud.json;
+    format = "json";
+  };
 }
diff --git a/modules/nginx-routes.nix b/modules/nginx-routes.nix
index 918d6dd..889a17c 100644
--- a/modules/nginx-routes.nix
+++ b/modules/nginx-routes.nix
@@ -6,7 +6,8 @@
     (Host "testing.coded.codes" (ReverseProxy "SamuelDesktop.local:3000"))
     (Hosts [ "kavita.coded.codes" "reading.coded.codes" ]
       (ReverseProxy "localhost:5000"))
-    (Host "www.clicks.codes" (RedirectPermanent "https://clicks.codes$request_uri"))
+    (Host "www.clicks.codes"
+      (RedirectPermanent "https://clicks.codes$request_uri"))
     (Host "clicks.codes" (ReverseProxy "127.0.0.1:3000"))
     (Host "passwords.clicks.codes" (ReverseProxy "localhost:8452"))
     (Host "login.clicks.codes" (ReverseProxy "localhost:9083"))
@@ -37,37 +38,39 @@
       "smtp.clicks.codes"
       "smtp.hopescaramels.com"
     ] (ReverseProxy "localhost:1080"))
-    (Hosts [
-      "mail.clicks.codes"
-      "mail.coded.codes"
-      "mail.hopescaramels.com"
-    ] (ReverseProxy "localhost:1080"))
-    (Host "matrix.coded.codes" (Directory "${builtins.toString (pkgs.schildichat-web.override {
-      conf = {
-        default_server_config = lib.pipe ./nginx/coded.codes/.well-known/matrix [
-          builtins.readFile
-          builtins.fromJSON
-        ];
-        features = {
-          feature_report_to_moderators = true;
-          feature_latex_maths = true;
-          feature_pinning = true;
-          feature_mjolnir = true;
-          feature_presence_in_room_list = true;
-          feature_custom_themes = true;
-          feature_dehydration = true;
+    (Hosts [ "mail.clicks.codes" "mail.coded.codes" "mail.hopescaramels.com" ]
+      (ReverseProxy "localhost:1080"))
+    (Host "matrix.coded.codes" (Directory "${builtins.toString
+      (pkgs.schildichat-web.override {
+        conf = {
+          default_server_config =
+            lib.pipe ./nginx/coded.codes/.well-known/matrix [
+              builtins.readFile
+              builtins.fromJSON
+            ];
+          features = {
+            feature_report_to_moderators = true;
+            feature_latex_maths = true;
+            feature_pinning = true;
+            feature_mjolnir = true;
+            feature_presence_in_room_list = true;
+            feature_custom_themes = true;
+            feature_dehydration = true;
+          };
+          setting_defaults = { "fallbackICEServerAllowed" = true; };
+          default_theme = "dark";
+          permalink_prefix = "https://matrix.coded.codes";
+          disable_guests = true;
+          disable_3pid_login = true;
         };
-        setting_defaults = { "fallbackICEServerAllowed" = true; };
-        default_theme = "dark";
-        permalink_prefix = "https://matrix.coded.codes";
-        disable_guests = true;
-        disable_3pid_login = true;
-      };
-    })}"))
-    (Host "api.clicks.codes" (Path "/nucleus/" (ReverseProxy "localhost:10000")))
-    (Host "api.coded.codes" (Path "/nucleus/" (ReverseProxy "SamuelDesktop.local:10000")))
+      })}"))
+    (Host "api.clicks.codes"
+      (Path "/nucleus/" (ReverseProxy "localhost:10000")))
+    (Host "api.coded.codes"
+      (Path "/nucleus/" (ReverseProxy "SamuelDesktop.local:10000")))
     (Host "coded.codes" (Compose [
-      (Path "/.well-known/matrix/" (File ./nginx/coded.codes/.well-known/matrix))
+      (Path "/.well-known/matrix/"
+        (File ./nginx/coded.codes/.well-known/matrix))
       (Redirect "https://clicks.codes$request_uri")
     ]))
     (Host "matrix-backend.coded.codes" (Compose [
@@ -88,12 +91,12 @@
     ])
   ];
   clicks.nginx.streams = with helpers.nginx; [
-    (Stream 143 "localhost:1143" "tcp") #imap
-    (Stream 993 "localhost:1993" "tcp") #imap
-    (Stream 110 "localhost:1110" "tcp") #pop3
-    (Stream 995 "localhost:1995" "tcp") #pop3
-    (Stream  25 "localhost:1025" "tcp") #smtp
-    (Stream 465 "localhost:1465" "tcp") #smtp
-    (Stream 587 "localhost:1587" "tcp") #smtp
+    (Stream 143 "localhost:1143" "tcp") # imap
+    (Stream 993 "localhost:1993" "tcp") # imap
+    (Stream 110 "localhost:1110" "tcp") # pop3
+    (Stream 995 "localhost:1995" "tcp") # pop3
+    (Stream 25 "localhost:1025" "tcp") # smtp
+    (Stream 465 "localhost:1465" "tcp") # smtp
+    (Stream 587 "localhost:1587" "tcp") # smtp
   ];
 }
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 64ad1ce..9ccf0b2 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -1,6 +1,5 @@
 { config, lib, pkgs, helpers, base, ... }:
-lib.recursiveUpdate
-{
+lib.recursiveUpdate {
   options.clicks = {
     nginx = {
       services = lib.mkOption {
@@ -14,33 +13,25 @@
                 type = let
                   validServiceTypes = {
                     "redirect" = {
-                      to = ["string" str];
-                      permanent = ["bool" bool];
+                      to = [ "string" str ];
+                      permanent = [ "bool" bool ];
                     };
-                    "reverseproxy" = {
-                      to = ["string" str];
-                    };
+                    "reverseproxy" = { to = [ "string" str ]; };
                     "php" = {
-                      root = ["string" str];
-                      socket = ["string" str];
+                      root = [ "string" str ];
+                      socket = [ "string" str ];
                     };
                     "directory" = {
-                      private = ["bool" bool];
-                      root = ["string" str];
+                      private = [ "bool" bool ];
+                      root = [ "string" str ];
                     };
-                    "file" = {
-                      path = ["string" str];
-                    };
+                    "file" = { path = [ "string" str ]; };
                     "path" = {
-                      path = ["string" str];
-                      service = ["set" serviceType];
+                      path = [ "string" str ];
+                      service = [ "set" serviceType ];
                     };
-                    "compose" = {
-                      services = ["list" (listOf serviceType)];
-                    };
-                    "status" = {
-                      statusCode = ["int" int];
-                    };
+                    "compose" = { services = [ "list" (listOf serviceType) ]; };
+                    "status" = { statusCode = [ "int" int ]; };
                   };
 
                   serviceType = mkOptionType {
@@ -50,25 +41,36 @@
                     descriptionClass = "noun";
 
                     check = (x:
-                      if (builtins.typeOf x) != "set"
-                      then lib.warn "clicks nginx services must be sets but ${x} is not a set" false
-                      else if !(builtins.hasAttr "type" x)
-                      then lib.warn "clicks nginx services must have a type attribute but ${x} does not" false
-                      else if !(builtins.hasAttr x.type validServiceTypes)
-                      then lib.warn "clicks nginx services must have a valid type, but ${x.type} is not one" false
-                      else (let
-                        optionTypes =
-                          (builtins.mapAttrs (n: o: builtins.elemAt o 0) validServiceTypes.${x.type})
-                          // { type = "string"; };
-                      in (lib.pipe x [
-                        (builtins.mapAttrs (n: o: (builtins.hasAttr n optionTypes) && optionTypes.${n} == (builtins.typeOf o)))
-                        lib.attrValues
-                        (builtins.all (x: x))
-                      ]) && (lib.pipe optionTypes [
-                        (builtins.mapAttrs (n: _: builtins.hasAttr n x))
-                        lib.attrValues
-                        (builtins.all (x: x))
-                      ] )));
+                      if (builtins.typeOf x) != "set" then
+                        lib.warn
+                        "clicks nginx services must be sets but ${x} is not a set"
+                        false
+                      else if !(builtins.hasAttr "type" x) then
+                        lib.warn
+                        "clicks nginx services must have a type attribute but ${x} does not"
+                        false
+                      else if !(builtins.hasAttr x.type validServiceTypes) then
+                        lib.warn
+                        "clicks nginx services must have a valid type, but ${x.type} is not one"
+                        false
+                      else
+                        (let
+                          optionTypes =
+                            (builtins.mapAttrs (n: o: builtins.elemAt o 0)
+                              validServiceTypes.${x.type}) // {
+                                type = "string";
+                              };
+                        in (lib.pipe x [
+                          (builtins.mapAttrs (n: o:
+                            (builtins.hasAttr n optionTypes) && optionTypes.${n}
+                            == (builtins.typeOf o)))
+                          lib.attrValues
+                          (builtins.all (x: x))
+                        ]) && (lib.pipe optionTypes [
+                          (builtins.mapAttrs (n: _: builtins.hasAttr n x))
+                          lib.attrValues
+                          (builtins.all (x: x))
+                        ])));
                   };
                 in serviceType;
               };
@@ -116,13 +118,14 @@
         default = [ ];
       };
       streams = lib.mkOption {
-        type = with lib.types; listOf (submodule {
-          options = {
-            internal = lib.mkOption { type = str; };
-            external = lib.mkOption { type = port; };
-            protocol = lib.mkOption { type = strMatching "^(tcp|udp)$"; };
-          };
-        });
+        type = with lib.types;
+          listOf (submodule {
+            options = {
+              internal = lib.mkOption { type = str; };
+              external = lib.mkOption { type = port; };
+              protocol = lib.mkOption { type = strMatching "^(tcp|udp)$"; };
+            };
+          });
         example = lib.literalExpression ''
           with helpers.nginx; [
             (Stream 1001 "generic:1002" "tcp")
@@ -151,7 +154,9 @@
 
       streamConfig = builtins.concatStringsSep "\n" (map (stream: ''
         server {
-            listen ${builtins.toString stream.external}${lib.optionalString (stream.protocol == "udp") " udp"};
+            listen ${builtins.toString stream.external}${
+              lib.optionalString (stream.protocol == "udp") " udp"
+            };
             proxy_pass ${builtins.toString stream.internal};
         }
       '') config.clicks.nginx.streams);
@@ -180,8 +185,10 @@
       format = "binary";
     };
   };
-} (
-  if base != null
-  then {
-    config.security.acme.certs = builtins.mapAttrs (_: v: { webroot = null; dnsProvider = "cloudflare"; }) base.config.security.acme.certs;
-  } else {})
+} (if base != null then {
+  config.security.acme.certs = builtins.mapAttrs (_: v: {
+    webroot = null;
+    dnsProvider = "cloudflare";
+  }) base.config.security.acme.certs;
+} else
+  { })
diff --git a/modules/postgres.nix b/modules/postgres.nix
index 2ae67bb..0613633 100644
--- a/modules/postgres.nix
+++ b/modules/postgres.nix
@@ -10,13 +10,8 @@
       log_destination = lib.mkForce "syslog";
     };
 
-    ensureDatabases = [
-      "vaultwarden"
-      "gerrit"
-      "privatebin"
-      "keycloak"
-      "nextcloud"
-    ];
+    ensureDatabases =
+      [ "vaultwarden" "gerrit" "privatebin" "keycloak" "nextcloud" ];
 
     ensureUsers = [
       {
@@ -28,76 +23,75 @@
       }
       {
         name = "synapse";
-        ensurePermissions = {
-          "DATABASE synapse" = "ALL PRIVILEGES";
-        };
+        ensurePermissions = { "DATABASE synapse" = "ALL PRIVILEGES"; };
       }
       {
         name = "keycloak";
-        ensurePermissions = {
-          "DATABASE keycloak" = "ALL PRIVILEGES";
-        };
+        ensurePermissions = { "DATABASE keycloak" = "ALL PRIVILEGES"; };
       }
       {
         name = "gerrit";
-        ensurePermissions = {
-          "DATABASE gerrit" = "ALL PRIVILEGES";
-        };
+        ensurePermissions = { "DATABASE gerrit" = "ALL PRIVILEGES"; };
       }
       {
         name = "vaultwarden";
-        ensurePermissions = {
-          "DATABASE vaultwarden" = "ALL PRIVILEGES";
-        };
+        ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
       }
       {
         name = "privatebin";
-        ensurePermissions = {
-          "DATABASE privatebin" = "ALL PRIVILEGES";
-        };
+        ensurePermissions = { "DATABASE privatebin" = "ALL PRIVILEGES"; };
       }
       {
         name = "nextcloud";
-        ensurePermissions = {
-          "DATABASE nextcloud" = "ALL PRIVILEGES";
-        };
+        ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
       }
-    ] ++ (map
-      (name: (
-        {
-          inherit name;
-          ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
-        }
-      )) [ "minion" "coded" "pinea" ]);
+    ] ++ (map (name: ({
+      inherit name;
+      ensurePermissions = { "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES"; };
+    })) [ "minion" "coded" "pinea" ]);
 
   };
 
   systemd.services.postgresql.postStart = lib.mkMerge [
-    (
-      let
-        database = "synapse";
-        cfg = config.services.postgresql;
-      in
-      lib.mkBefore (
-        ''
-          PSQL="psql --port=${toString cfg.port}"
+    (let
+      database = "synapse";
+      cfg = config.services.postgresql;
+    in lib.mkBefore (''
+      PSQL="psql --port=${toString cfg.port}"
 
-          while ! $PSQL -d postgres -c "" 2> /dev/null; do
-              if ! kill -0 "$MAINPID"; then exit 1; fi
-              sleep 0.1
-          done
+      while ! $PSQL -d postgres -c "" 2> /dev/null; do
+          if ! kill -0 "$MAINPID"; then exit 1; fi
+          sleep 0.1
+      done
 
-          $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
-        ''
-      ) # synapse needs C collation, so we can't use ensureDatabases for it
+      $PSQL -tAc "SELECT 1 FROM pg_database WHERE datname = '${database}'" | grep -q 1 || $PSQL -tAc 'CREATE DATABASE "${database}" WITH LC_CTYPE="C" LC_COLLATE="C" TEMPLATE="template0"'
+    '') # synapse needs C collation, so we can't use ensureDatabases for it
     )
     (lib.mkAfter (lib.pipe [
-      { user = "clicks_grafana"; passwordFile = config.sops.secrets.clicks_grafana_db_password.path; }
-      { user = "keycloak"; passwordFile = config.sops.secrets.clicks_keycloak_db_password.path; }
-      { user = "gerrit"; passwordFile = config.sops.secrets.clicks_gerrit_db_password.path; }
-      { user = "vaultwarden"; passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path; }
-      { user = "privatebin"; passwordFile = config.sops.secrets.clicks_privatebin_db_password.path; }
-      { user = "nextcloud"; passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path; }
+      {
+        user = "clicks_grafana";
+        passwordFile = config.sops.secrets.clicks_grafana_db_password.path;
+      }
+      {
+        user = "keycloak";
+        passwordFile = config.sops.secrets.clicks_keycloak_db_password.path;
+      }
+      {
+        user = "gerrit";
+        passwordFile = config.sops.secrets.clicks_gerrit_db_password.path;
+      }
+      {
+        user = "vaultwarden";
+        passwordFile = config.sops.secrets.clicks_bitwarden_db_password.path;
+      }
+      {
+        user = "privatebin";
+        passwordFile = config.sops.secrets.clicks_privatebin_db_password.path;
+      }
+      {
+        user = "nextcloud";
+        passwordFile = config.sops.secrets.clicks_nextcloud_db_password.path;
+      }
     ] [
       (map (userData: ''
         $PSQL -tAc "ALTER USER ${userData.user} PASSWORD '$(cat ${userData.passwordFile})';"
@@ -119,7 +113,8 @@
       value = {
         mode = "0400";
         owner = config.services.postgresql.superUser;
-        group = config.users.users.${config.services.postgresql.superUser}.group;
+        group =
+          config.users.users.${config.services.postgresql.superUser}.group;
         sopsFile = ../secrets/postgres.json;
         format = "json";
       };
diff --git a/modules/privatebin.nix b/modules/privatebin.nix
index 17a1556..25e29fd 100644
--- a/modules/privatebin.nix
+++ b/modules/privatebin.nix
@@ -1,6 +1,5 @@
 { config, lib, base, ... }:
-lib.recursiveUpdate
-{
+lib.recursiveUpdate {
   services.privatebin = {
     enable = true;
     settings = {
@@ -14,8 +13,10 @@
         syntaxhighlightingtheme = "sons-of-obsidian";
         template = "bootstrap-dark";
 
-        info = ''Powered by <a href="https://privatebin.info/">PrivateBin</a>. Provided as a service free-of-charge by Clicks. Come chat with us <a href="https://matrix.to/#/#global:coded.codes"> on Matrix</a>'';
-        notice = "This service has no guarantee of uptime, and pastes are not backed up. If you need somewhere to host the last words of your wise old grandfather for time immemorial this is not the place.";
+        info = ''
+          Powered by <a href="https://privatebin.info/">PrivateBin</a>. Provided as a service free-of-charge by Clicks. Come chat with us <a href="https://matrix.to/#/#global:coded.codes"> on Matrix</a>'';
+        notice =
+          "This service has no guarantee of uptime, and pastes are not backed up. If you need somewhere to host the last words of your wise old grandfather for time immemorial this is not the place.";
 
         langaugeselection = true;
       };
@@ -28,7 +29,8 @@
       expire.default = "1month";
 
       expire_options = {
-        "5min" = 300; # looks bonkers, but I'm trying to keep the list ordered while also keeping the privatebin label formatter happy
+        "5min" =
+          300; # looks bonkers, but I'm trying to keep the list ordered while also keeping the privatebin label formatter happy
         "10min" = 600;
         "1hour" = 3600;
         "1day" = 86400;
@@ -43,7 +45,8 @@
       };
 
       traffic = {
-        exempted = "10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16";
+        exempted =
+          "10.0.0.0/8,127.0.0.0/8,169.254.0.0/16,172.16.0.0/12,192.168.0.0/16";
       };
 
       model.class = "Database";
@@ -55,23 +58,19 @@
       };
     };
   };
-}
-(
-  if base != null
-    then {
-      services.privatebin.environmentFiles = [
-        config.scalpel.trafos."privatebin.env".destination
-      ];
+} (if base != null then {
+  services.privatebin.environmentFiles =
+    [ config.scalpel.trafos."privatebin.env".destination ];
 
-      scalpel.trafos."privatebin.env" = {
-        source = builtins.toFile "privatebin.env" ''
-          PRIVATEBIN_DB_PASSWORD=!!privatebin_db_password!!
-        '';
-        matchers."privatebin_db_password".secret =
-          config.sops.secrets.clicks_privatebin_db_password.path;
-        owner = config.users.users.privatebin.name;
-        group = config.users.users.privatebin.group;
-        mode = "0400";
-      };
-    }
-    else {})
+  scalpel.trafos."privatebin.env" = {
+    source = builtins.toFile "privatebin.env" ''
+      PRIVATEBIN_DB_PASSWORD=!!privatebin_db_password!!
+    '';
+    matchers."privatebin_db_password".secret =
+      config.sops.secrets.clicks_privatebin_db_password.path;
+    owner = config.users.users.privatebin.name;
+    group = config.users.users.privatebin.group;
+    mode = "0400";
+  };
+} else
+  { })
diff --git a/modules/samba.nix b/modules/samba.nix
index 7429757..cd710c3 100644
--- a/modules/samba.nix
+++ b/modules/samba.nix
@@ -6,7 +6,8 @@
         path = "/services/kavita/Kavita/drive1";
         browseable = "yes";
         "guest ok" = "no";
-        comment = "Jellyfin, torrents & tempfiles. Use for large amounts of data that don't necessarily need to be accessed at top speed";
+        comment =
+          "Jellyfin, torrents & tempfiles. Use for large amounts of data that don't necessarily need to be accessed at top speed";
       };
       SSD = {
         path = "/services/kavita/Kavita/drive2";
@@ -18,12 +19,11 @@
   };
 
   fileSystems = {
-    "/services/kavita/Kavita/drive1".device = "/dev/disk/by-uuid/dda57e4d-81b7-4f52-b3ac-f14544b3aaf4";
-    "/services/kavita/Kavita/drive2".device = "/dev/disk/by-uuid/24d30ffe-91ed-4e41-b40d-f42b02e144a9";
+    "/services/kavita/Kavita/drive1".device =
+      "/dev/disk/by-uuid/dda57e4d-81b7-4f52-b3ac-f14544b3aaf4";
+    "/services/kavita/Kavita/drive2".device =
+      "/dev/disk/by-uuid/24d30ffe-91ed-4e41-b40d-f42b02e144a9";
   };
 
-  networking.firewall.allowedTCPPorts = [
-    139
-    445
-  ];
+  networking.firewall.allowedTCPPorts = [ 139 445 ];
 }
diff --git a/modules/scalpel.nix b/modules/scalpel.nix
index 0e0e257..49ae103 100644
--- a/modules/scalpel.nix
+++ b/modules/scalpel.nix
@@ -1,8 +1,6 @@
 { lib, config, ... }:
-let
-  cfg = config.scalpel;
-in
-{
+let cfg = config.scalpel;
+in {
   system.activationScripts.scalpelCreateStore.text = lib.mkForce ''
     echo "[scalpel] Ensuring existance of ${cfg.secretsDir}"
     mkdir -p ${cfg.secretsDir}
diff --git a/modules/tesseract.nix b/modules/tesseract.nix
index dc9fb32..d598323 100644
--- a/modules/tesseract.nix
+++ b/modules/tesseract.nix
@@ -1,3 +1 @@
-{ pkgs, ... }: {
-  environment.systemPackages = [ pkgs.tesseract5 ];
-}
+{ pkgs, ... }: { environment.systemPackages = [ pkgs.tesseract5 ]; }
diff --git a/modules/vaultwarden.nix b/modules/vaultwarden.nix
index 0a3764e..a46987e 100644
--- a/modules/vaultwarden.nix
+++ b/modules/vaultwarden.nix
@@ -1,146 +1,159 @@
 { base, pkgs, drive_paths, lib, config, ... }:
-lib.recursiveUpdate
-{
+lib.recursiveUpdate {
   environment.systemPackages = with pkgs; [ vaultwarden ];
 
   services.vaultwarden.enable = true;
   services.vaultwarden.dbBackend = "postgresql";
 
-  sops.secrets = lib.pipe [ "ADMIN_TOKEN" "SMTP_PASSWORD" "YUBICO_SECRET_KEY" "HIBP_API_KEY" ] [
+  sops.secrets = lib.pipe [
+    "ADMIN_TOKEN"
+    "SMTP_PASSWORD"
+    "YUBICO_SECRET_KEY"
+    "HIBP_API_KEY"
+  ] [
     (map (name: {
-      inherit name; value = {
-      mode = "0400";
-      owner = config.users.users.root.name;
-      group = config.users.users.nobody.group;
-      sopsFile = ../secrets/vaultwarden.json;
-      format = "json";
-    };
+      inherit name;
+      value = {
+        mode = "0400";
+        owner = config.users.users.root.name;
+        group = config.users.users.nobody.group;
+        sopsFile = ../secrets/vaultwarden.json;
+        format = "json";
+      };
     }))
     builtins.listToAttrs
   ];
-}
-  (
-    let
-      isDerived = base != null;
-    in
-    if isDerived
-    # We cannot use mkIf as both sides are evaluated no matter the condition value
-    # Given we use base as an attrset, mkIf will error if base is null in here
-    then
-      with lib;
+} (let isDerived = base != null;
+in if isDerived
+# We cannot use mkIf as both sides are evaluated no matter the condition value
+# Given we use base as an attrset, mkIf will error if base is null in here
+then
+  with lib;
+  let
+    cfg = config.services.vaultwarden;
+
+    vaultwarden_config = {
+      # Server Settings
+      DOMAIN = "https://passwords.clicks.codes";
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8452;
+
+      # General Settings
+      SIGNUPS_ALLOWED = false;
+      INVITATIONS_ALLOWED = true;
+      SIGNUPS_DOMAINS_WHITELIST =
+        "clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev,trans.gg";
+      SIGNUPS_VERIFY = true;
+
+      RSA_KEY_FILENAME =
+        "${drive_paths.External1000SSD.path}/bitwarden/rsa_key";
+      ICON_CACHE_FOLDER =
+        "${drive_paths.External1000SSD.path}/bitwarden/icon_cache";
+      ATTACHMENTS_FOLDER =
+        "${drive_paths.External4000HDD.path}/bitwarden/attachments";
+      SENDS_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/sends";
+      TMP_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/tmp";
+
+      DISABLE_2FA_REMEMBER = true;
+
+      # Admin Account
+      ADMIN_TOKEN = "!!ADMIN_TOKEN!!";
+
+      # Database Settings
+      DATABASE_URL =
+        "postgresql://vaultwarden:!!clicks_bitwarden_db_secret!!@127.0.0.1:${
+          toString config.services.postgresql.port
+        }/vaultwarden";
+
+      # Mail Settings
+      SMTP_HOST = "mail.clicks.codes";
+      SMTP_FROM = "bitwarden@clicks.codes";
+      SMTP_FROM_NAME = "Clicks Bitwarden";
+      SMTP_SECURITY = "starttls";
+      SMTP_PORT = 587;
+
+      SMTP_USERNAME = "bitwarden@clicks.codes";
+      SMTP_PASSWORD = "!!SMTP_PASSWORD!!";
+
+      REQUIRE_DEVICE_EMAIL = true;
+
+      IP_HEADER = "X-Forwarded-For";
+
+      # YubiKey Settings
+      YUBICO_CLIENT_ID = "89788";
+      YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!";
+
+      # TODO: Buy a license
+      # HIBP Settings
+      # HIBP_API_KEY="!!HIBP_API_KEY!!";
+
+      ORG_ENABLE_GROUPS = true;
+      # I have looked at the risks. They seem relatively small in comparison to the utility
+      # (stuff like sync issues if you don't refresh your page)
+      # Also a general lack of real-world testing. Which, honestly, doesn't
+      # seem too bad. Please contact me *immediately* upon noticing issues
+      # as I want to make sure that as little as possible is lost if we need
+      # to restore from backups (although I doubt it'll come to that)
+    };
+
+    nameToEnvVar = name:
       let
-        cfg = config.services.vaultwarden;
+        parts = builtins.split "([A-Z0-9]+)" name;
+        partsToEnvVar = parts:
+          foldl' (key: x:
+            let last = stringLength key - 1;
+            in if isList x then
+              key
+              + optionalString (key != "" && substring last 1 key != "_") "_"
+              + head x
+            else if key != "" && elem (substring 0 1 x)
+            lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
+              substring 0 last key
+              + optionalString (substring (last - 1) 1 key != "_") "_"
+              + substring last 1 key + toUpper x
+            else
+              key + toUpper x) "" parts;
+      in if builtins.match "[A-Z0-9_]+" name != null then
+        name
+      else
+        partsToEnvVar parts;
 
-        vaultwarden_config = {
-          # Server Settings
-          DOMAIN = "https://passwords.clicks.codes";
-          ROCKET_ADDRESS = "127.0.0.1";
-          ROCKET_PORT = 8452;
+    # Due to the different naming schemes allowed for config keys,
+    # we can only check for values consistently after converting them to their corresponding environment variable name.
+    configEnv = let
+      configEnv = concatMapAttrs (name: value:
+        optionalAttrs (value != null) {
+          ${nameToEnvVar name} =
+            if isBool value then boolToString value else toString value;
+        }) vaultwarden_config;
+    in {
+      DATA_FOLDER = "/var/lib/bitwarden_rs";
+    } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED)
+      || configEnv.WEB_VAULT_ENABLED == "true") {
+        WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
+      } // configEnv;
 
+    configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList
+      (name: value: ''
+        ${name}=${value}
+      '') configEnv));
+  in {
+    scalpel.trafos."vaultwarden.env" = {
+      source = toString configFile;
+      matchers."ADMIN_TOKEN".secret = config.sops.secrets.ADMIN_TOKEN.path;
+      matchers."SMTP_PASSWORD".secret = config.sops.secrets.SMTP_PASSWORD.path;
+      matchers."YUBICO_SECRET_KEY".secret =
+        config.sops.secrets.YUBICO_SECRET_KEY.path;
+      matchers."HIBP_API_KEY".secret = config.sops.secrets.HIBP_API_KEY.path;
+      matchers."clicks_bitwarden_db_secret".secret =
+        config.sops.secrets.clicks_bitwarden_db_password.path;
+      owner = config.users.users.vaultwarden.name;
+      group = config.users.groups.vaultwarden.name;
+      mode = "0400";
+    };
 
-          # General Settings
-          SIGNUPS_ALLOWED = false;
-          INVITATIONS_ALLOWED = true;
-          SIGNUPS_DOMAINS_WHITELIST = "clicks.codes,coded.codes,thecoded.prof,starrysky.fyi,hopescaramels.com,pinea.dev,trans.gg";
-          SIGNUPS_VERIFY = true;
-
-          RSA_KEY_FILENAME = "${drive_paths.External1000SSD.path}/bitwarden/rsa_key";
-          ICON_CACHE_FOLDER = "${drive_paths.External1000SSD.path}/bitwarden/icon_cache";
-          ATTACHMENTS_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/attachments";
-          SENDS_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/sends";
-          TMP_FOLDER = "${drive_paths.External4000HDD.path}/bitwarden/tmp";
-
-          DISABLE_2FA_REMEMBER = true;
-
-          # Admin Account
-          ADMIN_TOKEN = "!!ADMIN_TOKEN!!";
-
-
-          # Database Settings
-          DATABASE_URL =
-            "postgresql://vaultwarden:!!clicks_bitwarden_db_secret!!@127.0.0.1:${toString config.services.postgresql.port}/vaultwarden";
-
-
-          # Mail Settings
-          SMTP_HOST = "mail.clicks.codes";
-          SMTP_FROM = "bitwarden@clicks.codes";
-          SMTP_FROM_NAME = "Clicks Bitwarden";
-          SMTP_SECURITY = "starttls";
-          SMTP_PORT = 587;
-
-          SMTP_USERNAME = "bitwarden@clicks.codes";
-          SMTP_PASSWORD = "!!SMTP_PASSWORD!!";
-
-          REQUIRE_DEVICE_EMAIL = true;
-
-          IP_HEADER = "X-Forwarded-For";
-
-          # YubiKey Settings
-          YUBICO_CLIENT_ID = "89788";
-          YUBICO_SECRET_KEY = "!!YUBICO_SECRET_KEY!!";
-
-
-          # TODO: Buy a license
-          # HIBP Settings
-          # HIBP_API_KEY="!!HIBP_API_KEY!!";
-
-          ORG_ENABLE_GROUPS = true;
-          # I have looked at the risks. They seem relatively small in comparison to the utility
-          # (stuff like sync issues if you don't refresh your page)
-          # Also a general lack of real-world testing. Which, honestly, doesn't
-          # seem too bad. Please contact me *immediately* upon noticing issues
-          # as I want to make sure that as little as possible is lost if we need
-          # to restore from backups (although I doubt it'll come to that)
-        };
-
-        nameToEnvVar = name:
-          let
-            parts = builtins.split "([A-Z0-9]+)" name;
-            partsToEnvVar = parts: foldl'
-              (key: x:
-                let last = stringLength key - 1; in
-                if isList x then key + optionalString (key != "" && substring last 1 key != "_") "_" + head x
-                else if key != "" && elem (substring 0 1 x) lowerChars then # to handle e.g. [ "disable" [ "2FAR" ] "emember" ]
-                  substring 0 last key + optionalString (substring (last - 1) 1 key != "_") "_" + substring last 1 key + toUpper x
-                else key + toUpper x) ""
-              parts;
-          in
-          if builtins.match "[A-Z0-9_]+" name != null then name else partsToEnvVar parts;
-
-        # Due to the different naming schemes allowed for config keys,
-        # we can only check for values consistently after converting them to their corresponding environment variable name.
-        configEnv =
-          let
-            configEnv = concatMapAttrs
-              (name: value: optionalAttrs (value != null) {
-                ${nameToEnvVar name} = if isBool value then boolToString value else toString value;
-              })
-              vaultwarden_config;
-          in
-          { DATA_FOLDER = "/var/lib/bitwarden_rs"; } // optionalAttrs (!(configEnv ? WEB_VAULT_ENABLED) || configEnv.WEB_VAULT_ENABLED == "true") {
-            WEB_VAULT_FOLDER = "${cfg.webVaultPackage}/share/vaultwarden/vault";
-          } // configEnv;
-
-        configFile = pkgs.writeText "vaultwarden.env" (concatStrings (mapAttrsToList (name: value: "${name}=${value}\n") configEnv));
-      in
-      {
-        scalpel.trafos."vaultwarden.env" = {
-          source = toString configFile;
-          matchers."ADMIN_TOKEN".secret =
-            config.sops.secrets.ADMIN_TOKEN.path;
-          matchers."SMTP_PASSWORD".secret =
-            config.sops.secrets.SMTP_PASSWORD.path;
-          matchers."YUBICO_SECRET_KEY".secret =
-            config.sops.secrets.YUBICO_SECRET_KEY.path;
-          matchers."HIBP_API_KEY".secret =
-            config.sops.secrets.HIBP_API_KEY.path;
-          matchers."clicks_bitwarden_db_secret".secret =
-            config.sops.secrets.clicks_bitwarden_db_password.path;
-          owner = config.users.users.vaultwarden.name;
-          group = config.users.groups.vaultwarden.name;
-          mode = "0400";
-        };
-
-        services.vaultwarden.environmentFile = config.scalpel.trafos."vaultwarden.env".destination;
-      } else { }
-  )
+    services.vaultwarden.environmentFile =
+      config.scalpel.trafos."vaultwarden.env".destination;
+  }
+else
+  { })