diff --git a/checks/default.nix b/checks/default.nix
new file mode 100644
index 0000000..80279ba
--- /dev/null
+++ b/checks/default.nix
@@ -0,0 +1,52 @@
+{
+  self,
+  nixpkgs,
+  deploy-rs,
+  system,
+  ...
+}:
+let
+  pkgs = nixpkgs.legacyPackages.${system};
+
+  runNuCheck =
+    {
+      name,
+      packages,
+      check,
+    }:
+    pkgs.stdenvNoCC.mkDerivation {
+      inherit name;
+
+      src = nixpkgs.lib.cleanSourceWith {
+        src = self;
+        filter = nixpkgs.lib.cleanSourceFilter;
+      };
+
+      dontPatch = true;
+      dontConfigure = true;
+      dontBuild = true;
+      dontInstall = true;
+      dontFixup = true;
+      doCheck = true;
+
+      checkInputs = nixpkgs.lib.singleton pkgs.nushell ++ packages;
+
+      checkPhase = ''
+        nu ${check}
+      '';
+    };
+in
+nixpkgs.lib.recursiveUpdate {
+  lints = runNuCheck {
+    name = "lints";
+
+    packages = [
+      pkgs.deadnix
+      pkgs.nixfmt-rfc-style
+      pkgs.shellcheck
+      pkgs.statix
+    ];
+
+    check = ./lints.nu;
+  };
+} (deploy-rs.lib.${system}.deployChecks self.deploy)
diff --git a/checks/lints.nu b/checks/lints.nu
new file mode 100644
index 0000000..ffc2047
--- /dev/null
+++ b/checks/lints.nu
@@ -0,0 +1,39 @@
+#!/usr/bin/env nu
+
+let shell_files = ls **/*.sh | get name
+let nix_files = ls **/*.nix | where name !~ "hardware-configuration.nix|_sources" | get name
+
+let linters = [
+  ([shellcheck] ++ $shell_files)
+  ([nixfmt --check --strict] ++ $nix_files)
+  ([deadnix --fail] ++ $nix_files)
+  ([statix check] ++ $nix_files)
+]
+
+mkdir $env.out
+
+def run-linter [linterArgs: list<string>] {
+  print $'Running ($linterArgs.0)...'
+
+  let exit_code = try {
+    ^$linterArgs.0 ...($linterArgs | skip 1)
+    $env.LAST_EXIT_CODE
+  } catch {|e| $e.exit_code}
+
+  [$linterArgs.0, $exit_code]
+}
+
+let results = $linters | each {|linter| run-linter $linter}
+
+print 'Linter results:'
+
+let success = $results | each {|result|
+  match $result.1 {
+    0 => {print $'(ansi green)($result.0)(ansi reset)'}
+    _ => {print $'(ansi red)($result.0)(ansi reset)'}
+  }
+
+  $result.1
+} | math sum
+
+exit $success
diff --git a/configuration/default.nix b/configuration/default.nix
index f874733..aebea7a 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -1,7 +1,5 @@
 {
   config,
-  pkgs,
-  lib,
   modulesPath,
   flake-inputs,
   ...
@@ -32,13 +30,7 @@
     ./sops.nix
   ];
 
-  nixpkgs.overlays = [
-    (final: prev: {
-      local = import ../pkgs {
-        pkgs = prev;
-      };
-    })
-  ];
+  nixpkgs.overlays = [ (_: prev: { local = import ../pkgs { pkgs = prev; }; }) ];
 
   nix = {
     extraOptions = ''
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
index db563fe..23969f0 100644
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@@ -15,9 +15,7 @@
 
   systemd.network.networks."10-eth0" = {
     matchConfig.Name = "eth0";
-    gateway = [
-      "192.168.9.1"
-    ];
+    gateway = [ "192.168.9.1" ];
     networkConfig = {
       Address = "192.168.9.2/24";
     };
diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix
index 81e3554..baa61e3 100644
--- a/configuration/services/backups.nix
+++ b/configuration/services/backups.nix
@@ -57,7 +57,7 @@ in
       '';
       type = types.attrsOf (
         types.submodule (
-          { config, name, ... }:
+          { name, ... }:
           {
             options = {
               user = lib.mkOption {
@@ -246,7 +246,7 @@ in
         };
       }
       // lib.mapAttrs' (
-        name: backup:
+        name: _:
         lib.nameValuePair "backup-${name}" {
           wantedBy = [ "timers.target" ];
           timerConfig = {
diff --git a/configuration/services/conduit/matrix-hookshot.nix b/configuration/services/conduit/matrix-hookshot.nix
index c1f16dc..6846d99 100644
--- a/configuration/services/conduit/matrix-hookshot.nix
+++ b/configuration/services/conduit/matrix-hookshot.nix
@@ -74,9 +74,7 @@ in
   services.matrix-hookshot = {
     enable = true;
 
-    serviceDependencies = [
-      "conduit.service"
-    ];
+    serviceDependencies = [ "conduit.service" ];
 
     registrationFile = "/run/matrix-hookshot/registration.yaml";
 
@@ -126,15 +124,11 @@ in
       listeners = [
         {
           port = 9000;
-          resources = [
-            "webhooks"
-          ];
+          resources = [ "webhooks" ];
         }
         {
           port = 9001;
-          resources = [
-            "metrics"
-          ];
+          resources = [ "metrics" ];
         }
       ];
 
diff --git a/configuration/services/crowdsec.nix b/configuration/services/crowdsec.nix
index 6e0f367..b736047 100644
--- a/configuration/services/crowdsec.nix
+++ b/configuration/services/crowdsec.nix
@@ -8,9 +8,7 @@
   security.crowdsec = {
     enable = true;
 
-    parserWhitelist = [
-      "10.45.249.2"
-    ];
+    parserWhitelist = [ "10.45.249.2" ];
 
     extraGroups = [
       "systemd-journal"
@@ -21,25 +19,19 @@
       {
         source = "journalctl";
         labels.type = "syslog";
-        journalctl_filter = [
-          "SYSLOG_IDENTIFIER=Nextcloud"
-        ];
+        journalctl_filter = [ "SYSLOG_IDENTIFIER=Nextcloud" ];
       }
 
       {
         source = "journalctl";
         labels.type = "syslog";
-        journalctl_filter = [
-          "SYSLOG_IDENTIFIER=sshd-session"
-        ];
+        journalctl_filter = [ "SYSLOG_IDENTIFIER=sshd-session" ];
       }
 
       {
         labels.type = "nginx";
         filenames =
-          [
-            "/var/log/nginx/*.log"
-          ]
+          [ "/var/log/nginx/*.log" ]
           ++ lib.mapAttrsToList (
             vHost: _: "/var/log/nginx/${vHost}/access.log"
           ) config.services.nginx.virtualHosts;
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index 80a3480..52c2a46 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -74,7 +74,7 @@ in
         listenAddress = "127.0.0.1";
         group = "nginx";
 
-        settings.namespaces = lib.mapAttrsToList (name: virtualHost: {
+        settings.namespaces = lib.mapAttrsToList (name: _: {
           inherit name;
           metrics_override.prefix = "nginxlog";
           namespace_label = "vhost";
diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix
index d69ecfb..a0c35b6 100644
--- a/configuration/services/metrics/options.nix
+++ b/configuration/services/metrics/options.nix
@@ -38,7 +38,7 @@ in
     services.victoriametrics.scrapeConfigs = mkOption {
       type = types.attrsOf (
         types.submodule (
-          { name, self, ... }:
+          { name, ... }:
           {
             options = {
               job_name = mkOption {
@@ -212,7 +212,7 @@ in
 
     services.victoriametrics.scrapeConfigs =
       let
-        allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) (
+        allExporters = lib.mapAttrs (_: exporter: { inherit (exporter) listenAddress port; }) (
           (lib.filterAttrs (
             name: exporter:
             # A bunch of deprecated exporters that need to be ignored
diff --git a/configuration/services/metrics/victorialogs.nix b/configuration/services/metrics/victorialogs.nix
index ae47c39..413659a 100644
--- a/configuration/services/metrics/victorialogs.nix
+++ b/configuration/services/metrics/victorialogs.nix
@@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}:
+{ config, lib, ... }:
 let
   cfg = config.services.victorialogs;
 in
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index b5cb691..5790cdf 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -15,12 +15,12 @@ in
     package = nextcloud;
     phpPackage = lib.mkForce (
       pkgs.php.override {
-        packageOverrides = final: prev: {
+        packageOverrides = _: prev: {
           extensions = prev.extensions // {
-            pgsql = prev.extensions.pgsql.overrideAttrs (old: {
+            pgsql = prev.extensions.pgsql.overrideAttrs (_: {
               configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package}" ];
             });
-            pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (old: {
+            pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (_: {
               configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package}" ];
             });
           };
diff --git a/flake.nix b/flake.nix
index bdb60ed..6747c24 100644
--- a/flake.nix
+++ b/flake.nix
@@ -96,7 +96,7 @@
       #########
       # Tests #
       #########
-      checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+      checks.${system} = import ./checks (inputs // { inherit system; });
 
       ###########################
       # Garbage collection root #
diff --git a/modules/crowdsec/default.nix b/modules/crowdsec/default.nix
index c0003a5..ac93c4a 100644
--- a/modules/crowdsec/default.nix
+++ b/modules/crowdsec/default.nix
@@ -267,9 +267,7 @@ in
       };
     };
 
-    systemd.packages = [
-      cfg.package
-    ];
+    systemd.packages = [ cfg.package ];
 
     environment = {
       systemPackages = [
diff --git a/modules/crowdsec/remediations/cs-firewall-bouncer.nix b/modules/crowdsec/remediations/cs-firewall-bouncer.nix
index aa70552..2769432 100644
--- a/modules/crowdsec/remediations/cs-firewall-bouncer.nix
+++ b/modules/crowdsec/remediations/cs-firewall-bouncer.nix
@@ -31,9 +31,7 @@ in
     security.crowdsec.remediationComponents.firewallBouncer.settings = {
       mode = lib.mkDefault "${if config.networking.nftables.enable then "nftables" else "iptables"}";
       log_mode = "stdout";
-      iptables_chains = [
-        "nixos-fw"
-      ];
+      iptables_chains = [ "nixos-fw" ];
 
       # Don't let users easily override this; unfortunately we need to
       # set up this key through substitution at runtime.
@@ -78,9 +76,7 @@ in
           requiredBy = [ "crowdsec.service" ];
 
           path =
-            lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [
-              pkgs.ipset
-            ]
+            lib.optionals (cfg.settings.mode == "ipset" || cfg.settings.mode == "iptables") [ pkgs.ipset ]
             ++ lib.optional (cfg.settings.mode == "iptables") pkgs.iptables
             ++ lib.optional (cfg.settings.mode == "nftables") pkgs.nftables;
         };
diff --git a/modules/crowdsec/remediations/default.nix b/modules/crowdsec/remediations/default.nix
index 7df6ade..c3c0790 100644
--- a/modules/crowdsec/remediations/default.nix
+++ b/modules/crowdsec/remediations/default.nix
@@ -1,5 +1 @@
-{
-  imports = [
-    ./cs-firewall-bouncer.nix
-  ];
-}
+{ imports = [ ./cs-firewall-bouncer.nix ]; }
diff --git a/pkgs/crowdsec/hub.nix b/pkgs/crowdsec/hub.nix
index d057ca8..1b8c9b3 100644
--- a/pkgs/crowdsec/hub.nix
+++ b/pkgs/crowdsec/hub.nix
@@ -1,4 +1 @@
-{
-  sources,
-}:
-sources.crowdsec-hub.src
+{ sources }: sources.crowdsec-hub.src