diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
index df9d62b..cee878d 100644
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -1,9 +1,6 @@
 # Run this command to always ignore formatting commits in `git blame`
 # git config blame.ignoreRevsFile .git-blame-ignore-revs
 
-# Switch to nixfmt formatting
-04f7a7ef1d38906163afc9cddfa8ce2b0ebf3b45
-
 # Switch to nixpkgs-fmt formatting
 fd138d45e6a2cad89fead6e9f246ba282070d6b7
 
diff --git a/configuration/default.nix b/configuration/default.nix
index 333488b..792a4c9 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -1,12 +1,10 @@
-{
-  config,
-  pkgs,
-  lib,
-  modulesPath,
-  flake-inputs,
-  ...
-}:
-{
+{ config
+, pkgs
+, lib
+, modulesPath
+, flake-inputs
+, ...
+}: {
   imports = [
     flake-inputs.disko.nixosModules.disko
     flake-inputs.sops-nix.nixosModules.sops
@@ -53,10 +51,7 @@
 
   # Optimization for minecraft servers, see:
   # https://bugs.mojang.com/browse/MC-183518
-  boot.kernelParams = [
-    "highres=off"
-    "nohz=off"
-  ];
+  boot.kernelParams = [ "highres=off" "nohz=off" ];
 
   networking = {
     usePredictableInterfaceNames = false;
diff --git a/configuration/hardware-specific/hetzner/default.nix b/configuration/hardware-specific/hetzner/default.nix
index 6795377..3106f19 100644
--- a/configuration/hardware-specific/hetzner/default.nix
+++ b/configuration/hardware-specific/hetzner/default.nix
@@ -25,7 +25,9 @@
         };
       }
       # IPv6
-      { addressConfig.Address = "2a01:4f8:10b:3c85::2/64"; }
+      {
+        addressConfig.Address = "2a01:4f8:10b:3c85::2/64";
+      }
     ];
 
     networkConfig = {
diff --git a/configuration/hardware-specific/hetzner/disko.nix b/configuration/hardware-specific/hetzner/disko.nix
index cc15471..a2ea764 100644
--- a/configuration/hardware-specific/hetzner/disko.nix
+++ b/configuration/hardware-specific/hetzner/disko.nix
@@ -19,10 +19,7 @@
         };
       };
 
-      mountOptions = [
-        "compress=zstd"
-        "noatime"
-      ];
+      mountOptions = [ "compress=zstd" "noatime" ];
     in
     {
       sda = {
@@ -57,15 +54,7 @@
                 type = "btrfs";
                 # Hack to get multi-device btrfs going
                 # See https://github.com/nix-community/disko/issues/99
-                extraArgs = [
-                  "-d"
-                  "raid1"
-                  "-m"
-                  "raid1"
-                  "--runtime-features"
-                  "quota"
-                  "/dev/sda3"
-                ];
+                extraArgs = [ "-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3" ];
                 subvolumes = {
                   "/volume" = { };
                   "/volume/root" = {
diff --git a/configuration/hardware-specific/vm.nix b/configuration/hardware-specific/vm.nix
index 1783956..86fcaed 100644
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@@ -1,5 +1,4 @@
-{ lib, ... }:
-{
+{ lib, ... }: {
   users.users.tlater.password = "insecure";
 
   # Disable graphical tty so -curses works
diff --git a/configuration/nginx.nix b/configuration/nginx.nix
index b38118b..d696bba 100644
--- a/configuration/nginx.nix
+++ b/configuration/nginx.nix
@@ -1,5 +1,7 @@
-{ config, lib, ... }:
-{
+{ config
+, lib
+, ...
+}: {
   services.nginx = {
     enable = true;
     recommendedTlsSettings = true;
@@ -24,23 +26,26 @@
       # Override the default, just keep fewer logs
       nginx.rotate = 6;
     }
-    // lib.mapAttrs' (
-      virtualHost: _:
-      lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
-        frequency = "daily";
-        rotate = 2;
-        compress = true;
-        delaycompress = true;
-        su = "${config.services.nginx.user} ${config.services.nginx.group}";
-        postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
-      }
-    ) config.services.nginx.virtualHosts;
+    // lib.mapAttrs'
+      (virtualHost: _:
+        lib.nameValuePair "/var/log/nginx/${virtualHost}/access.log" {
+          frequency = "daily";
+          rotate = 2;
+          compress = true;
+          delaycompress = true;
+          su = "${config.services.nginx.user} ${config.services.nginx.group}";
+          postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
+        })
+      config.services.nginx.virtualHosts;
 
-  systemd.tmpfiles.rules = lib.mapAttrsToList (
-    virtualHost: _:
-    #
-    "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
-  ) config.services.nginx.virtualHosts;
+  systemd.tmpfiles.rules =
+    lib.mapAttrsToList
+      (
+        virtualHost: _:
+          #
+          "d /var/log/nginx/${virtualHost} 0750 ${config.services.nginx.user} ${config.services.nginx.group}"
+      )
+      config.services.nginx.virtualHosts;
 
   security.acme = {
     defaults.email = "tm@tlater.net";
@@ -56,8 +61,8 @@
 
   services.backups.acme = {
     user = "acme";
-    paths = lib.mapAttrsToList (
-      virtualHost: _: "/var/lib/acme/${virtualHost}"
-    ) config.services.nginx.virtualHosts;
+    paths =
+      lib.mapAttrsToList (virtualHost: _: "/var/lib/acme/${virtualHost}")
+        config.services.nginx.virtualHosts;
   };
 }
diff --git a/configuration/services/afvalcalendar.nix b/configuration/services/afvalcalendar.nix
index ec7d9f7..28e3a75 100644
--- a/configuration/services/afvalcalendar.nix
+++ b/configuration/services/afvalcalendar.nix
@@ -1,5 +1,7 @@
-{ pkgs, config, ... }:
-{
+{ pkgs
+, config
+, ...
+}: {
   systemd.services.afvalcalendar = {
     description = "Enschede afvalcalendar -> ical converter";
     wantedBy = [ "multi-user.target" ];
@@ -23,23 +25,16 @@
       ProtectKernelModules = true;
       ProtectKernelLogs = true;
       ProtectControlGroups = true;
-      RestrictAddressFamilies = [
-        "AF_UNIX"
-        "AF_INET"
-        "AF_INET6"
-      ];
+      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
       RestrictNamespaces = true;
       LockPersonality = true;
       MemoryDenyWriteExecute = true;
       RestrictRealtime = true;
       RestrictSUIDSGID = true;
       SystemCallArchitectures = "native";
-      SystemCallFilter = [
-        "@system-service"
-        "~@privileged @resources @setuid @keyring"
-      ];
+      SystemCallFilter = [ "@system-service" "~@privileged @resources @setuid @keyring" ];
 
-      Umask = 2;
+      Umask = 0002;
       SupplementaryGroups = "afvalcalendar-hosting";
 
       ReadWritePaths = "/srv/afvalcalendar";
diff --git a/configuration/services/backups.nix b/configuration/services/backups.nix
index 81e3554..7c77399 100644
--- a/configuration/services/backups.nix
+++ b/configuration/services/backups.nix
@@ -1,35 +1,29 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
+{ config
+, pkgs
+, lib
+, ...
 }:
 let
   inherit (lib) types optional singleton;
-  mkShutdownScript =
-    service:
+  mkShutdownScript = service:
     pkgs.writeShellScript "backup-${service}-shutdown" ''
       if systemctl is-active --quiet '${service}'; then
         touch '/tmp/${service}-was-active'
         systemctl stop '${service}'
       fi
     '';
-  mkRestartScript =
-    service:
+  mkRestartScript = service:
     pkgs.writeShellScript "backup-${service}-restart" ''
       if [ -f '/tmp/${service}-was-active' ]; then
         rm '/tmp/${service}-was-active'
         systemctl start '${service}'
       fi
     '';
-  writeScript =
-    name: packages: text:
-    lib.getExe (
-      pkgs.writeShellApplication {
-        inherit name text;
-        runtimeInputs = packages;
-      }
-    );
+  writeScript = name: packages: text:
+    lib.getExe (pkgs.writeShellApplication {
+      inherit name text;
+      runtimeInputs = packages;
+    });
 
   # *NOT* a TOML file, for some reason quotes are interpreted
   # *literally
@@ -55,87 +49,85 @@ in
       description = lib.mdDoc ''
         Configure restic backups with a specific tag.
       '';
-      type = types.attrsOf (
-        types.submodule (
-          { config, name, ... }:
-          {
-            options = {
-              user = lib.mkOption {
-                type = types.str;
-                description = ''
-                  The user as which to run the backup.
-                '';
-              };
-              paths = lib.mkOption {
-                type = types.listOf types.str;
-                description = ''
-                  The paths to back up.
-                '';
-              };
-              tag = lib.mkOption {
-                type = types.str;
-                description = ''
-                  The restic tag to mark the backup with.
-                '';
-                default = name;
-              };
-              preparation = {
-                packages = lib.mkOption {
-                  type = types.listOf types.package;
-                  default = [ ];
-                  description = ''
-                    The list of packages to make available in the
-                    preparation script.
-                  '';
-                };
-                text = lib.mkOption {
-                  type = types.nullOr types.str;
-                  default = null;
-                  description = ''
-                    The preparation script to run before the backup.
-
-                    This should include things like database dumps and
-                    enabling maintenance modes. If a service needs to be
-                    shut down for backups, use `pauseServices` instead.
-                  '';
-                };
-              };
-              cleanup = {
-                packages = lib.mkOption {
-                  type = types.listOf types.package;
-                  default = [ ];
-                  description = ''
-                    The list of packages to make available in the
-                    cleanup script.
-                  '';
-                };
-                text = lib.mkOption {
-                  type = types.nullOr types.str;
-                  default = null;
-                  description = ''
-                    The cleanup script to run after the backup.
-
-                    This should do things like cleaning up database dumps
-                    and disabling maintenance modes.
-                  '';
-                };
-              };
-              pauseServices = lib.mkOption {
-                type = types.listOf types.str;
-                default = [ ];
-                description = ''
-                  The systemd services that need to be shut down before
-                  the backup can run. Services will be restarted after the
-                  backup is complete.
-
-                  This is intended to be used for services that do not
-                  support hot backups.
-                '';
-              };
+      type = types.attrsOf (types.submodule ({ config
+                                             , name
+                                             , ...
+                                             }: {
+        options = {
+          user = lib.mkOption {
+            type = types.str;
+            description = ''
+              The user as which to run the backup.
+            '';
+          };
+          paths = lib.mkOption {
+            type = types.listOf types.str;
+            description = ''
+              The paths to back up.
+            '';
+          };
+          tag = lib.mkOption {
+            type = types.str;
+            description = ''
+              The restic tag to mark the backup with.
+            '';
+            default = name;
+          };
+          preparation = {
+            packages = lib.mkOption {
+              type = types.listOf types.package;
+              default = [ ];
+              description = ''
+                The list of packages to make available in the
+                preparation script.
+              '';
             };
-          }
-        )
-      );
+            text = lib.mkOption {
+              type = types.nullOr types.str;
+              default = null;
+              description = ''
+                The preparation script to run before the backup.
+
+                This should include things like database dumps and
+                enabling maintenance modes. If a service needs to be
+                shut down for backups, use `pauseServices` instead.
+              '';
+            };
+          };
+          cleanup = {
+            packages = lib.mkOption {
+              type = types.listOf types.package;
+              default = [ ];
+              description = ''
+                The list of packages to make available in the
+                cleanup script.
+              '';
+            };
+            text = lib.mkOption {
+              type = types.nullOr types.str;
+              default = null;
+              description = ''
+                The cleanup script to run after the backup.
+
+                This should do things like cleaning up database dumps
+                and disabling maintenance modes.
+              '';
+            };
+          };
+          pauseServices = lib.mkOption {
+            type = types.listOf types.str;
+            default = [ ];
+            description = ''
+              The systemd services that need to be shut down before
+              the backup can run. Services will be restarted after the
+              backup is complete.
+
+              This is intended to be used for services that do not
+              support hot backups.
+            '';
+          };
+        };
+      }));
     };
   };
 
@@ -172,68 +164,58 @@ in
           };
         };
       }
-      // lib.mapAttrs' (
-        name: backup:
-        lib.nameValuePair "backup-${name}" {
-          # Don't want to restart mid-backup
-          restartIfChanged = false;
+      // lib.mapAttrs'
+        (name: backup:
+          lib.nameValuePair "backup-${name}" {
+            # Don't want to restart mid-backup
+            restartIfChanged = false;
 
-          environment = resticEnv // {
-            RESTIC_CACHE_DIR = "%C/backup-${name}";
-          };
+            environment =
+              resticEnv
+              // {
+                RESTIC_CACHE_DIR = "%C/backup-${name}";
+              };
 
-          path = with pkgs; [
-            coreutils
-            openssh
-            rclone
-            restic
-          ];
-
-          # TODO(tlater): If I ever add more than one repo, service
-          # shutdown/restarting will potentially break if multiple
-          # backups for the same service overlap. A more clever
-          # sentinel file with reference counts would probably solve
-          # this.
-          serviceConfig = {
-            User = backup.user;
-            Group = "backup";
-            RuntimeDirectory = "backup-${name}";
-            CacheDirectory = "backup-${name}";
-            CacheDirectoryMode = "0700";
-            PrivateTmp = true;
-
-            ExecStart = [
-              (lib.concatStringsSep " " (
-                [
-                  "${pkgs.restic}/bin/restic"
-                  "backup"
-                  "--tag"
-                  name
-                ]
-                ++ backup.paths
-              ))
+            path = with pkgs; [
+              coreutils
+              openssh
+              rclone
+              restic
             ];
 
-            ExecStartPre =
-              map (service: "+${mkShutdownScript service}") backup.pauseServices
-              ++ singleton (
-                writeScript "backup-${name}-repo-init" [ ] ''
-                  restic snapshots || restic init
-                ''
-              )
-              ++ optional (backup.preparation.text != null) (
-                writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text
-              );
+            # TODO(tlater): If I ever add more than one repo, service
+            # shutdown/restarting will potentially break if multiple
+            # backups for the same service overlap. A more clever
+            # sentinel file with reference counts would probably solve
+            # this.
+            serviceConfig = {
+              User = backup.user;
+              Group = "backup";
+              RuntimeDirectory = "backup-${name}";
+              CacheDirectory = "backup-${name}";
+              CacheDirectoryMode = "0700";
+              PrivateTmp = true;
 
-            # TODO(tlater): Add repo pruning/checking
-            ExecStopPost =
-              map (service: "+${mkRestartScript service}") backup.pauseServices
-              ++ optional (backup.cleanup.text != null) (
-                writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text
-              );
-          };
-        }
-      ) config.services.backups;
+              ExecStart = [
+                (lib.concatStringsSep " " ([ "${pkgs.restic}/bin/restic" "backup" "--tag" name ] ++ backup.paths))
+              ];
+
+              ExecStartPre =
+                map (service: "+${mkShutdownScript service}") backup.pauseServices
+                ++ singleton (writeScript "backup-${name}-repo-init" [ ] ''
+                  restic snapshots || restic init
+                '')
+                ++ optional (backup.preparation.text != null)
+                  (writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text);
+
+              # TODO(tlater): Add repo pruning/checking
+              ExecStopPost =
+                map (service: "+${mkRestartScript service}") backup.pauseServices
+                ++ optional (backup.cleanup.text != null)
+                  (writeScript "backup-${name}-cleanup" backup.cleanup.packages backup.cleanup.text);
+            };
+          })
+        config.services.backups;
 
     systemd.timers =
       {
@@ -245,18 +227,18 @@ in
           # of the backup jobs.
         };
       }
-      // lib.mapAttrs' (
-        name: backup:
-        lib.nameValuePair "backup-${name}" {
-          wantedBy = [ "timers.target" ];
-          timerConfig = {
-            OnCalendar = "Wednesday 02:30:00 UTC";
-            RandomizedDelaySec = "1h";
-            FixedRandomDelay = true;
-            Persistent = true;
-          };
-        }
-      ) config.services.backups;
+      // lib.mapAttrs'
+        (name: backup:
+          lib.nameValuePair "backup-${name}" {
+            wantedBy = [ "timers.target" ];
+            timerConfig = {
+              OnCalendar = "Wednesday 02:30:00 UTC";
+              RandomizedDelaySec = "1h";
+              FixedRandomDelay = true;
+              Persistent = true;
+            };
+          })
+        config.services.backups;
 
     users = {
       # This user is only used to own the ssh key, because apparently
diff --git a/configuration/services/battery-manager.nix b/configuration/services/battery-manager.nix
index a16cca1..7783a3b 100644
--- a/configuration/services/battery-manager.nix
+++ b/configuration/services/battery-manager.nix
@@ -1,6 +1,10 @@
-{ config, flake-inputs, ... }:
-{
-  imports = [ flake-inputs.sonnenshift.nixosModules.default ];
+{ config
+, flake-inputs
+, ...
+}: {
+  imports = [
+    flake-inputs.sonnenshift.nixosModules.default
+  ];
 
   services.batteryManager = {
     enable = true;
diff --git a/configuration/services/conduit.nix b/configuration/services/conduit.nix
index 4e53241..8734785 100644
--- a/configuration/services/conduit.nix
+++ b/configuration/services/conduit.nix
@@ -1,8 +1,7 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
+{ pkgs
+, config
+, lib
+, ...
 }:
 let
   inherit (lib.strings) concatMapStringsSep;
@@ -43,30 +42,28 @@ in
   systemd.services.heisenbridge =
     let
       replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
-      registrationFile = builtins.toFile "heisenbridge-registration.yaml" (
-        builtins.toJSON {
-          id = "heisenbridge";
-          url = "http://127.0.0.1:9898";
-          as_token = "@AS_TOKEN@";
-          hs_token = "@HS_TOKEN@";
-          rate_limited = false;
-          sender_localpart = "heisenbridge";
-          namespaces = {
-            users = [
-              {
-                regex = "@irc_.*";
-                exclusive = true;
-              }
-              {
-                regex = "@heisenbridge:.*";
-                exclusive = true;
-              }
-            ];
-            aliases = [ ];
-            rooms = [ ];
-          };
-        }
-      );
+      registrationFile = builtins.toFile "heisenbridge-registration.yaml" (builtins.toJSON {
+        id = "heisenbridge";
+        url = "http://127.0.0.1:9898";
+        as_token = "@AS_TOKEN@";
+        hs_token = "@HS_TOKEN@";
+        rate_limited = false;
+        sender_localpart = "heisenbridge";
+        namespaces = {
+          users = [
+            {
+              regex = "@irc_.*";
+              exclusive = true;
+            }
+            {
+              regex = "@heisenbridge:.*";
+              exclusive = true;
+            }
+          ];
+          aliases = [ ];
+          rooms = [ ];
+        };
+      });
 
       # TODO(tlater): Starting with systemd 253 it will become possible
       # to do the credential setup as part of ExecStartPre/preStart
@@ -117,7 +114,7 @@ in
         RestrictRealtime = true;
         ProtectProc = "invisible";
         ProcSubset = "pid";
-        UMask = 77;
+        UMask = 0077;
 
         # For the identd port
         # CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
@@ -137,7 +134,9 @@ in
     use-auth-secret = true;
     static-auth-secret-file = config.sops.secrets."turn/secret".path;
     realm = turn-realm;
-    relay-ips = [ "116.202.158.55" ];
+    relay-ips = [
+      "116.202.158.55"
+    ];
 
     # SSL config
     #
@@ -246,7 +245,9 @@ in
 
   services.backups.conduit = {
     user = "root";
-    paths = [ "/var/lib/private/matrix-conduit/" ];
+    paths = [
+      "/var/lib/private/matrix-conduit/"
+    ];
     # Other services store their data in conduit, so no other services
     # need to be shut down currently.
     pauseServices = [ "conduit.service" ];
diff --git a/configuration/services/fail2ban.nix b/configuration/services/fail2ban.nix
index f09668c..1811046 100644
--- a/configuration/services/fail2ban.nix
+++ b/configuration/services/fail2ban.nix
@@ -1,5 +1,4 @@
-{ pkgs, ... }:
-{
+{ pkgs, ... }: {
   services.fail2ban = {
     enable = true;
     extraPackages = [ pkgs.ipset ];
diff --git a/configuration/services/foundryvtt.nix b/configuration/services/foundryvtt.nix
index 614b818..3383ab3 100644
--- a/configuration/services/foundryvtt.nix
+++ b/configuration/services/foundryvtt.nix
@@ -1,9 +1,8 @@
-{
-  lib,
-  config,
-  flake-inputs,
-  pkgs,
-  ...
+{ lib
+, config
+, flake-inputs
+, pkgs
+, ...
 }:
 let
   domain = "foundryvtt.${config.services.nginx.domain}";
@@ -41,7 +40,9 @@ in
 
   services.backups.foundryvtt = {
     user = "foundryvtt";
-    paths = [ config.services.foundryvtt.dataDir ];
+    paths = [
+      config.services.foundryvtt.dataDir
+    ];
     pauseServices = [ "foundryvtt.service" ];
   };
 }
diff --git a/configuration/services/gitea.nix b/configuration/services/gitea.nix
index c88dd01..4ef6238 100644
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@@ -1,8 +1,7 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
+{ pkgs
+, config
+, lib
+, ...
 }:
 let
   domain = "gitea.${config.services.nginx.domain}";
@@ -35,7 +34,9 @@ in
       secretPath = config.sops.secrets."forgejo/metrics-token".path;
       runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
     in
-    [ "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'" ];
+    [
+      "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
+    ];
 
   # Set up SSL
   services.nginx.virtualHosts."${domain}" =
diff --git a/configuration/services/metrics/exporters.nix b/configuration/services/metrics/exporters.nix
index e16b945..e17be8e 100644
--- a/configuration/services/metrics/exporters.nix
+++ b/configuration/services/metrics/exporters.nix
@@ -1,8 +1,7 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
+{ config
+, pkgs
+, lib
+, ...
 }:
 let
   yaml = pkgs.formats.yaml { };
@@ -21,7 +20,9 @@ in
               "tlater.com"
             ];
           in
-          [ "--config=${yaml.generate "domains.yml" conf}" ];
+          [
+            "--config=${yaml.generate "domains.yml" conf}"
+          ];
       };
 
       # System statistics
@@ -50,21 +51,26 @@ in
         listenAddress = "127.0.0.1";
         group = "nginx";
 
-        settings.namespaces = lib.mapAttrsToList (name: virtualHost: {
-          inherit name;
-          metrics_override.prefix = "nginxlog";
-          namespace_label = "vhost";
+        settings.namespaces =
+          lib.mapAttrsToList
+            (name: virtualHost: {
+              inherit name;
+              metrics_override.prefix = "nginxlog";
+              namespace_label = "vhost";
 
-          format = lib.concatStringsSep " " [
-            "$remote_addr - $remote_user [$time_local]"
-            ''"$request" $status $body_bytes_sent''
-            ''"$http_referer" "$http_user_agent"''
-            ''rt=$request_time uct="$upstream_connect_time"''
-            ''uht="$upstream_header_time" urt="$upstream_response_time"''
-          ];
+              format = lib.concatStringsSep " " [
+                "$remote_addr - $remote_user [$time_local]"
+                ''"$request" $status $body_bytes_sent''
+                ''"$http_referer" "$http_user_agent"''
+                ''rt=$request_time uct="$upstream_connect_time"''
+                ''uht="$upstream_header_time" urt="$upstream_response_time"''
+              ];
 
-          source.files = [ "/var/log/nginx/${name}/access.log" ];
-        }) config.services.nginx.virtualHosts;
+              source.files = [
+                "/var/log/nginx/${name}/access.log"
+              ];
+            })
+            config.services.nginx.virtualHosts;
       };
     };
 
@@ -80,11 +86,7 @@ in
             requires = [ "fail2ban.service" ];
             serviceConfig = {
               Group = "fail2ban";
-              RestrictAddressFamilies = [
-                "AF_UNIX"
-                "AF_INET"
-                "AF_INET6"
-              ];
+              RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
               ExecStart = lib.concatStringsSep " " [
                 "${pkgs.local.prometheus-fail2ban-exporter}/bin/fail2ban-prometheus-exporter"
                 "--collector.f2b.socket=/var/run/fail2ban/fail2ban.sock"
diff --git a/configuration/services/metrics/options.nix b/configuration/services/metrics/options.nix
index 5dd17a3..552aec8 100644
--- a/configuration/services/metrics/options.nix
+++ b/configuration/services/metrics/options.nix
@@ -1,8 +1,7 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
+{ pkgs
+, config
+, lib
+, ...
 }:
 let
   inherit (lib) types mkOption mkDefault;
@@ -12,94 +11,87 @@ in
   options = {
     services.prometheus = {
       extraExporters = mkOption {
-        type = types.attrsOf (
-          types.submodule {
-            options = {
-              port = mkOption {
-                type = types.int;
-                description = "The port on which this exporter listens.";
-              };
-              listenAddress = mkOption {
-                type = types.str;
-                default = "127.0.0.1";
-                description = "Address to listen on.";
-              };
-              serviceOpts = mkOption {
-                type = types.attrs;
-                description = "An attrset to be merged with the exporter's systemd service.";
-              };
+        type = types.attrsOf (types.submodule {
+          options = {
+            port = mkOption {
+              type = types.int;
+              description = "The port on which this exporter listens.";
             };
-          }
-        );
+            listenAddress = mkOption {
+              type = types.str;
+              default = "127.0.0.1";
+              description = "Address to listen on.";
+            };
+            serviceOpts = mkOption {
+              type = types.attrs;
+              description = "An attrset to be merged with the exporter's systemd service.";
+            };
+          };
+        });
       };
     };
 
     services.victoriametrics.scrapeConfigs = mkOption {
-      type = types.attrsOf (
-        types.submodule (
-          { name, self, ... }:
-          {
-            options = {
-              job_name = mkOption {
-                type = types.str;
-                default = name;
+      type = types.attrsOf (types.submodule ({ name
+                                             , self
+                                             , ...
+                                             }: {
+        options = {
+          job_name = mkOption {
+            type = types.str;
+            default = name;
+          };
+
+          extraSettings = mkOption {
+            type = types.anything;
+            description = ''
+              Other settings to set for this scrape config.
+            '';
+            default = { };
+          };
+
+          targets = mkOption {
+            type = types.listOf types.str;
+            description = lib.mdDoc ''
+              Addresses scrape targets for this config listen on.
+
+              Shortcut for `static_configs = lib.singleton {targets = [<targets>];}`
+            '';
+            default = [ ];
+          };
+
+          static_configs = mkOption {
+            default = [ ];
+            type = types.listOf (types.submodule {
+              options = {
+                targets = mkOption {
+                  type = types.listOf types.str;
+                  description = lib.mdDoc ''
+                    The addresses scrape targets for this config listen on.
+
+                    Must in `listenAddress:port` format.
+                  '';
+                };
+                labels = mkOption {
+                  type = types.attrsOf types.str;
+                  description = lib.mdDoc ''
+                    Labels to apply to all targets defined for this static config.
+                  '';
+                  default = { };
+                };
               };
-
-              extraSettings = mkOption {
-                type = types.anything;
-                description = ''
-                  Other settings to set for this scrape config.
-                '';
-                default = { };
-              };
-
-              targets = mkOption {
-                type = types.listOf types.str;
-                description = lib.mdDoc ''
-                  Addresses scrape targets for this config listen on.
-
-                  Shortcut for `static_configs = lib.singleton {targets = [<targets>];}`
-                '';
-                default = [ ];
-              };
-
-              static_configs = mkOption {
-                default = [ ];
-                type = types.listOf (
-                  types.submodule {
-                    options = {
-                      targets = mkOption {
-                        type = types.listOf types.str;
-                        description = lib.mdDoc ''
-                          The addresses scrape targets for this config listen on.
-
-                          Must in `listenAddress:port` format.
-                        '';
-                      };
-                      labels = mkOption {
-                        type = types.attrsOf types.str;
-                        description = lib.mdDoc ''
-                          Labels to apply to all targets defined for this static config.
-                        '';
-                        default = { };
-                      };
-                    };
-                  }
-                );
-              };
-            };
-          }
-        )
-      );
+            });
+          };
+        };
+      }));
     };
   };
 
   config = {
     systemd.services = lib.mkMerge [
-      (lib.mapAttrs' (
-        name: exporter:
-        lib.nameValuePair "prometheus-${name}-exporter" (
-          lib.mkMerge [
+      (lib.mapAttrs'
+        (name: exporter:
+          lib.nameValuePair "prometheus-${name}-exporter" (lib.mkMerge [
             {
               # Shamelessly copied from upstream because the upstream
               # module is an intractable mess
@@ -125,10 +117,7 @@ in
               serviceConfig.ProtectKernelTunables = true;
               serviceConfig.ProtectSystem = mkDefault "strict";
               serviceConfig.RemoveIPC = true;
-              serviceConfig.RestrictAddressFamilies = [
-                "AF_INET"
-                "AF_INET6"
-              ];
+              serviceConfig.RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
               serviceConfig.RestrictNamespaces = true;
               serviceConfig.RestrictRealtime = true;
               serviceConfig.RestrictSUIDSGID = true;
@@ -136,9 +125,8 @@ in
               serviceConfig.UMask = "0077";
             }
             exporter.serviceOpts
-          ]
-        )
-      ) config.services.prometheus.extraExporters)
+          ]))
+        config.services.prometheus.extraExporters)
 
       {
         vmagent-scrape-exporters =
@@ -146,25 +134,24 @@ in
             listenAddress = config.services.victoriametrics.listenAddress;
             vmAddr = (lib.optionalString (lib.hasPrefix ":" listenAddress) "127.0.0.1") + listenAddress;
             promscrape = yaml.generate "prometheus.yml" {
-              scrape_configs = lib.mapAttrsToList (
-                _: scrape:
-                lib.recursiveUpdate {
-                  inherit (scrape) job_name;
-                  static_configs =
-                    scrape.static_configs
-                    ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; };
-                } scrape.extraSettings
-              ) config.services.victoriametrics.scrapeConfigs;
+              scrape_configs = lib.mapAttrsToList
+                (_: scrape:
+                  lib.recursiveUpdate
+                    {
+                      inherit (scrape) job_name;
+                      static_configs =
+                        scrape.static_configs
+                        ++ lib.optional (scrape.targets != [ ]) { targets = scrape.targets; };
+                    }
+                    scrape.extraSettings)
+                config.services.victoriametrics.scrapeConfigs;
             };
           in
           {
             enable = true;
             path = [ pkgs.victoriametrics ];
             wantedBy = [ "multi-user.target" ];
-            after = [
-              "network.target"
-              "victoriametrics.service"
-            ];
+            after = [ "network.target" "victoriametrics.service" ];
             serviceConfig = {
               ExecStart = [
                 (lib.concatStringsSep " " [
@@ -193,10 +180,7 @@ in
               ProtectKernelTunables = true;
               ProtectSystem = "strict";
               RemoveIPC = true;
-              RestrictAddressFamilies = [
-                "AF_INET"
-                "AF_INET6"
-              ];
+              RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
               RestrictNamespaces = true;
               RestrictRealtime = true;
               RestrictSUIDSGID = true;
@@ -211,15 +195,19 @@ in
 
     services.victoriametrics.scrapeConfigs =
       let
-        allExporters = lib.mapAttrs (name: exporter: { inherit (exporter) listenAddress port; }) (
-          (lib.filterAttrs (
-            _: exporter: builtins.isAttrs exporter && exporter.enable
-          ) config.services.prometheus.exporters)
-          // config.services.prometheus.extraExporters
-        );
+        allExporters =
+          lib.mapAttrs
+            (name: exporter: {
+              inherit (exporter) listenAddress port;
+            })
+            ((lib.filterAttrs (_: exporter: builtins.isAttrs exporter && exporter.enable)
+              config.services.prometheus.exporters)
+            // config.services.prometheus.extraExporters);
       in
-      lib.mapAttrs (_: exporter: {
-        targets = [ "${exporter.listenAddress}:${toString exporter.port}" ];
-      }) allExporters;
+      lib.mapAttrs
+        (_: exporter: {
+          targets = [ "${exporter.listenAddress}:${toString exporter.port}" ];
+        })
+        allExporters;
   };
 }
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index 710cf70..695b89e 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -1,8 +1,9 @@
-{ config, ... }:
-{
+{ config, ... }: {
   config.services.victoriametrics = {
     enable = true;
-    extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
+    extraOptions = [
+      "-storage.minFreeDiskSpaceBytes=5GB"
+    ];
 
     scrapeConfigs = {
       forgejo = {
diff --git a/configuration/services/nextcloud.nix b/configuration/services/nextcloud.nix
index 63c7446..30adf6e 100644
--- a/configuration/services/nextcloud.nix
+++ b/configuration/services/nextcloud.nix
@@ -1,8 +1,7 @@
-{
-  pkgs,
-  config,
-  lib,
-  ...
+{ pkgs
+, config
+, lib
+, ...
 }:
 let
   # Update pending on rewrite of nextcloud news, though there is an
@@ -16,8 +15,8 @@ in
     inherit hostName;
 
     package = nextcloud;
-    phpPackage = lib.mkForce (
-      pkgs.php.override {
+    phpPackage = lib.mkForce
+      (pkgs.php.override {
         packageOverrides = final: prev: {
           extensions = prev.extensions // {
             pgsql = prev.extensions.pgsql.overrideAttrs (old: {
@@ -28,8 +27,7 @@ in
             });
           };
         };
-      }
-    );
+      });
     enable = true;
     maxUploadSize = "2G";
     https = true;
@@ -54,14 +52,7 @@ in
     };
 
     extraApps = {
-      inherit (pkgs.local)
-        bookmarks
-        calendar
-        contacts
-        cookbook
-        news
-        notes
-        ;
+      inherit (pkgs.local) bookmarks calendar contacts cookbook news notes;
     };
   };
 
diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix
index 85a6843..62dfb01 100644
--- a/configuration/services/postgres.nix
+++ b/configuration/services/postgres.nix
@@ -1,5 +1,4 @@
-{ pkgs, ... }:
-{
+{ pkgs, ... }: {
   services.postgresql = {
     package = pkgs.postgresql_14;
     enable = true;
diff --git a/configuration/services/starbound.nix b/configuration/services/starbound.nix
index f5b23c3..3b54ee9 100644
--- a/configuration/services/starbound.nix
+++ b/configuration/services/starbound.nix
@@ -1,4 +1,7 @@
-{ pkgs, lib, ... }:
+{ pkgs
+, lib
+, ...
+}:
 let
   inherit (lib) concatStringsSep;
 in
@@ -111,7 +114,9 @@ in
 
   services.backups.starbound = {
     user = "root";
-    paths = [ "/var/lib/private/starbound/storage/universe/" ];
+    paths = [
+      "/var/lib/private/starbound/storage/universe/"
+    ];
     pauseServices = [ "starbound.service" ];
   };
 }
diff --git a/configuration/services/wireguard.nix b/configuration/services/wireguard.nix
index 6f8f6a2..057a2e9 100644
--- a/configuration/services/wireguard.nix
+++ b/configuration/services/wireguard.nix
@@ -1,5 +1,4 @@
-{ config, ... }:
-{
+{ config, ... }: {
   # iptables needs to permit forwarding from wg0 to wg0
   networking.firewall.extraCommands = ''
     iptables -A FORWARD -i wg0 -o wg0 -j ACCEPT
diff --git a/flake.nix b/flake.nix
index 6dbbaa5..56f3972 100644
--- a/flake.nix
+++ b/flake.nix
@@ -33,14 +33,13 @@
   };
 
   outputs =
-    {
-      self,
-      nixpkgs,
-      sops-nix,
-      nvfetcher,
-      deploy-rs,
-      ...
-    }@inputs:
+    { self
+    , nixpkgs
+    , sops-nix
+    , nvfetcher
+    , deploy-rs
+    , ...
+    } @ inputs:
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
@@ -85,12 +84,7 @@
           };
 
           sshUser = "tlater";
-          sshOpts = [
-            "-p"
-            "2222"
-            "-o"
-            "ForwardAgent=yes"
-          ];
+          sshOpts = [ "-p" "2222" "-o" "ForwardAgent=yes" ];
         };
       };
 
@@ -150,11 +144,10 @@
       # Development environment #
       ###########################
       devShells.${system}.default = nixpkgs.legacyPackages.${system}.mkShell {
-        sopsPGPKeyDirs = [
-          "./keys/hosts/"
-          "./keys/users/"
+        sopsPGPKeyDirs = [ "./keys/hosts/" "./keys/users/" ];
+        nativeBuildInputs = [
+          sops-nix.packages.${system}.sops-import-keys-hook
         ];
-        nativeBuildInputs = [ sops-nix.packages.${system}.sops-import-keys-hook ];
 
         packages = with pkgs; [
           sops-nix.packages.${system}.sops-init-gpg-key
diff --git a/modules/default.nix b/modules/default.nix
index e1db4cc..9341a5a 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1 +1,5 @@
-{ imports = [ ./nginxExtensions.nix ]; }
+{
+  imports = [
+    ./nginxExtensions.nix
+  ];
+}
diff --git a/modules/nginxExtensions.nix b/modules/nginxExtensions.nix
index bd505d3..3603756 100644
--- a/modules/nginxExtensions.nix
+++ b/modules/nginxExtensions.nix
@@ -1,10 +1,8 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-{
+{ config
+, pkgs
+, lib
+, ...
+}: {
   options = {
     services.nginx.domain = lib.mkOption {
       type = lib.types.str;
@@ -14,8 +12,10 @@
     services.nginx.virtualHosts =
       let
         extraVirtualHostOptions =
-          { name, config, ... }:
-          {
+          { name
+          , config
+          , ...
+          }: {
             options = {
               enableHSTS = lib.mkEnableOption "Enable HSTS";
 
@@ -40,7 +40,9 @@
             };
           };
       in
-      lib.mkOption { type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions); };
+      lib.mkOption {
+        type = lib.types.attrsOf (lib.types.submodule extraVirtualHostOptions);
+      };
   };
 
   config = {
@@ -49,11 +51,11 @@
       let
         confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
       in
-      lib.mapAttrs' (
-        cert: _:
-        lib.nameValuePair "acme-${cert}" {
-          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
-        }
-      ) config.security.acme.certs;
+      lib.mapAttrs'
+        (cert: _:
+          lib.nameValuePair "acme-${cert}" {
+            serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
+          })
+        config.security.acme.certs;
   };
 }
diff --git a/pkgs/afvalcalendar/default.nix b/pkgs/afvalcalendar/default.nix
index 6392220..12b868c 100644
--- a/pkgs/afvalcalendar/default.nix
+++ b/pkgs/afvalcalendar/default.nix
@@ -1,12 +1,19 @@
-{ pkgs, rustPlatform, ... }:
+{ pkgs
+, rustPlatform
+, ...
+}:
 rustPlatform.buildRustPackage {
   pname = "afvalcalendar";
   version = "0.1.0";
   src = ./.;
 
-  nativeBuildInputs = with pkgs; [ pkg-config ];
+  nativeBuildInputs = with pkgs; [
+    pkg-config
+  ];
 
-  buildInputs = with pkgs; [ openssl ];
+  buildInputs = with pkgs; [
+    openssl
+  ];
 
   cargoHash = "sha256-JXx6aUKdKbUTBCwlBw5i1hZy8ofCfSrhLCwFzqdA8cI=";
 }
diff --git a/pkgs/default.nix b/pkgs/default.nix
index a9d7aa1..132d0f5 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -1,4 +1,7 @@
-{ pkgs, lib }:
+{ pkgs
+, lib
+,
+}:
 let
   inherit (builtins) fromJSON mapAttrs readFile;
   inherit (pkgs) callPackage;
@@ -10,7 +13,7 @@ in
   };
   afvalcalendar = callPackage ./afvalcalendar { };
 }
-// (
+  // (
   # Add nextcloud apps
   let
     mkNextcloudApp = pkgs.callPackage ./mkNextcloudApp.nix { };
diff --git a/pkgs/mkNextcloudApp.nix b/pkgs/mkNextcloudApp.nix
index 095b0e8..7453f44 100644
--- a/pkgs/mkNextcloudApp.nix
+++ b/pkgs/mkNextcloudApp.nix
@@ -1,5 +1,7 @@
-{ fetchNextcloudApp, lib }:
-source:
+{ fetchNextcloudApp
+, lib
+,
+}: source:
 fetchNextcloudApp {
   url = source.src.url;
   sha256 = source.src.sha256;
diff --git a/pkgs/prometheus/fail2ban-exporter.nix b/pkgs/prometheus/fail2ban-exporter.nix
index dc22b6c..b74e35d 100644
--- a/pkgs/prometheus/fail2ban-exporter.nix
+++ b/pkgs/prometheus/fail2ban-exporter.nix
@@ -1,4 +1,7 @@
-{ buildGoModule, sources }:
+{ buildGoModule
+, sources
+,
+}:
 buildGoModule {
   inherit (sources.prometheus-fail2ban-exporter) pname src version;
   vendorHash = "sha256-5o8p5p0U/c0WAIV5dACnWA3ThzSh2tt5LIFMb59i9GY=";
diff --git a/pkgs/starbound/default.nix b/pkgs/starbound/default.nix
index 26f2184..a8689f3 100644
--- a/pkgs/starbound/default.nix
+++ b/pkgs/starbound/default.nix
@@ -1,21 +1,19 @@
-{
-  stdenv,
-  lib,
-  makeWrapper,
-  patchelf,
-  steamPackages,
-  replace-secret,
+{ stdenv
+, lib
+, makeWrapper
+, patchelf
+, steamPackages
+, replace-secret
+,
 }:
 let
   # Use the directory in which starbound is installed so steamcmd
   # doesn't have to be reinstalled constantly (we're using DynamicUser
   # with StateDirectory to persist this).
-  steamcmd = steamPackages.steamcmd.override { steamRoot = "/var/lib/starbound/.steamcmd"; };
-  wrapperPath = lib.makeBinPath [
-    patchelf
-    steamcmd
-    replace-secret
-  ];
+  steamcmd = steamPackages.steamcmd.override {
+    steamRoot = "/var/lib/starbound/.steamcmd";
+  };
+  wrapperPath = lib.makeBinPath [ patchelf steamcmd replace-secret ];
 in
 stdenv.mkDerivation {
   name = "starbound-update-script";