Refactoring

custom-utils/default.nix

@@ -8,9 +8,9 @@ let
       )
     )
   );
-  onlyUniqueItemsInList = (x: lib.lists.length x == lib.lists.length (lib.lists.unique x));
-  protocols = (x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x))));
-  mkRange = (x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1));
+  onlyUniqueItemsInList = x: lib.lists.length x == lib.lists.length (lib.lists.unique x);
+  protocols = x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x)));
+  mkRange = x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1);
   validateList = allowed: builtins.all (x: builtins.elem x allowed);
 in
 {

custom-utils/ports.nix

@@ -8,9 +8,9 @@ let
       )
     )
   );
-  onlyUniqueItemsInList = (x: lib.lists.length x == lib.lists.length (lib.lists.unique x));
-  protocols = (x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x))));
-  mkRange = (x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1));
+  onlyUniqueItemsInList = x: lib.lists.length x == lib.lists.length (lib.lists.unique x);
+  protocols = x: lib.lists.unique (lib.flatten (map builtins.attrNames (lib.attrValues x)));
+  mkRange = x: lib.lists.range (builtins.elemAt x 0) (builtins.elemAt x 1);
   validateList = allowed: builtins.all (x: builtins.elem x allowed);
 in
 {

flake.nix

@@ -5,24 +5,34 @@
 
     flake-utils.url = "github:numtide/flake-utils";
 
-    gomod2nix.inputs.flake-utils.follows = "flake-utils";
-    gomod2nix.inputs.nixpkgs.follows = "nixpkgs";
-    gomod2nix.url = "github:nix-community/gomod2nix";
+    gomod2nix = {
+      url = "github:nix-community/gomod2nix";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
-    home-manager.inputs.nixpkgs.follows = "nixpkgs";
-    home-manager.url = "github:nix-community/home-manager/release-24.11";
+    home-manager = {
+      url = "github:nix-community/home-manager/release-24.11";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     impermanence.url = "github:nix-community/impermanence";
 
-    krops.inputs.flake-utils.follows = "flake-utils";
-    krops.inputs.nixpkgs.follows = "nixpkgs";
-    krops.url = "github:Mic92/krops";
+    krops = {
+      url = "github:Mic92/krops";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
-    lanzaboote.url = "github:nix-community/lanzaboote/v0.4.1";
-    lanzaboote.inputs.nixpkgs.follows = "nixpkgs";
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote/v0.4.1";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
-    nix-pre-commit-hooks.inputs.nixpkgs.follows = "nixpkgs";
-    nix-pre-commit-hooks.url = "github:cachix/git-hooks.nix/master";
+    nix-pre-commit-hooks = {
+      url = "github:cachix/git-hooks.nix/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
     nixos-hardware.url = "github:nixos/nixos-hardware/master";
 
@@ -32,12 +42,16 @@
 
     nur.url = "github:nix-community/NUR";
 
-    poetry2nix.inputs.flake-utils.follows = "flake-utils";
-    poetry2nix.inputs.nixpkgs.follows = "nixpkgs";
-    poetry2nix.url = "github:nix-community/poetry2nix";
+    poetry2nix = {
+      url = "github:nix-community/poetry2nix";
+      inputs.flake-utils.follows = "flake-utils";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
 
-    sops-nix.inputs.nixpkgs.follows = "nixpkgs";
-    sops-nix.url = "github:Mic92/sops-nix";
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
   outputs =
     { self
@@ -74,14 +88,14 @@
           };
         };
         devShells.default = pkgs.mkShell {
-          buildInputs = (with pkgs; [
+          buildInputs = with pkgs; [
             black
             just
             nixpkgs-fmt
             shellcheck
             sops
             ssh-to-age
-          ]);
+          ];
 
           shellHook = ''
             ${self.checks.${system}.pre-commit-check.shellHook}
@@ -159,8 +173,8 @@
 
             {
               _module.args = {
-                inputs = inputs;
-                custom-utils = import ./custom-utils { lib = nixpkgs.lib; };
+                inherit inputs;
+                custom-utils = import ./custom-utils { inherit (nixpkgs) lib; };
               };
             }
 

hosts/aluminium/configuration.nix

@@ -7,11 +7,11 @@
     ./services
   ];
 
-  networking.hostName = "aluminium";
   services.openssh.enable = true;
   security.sudo.wheelNeedsPassword = false;
 
   networking = {
+    hostName = "aluminium";
     useDHCP = false;
     vlans = {
       lechner = {
@@ -78,6 +78,15 @@
       iifname "voice" udp dport 5059 accept
       ip saddr 217.10.68.150 udp dport 5060 accept
     '';
+    nftables.tables.pppoe = {
+      family = "ip";
+      content = ''
+        chain clamp {
+          type filter hook forward priority mangle;
+          oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu comment "clamp MSS to Path MTU"
+        }
+      '';
+    };
   };
 
 
@@ -116,16 +125,6 @@
     };
   };
 
-  networking.nftables.tables.pppoe = {
-    family = "ip";
-    content = ''
-      chain clamp {
-        type filter hook forward priority mangle;
-        oifname "ppp0" tcp flags syn tcp option maxseg size set rt mtu comment "clamp MSS to Path MTU"
-      }
-    '';
-  };
-
   zramSwap = {
     enable = true;
     algorithm = "zstd";

hosts/aluminium/services/asterisk/default.nix

@@ -14,21 +14,6 @@ let
   voicemail-sounds = pkgs.callPackage ./voicemail-sounds { };
 in
 {
-  systemd.services.asterisk-voicemail-sounds = {
-    wantedBy = [ "asterisk.service" ];
-    after = [ "asterisk.service" ];
-    script = ''
-      ln -sfn \
-        ${voicemail-sounds}/unavail.wav \
-        /var/spool/asterisk/voicemail/lechner/876/unavail.wav
-    '';
-    restartTriggers = [ voicemail-sounds ];
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-  };
-
   services.asterisk = {
     enable = true;
     confFiles = {
@@ -169,12 +154,12 @@ in
     useTheseDefaultConfFiles = [ ];
   };
 
-  sops.secrets = (lib.listToAttrs (map
+  sops.secrets = lib.listToAttrs (map
     (name: lib.nameValuePair "asterisk-${name}" {
       sopsFile = ../../secrets.yaml;
       owner = config.users.users.asterisk.name;
     })
-    secretConfigFiles));
+    secretConfigFiles);
   environment.etc = lib.mapAttrs'
     (name: _: lib.nameValuePair
       "asterisk/${name}.conf"
@@ -194,7 +179,8 @@ in
     };
   };
 
-  systemd.services."asterisk-reload-endpoint@" = {
+  systemd.services = {
+    "asterisk-reload-endpoint@" = {
       description = "Check if asterisk endpoint is identified and reload it when it is not.";
       serviceConfig = {
         Type = "oneshot";
@@ -209,19 +195,21 @@ in
         fi
       '';
     };
-
-  systemd.timers.asterisk-reload-endpoint = {
-    description = "Check if asterisk endpoint is identified and reload it when it is not.";
+    asterisk-voicemail-sounds = {
+      wantedBy = [ "asterisk.service" ];
       after = [ "asterisk.service" ];
-    wantedBy = [ "timers.target" ];
-    timerConfig = {
-      Persistent = true;
-      OnCalendar = "*-*-* *:*:00";
-      Unit = "asterisk-reload-endpoint@sipgate.service";
+      script = ''
+        ln -sfn \
+          ${voicemail-sounds}/unavail.wav \
+          /var/spool/asterisk/voicemail/lechner/876/unavail.wav
+      '';
+      restartTriggers = [ voicemail-sounds ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
       };
     };
-
-  systemd.services."asterisk-voicemail-call@" = {
+    "asterisk-voicemail-call@" = {
       description = "Check if voicemail exists and place a call to the voicemail application.";
       serviceConfig = {
         Type = "oneshot";
@@ -251,8 +239,21 @@ in
         mv "$callfile" /var/spool/asterisk/outgoing/
       '';
     };
+  };
 
-  systemd.timers.asterisk-voicemail-call-10 = {
+  systemd.timers = {
+    asterisk-reload-endpoint = {
+      description = "Check if asterisk endpoint is identified and reload it when it is not.";
+      after = [ "asterisk.service" ];
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        Persistent = true;
+        OnCalendar = "*-*-* *:*:00";
+        Unit = "asterisk-reload-endpoint@sipgate.service";
+      };
+    };
+
+    asterisk-voicemail-call-10 = {
       description = "Check if voicemail exists and place a call to the voicemail application.";
       after = [ "asterisk.service" ];
       wantedBy = [ "timers.target" ];
@@ -262,7 +263,7 @@ in
         Unit = "asterisk-voicemail-call@876:lechner:10.service";
       };
     };
-  systemd.timers.asterisk-voicemail-call-11 = {
+    asterisk-voicemail-call-11 = {
       description = "Check if voicemail exists and place a call to the voicemail application.";
       after = [ "asterisk.service" ];
       wantedBy = [ "timers.target" ];
@@ -272,6 +273,5 @@ in
         Unit = "asterisk-voicemail-call@876:lechner:11.service";
       };
     };
-
-  #voicemailCallScript
+  };
 }

hosts/aluminium/services/home-assistant.nix

@@ -78,8 +78,8 @@ in
         unit_system = "metric";
         time_zone = "Europe/Berlin";
         temperature_unit = "C";
-        longitude = config.location.longitude;
-        latitude = config.location.latitude;
+        inherit (config.location) longitude;
+        inherit (config.location) latitude;
       };
       default_config = { };
       "automation nix" = [

hosts/copper/configuration.nix

@@ -8,8 +8,6 @@
     ./services
   ];
 
-  services.fstrim.enable = true;
-
   networking = {
     hostName = "copper";
     extraHosts = lib.concatStringsSep "\n" (
@@ -32,7 +30,10 @@
     priority = 1;
   };
 
-  services.snapper.configs = {
+  services = {
+    fstrim.enable = true;
+    flatpak.enable = true;
+    snapper.configs = {
       home = {
         SUBVOLUME = "/home";
         ALLOW_USERS = [ "jalr" ];
@@ -52,6 +53,7 @@
         EMPTY_PRE_POST_MIN_AGE = "1800";
       };
     };
+  };
 
   jalr = {
     bootloader = "lanzaboote";
@@ -68,7 +70,5 @@
   };
 
   system.stateVersion = "24.05";
-
-  services.flatpak.enable = true;
 }
 

hosts/default.nix

@@ -1,4 +1,4 @@
-{ ... }@inputs:
+inputs:
 let
   hardware = inputs.nixos-hardware.nixosModules;
 in

hosts/iron/configuration.nix

@@ -28,7 +28,7 @@ let
     luksDev = "-part3";
     biosBoot = "-part4";
   };
-  efiSystemPartitions = (map (diskName: diskName + partitionScheme.efiBoot) (lib.attrValues disks));
+  efiSystemPartitions = map (diskName: diskName + partitionScheme.efiBoot) (lib.attrValues disks);
 in
 with lib; {
   imports = [
@@ -154,19 +154,19 @@ with lib; {
       };
       supportedFilesystems = [ "zfs" ];
       zfs = {
-        devNodes = devNodes;
+        inherit devNodes;
         forceImportRoot = false;
       };
       loader = {
         efi = {
-          canTouchEfiVariables = (if removableEfi then false else true);
-          efiSysMountPoint = ("/boot/efis/" + (head (lib.attrValues disks))
-            + partitionScheme.efiBoot);
+          canTouchEfiVariables = if removableEfi then false else true;
+          efiSysMountPoint = "/boot/efis/" + (head (lib.attrValues disks))
+            + partitionScheme.efiBoot;
         };
         generationsDir.copyKernels = true;
         grub = {
           enable = true;
-          devices = (map (diskName: devNodes + diskName) (attrValues disks));
+          devices = map (diskName: devNodes + diskName) (attrValues disks);
           efiInstallAsRemovable = removableEfi;
           copyKernels = true;
           efiSupport = true;
@@ -176,11 +176,11 @@ with lib; {
             terminal_input --append serial
             terminal_output --append serial
           '';
-          extraInstallCommands = (toString (map
+          extraInstallCommands = toString (map
             (diskName: ''
               ${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${partitionScheme.efiBoot}
             '')
-            (tail (attrValues disks))));
+            (tail (attrValues disks)));
         };
       };
       kernelParams = [

hosts/iron/services/avahi.nix

@@ -6,11 +6,13 @@ in
   services.avahi = {
     enable = true;
     allowInterfaces = [ interfaces.lan ];
-    publish.domain = true;
-    publish.enable = true;
-    publish.userServices = true;
-    publish.workstation = true;
     openFirewall = false;
+    publish = {
+      domain = true;
+      enable = true;
+      userServices = true;
+      workstation = true;
+    };
   };
 
   networking.firewall.interfaces."${interfaces.lan}".allowedUDPPorts = [

hosts/iron/services/calibre.nix

@@ -8,23 +8,29 @@ in
     sopsFile = ../secrets.yaml;
   };
 
-  services.calibre-server = {
+  services = {
+    calibre-server = {
       enable = true;
       port = ports.calibre-server.tcp;
       host = "127.0.0.1";
     };
 
-  services.calibre-web = {
+    calibre-web = {
       enable = true;
-    user = config.services.calibre-server.user;
-    group = config.services.calibre-server.group;
+      inherit (config.services.calibre-server) user;
+      inherit (config.services.calibre-server) group;
       listen = {
         ip = "127.0.0.1";
         port = ports.calibre-web.tcp;
       };
-    options.enableBookUploading = true;
-    options.reverseProxyAuth.enable = true;
-    options.reverseProxyAuth.header = "X-Remote-User";
+      options = {
+        enableBookUploading = true;
+        reverseProxyAuth = {
+          enable = true;
+          header = "X-Remote-User";
+        };
+      };
+    };
   };
 
   systemd.services.calibre-web = {

hosts/iron/services/home-assistant.nix

@@ -5,19 +5,28 @@ let
   domain = "hass.jalr.de";
 in
 {
-  sops.secrets.home-assistant = {
+  sops.secrets = {
+    home-assistant = {
       sopsFile = ../secrets.yaml;
       owner = "root";
       group = "hass";
       mode = "0640";
     };
-  sops.secrets."mqtt-users/home-assistant" = {
+    "mqtt-users/home-assistant" = {
       sopsFile = ../secrets.yaml;
     };
-  sops.secrets."mqtt-users/valetudo" = {
+    "mqtt-users/valetudo" = {
       sopsFile = ../secrets.yaml;
     };
-  services.home-assistant = {
+  };
+
+  networking.firewall.interfaces = {
+    "${interfaces.lan}".allowedTCPPorts = [ ports.mqtt.tcp ];
+    iot.allowedTCPPorts = [ ports.mqtt.tcp ];
+  };
+
+  services = {
+    home-assistant = {
       enable = true;
       lovelaceConfig = {
         title = "Home";
@@ -88,8 +97,8 @@ in
           unit_system = "metric";
           time_zone = "Europe/Berlin";
           temperature_unit = "C";
-        longitude = config.location.longitude;
-        latitude = config.location.latitude;
+          inherit (config.location) longitude;
+          inherit (config.location) latitude;
           external_url = "https://${domain}/";
           internal_url = "https://${domain}/";
         };
@@ -177,7 +186,7 @@ in
       };
     };
 
-  services.mosquitto = {
+    mosquitto = {
       enable = true;
       persistence = true;
       listeners = [
@@ -199,8 +208,17 @@ in
         }
       ];
     };
+  };
 
-  systemd.services.hass-vlc = {
+  systemd.services = {
+    home-assistant.serviceConfig.ExecStartPre = [
+      (
+        pkgs.writeShellScript "home-assistant-secrets" ''
+          ln -sf "${config.sops.secrets.home-assistant.path}" "${config.services.home-assistant.configDir}/secrets.yaml"
+        ''
+      )
+    ];
+    hass-vlc = {
       script = ''
         exec ${pkgs.vlc}/bin/cvlc \
             --no-video \
@@ -243,17 +261,7 @@ in
       };
       wantedBy = [ "multi-user.target" ];
     };
-
-  networking.firewall.interfaces."${interfaces.lan}".allowedTCPPorts = [ ports.mqtt.tcp ];
-  networking.firewall.interfaces.iot.allowedTCPPorts = [ ports.mqtt.tcp ];
-
-  systemd.services.home-assistant.serviceConfig.ExecStartPre = [
-    (
-      pkgs.writeShellScript "home-assistant-secrets" ''
-        ln -sf "${config.sops.secrets.home-assistant.path}" "${config.services.home-assistant.configDir}/secrets.yaml"
-      ''
-    )
-  ];
+  };
 
   systemd.tmpfiles.rules = [
     "f ${config.services.home-assistant.configDir}/automations.yaml 0755 hass hass"

hosts/iron/services/public-ip-tunnel.nix

@@ -13,27 +13,27 @@ let
   };
 in
 {
-  sops.secrets = (
-    lib.listToAttrs (map
+  sops.secrets = lib.listToAttrs (map
     (name: lib.nameValuePair "wireguard_key_${name}" {
       sopsFile = ../secrets.yaml;
     })
     [
       "hetzner-ha"
     ]
-    )
   );
 
-  networking.iproute2.enable = true;
-  networking.iproute2.rttablesExtraConfig = ''
+  networking = {
+    iproute2 = {
+      enable = true;
+      rttablesExtraConfig = ''
         ${toString rtTable.id} ${rtTable.name}
       '';
-
-  networking.wireguard.interfaces = {
-    hetzner-ha = {
+    };
+    firewall.allowedUDPPorts = [ listenPort ];
+    wireguard.interfaces.hetzner-ha = {
       ips = [ "${externalIp}/32" ];
       privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
-      listenPort = listenPort;
+      inherit listenPort;
       table = rtTable.name;
       postSetup = ''
         ${pkgs.iproute2}/bin/ip rule add from ${externalIp} to 192.168.0.0/16 table main priority 10
@@ -44,7 +44,7 @@ in
         ${pkgs.iproute2}/bin/ip rule del from ${externalIp} table ${rtTable.name} priority 20
       '';
       peers = [{
-        publicKey = publicKey;
+        inherit publicKey;
         endpoint = "${remoteHost}:${toString remotePort}";
         persistentKeepalive = 25;
         allowedIPs = [
@@ -53,6 +53,4 @@ in
       }];
     };
   };
-
-  networking.firewall.allowedUDPPorts = [ listenPort ];
 }

hosts/iron/services/radicale.nix

@@ -14,7 +14,8 @@ in
       enableACME = true;
       forceSSL = true;
       basicAuthFile = config.sops.secrets.radicale-htpasswd.path;
-      locations."/radicale/" = {
+      locations = {
+        "/radicale/" = {
           proxyPass = "http://127.0.0.1:${toString ports.radicale.tcp}/";
           recommendedProxySettings = true;
           #basicAuthFile = "";
@@ -25,8 +26,9 @@ in
           # proxy_pass_request_headers = on;
           # underscores_in_headers = on;
         };
-      locations."/.well-known/caldav".return = "301 $scheme://$host:$server_port/radicale";
-      locations."/.well-known/carddav".return = "301 $scheme://$host:$server_port/radicale";
+        "/.well-known/caldav".return = "301 $scheme://$host:$server_port/radicale";
+        "/.well-known/carddav".return = "301 $scheme://$host:$server_port/radicale";
+      };
     };
   };
 

hosts/iron/services/remarkable.nix

@@ -3,9 +3,9 @@ let
   ports = import ../ports.nix args;
   domain = "rmfakecloud.jalr.de";
   cfg = config.services.rmfakecloud;
-  mkEnvironment = (settings: lib.strings.concatLines (
+  mkEnvironment = settings: lib.strings.concatLines (
     lib.attrsets.mapAttrsToList (name: value: "export ${name}='${value}'") settings
-  ));
+  );
   managementScript = pkgs.writeShellScriptBin "rmfakecloud" ''
     [[ $(id -u) == "rmfakecloud" ]] || exec sudo -u rmfakecloud -- "$0" "$@"
     set -a

hosts/iron/services/snapcast/bluetooth-sink.nix

@@ -24,16 +24,11 @@
 
   services.blueman.enable = true;
 
-  systemd.services.bluetooth-auto-pair = {
-    wantedBy = [
-      "bluetooth.service"
-    ];
-    after = [
-      "bluetooth.service"
-    ];
-    bindsTo = [
-      "bluetooth.service"
-    ];
+  systemd.services = {
+    bluetooth-auto-pair = {
+      wantedBy = [ "bluetooth.service" ];
+      after = [ "bluetooth.service" ];
+      bindsTo = [ "bluetooth.service" ];
       serviceConfig = {
         Type = "simple";
         ExecStart = pkgs.writeShellScript "exec-start" ''
@@ -50,11 +45,8 @@
         Restart = "on-failure";
       };
     };
-
-  systemd.services.bluealsa-aplay = {
-    wantedBy = [
-      "multi-user.target"
-    ];
+    bluealsa-aplay = {
+      wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         DynamicUser = true;
         Type = "simple";
@@ -63,15 +55,13 @@
         SupplementaryGroups = [ "audio" ];
       };
     };
-
-  systemd.services.bluealsa-a2dp = {
-    wantedBy = [
-      "multi-user.target"
-    ];
+    bluealsa-a2dp = {
+      wantedBy = [ "multi-user.target" ];
       serviceConfig = {
         Type = "simple";
         ExecStart = "${pkgs.bluez-alsa}/bin/bluealsa -p a2dp-sink";
         Restart = "on-failure";
       };
     };
+  };
 }

hosts/iron/services/whatsapp.nix

@@ -30,13 +30,14 @@ in
 
   jalr.libvirt.enable = true;
 
-  systemd.services.libvirt-guests.serviceConfig.ExecStop = [
+  systemd.services = {
+    libvirt-guests.serviceConfig.ExecStop = [
       ""
       "${shutdownAndroidVm} ${vmName}"
       "${pkgs.libvirt}/libexec/libvirt-guests.sh stop"
     ];
 
-  systemd.services."whatsapp@" = {
+    "whatsapp@" = {
       description = "Start Android VM, wait for WhatsApp and shut down VM.";
       serviceConfig = {
         Type = "oneshot";
@@ -75,6 +76,7 @@ in
         adb -s "$host:$port" shell -- reboot -p
       '';
     };
+  };
   systemd.timers."whatsapp-${vmName}" = {
     description = "Start Android VM to run WhatsApp";
     after = [ "network.target" ];

hosts/magnesium/persistence.nix

@@ -2,7 +2,7 @@
 {
   boot.initrd.postDeviceCommands =
     let
-      device = config.disko.devices.disk.virt.content.partitions.linux.device;
+      inherit (config.disko.devices.disk.virt.content.partitions.linux) device;
     in
     lib.mkAfter ''
       mkdir /mnt
@@ -14,15 +14,16 @@
       btrfs subvolume snapshot /mnt/root-blank /mnt/root
     '';
 
-  services.openssh = {
+  services = {
+    openssh = {
       hostKeys = lib.mkForce [{
         path = "/persist/etc/ssh/ssh_host_ed25519_key";
         type = "ed25519";
       }];
     };
-
-  services.forgejo.stateDir = "/persist/var/lib/forgejo";
-  services.postgresql.dataDir = "/persist/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+    forgejo.stateDir = "/persist/var/lib/forgejo";
+    postgresql.dataDir = "/persist/var/lib/postgresql/${config.services.postgresql.package.psqlSchema}";
+  };
 
   fileSystems."/persist".neededForBoot = true;
   environment.persistence."/persist" = {

hosts/magnesium/services/hedgedoc.nix

@@ -10,14 +10,15 @@ in
     owner = config.systemd.services.hedgedoc.serviceConfig.User;
     sopsFile = ../secrets.yaml;
   };
-  services.hedgedoc = {
+  services = {
+    hedgedoc = {
       enable = true;
       settings =
         let
           day = 24 * 60 * 60 * 1000;
         in
         {
-        domain = domain;
+          inherit domain;
           protocolUseSSL = true;
           csp.enable = true;
           port = ports.hedgedoc.tcp;
@@ -32,8 +33,7 @@ in
           sessionLife = 90 * day;
         };
     };
-
-  services.postgresql = {
+    postgresql = {
       enable = true;
       ensureDatabases = [ "hedgedoc" ];
       ensureUsers = [{
@@ -41,8 +41,7 @@ in
         ensureDBOwnership = true;
       }];
     };
-
-  services.nginx.virtualHosts."${domain}" = {
+    nginx.virtualHosts."${domain}" = {
       enableACME = true;
       forceSSL = true;
 
@@ -50,4 +49,5 @@ in
         proxyPass = "http://${cfg.settings.host}:${toString cfg.settings.port}";
       };
     };
+  };
 }

hosts/magnesium/services/public-ip-tunnel.nix

@@ -6,15 +6,13 @@ let
   publicKey = "GCmQs7upvDYFueEfqD2yJkkOZg3K7YaGluWWzdjsyTo=";
 in
 {
-  sops.secrets = (
-    lib.listToAttrs (map
+  sops.secrets = lib.listToAttrs (map
     (name: lib.nameValuePair "wireguard_key_${name}" {
       sopsFile = ../secrets.yaml;
     })
     [
       "hetzner-ha"
     ]
-    )
   );
 
   #boot.kernel.sysctl = {
@@ -22,17 +20,21 @@ in
   #  "net.ipv4.conf.hetzner-ha.proxy_arp" = 1;
   #  "net.ipv4.conf.enp1s0.proxy_arp" = 1;
   #};
-  networking.interfaces.hetzner-ha.proxyARP = true;
-  networking.interfaces.enp1s0.proxyARP = true;
 
-  networking.wireguard.interfaces = {
+  networking = {
+    interfaces = {
+      hetzner-ha.proxyARP = true;
+      enp1s0.proxyARP = true;
+    };
+    firewall.allowedUDPPorts = [ listenPort ];
+    wireguard.interfaces = {
       hetzner-ha = {
         ips = [ ];
         privateKeyFile = config.sops.secrets.wireguard_key_hetzner-ha.path;
-      listenPort = listenPort;
+        inherit listenPort;
 
         peers = [{
-        publicKey = publicKey;
+          inherit publicKey;
           persistentKeepalive = 25;
           allowedIPs = [
             "159.69.103.126/32"
@@ -40,6 +42,5 @@ in
         }];
       };
     };
-
-  networking.firewall.allowedUDPPorts = [ listenPort ];
+  };
 }

hosts/weinturm-pretix-prod/hardware-configuration.nix

@@ -2,10 +2,14 @@
 {
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
-  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
-  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+  boot = {
+    initrd = {
+      availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+  };
 
   fileSystems = {
     "/" = {

hosts/weinturm-pretix-prod/services/pretix.nix

@@ -23,7 +23,34 @@ in
     };
   };
 
-  services.pretix = {
+  # Add user to `redis-pretix` group
+  # to grant access to /run/redis-pretix/redis.sock
+  users.users.pretix.extraGroups = [ "redis-pretix" ];
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = lib.mkForce "helfer@weinturm-open-air.de";
+  };
+
+  jalr.mailserver = {
+    enable = true;
+    fqdn = "tickets.weinturm-open-air.de";
+    relayPort = ports.postfix-relay.tcp;
+    domains = [
+      {
+        domain = "tickets.weinturm-open-air.de";
+        enableDKIM = false;
+      }
+    ];
+    messageSizeLimit = 10 * 1024 * 1024;
+    users = [ ];
+    spam.enable = false;
+  };
+
+  services = {
+    pretix = {
       enable = true;
       settings = {
         pretix = {
@@ -54,19 +81,13 @@ in
       };
     };
 
-  # Add user to `redis-pretix` group
-  # to grant access to /run/redis-pretix/redis.sock
-  users.users.pretix.extraGroups = [ "redis-pretix" ];
-
-  services.pretix-banktool = {
+    pretix-banktool = {
       enable = true;
       days = 14;
       secretsFile = config.sops.secrets.pretix-banktool-cfg.path;
     };
 
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-  services.nginx = lib.mkIf cfg.nginx.enable {
+    nginx = lib.mkIf cfg.nginx.enable {
       recommendedGzipSettings = true;
       recommendedOptimisation = true;
       recommendedProxySettings = true;
@@ -85,24 +106,5 @@ in
         };
       };
     };
-
-  jalr.mailserver = {
-    enable = true;
-    fqdn = "tickets.weinturm-open-air.de";
-    relayPort = ports.postfix-relay.tcp;
-    domains = [
-      {
-        domain = "tickets.weinturm-open-air.de";
-        enableDKIM = false;
-      }
-    ];
-    messageSizeLimit = 10 * 1024 * 1024;
-    users = [ ];
-    spam.enable = false;
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = lib.mkForce "helfer@weinturm-open-air.de";
   };
 }

modules/bluetooth.nix

@@ -9,9 +9,11 @@ in
   };
   config = lib.mkIf cfg.bluetooth.enable {
     hardware.bluetooth.enable = true;
-    services.blueman.enable = true;
-    services.ofono.enable = true;
-    services.upower.enable = true;
+    services = {
+      blueman.enable = true;
+      ofono.enable = true;
+      upower.enable = true;
+    };
     hardware.bluetooth.settings.General.Experimental = true; # to show battery state
   };
 }

modules/luksusb.nix

@@ -45,8 +45,7 @@ in
       });
     };
   };
-  config = lib.mkIf cfg.enable
-    (
+  config = lib.mkIf cfg.enable (
     let
       makeUsbDevPath = usbDevice: "/dev/disk/" + usbDevice;
       makeMountPath = usbDevice: "/key/" + (builtins.hashString "md5" usbDevice);
@@ -56,9 +55,9 @@ in
         lib.listToAttrs (map f (lib.attrsToList set));
     in
     {
-        boot.initrd.kernelModules = [ "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" ];
-
-        boot.initrd.systemd.services =
+      boot.initrd = {
+        kernelModules = [ "uas" "usbcore" "usb_storage" "vfat" "nls_cp437" "nls_iso8859_1" ];
+        systemd.services =
           let
             makeService = name: { keyPath, usbDevice, waitForDevice }:
               let
@@ -89,7 +88,12 @@ in
 
                   if [ -e ${lib.escapeShellArg usbDevPath} ]; then
                     mkdir -m0500 -p ${lib.escapeShellArg usbMountPath}
-                    mount -n -t ${lib.escapeShellArg usbFsType} -o ro,fmask=0137,dmask=0027 ${lib.escapeShellArg usbDevPath} ${lib.escapeShellArg usbMountPath}
+                    mount \
+                      -n \
+                      -t ${lib.escapeShellArg usbFsType} \
+                      -o ro,fmask=0137,dmask=0027 \
+                      ${lib.escapeShellArg usbDevPath} \
+                      ${lib.escapeShellArg usbMountPath}
                   fi
                 '';
               };
@@ -101,7 +105,7 @@ in
             })
             cfg.devices;
 
-        boot.initrd.luks.devices = builtins.mapAttrs
+        luks.devices = builtins.mapAttrs
           (name: { keyPath, usbDevice, ... }:
             let
               usbMountPath = makeMountPath usbDevice;
@@ -111,6 +115,7 @@ in
               keyFileTimeout = 1;
             })
           cfg.devices;
+      };
     }
   );
 }

modules/mailserver/postfix.nix

@@ -5,26 +5,26 @@ let
   listToString = lib.concatStringsSep ",";
 
   # List of attribute sets with single key-value pair
-  plainAliases = (lib.flatten
+  plainAliases = lib.flatten
     (map
       ({ address, aliases, ... }:
         map
           (alias: { "${alias}" = address; })
           (aliases ++ lib.singleton address))
-      cfg.users));
+      cfg.users);
 
   # Attribute set with every alias mapped to a list of receivers
-  mergedAliases = (lib.attrsets.foldAttrs
+  mergedAliases = lib.attrsets.foldAttrs
     (val: col: lib.singleton val ++ col)
     [ ]
-    plainAliases);
+    plainAliases;
 
   # Contents of the aliases file
-  aliasesString = (lib.concatStringsSep
+  aliasesString = lib.concatStringsSep
     "\n"
     (lib.mapAttrsToList
       (alias: addresses: "${alias} ${listToString addresses}")
-      mergedAliases));
+      mergedAliases);
 
   valiases = pkgs.writeText "valiases" aliasesString;
 
@@ -38,7 +38,7 @@ lib.mkIf cfg.enable {
   services.postfix = {
     enable = true;
 
-    relayPort = cfg.relayPort;
+    inherit (cfg) relayPort;
 
     enableSubmission = false; # plain/STARTTLS (latter is forced in submissionOptions)
     enableSubmissions = true; # submission with implicit TLS (TCP/465)

modules/mailserver/rspamd.nix

@@ -6,7 +6,7 @@ let
   # nix shell nixpkgs#rspamd -c \
   #   rspamadm dkim_keygen -s default -d example.com -b 4096 -k /dev/shm/dkim.key > dkim.txt
 
-  dkimEnabledDomains = (lib.filter (d: d.enableDKIM) cfg.domains);
+  dkimEnabledDomains = lib.filter (d: d.enableDKIM) cfg.domains;
   dkimSignatureDir = pkgs.stdenvNoCC.mkDerivation {
     name = "dkim-signatures";
     dontUnpack = true;

modules/matrix/default.nix

@@ -65,7 +65,7 @@ in
         type = port;
       };
       settings = mkOption {
-        type = (pkgs.formats.json { }).type;
+        inherit ((pkgs.formats.json { })) type;
       };
     };
     mautrix-whatsapp = {
@@ -75,7 +75,7 @@ in
         type = port;
       };
       settings = mkOption {
-        type = (pkgs.formats.json { }).type;
+        inherit ((pkgs.formats.json { })) type;
       };
     };
   };

modules/matrix/mautrix-signal.nix

@@ -16,7 +16,7 @@ lib.mkIf cfg.mautrix-signal.enable {
       };
       appservice = rec {
         hostname = "127.0.0.1";
-        port = cfg.mautrix-signal.port;
+        inherit (cfg.mautrix-signal) port;
         address = "http://${hostname}:${toString port}";
         provisioning.shared_secret = "disable";
         database = "sqlite:///${dataDir}/mautrix-signal.db";

modules/matrix/mautrix-whatsapp.nix

@@ -15,7 +15,7 @@ lib.mkIf cfg.mautrix-whatsapp.enable {
       };
       appservice = rec {
         hostname = "127.0.0.1";
-        port = cfg.mautrix-whatsapp.port;
+        inherit (cfg.mautrix-whatsapp) port;
         address = "http://${hostname}:${toString port}";
         provisioning.shared_secret = "disable";
         database = {

modules/matrix/synapse.nix

@@ -4,7 +4,8 @@ let
   cfg = config.jalr.matrix;
 in
 lib.mkIf cfg.enable {
-  services.matrix-synapse = {
+  services = {
+    matrix-synapse = {
       enable = true;
 
       settings = {
@@ -14,7 +15,7 @@ lib.mkIf cfg.enable {
         database.name = "sqlite3";
 
         listeners = lib.singleton {
-        port = cfg.synapse.port;
+          inherit (cfg.synapse) port;
           bind_addresses = [ "127.0.0.1" "::1" ];
           type = "http";
           tls = false;
@@ -76,12 +77,34 @@ lib.mkIf cfg.enable {
       ];
     };
 
-  services.matrix-synapse.settings.app_service_config_files = lib.attrsets.mapAttrsToList
+    matrix-synapse.settings.app_service_config_files = lib.attrsets.mapAttrsToList
       (
         name: value:
           "/run/matrix-synapse/app_service_config/${name}.yaml"
       )
       cfg.synapse.app_service_config;
+
+    nginx.virtualHosts = {
+      "${cfg.fqdn}" = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."/_matrix" =
+          let
+            listenerCfg = lib.elemAt config.services.matrix-synapse.settings.listeners 0;
+          in
+          {
+            proxyPass = "http://${lib.elemAt listenerCfg.bind_addresses 0}:${toString listenerCfg.port}";
+
+            extraConfig = ''
+              client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
+            '';
+          };
+      };
+
+    };
+  };
+
   systemd.services.matrix-synapse = {
     restartTriggers = lib.attrsets.mapAttrsToList
       (
@@ -109,24 +132,4 @@ lib.mkIf cfg.enable {
         cfg.synapse.app_service_config;
     };
   };
-
-  services.nginx.virtualHosts = {
-    "${cfg.fqdn}" = {
-      enableACME = true;
-      forceSSL = true;
-
-      locations."/_matrix" =
-        let
-          listenerCfg = (lib.elemAt config.services.matrix-synapse.settings.listeners 0);
-        in
-        {
-          proxyPass = "http://${lib.elemAt listenerCfg.bind_addresses 0}:${toString listenerCfg.port}";
-
-          extraConfig = ''
-            client_max_body_size ${config.services.matrix-synapse.settings.max_upload_size};
-          '';
-        };
-    };
-
-  };
 }

modules/nix.nix

@@ -45,7 +45,7 @@
     (final: prev: {
       master = import inputs.nixpkgsMaster {
         inherit system;
-        config = prev.config;
+        inherit (prev) config;
       };
     })
   ];

modules/providers/hetzner-cloud.nix

@@ -67,7 +67,7 @@ in
                   extraArgs = [ "-f" ];
                   postCreateHook =
                     let
-                      device = cfg.devices.disk.virt.content.partitions.linux.device;
+                      inherit (cfg.devices.disk.virt.content.partitions.linux) device;
                     in
                     ''
                       mountpoint="$(mktemp -d)"

modules/qbittorrent/default.nix

@@ -49,7 +49,7 @@ in
       ];
 
       sops.secrets.sturzbach-htpasswd = {
-        sopsFile = cfg.sopsFile;
+        inherit (cfg) sopsFile;
         owner = "nginx";
       };
 

modules/sway.nix

@@ -1,11 +1,15 @@
 { config, lib, pkgs, ... }:
 
 lib.mkIf (config.jalr.gui.enable && config.jalr.gui.desktop == "sway") {
-  programs.sway = {
+  programs = {
+    wshowkeys.enable = true;
+    dconf.enable = true;
+    sway = {
       enable = true;
       xwayland.enable = true;
       wrapperFeatures.gtk = true;
     };
+  };
 
   hardware.graphics.enable = true;
 
@@ -19,6 +23,7 @@ lib.mkIf (config.jalr.gui.enable && config.jalr.gui.desktop == "sway") {
   }];
 
   xdg = {
+    icons.enable = true;
     portal = {
       enable = true;
       extraPortals = with pkgs; [
@@ -27,13 +32,8 @@ lib.mkIf (config.jalr.gui.enable && config.jalr.gui.desktop == "sway") {
       ];
       xdgOpenUsePortal = true;
     };
-    icons.enable = true;
   };
 
-  programs.wshowkeys.enable = true;
-
-  programs.dconf.enable = true;
-
   environment.systemPackages = with pkgs; [
     adwaita-icon-theme
   ];

modules/unfree.nix

@@ -1,8 +1,8 @@
 { lib, ... }:
 
 {
-  nixpkgs.config.allowUnfreePredicate = (pkg: lib.elem (lib.getName pkg) [
+  nixpkgs.config.allowUnfreePredicate = pkg: lib.elem (lib.getName pkg) [
     "unifi-controller"
     "mongodb"
-  ]);
+  ];
 }

pkgs/default.nix

@@ -1,4 +1,4 @@
-{ ... }@inputs:
+inputs:
 
 final: prev:
 let

pkgs/myintercom-doorbell/module.nix

@@ -84,20 +84,21 @@ in
 
   config = lib.mkIf cfg.enable {
     environment.etc."myintercom-doorbell/settings.json".text = builtins.toJSON {
-      host = cfg.host;
-      username = cfg.username;
-      passwordFile = cfg.passwordFile;
+      inherit (cfg) host;
+      inherit (cfg) username;
+      inherit (cfg) passwordFile;
       audiosocket = {
-        address = cfg.audiosocket.address;
-        port = cfg.audiosocket.port;
-        uuid = cfg.audiosocket.uuid;
+        inherit (cfg.audiosocket) address;
+        inherit (cfg.audiosocket) port;
+        inherit (cfg.audiosocket) uuid;
       };
-      callerId = cfg.callerId;
-      dialTime = cfg.dialTime;
+      inherit (cfg) callerId;
+      inherit (cfg) dialTime;
     };
 
-    systemd.services.myintercom-doorbell-poll = {
-      enable = cfg.enable;
+    systemd.services = {
+      myintercom-doorbell-poll = {
+        inherit (cfg) enable;
         description = "Polls myintercom doorbell ring button status.";
         after = [ "asterisk.service" "network.target" ];
         wantedBy = [ "multi-user.target" ];
@@ -108,9 +109,8 @@ in
           ExecStart = "${pkgs.myintercom-doorbell}/bin/myintercom-doorbell-poll";
         };
       };
-
-    systemd.services.myintercom-doorbell-audiosocket = {
-      enable = cfg.enable;
+      myintercom-doorbell-audiosocket = {
+        inherit (cfg) enable;
         description = "myintercom doorbell AudioSocket for Asterisk";
         requires = [ "asterisk.service" ];
         after = [ "network.target" ];
@@ -135,9 +135,8 @@ in
           ExecStart = "${pkgs.myintercom-doorbell}/bin/myintercom-doorbell-audiosocket";
         };
       };
-
-    systemd.services.myintercom-doorbell-cam-proxy = {
-      enable = cfg.cam.enable;
+      myintercom-doorbell-cam-proxy = {
+        inherit (cfg.cam) enable;
         after = [ "network.target" ];
         wantedBy = [ "multi-user.target" ];
         description = "Proxies the videostream of myintercom doorbell.";
@@ -154,4 +153,5 @@ in
         };
       };
     };
+  };
 }

pkgs/wofi-bluetooth/wofi-bluetooth.nix

@@ -8,8 +8,8 @@
 
 stdenv.mkDerivation rec {
   pname = "wofi-bluetooth";
-  version = rofi-bluetooth.version;
-  src = rofi-bluetooth.src;
+  inherit (rofi-bluetooth) version;
+  inherit (rofi-bluetooth) src;
   patches = [
     ./wofi-bluetooth.patch
   ];

users/jalr/modules/alacritty.nix

@@ -128,7 +128,7 @@ in
 {
 
   programs.alacritty = {
-    enable = nixosConfig.jalr.gui.enable;
+    inherit (nixosConfig.jalr.gui) enable;
   };
 
   xdg.configFile = lib.attrsets.mapAttrs'

users/jalr/modules/aws.nix

@@ -1,7 +1,7 @@
 { nixosConfig, lib, pkgs, config, ... }:
 
 let
-  xdg = config.xdg;
+  inherit (config) xdg;
 in
 {
   config = lib.mkIf nixosConfig.jalr.aws.enable {
@@ -17,7 +17,7 @@ in
     xdg.configFile."aws/config".text = lib.generators.toINI { } (
       lib.mapAttrs'
         (name: value:
-          lib.attrsets.nameValuePair ("profile ${name}") (value)
+          lib.attrsets.nameValuePair "profile ${name}" value
         )
         nixosConfig.jalr.aws.accounts
       //

users/jalr/modules/cli/htop.nix

@@ -12,8 +12,7 @@
     } // (with config.lib.htop; leftMeters ([
       (bar "LeftCPUs")
       (bar "Memory")
-    ] ++ lib.lists.optional nixosConfig.zramSwap.enable (bar "Zram") ++ [
-    ] ++ lib.lists.optional (!(nixosConfig.swapDevices == [ ])) (bar "Swap") ++ [
+    ] ++ lib.lists.optional nixosConfig.zramSwap.enable (bar "Zram") ++ lib.lists.optional (nixosConfig.swapDevices != [ ]) (bar "Swap") ++ [
       (bar "DiskIO")
     ])) // (with config.lib.htop; rightMeters [
       (bar "RightCPUs")

users/jalr/modules/dynamic-colors.nix

@@ -40,18 +40,16 @@ let
       target = "myclirc";
     }
     {
-      exec = (
+      exec =
         if nixosConfig.jalr.gui.enable
         then [ "/usr/bin/env" "gsettings" "set" "org.gnome.desktop.interface" "color-scheme" "prefer-%scheme%" ]
-        else null
-      );
+        else null;
     }
     {
-      exec = (
+      exec =
         if nixosConfig.jalr.gui.enable
         then [ "/usr/bin/env" "gsettings" "set" "org.gnome.desktop.interface" "gtk-theme" "Adwaita-%scheme%" ]
-        else null
-      );
+        else null;
     }
   ];
   dynamic-colors = pkgs.writers.writePython3Bin "dynamic-colors" { } ''

users/jalr/modules/firefox/default.nix

@@ -1,7 +1,7 @@
 { nixosConfig, pkgs, ... }:
 {
   programs.firefox = {
-    enable = nixosConfig.jalr.gui.enable;
+    inherit (nixosConfig.jalr.gui) enable;
     package = pkgs.firefox-esr;
     policies = {
       AllowedDomainsForApps = "";
@@ -155,12 +155,13 @@
         }
       ];
       */
-      SearchEngines.Default = "DuckDuckGo";
-      SearchEngines.Remove = [
+      SearchEngines = {
+        Default = "DuckDuckGo";
+        Remove = [
           "Google"
           "Wikipedia (en)"
         ];
-      SearchEngines.Add = [
+        Add = [
           {
             Name = "Startpage";
             URLTemplate = "https://www.startpage.com/sp/search";
@@ -263,6 +264,7 @@
           }
         ];
       };
+    };
     profiles.default = {
       id = 0;
       isDefault = true;

users/jalr/modules/fish.nix

@@ -169,7 +169,8 @@
     };
   };
 
-  xdg.configFile."fish/completions/mycli.fish".text = ''
+  xdg.configFile = {
+    "fish/completions/mycli.fish".text = ''
       complete -e -c mycli
       complete -c mycli -f
       complete -c mycli -f -s h -l host     -d "Host address of the database."
@@ -194,11 +195,12 @@
       complete -c mycli -f -s d -l dsn -r -a '(mycli --list-dsn)'
     '';
 
-  xdg.configFile."fish/completions/myssh.fish".text = ''
+    "fish/completions/myssh.fish".text = ''
       complete -c myssh -f -a '(myssh --list)'
     '';
 
-  xdg.configFile."fish/completions/just.fish".source = pkgs.runCommand "just-fish-completions" { } ''
+    "fish/completions/just.fish".source = pkgs.runCommand "just-fish-completions" { } ''
       ${pkgs.just}/bin/just --completions fish > $out
     '';
+  };
 }

users/jalr/modules/gnuradio.nix

@@ -8,6 +8,6 @@ let
       pkgs.gnuradio3_8Packages;
   };
 in
-(lib.mkIf nixosConfig.jalr.gui.enable {
+lib.mkIf nixosConfig.jalr.gui.enable {
   home.packages = [ gnuradioEnv ];
-})
+}

users/jalr/modules/neovim/default.nix

@@ -139,7 +139,19 @@ in
     ]);
   };
 
-  xdg.configFile."nvim/lua/init.lua".text = builtins.concatStringsSep "\n" (
+  xdg.configFile = {
+    "nvim/ftplugin/gitcommit.vim".text = ''
+      setlocal spell
+      setlocal colorcolumn=73
+    '';
+    "nvim/ftplugin/markdown.vim".text = ''
+      setlocal spell
+      setlocal colorcolumn=81
+    '';
+    "nvim/ftplugin/sshconfig.vim".text = ''
+      setlocal tabstop=4 shiftwidth=4 softtabstop=4 expandtab
+    '';
+    "nvim/lua/init.lua".text = builtins.concatStringsSep "\n" (
       [
         ''
           -- init.lua
@@ -234,16 +246,5 @@ in
         )
       )
     );
-
-  xdg.configFile."nvim/ftplugin/gitcommit.vim".text = ''
-    setlocal spell
-    setlocal colorcolumn=73
-  '';
-  xdg.configFile."nvim/ftplugin/markdown.vim".text = ''
-    setlocal spell
-    setlocal colorcolumn=81
-  '';
-  xdg.configFile."nvim/ftplugin/sshconfig.vim".text = ''
-    setlocal tabstop=4 shiftwidth=4 softtabstop=4 expandtab
-  '';
+  };
 }

users/jalr/modules/obs-studio/default.nix

@@ -2,7 +2,7 @@
 
 {
   programs.obs-studio = {
-    enable = nixosConfig.jalr.gui.enable;
+    inherit (nixosConfig.jalr.gui) enable;
     plugins = with pkgs; [
       obs-studio-plugins.wlrobs
     ];

users/jalr/modules/sway/default.nix

@@ -35,7 +35,7 @@ let
       #gsettings set $gnome_schema gtk-theme 'Dracula'
       ${pkgs.glib}/bin/gsettings "$@"
     '';
-  matchHostname = (hostname: lib.optionalAttrs (nixosConfig.networking.hostName == hostname));
+  matchHostname = hostname: lib.optionalAttrs (nixosConfig.networking.hostName == hostname);
   resumeTimeTrackingNotification = pkgs.writeShellScript "resume-time-tracking-notification" ''
     export PATH=${pkgs.lib.makeBinPath [pkgs.timewarrior pkgs.libnotify]}
     task="$1"
@@ -97,19 +97,6 @@ in
     end
   '';
 
-  xdg.configFile."sway/light-theme".text = with solarized; ''
-    client.focused ${base01.hex} ${blue.hex} ${base3.hex} ${blue.hex} ${blue.hex}
-    client.focused_inactive ${base2.hex} ${base2.hex} ${base01.hex} ${base0.hex} ${base2.hex}
-    client.unfocused ${base2.hex} ${base3.hex} ${base01.hex} ${base2.hex} ${base2.hex}
-    client.urgent ${red.hex} ${red.hex} ${base3.hex} ${red.hex} ${red.hex}
-  '';
-  xdg.configFile."sway/dark-theme".text = with solarized; ''
-    client.focused          ${base1.hex} ${blue.hex} ${base03.hex} ${blue.hex} ${blue.hex}
-    client.focused_inactive ${base02.hex} ${base02.hex} ${base1.hex} ${base03.hex} ${base02.hex}
-    client.unfocused        ${base02.hex} ${base03.hex} ${base1.hex} ${base02.hex} ${base02.hex}
-    client.urgent           ${red.hex} ${red.hex} ${base03.hex} ${red.hex} ${red.hex}
-  '';
-
   wayland.windowManager.sway = {
     enable = true;
 
@@ -379,7 +366,20 @@ in
     };
   };
 
-  xdg.configFile."swaynag/config".text =
+  xdg.configFile = {
+    "sway/light-theme".text = with solarized; ''
+      client.focused ${base01.hex} ${blue.hex} ${base3.hex} ${blue.hex} ${blue.hex}
+      client.focused_inactive ${base2.hex} ${base2.hex} ${base01.hex} ${base0.hex} ${base2.hex}
+      client.unfocused ${base2.hex} ${base3.hex} ${base01.hex} ${base2.hex} ${base2.hex}
+      client.urgent ${red.hex} ${red.hex} ${base3.hex} ${red.hex} ${red.hex}
+    '';
+    "sway/dark-theme".text = with solarized; ''
+      client.focused          ${base1.hex} ${blue.hex} ${base03.hex} ${blue.hex} ${blue.hex}
+      client.focused_inactive ${base02.hex} ${base02.hex} ${base1.hex} ${base03.hex} ${base02.hex}
+      client.unfocused        ${base02.hex} ${base03.hex} ${base1.hex} ${base02.hex} ${base02.hex}
+      client.urgent           ${red.hex} ${red.hex} ${base03.hex} ${red.hex} ${red.hex}
+    '';
+    "swaynag/config".text =
       let
         # adding it to the header doesn’t work since the defaults overwrite it
         commonConfig = /* ini */ ''
@@ -401,4 +401,5 @@ in
         text=${lib.substring 1 6 solarized.red.hex}
         ${commonConfig}
       '';
+  };
 })

users/jalr/modules/sway/waybar.nix

@@ -18,7 +18,7 @@ let
   thinsp = " ";
 
   solarized = import ../solarized.nix;
-  solarizedColors = (as: lib.strings.concatLines (lib.attrsets.mapAttrsToList (name: value: let color = solarized."${value}".hex; in "@define-color ${name} ${color};") as));
+  solarizedColors = as: lib.strings.concatLines (lib.attrsets.mapAttrsToList (name: value: let color = solarized."${value}".hex; in "@define-color ${name} ${color};") as);
 in
 {
   # home-manager’s waybar module performs additional checks that are overly strict
@@ -227,7 +227,8 @@ in
       };
     };
 
-  xdg.configFile."waybar/theme-light.css".text = solarizedColors {
+  xdg.configFile = {
+    "waybar/theme-light.css".text = solarizedColors {
       base00 = "base3";
       base01 = "base2";
       base02 = "base1";
@@ -245,7 +246,7 @@ in
       base0E = "violet";
       base0F = "magenta";
     };
-  xdg.configFile."waybar/theme-dark.css".text = solarizedColors {
+    "waybar/theme-dark.css".text = solarizedColors {
       base00 = "base03";
       base01 = "base02";
       base02 = "base01";
@@ -263,7 +264,7 @@ in
       base0E = "violet";
       base0F = "magenta";
     };
-  xdg.configFile."waybar/style.css".text = ''
+    "waybar/style.css".text = ''
       @import "theme.css";
 
       * {
@@ -419,6 +420,7 @@ in
         background-color: @base0B;
       }
     '';
+  };
 
   systemd.user.services.waybar = {
     Unit = {

users/jalr/modules/sway/wofi.nix

@@ -4,7 +4,8 @@ let
   solarized = import ../solarized.nix;
 in
 {
-  xdg.configFile."wofi/color-light".text = lib.strings.concatLines (map (c: solarized."${c}".hex) [
+  xdg.configFile = {
+    "wofi/color-light".text = lib.strings.concatLines (map (c: solarized."${c}".hex) [
       "base3"
       "base2"
       "base1"
@@ -22,7 +23,7 @@ in
       "violet"
       "magenta"
     ]);
-  xdg.configFile."wofi/color-dark".text = lib.strings.concatLines (map (c: solarized."${c}".hex) [
+    "wofi/color-dark".text = lib.strings.concatLines (map (c: solarized."${c}".hex) [
       "base03"
       "base02"
       "base01"
@@ -40,7 +41,7 @@ in
       "violet"
       "magenta"
     ]);
-  xdg.configFile."wofi/style.css".text = ''
+    "wofi/style.css".text = ''
       window {
         margin: 0px;
         border: 3px solid --wofi-color1;
@@ -86,4 +87,5 @@ in
         color: --wofi-color11;
       }
     '';
+  };
 }

users/jalr/modules/thunderbird.nix

@@ -1,7 +1,7 @@
 { nixosConfig, pkgs, ... }:
 {
   programs.thunderbird = {
-    enable = nixosConfig.jalr.gui.enable;
+    inherit (nixosConfig.jalr.gui) enable;
     package = pkgs.thunderbird-esr;
     profiles."default" = {
       isDefault = true;