style: eliminate duplicate keys

2025-12-06 17:17:22 +01:00 · 2025-03-21 20:16:37 +01:00 · 2025-03-21 20:16:37 +01:00 · c997e9174e
commit c997e9174e
parent 658d2bb7ba
15 changed files with 1314 additions and 1249 deletions
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@ -1080,11 +1080,19 @@ My work machine. Built for more security, this is the gold standard of my config
        esac
      '';
-    boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
+    boot = {
-    boot.initrd.kernelModules = [ "sg" ];
+      initrd = {
-    boot.kernelModules = [ "kvm-amd" ];
+        availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
        kernelModules = [ "sg" ];
        luks.devices."cryptroot" = {
          # improve performance on ssds
          bypassWorkqueues = true;
          preLVM = true;
        };
      };
-    boot.kernelParams = [
+      kernelModules = [ "kvm-amd" ];
      kernelParams = [
        "mem_sleep_default=deep"
        "amd_pstate=passive"
        # Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
@ -1097,11 +1105,7 @@ My work machine. Built for more security, this is the gold standard of my config
        "amdgpu.dcdebugmask=0x410"
      ];
-    boot.extraModulePackages = [ ];
+      extraModulePackages = [ ];
    boot.initrd.luks.devices."cryptroot" = {
      # improve performance on ssds
      bypassWorkqueues = true;
      preLVM = true;
    };
    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -1291,25 +1295,29 @@ This is my main server that I run at home. It handles most tasks that require bi
        (modulesPath + "/installer/scan/not-detected.nix")
      ];
-    boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+    boot = {
-    boot.initrd.kernelModules = [ ];
+      initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
-    boot.kernelModules = [ "kvm-intel" ];
+      initrd.kernelModules = [ ];
-    boot.extraModulePackages = [ ];
+      kernelModules = [ "kvm-intel" ];
      extraModulePackages = [ ];
-    boot.supportedFilesystems = [ "zfs" ];
+      supportedFilesystems = [ "zfs" ];
-    boot.zfs.extraPools = [ "Vault" ];
+      zfs.extraPools = [ "Vault" ];
    };
-    fileSystems."/" =
+    fileSystems = {
      "/" =
        {
          device = "/dev/disk/by-uuid/30e2f96a-b01d-4c27-9ebb-d5d7e9f0031f";
          fsType = "ext4";
        };
-    fileSystems."/boot" =
+      "/boot" =
        {
          device = "/dev/disk/by-uuid/F0D8-8BD1";
          fsType = "vfat";
        };
    };
    swapDevices =
      [{ device = "/dev/disk/by-uuid/a8eb6f3b-69bf-4160-90aa-9247abc108e0"; }];
@ -1454,7 +1462,38 @@ This machine mainly acts as an external sync helper. It manages the following th
      defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml";
    };
-    services.nginx = {
+    boot = {
      tmp.cleanOnBoot = true;
      loader.grub.device = "nodev";
    };
    zramSwap.enable = false;
    networking = {
      nftables.enable = lib.mkForce false;
      hostName = "sync";
      enableIPv6 = false;
      domain = "subnet03112148.vcn03112148.oraclevcn.com";
      firewall = {
        allowedTCPPorts = [ 8384 22000 ];
        allowedUDPPorts = [ 21027 22000 ];
        extraCommands = ''
          iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
          iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
          iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
          iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
          iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
          iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
          iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
          iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
          iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
        '';
      };
    };
    # system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
    services = {
      nginx = {
        virtualHosts = {
          "sync.swarsel.win" = {
            enableACME = true;
@ -1472,40 +1511,13 @@ This machine mainly acts as an external sync helper. It manages the following th
        };
      };
    boot = {
      tmp.cleanOnBoot = true;
      loader.grub.device = "nodev";
    };
    zramSwap.enable = false;
    networking = {
      nftables.enable = lib.mkForce false;
      firewall.allowedTCPPorts = [ 8384 22000 ];
      firewall.allowedUDPPorts = [ 21027 22000 ];
      hostName = "sync";
      enableIPv6 = false;
      domain = "subnet03112148.vcn03112148.oraclevcn.com";
      firewall.extraCommands = ''
        iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
      '';
    };
    # system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
      # do not manage OCI syncthing through nix config
-    services.syncthing = {
+      syncthing = {
        enable = true;
        guiAddress = "0.0.0.0:8384";
        openDefaultPorts = true;
      };
    };
    swarselsystems = {
@ -4947,17 +4959,19 @@ Needed for control over system-wide privileges etc. Also I make sure that the ro
  _:
  {
-    security.pam.services = {
+    security = {
      pam.services = {
        login.u2fAuth = true;
        sudo.u2fAuth = true;
        swaylock.u2fAuth = true;
        swaylock.fprintAuth = false;
      };
-    security.polkit.enable = true;
+      polkit.enable = true;
-    security.sudo.extraConfig = ''
+      sudo.extraConfig = ''
        Defaults    env_keep+=SSH_AUTH_SOCK
      '';
    };
  }
 #+end_src
@ -6442,9 +6456,11 @@ Here we just define some aliases for rebuilding the system, and we allow some in
    security.acme = {
      acceptTerms = true;
      preliminarySelfsigned = false;
-      defaults.email = "mrswarsel@gmail.com";
+      defaults = {
-      defaults.dnsProvider = "cloudflare";
+        email = "mrswarsel@gmail.com";
-      defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
+        dnsProvider = "cloudflare";
        environmentFile = "${config.sops.templates."certs.secret".path}";
      };
    };
    services.nginx = {
@ -6879,7 +6895,37 @@ Here we just define some aliases for rebuilding the system, and we allow some in
        };
      };
-      services.postgresql = {
+      systemd = {
        timers."restart-bridges" = {
          wantedBy = [ "timers.target" ];
          timerConfig = {
            OnBootSec = "1d";
            OnUnitActiveSec = "1d";
            Unit = "restart-bridges.service";
          };
        };
        services = {
          "restart-bridges" = {
            script = ''
              systemctl restart mautrix-whatsapp.service
              systemctl restart mautrix-signal.service
              systemctl restart mautrix-telegram.service
            '';
            serviceConfig = {
              Type = "oneshot";
              User = "root";
            };
          };
          mautrix-telegram.path = with pkgs; [
            lottieconverter # for animated stickers conversion, unfree package
            ffmpeg # if converting animated stickers to webm (very slow!)
          ];
        };
      };
      services = {
        postgresql = {
          enable = true;
          initialScript = pkgs.writeText "synapse-init.sql" ''
            CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
@ -6905,7 +6951,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
          '';
        };
-      services.matrix-synapse = {
+        matrix-synapse = {
          enable = true;
          settings = {
            app_service_config_files = [
@ -6940,7 +6986,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
          ];
        };
-      services.mautrix-telegram = {
+        mautrix-telegram = {
          enable = true;
          environmentFile = config.sops.templates.mautrixtelegram.path;
          settings = {
@ -6985,12 +7031,8 @@ Here we just define some aliases for rebuilding the system, and we allow some in
            };
          };
        };
      systemd.services.mautrix-telegram.path = with pkgs; [
        lottieconverter # for animated stickers conversion, unfree package
        ffmpeg # if converting animated stickers to webm (very slow!)
      ];
-      services.mautrix-whatsapp = {
+        mautrix-whatsapp = {
          enable = true;
          registerToSynapse = false;
          settings = {
@ -7037,7 +7079,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
          };
        };
-      services.mautrix-signal = {
+        mautrix-signal = {
          enable = true;
          registerToSynapse = false;
          settings = {
@ -7072,28 +7114,8 @@ Here we just define some aliases for rebuilding the system, and we allow some in
        # restart the bridges daily. this is done for the signal bridge mainly which stops carrying
        # messages out after a while.
      systemd.timers."restart-bridges" = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "1d";
          OnUnitActiveSec = "1d";
          Unit = "restart-bridges.service";
        };
      };
-      systemd.services."restart-bridges" = {
+        nginx = {
        script = ''
          systemctl restart mautrix-whatsapp.service
          systemctl restart mautrix-signal.service
          systemctl restart mautrix-telegram.service
        '';
        serviceConfig = {
          Type = "oneshot";
          User = "root";
        };
      };
      services.nginx = {
          virtualHosts = {
            "swatrix.swarsel.win" = {
              enableACME = true;
@ -7142,6 +7164,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
          };
        };
      };
    };
  }
@ -7164,7 +7187,8 @@ Here we just define some aliases for rebuilding the system, and we allow some in
        mode = "0440";
      };
-      services.nextcloud = {
+      services = {
        nextcloud = {
          enable = true;
          package = pkgs.nextcloud31;
          hostName = "stash.swarsel.win";
@ -7183,8 +7207,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
          };
        };
-
+        nginx = {
      services.nginx = {
          virtualHosts = {
            "stash.swarsel.win" = {
              enableACME = true;
@ -7196,6 +7219,7 @@ Here we just define some aliases for rebuilding the system, and we allow some in
          };
        };
      };
    };
  }
 #+end_src
@ -7617,15 +7641,20 @@ This section exposes several metrics that I use to check the health of my server
        };
      };
-      users.users.nextcloud-exporter = {
+      users = {
        users = {
          nextcloud-exporter = {
            extraGroups = [ "nextcloud" ];
          };
-      users.users.grafana = {
+          grafana = {
            extraGroups = [ "users" ];
          };
        };
      };
-      services.grafana = {
+      services = {
        grafana = {
          enable = true;
          dataDir = "/Vault/data/grafana";
          provision = {
@ -7668,7 +7697,7 @@ This section exposes several metrics that I use to check the health of my server
          };
        };
-      services.prometheus = {
+        prometheus = {
          enable = true;
          webExternalUrl = "https://status.swarsel.win/prometheus";
          port = 9090;
@ -7738,7 +7767,7 @@ This section exposes several metrics that I use to check the health of my server
        };
-      services.nginx = {
+        nginx = {
          virtualHosts = {
            "status.swarsel.win" = {
              enableACME = true;
@ -7762,6 +7791,7 @@ This section exposes several metrics that I use to check the health of my server
          };
        };
      };
    };
  }
 #+end_src
@ -9575,26 +9605,29 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
 #+begin_src nix :tangle profiles/home/common/mail.nix
  { lib, config, ... }:
  {
-    programs.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
+    programs = {
      mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
        enable = true;
      };
      msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
        enable = true;
      };
      mu = lib.mkIf (!config.swarselsystems.isPublic) {
        enable = true;
      };
    };
    services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
      enable = true;
    };
    # this is needed so that mbsync can use the passwords from sops
    systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ];
-    programs.msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
+    accounts = {
-      enable = true;
+      email = lib.mkIf (!config.swarselsystems.isPublic) {
    };
    programs.mu = lib.mkIf (!config.swarselsystems.isPublic) {
      enable = true;
    };
    accounts.email = lib.mkIf (!config.swarselsystems.isPublic) {
        maildirBasePath = "Mail";
-      accounts.leon = {
+        accounts = {
          leon = {
            primary = true;
            address = "leon.schwarzaeugl@gmail.com";
            userName = "leon.schwarzaeugl@gmail.com";
@ -9627,7 +9660,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
            };
          };
-      accounts.swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
+          swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
            address = "leon@swarsel.win";
            userName = "8227dc594dd515ce232eda1471cb9a19";
            realName = "Leon Schwarzäugl";
@ -9649,7 +9682,7 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
            };
          };
-      accounts.nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
+          nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
            primary = false;
            address = "nautilus.dw@gmail.com";
            userName = "nautilus.dw@gmail.com";
@ -9675,7 +9708,8 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
              };
            };
          };
-      accounts.mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
+
          mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
            primary = false;
            address = "mrswarsel@gmail.com";
            userName = "mrswarsel@gmail.com";
@ -9701,6 +9735,9 @@ Normally I use 4 mail accounts - here I set them all up. Three of them are Googl
              };
            };
          };
        };
      };
    };
  }
 #+end_src
@ -15107,21 +15144,3 @@ This file defines a few workflows that I often need to run when working on my co
    rsync -av --filter=':- .gitignore' -e "ssh -l {{USER}}" . {{USER}}@{{HOST}}:.dotfiles/
 #+end_src
 ** statix.toml
 :PROPERTIES:
 :CUSTOM_ID: h:d4dcb884-f24f-4786-8fa6-9f36c88a706e
 :END:
 This file is used to tell =statix= which checks and folders/fiels to ignore, as well as to specify the nix version that it should use.
 I need this mainly to disable the =repeated_keys= check, which checks if there is an attribute set called twice without stepping into it. While in general this should be avoided, since I am tangling some files and need to use the top-level attribute in each org-src block, the check would fail for all these cases.
 #+begin_src toml :tangle statix.toml
  disabled = [
  "repeated_keys"
  ]
  nix_version = '2.4'
  ignore = ['.direnv']
 #+end_src
--- a/hosts/nixos/chaostheatre/hardware-configuration.nix
+++ b/hosts/nixos/chaostheatre/hardware-configuration.nix
@ -9,21 +9,25 @@
      (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot = {
-  boot.initrd.kernelModules = [ ];
+    initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
-  boot.kernelModules = [ "kvm-amd" ];
+    initrd.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
-  fileSystems."/" = {
+  fileSystems = {
    "/" = {
      device = "/dev/disk-by-uuid/d2a8fad0-373e-4bcf-8e75-d9b5ef94199c";
      fsType = "ext4";
    };
-  fileSystems."/boot" = {
+    "/boot" = {
      device = "/dev/disk-by-uuid/5CF0-A66E";
      fsType = "vfat";
      options = [ "fmask=0077" "dmask=0077" ];
    };
  };
  swapDevices = [ ];
--- a/hosts/nixos/nbl-imba-2/hardware-configuration.nix
+++ b/hosts/nixos/nbl-imba-2/hardware-configuration.nix
@ -21,11 +21,19 @@
      esac
    '';
-  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
+  boot = {
-  boot.initrd.kernelModules = [ "sg" ];
+    initrd = {
-  boot.kernelModules = [ "kvm-amd" ];
+      availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "cryptd" "usbhid" "sd_mod" "r8152" ];
      kernelModules = [ "sg" ];
      luks.devices."cryptroot" = {
        # improve performance on ssds
        bypassWorkqueues = true;
        preLVM = true;
      };
    };
-  boot.kernelParams = [
+    kernelModules = [ "kvm-amd" ];
    kernelParams = [
      "mem_sleep_default=deep"
      "amd_pstate=passive"
      # Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
@ -38,11 +46,7 @@
      "amdgpu.dcdebugmask=0x410"
    ];
-  boot.extraModulePackages = [ ];
+    extraModulePackages = [ ];
  boot.initrd.luks.devices."cryptroot" = {
    # improve performance on ssds
    bypassWorkqueues = true;
    preLVM = true;
  };
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
--- a/hosts/nixos/sync/default.nix
+++ b/hosts/nixos/sync/default.nix
@ -20,7 +20,38 @@ in
    defaultSopsFile = lib.mkForce "/root/.dotfiles/secrets/sync/secrets.yaml";
  };
-  services.nginx = {
+  boot = {
    tmp.cleanOnBoot = true;
    loader.grub.device = "nodev";
  };
  zramSwap.enable = false;
  networking = {
    nftables.enable = lib.mkForce false;
    hostName = "sync";
    enableIPv6 = false;
    domain = "subnet03112148.vcn03112148.oraclevcn.com";
    firewall = {
      allowedTCPPorts = [ 8384 22000 ];
      allowedUDPPorts = [ 21027 22000 ];
      extraCommands = ''
        iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
        iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
      '';
    };
  };
  # system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
  services = {
    nginx = {
      virtualHosts = {
        "sync.swarsel.win" = {
          enableACME = true;
@ -38,40 +69,13 @@ in
      };
    };
  boot = {
    tmp.cleanOnBoot = true;
    loader.grub.device = "nodev";
  };
  zramSwap.enable = false;
  networking = {
    nftables.enable = lib.mkForce false;
    firewall.allowedTCPPorts = [ 8384 22000 ];
    firewall.allowedUDPPorts = [ 21027 22000 ];
    hostName = "sync";
    enableIPv6 = false;
    domain = "subnet03112148.vcn03112148.oraclevcn.com";
    firewall.extraCommands = ''
      iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 27701 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 8384 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 22000 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p udp --dport 22000 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p udp --dport 21027 -j ACCEPT
      iptables -I INPUT -m state --state NEW -p tcp --dport 9812 -j ACCEPT
    '';
  };
  # system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
    # do not manage OCI syncthing through nix config
-  services.syncthing = {
+    syncthing = {
      enable = true;
      guiAddress = "0.0.0.0:8384";
      openDefaultPorts = true;
    };
  };
  swarselsystems = {
--- a/hosts/nixos/sync/hardware-configuration.nix
+++ b/hosts/nixos/sync/hardware-configuration.nix
@ -7,20 +7,24 @@
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
+  boot = {
-  boot.initrd.kernelModules = [ ];
+    initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" ];
-  boot.kernelModules = [ "kvm-amd" ];
+    initrd.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
-  fileSystems."/" = {
+  fileSystems = {
    "/" = {
      device = "/dev/disk/by-uuid/4b47378a-02eb-4548-bab8-59cbf379252a";
      fsType = "xfs";
    };
-  fileSystems."/boot" = {
+    "/boot" = {
      device = "/dev/disk/by-uuid/2B75-2AD5";
      fsType = "vfat";
    };
  };
  swapDevices = [
    { device = "/dev/disk/by-uuid/f0126a93-753e-4769-ada8-7499a1efb3a9"; }
--- a/hosts/nixos/toto/hardware-configuration.nix
+++ b/hosts/nixos/toto/hardware-configuration.nix
@ -9,10 +9,12 @@
      (modulesPath + "/profiles/qemu-guest.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot = {
-  boot.initrd.kernelModules = [ ];
+    initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
-  boot.kernelModules = [ "kvm-amd" ];
+    initrd.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+    kernelModules = [ "kvm-amd" ];
    extraModulePackages = [ ];
  };
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/hosts/nixos/winters/hardware-configuration.nix
+++ b/hosts/nixos/winters/hardware-configuration.nix
@ -6,25 +6,29 @@
      (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
+  boot = {
-  boot.initrd.kernelModules = [ ];
+    initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
-  boot.kernelModules = [ "kvm-intel" ];
+    initrd.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+    kernelModules = [ "kvm-intel" ];
    extraModulePackages = [ ];
-  boot.supportedFilesystems = [ "zfs" ];
+    supportedFilesystems = [ "zfs" ];
-  boot.zfs.extraPools = [ "Vault" ];
+    zfs.extraPools = [ "Vault" ];
  };
-  fileSystems."/" =
+  fileSystems = {
    "/" =
      {
        device = "/dev/disk/by-uuid/30e2f96a-b01d-4c27-9ebb-d5d7e9f0031f";
        fsType = "ext4";
      };
-  fileSystems."/boot" =
+    "/boot" =
      {
        device = "/dev/disk/by-uuid/F0D8-8BD1";
        fsType = "vfat";
      };
  };
  swapDevices =
    [{ device = "/dev/disk/by-uuid/a8eb6f3b-69bf-4160-90aa-9247abc108e0"; }];
--- a/profiles/home/common/mail.nix
+++ b/profiles/home/common/mail.nix
@ -1,25 +1,28 @@
 { lib, config, ... }:
 {
-  programs.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
+  programs = {
    mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
      enable = true;
    };
    msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
      enable = true;
    };
    mu = lib.mkIf (!config.swarselsystems.isPublic) {
      enable = true;
    };
  };
  services.mbsync = lib.mkIf (!config.swarselsystems.isPublic) {
    enable = true;
  };
  # this is needed so that mbsync can use the passwords from sops
  systemd.user.services.mbsync.Unit.After = lib.mkIf (!config.swarselsystems.isPublic) [ "sops-nix.service" ];
-  programs.msmtp = lib.mkIf (!config.swarselsystems.isPublic) {
+  accounts = {
-    enable = true;
+    email = lib.mkIf (!config.swarselsystems.isPublic) {
  };
  programs.mu = lib.mkIf (!config.swarselsystems.isPublic) {
    enable = true;
  };
  accounts.email = lib.mkIf (!config.swarselsystems.isPublic) {
      maildirBasePath = "Mail";
-    accounts.leon = {
+      accounts = {
        leon = {
          primary = true;
          address = "leon.schwarzaeugl@gmail.com";
          userName = "leon.schwarzaeugl@gmail.com";
@ -52,7 +55,7 @@
          };
        };
-    accounts.swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
+        swarsel = lib.mkIf (!config.swarselsystems.isPublic) {
          address = "leon@swarsel.win";
          userName = "8227dc594dd515ce232eda1471cb9a19";
          realName = "Leon Schwarzäugl";
@ -74,7 +77,7 @@
          };
        };
-    accounts.nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
+        nautilus = lib.mkIf (!config.swarselsystems.isPublic) {
          primary = false;
          address = "nautilus.dw@gmail.com";
          userName = "nautilus.dw@gmail.com";
@ -100,7 +103,8 @@
            };
          };
        };
-    accounts.mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
+
        mrswarsel = lib.mkIf (!config.swarselsystems.isPublic) {
          primary = false;
          address = "mrswarsel@gmail.com";
          userName = "mrswarsel@gmail.com";
@ -126,5 +130,8 @@
            };
          };
        };
      };
    };
  };
 }
--- a/profiles/nixos/common/polkit.nix
+++ b/profiles/nixos/common/polkit.nix
@ -1,16 +1,18 @@
 _:
 {
-  security.pam.services = {
+  security = {
    pam.services = {
      login.u2fAuth = true;
      sudo.u2fAuth = true;
      swaylock.u2fAuth = true;
      swaylock.fprintAuth = false;
    };
-  security.polkit.enable = true;
+    polkit.enable = true;
-  security.sudo.extraConfig = ''
+    sudo.extraConfig = ''
      Defaults    env_keep+=SSH_AUTH_SOCK
    '';
  };
 }
--- a/profiles/nixos/server/matrix.nix
+++ b/profiles/nixos/server/matrix.nix
@ -49,7 +49,37 @@ in
      };
    };
-    services.postgresql = {
+    systemd = {
      timers."restart-bridges" = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "1d";
          OnUnitActiveSec = "1d";
          Unit = "restart-bridges.service";
        };
      };
      services = {
        "restart-bridges" = {
          script = ''
            systemctl restart mautrix-whatsapp.service
            systemctl restart mautrix-signal.service
            systemctl restart mautrix-telegram.service
          '';
          serviceConfig = {
            Type = "oneshot";
            User = "root";
          };
        };
        mautrix-telegram.path = with pkgs; [
          lottieconverter # for animated stickers conversion, unfree package
          ffmpeg # if converting animated stickers to webm (very slow!)
        ];
      };
    };
    services = {
      postgresql = {
        enable = true;
        initialScript = pkgs.writeText "synapse-init.sql" ''
          CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
@ -75,7 +105,7 @@ in
        '';
      };
-    services.matrix-synapse = {
+      matrix-synapse = {
        enable = true;
        settings = {
          app_service_config_files = [
@ -110,7 +140,7 @@ in
        ];
      };
-    services.mautrix-telegram = {
+      mautrix-telegram = {
        enable = true;
        environmentFile = config.sops.templates.mautrixtelegram.path;
        settings = {
@ -155,12 +185,8 @@ in
          };
        };
      };
    systemd.services.mautrix-telegram.path = with pkgs; [
      lottieconverter # for animated stickers conversion, unfree package
      ffmpeg # if converting animated stickers to webm (very slow!)
    ];
-    services.mautrix-whatsapp = {
+      mautrix-whatsapp = {
        enable = true;
        registerToSynapse = false;
        settings = {
@ -207,7 +233,7 @@ in
        };
      };
-    services.mautrix-signal = {
+      mautrix-signal = {
        enable = true;
        registerToSynapse = false;
        settings = {
@ -242,28 +268,8 @@ in
      # restart the bridges daily. this is done for the signal bridge mainly which stops carrying
      # messages out after a while.
    systemd.timers."restart-bridges" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnBootSec = "1d";
        OnUnitActiveSec = "1d";
        Unit = "restart-bridges.service";
      };
    };
-    systemd.services."restart-bridges" = {
+      nginx = {
      script = ''
        systemctl restart mautrix-whatsapp.service
        systemctl restart mautrix-signal.service
        systemctl restart mautrix-telegram.service
      '';
      serviceConfig = {
        Type = "oneshot";
        User = "root";
      };
    };
    services.nginx = {
        virtualHosts = {
          "swatrix.swarsel.win" = {
            enableACME = true;
@ -312,6 +318,7 @@ in
        };
      };
    };
  };
 }
--- a/profiles/nixos/server/monitoring.nix
+++ b/profiles/nixos/server/monitoring.nix
@ -11,15 +11,20 @@
      };
    };
-    users.users.nextcloud-exporter = {
+    users = {
      users = {
        nextcloud-exporter = {
          extraGroups = [ "nextcloud" ];
        };
-    users.users.grafana = {
+        grafana = {
          extraGroups = [ "users" ];
        };
      };
    };
-    services.grafana = {
+    services = {
      grafana = {
        enable = true;
        dataDir = "/Vault/data/grafana";
        provision = {
@ -62,7 +67,7 @@
        };
      };
-    services.prometheus = {
+      prometheus = {
        enable = true;
        webExternalUrl = "https://status.swarsel.win/prometheus";
        port = 9090;
@ -132,7 +137,7 @@
      };
-    services.nginx = {
+      nginx = {
        virtualHosts = {
          "status.swarsel.win" = {
            enableACME = true;
@ -156,5 +161,6 @@
        };
      };
    };
  };
 }
--- a/profiles/nixos/server/nextcloud.nix
+++ b/profiles/nixos/server/nextcloud.nix
@ -8,7 +8,8 @@
      mode = "0440";
    };
-    services.nextcloud = {
+    services = {
      nextcloud = {
        enable = true;
        package = pkgs.nextcloud31;
        hostName = "stash.swarsel.win";
@ -27,8 +28,7 @@
        };
      };
-
+      nginx = {
    services.nginx = {
        virtualHosts = {
          "stash.swarsel.win" = {
            enableACME = true;
@ -40,5 +40,6 @@
        };
      };
    };
  };
 }
--- a/profiles/nixos/server/nginx.nix
+++ b/profiles/nixos/server/nginx.nix
@ -17,9 +17,11 @@
  security.acme = {
    acceptTerms = true;
    preliminarySelfsigned = false;
-    defaults.email = "mrswarsel@gmail.com";
+    defaults = {
-    defaults.dnsProvider = "cloudflare";
+      email = "mrswarsel@gmail.com";
-    defaults.environmentFile = "${config.sops.templates."certs.secret".path}";
+      dnsProvider = "cloudflare";
      environmentFile = "${config.sops.templates."certs.secret".path}";
    };
  };
  services.nginx = {
--- a/statix.toml
+++ b/statix.toml
@ -1,5 +0,0 @@
 disabled = [
 "repeated_keys"
 ]
 nix_version = '2.4'
 ignore = ['.direnv']
--- a/templates/python/flake.nix
+++ b/templates/python/flake.nix
@ -13,15 +13,19 @@
    uv2nix = {
      url = "github:pyproject-nix/uv2nix";
-      inputs.pyproject-nix.follows = "pyproject-nix";
+      inputs = {
-      inputs.nixpkgs.follows = "nixpkgs";
+        pyproject-nix.follows = "pyproject-nix";
        nixpkgs.follows = "nixpkgs";
      };
    };
    pyproject-build-systems = {
      url = "github:pyproject-nix/build-system-pkgs";
-      inputs.pyproject-nix.follows = "pyproject-nix";
+      inputs = {
-      inputs.uv2nix.follows = "uv2nix";
+        pyproject-nix.follows = "pyproject-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
+        uv2nix.follows = "uv2nix";
        nixpkgs.follows = "nixpkgs";
      };
    };
  };