autoformatted files

2024-10-29 08:55:56 +01:00 · 2024-10-29 08:55:56 +01:00 · 9dc962a98c
commit 9dc962a98c
parent f7609d5cf2
20 changed files with 424 additions and 256 deletions
--- a/flake.nix
+++ b/flake.nix
@ -8,26 +8,43 @@
    sops-nix.url = "github:Mic92/sops-nix";
    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
  };
-  outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix, lanzaboote, microvm}@inputs: let 
-  imports = { imports = [
-	sops-nix.nixosModules.sops
-        passInputs mkLocalModsInput
+  outputs = {
+    self,
+    nixpkgs,
+    nixpkgs-unstable,
+    sops-nix,
+    lanzaboote,
+    microvm,
+  } @ inputs: let
+    imports = {
+      imports = [
+        sops-nix.nixosModules.sops
+        passInputs
+        mkLocalModsInput
        lanzaboote.nixosModules.lanzaboote
-	inputs.microvm.nixosModules.host
-	];};
-  passInputs = ({lib,config,...}:{
-    options.flakePath = lib.mkOption {type = lib.types.path;};
-    config.flakePath = ./.;
-    options.inputs = lib.mkOption {type = lib.types.attrs;};
-    config.inputs = inputs;
-    options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
-    config.pkgsInstances = {
-      unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
+        inputs.microvm.nixosModules.host
+      ];
+    };
+    passInputs = {
+      lib,
+      config,
+      ...
+    }: {
+      options.flakePath = lib.mkOption {type = lib.types.path;};
+      config.flakePath = ./.;
+      options.inputs = lib.mkOption {type = lib.types.attrs;};
+      config.inputs = inputs;
+      options.pkgsInstances = lib.mkOption {type = lib.types.attrs;};
+      config.pkgsInstances = {
+        unstable = import inputs.nixpkgs-unstable {system = config.nixpkgs.system;};
+      };
+    };
+    inherit (nixpkgs) lib;
+    mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
+    mkLocalModsInput = mkLocalMods {
+      prefix = ["lyn"];
+      dir = ./modules;
    };
-  });
-  inherit (nixpkgs) lib;
-  mkLocalMods = import ./meta/mkLocalMods.nix {inherit lib;};
-  mkLocalModsInput = (mkLocalMods {prefix = ["lyn"]; dir = ./modules;});
  in {
    nixosConfigurations = {
      "forgenite" = nixpkgs.lib.nixosSystem {
@ -35,28 +52,28 @@
        modules = [
          ./hosts/forgenite
          imports
-	      ];
+        ];
      };
      "forgejo-ci" = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./hosts/forgejo-ci
          imports
-	      ];
+        ];
      };
      "supernova" = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./hosts/supernova
-	        imports
-	        ];
+          imports
+        ];
      };
      "wg-gateway" = nixpkgs.lib.nixosSystem {
        system = "aarch64-linux";
        modules = [
          ./hosts/wg-gateway
-	        imports
-	      ];
+          imports
+        ];
      };
    };
  };
--- a/hosts/forgejo-ci/default.nix
+++ b/hosts/forgejo-ci/default.nix
@ -1,8 +1,14 @@
-{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
-  imports =
-    [
-      ./hardware-configuration.nix
-    ];
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with config.lyn.lib; {
+  imports = [
+    ./hardware-configuration.nix
+  ];
  lyn.sops.secrets."hosts/forgejo-ci/forgejo_ci_token" = {};
  lyn.users.lyn.enable = true;
  lyn.kernel.latest.enable = true;
--- a/hosts/forgenite/default.nix
+++ b/hosts/forgenite/default.nix
@ -1,12 +1,17 @@
-{ config, pkgs, lib, inputs, ... }: {
-  imports =
-    [
-      ./hardware-configuration.nix
-    ];
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+  ];
  lyn.sops.secrets."hosts/forgenite/forgejo_db_password".owner = "forgejo";
  lyn.users.lyn.enable = true;
  lyn.kernel.latest.enable = true;
-  lyn.kernel.hardened.enable =true;
+  lyn.kernel.hardened.enable = true;
  lyn.profiles.base.enable = true;
  lyn.profiles.vm.enable = true;

@ -24,6 +29,4 @@
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "24.05"; # Did you read the comment?
- 
 }
-
--- a/hosts/supernova/default.nix
+++ b/hosts/supernova/default.nix
@ -1,9 +1,15 @@
-{ config, pkgs, lib, inputs, ... }: with config.lyn.lib; {
-    imports =
-    [
-      ./hardware-configuration.nix
-      ./virtualization.nix
-    ];
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with config.lyn.lib; {
+  imports = [
+    ./hardware-configuration.nix
+    ./virtualization.nix
+  ];
  lyn.kernel.latest.enable = true;
  lyn.profiles.base.enable = true;
  lyn.profiles.headless.enable = true;
@ -30,26 +36,30 @@
  lyn.profiles.secureboot.enable = true;

  # FDE + initrd stuff
-  boot.kernelParams = [ "ip=dhcp" ];
+  boot.kernelParams = ["ip=dhcp"];
  boot.loader.timeout = 2;
  boot.initrd = {
-    availableKernelModules = [ "r8169" ];
+    availableKernelModules = ["r8169"];
    systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
    secrets = {"/root/initrd-ssh-key" = "/root/initrd-ssh-key";};
    network = {
-    enable = true;
-    ssh = {
      enable = true;
-      port = 2222;
-      # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
-      hostKeys = [ /root/initrd-ssh-key ];
-      # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
-      # authorizedKeys = [ "ssh-rsa ..." ];
-      authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users);
+      ssh = {
+        enable = true;
+        port = 2222;
+        # WARNING: this key will be globally accessible through Nix store. Don't use the booted/decrypted systems host key here.
+        hostKeys = [/root/initrd-ssh-key];
+        # this includes the ssh keys of all users in the wheel group, but you can just specify some keys manually
+        # authorizedKeys = [ "ssh-rsa ..." ];
+        authorizedKeys = with lib;
+          concatLists (mapAttrsToList (name: user:
+            if elem "wheel" user.extraGroups
+            then user.openssh.authorizedKeys.keys
+            else [])
+          config.users.users);
+      };
    };
  };
-  };
-

  system.stateVersion = "24.05";
 }
--- a/hosts/supernova/hardware-configuration.nix
+++ b/hosts/supernova/hardware-configuration.nix
@ -1,41 +1,45 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
-  boot.initrd.kernelModules = [ "dm-snapshot" ];
-  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod"];
+  boot.initrd.kernelModules = ["dm-snapshot"];
+  boot.kernelModules = ["kvm-amd"];
+  boot.extraModulePackages = [];

  boot.initrd.systemd.enable = true;
  boot.initrd.luks.devices."root".device = "/dev/disk/by-uuid/db8a5cf9-c54b-4e6a-b3f9-e6323eb962a6";
  # doubles SSD performance because r/w queue is unnecessary here
  boot.initrd.luks.devices."root".bypassWorkqueues = true;

-  fileSystems."/" =
-    { device = "/dev/mapper/vg-root";
-      fsType = "btrfs";
-      options = ["x-systemd.device-timeout=0"];
-    };
+  fileSystems."/" = {
+    device = "/dev/mapper/vg-root";
+    fsType = "btrfs";
+    options = ["x-systemd.device-timeout=0"];
+  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/0374-0967";
-      fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/0374-0967";
+    fsType = "vfat";
+    options = ["fmask=0022" "dmask=0022" "umask=0077" "x-systemd.device-timeout=0"];
+  };

-  swapDevices =
-    [ { 
+  swapDevices = [
+    {
      device = "/dev/mapper/vg-swap";
      options = ["x-systemd.device-timeout=0"];
    }
-    ];
+  ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
--- a/hosts/supernova/virtualization.nix
+++ b/hosts/supernova/virtualization.nix
@ -1,4 +1,3 @@
-{ ... }:{
+{...}: {
  lyn.profiles.hypervisor.enable = true;
-  
 }
--- a/hosts/wg-gateway/default.nix
+++ b/hosts/wg-gateway/default.nix
@ -1,32 +1,35 @@
-{ config, lib, pkgs, ... }:
-
 {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
-    boot.loader.systemd-boot.enable = true;
-    boot.loader.efi.canTouchEfiVariables = true;
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;

-    lyn.kernel.latest.enable = true;
-    lyn.profiles.base.enable = true;
-    lyn.profiles.secureboot.enable = true;
-    lyn.users.lyn.enable = true;
+  lyn.kernel.latest.enable = true;
+  lyn.profiles.base.enable = true;
+  lyn.profiles.secureboot.enable = true;
+  lyn.users.lyn.enable = true;

-    # network
-    networking.useDHCP = false;
-    networking.hostName = "wg-gateway"; # Define your hostname.
-    systemd.network.enable = true;
-    systemd.network.networks."10-wan" = {
+  # network
+  networking.useDHCP = false;
+  networking.hostName = "wg-gateway"; # Define your hostname.
+  systemd.network.enable = true;
+  systemd.network.networks."10-wan" = {
    matchConfig.Name = "enp1s0";
    networkConfig.DHCP = "ipv4";
    address = [
      "2a01:4f8:1c1b:d2db::/64"
    ];
    routes = [
-      { routeConfig.Gateway = "fe80::1"; }
+      {routeConfig.Gateway = "fe80::1";}
    ];
  };

-    system.stateVersion = "24.05";  
+  system.stateVersion = "24.05";
 }
--- a/hosts/wg-gateway/hardware-configuration.nix
+++ b/hosts/wg-gateway/hardware-configuration.nix
@ -1,32 +1,36 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
-  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
-    ];
-  boot.initrd.kernelModules = [ "virtio_gpu" ];
-  boot.kernelParams = [ "console=tty" ];
-  boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_scsi" "sr_mod" ];
-  boot.kernelModules = [ ];
-  boot.extraModulePackages = [ ];
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+  boot.initrd.kernelModules = ["virtio_gpu"];
+  boot.kernelParams = ["console=tty"];
+  boot.initrd.availableKernelModules = ["xhci_pci" "virtio_scsi" "sr_mod"];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/7cb49846-af34-40ec-b144-decc9c284e94";
+    fsType = "ext4";
+  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/BEFA-C7BC";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/BEFA-C7BC";
+    fsType = "vfat";
+    options = ["fmask=0077" "dmask=0077"];
+  };

-  swapDevices =
-    [ { device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710"; }
-    ];
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/63e6e56c-9fbd-4bc2-a0e7-8be171565710";}
+  ];

  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;

--- a/meta/default.nix
+++ b/meta/default.nix
@ -1,6 +1,5 @@
 {
-    imports = [
-	./mkLocalMods.nix
-    ];
+  imports = [
+    ./mkLocalMods.nix
+  ];
 }
-
--- a/meta/mkLocalMods.nix
+++ b/meta/mkLocalMods.nix
@ -1,54 +1,107 @@
-{lib, ...}:
-let
-inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;} ) packagesFromDirectoryRecursive;
-	mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
-	#kv = key: value: {inherit key value;};
-	recurseNaive = curPath: fn: mapAttrKVs (k: v: let 
-		match = builtins.match "(.*)[.]nix" k;
-	in if v == "regular" && match != null then {key = builtins.elemAt match 0; value = fn (curPath + ("/" + k));}
-		else if v == "directory" then {key = k; value = recurseNaive (curPath + ("/" + k)) fn;}
-		else {key = null; value = null;}
-	) (builtins.readDir curPath);
+{lib, ...}: let
+  inherit (import ./packagesFromDirectoryRecursive.nix {inherit lib;}) packagesFromDirectoryRecursive;
+  mapAttrKVs = mapFn: attrs: builtins.foldl' (acc: cur: acc // {${cur.key} = cur.value;}) {} (builtins.attrValues (builtins.mapAttrs mapFn attrs));
+  #kv = key: value: {inherit key value;};
+  recurseNaive = curPath: fn:
+    mapAttrKVs (
+      k: v: let
+        match = builtins.match "(.*)[.]nix" k;
+      in
+        if v == "regular" && match != null
+        then {
+          key = builtins.elemAt match 0;
+          value = fn (curPath + ("/" + k));
+        }
+        else if v == "directory"
+        then {
+          key = k;
+          value = recurseNaive (curPath + ("/" + k)) fn;
+        }
+        else {
+          key = null;
+          value = null;
+        }
+    ) (builtins.readDir curPath);

-	getAttrKVsRec = prefix: as: lib.flatten (lib.mapAttrsToList (k: v:
-		if lib.isAttrs v then getAttrKVsRec (prefix ++ [k]) v
-		else [{path = prefix ++ [k]; value = v;}]
-	) as);
+  getAttrKVsRec = prefix: as:
+    lib.flatten (lib.mapAttrsToList (
+        k: v:
+          if lib.isAttrs v
+          then getAttrKVsRec (prefix ++ [k]) v
+          else [
+            {
+              path = prefix ++ [k];
+              value = v;
+            }
+          ]
+      )
+      as);

-	getPathKVsRec = prefix: dir: getAttrKVsRec prefix (packagesFromDirectoryRecursive { callPackage = path: x: path; directory = dir; });
+  getPathKVsRec = prefix: dir:
+    getAttrKVsRec prefix (packagesFromDirectoryRecursive {
+      callPackage = path: x: path;
+      directory = dir;
+    });

-	unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
-	transformLocalMod = {path, value}: let 
-	modFn = if lib.isFunction (import value) then import value else (p: import value);
-	newMod = p: let
-		paramNew = p // {
-			cfg = lib.getAttrFromPath path p.config;
-		};
+  unifyMod = (import ./modules-extracted.nix {lib = lib;}).unifyModuleSyntax;
+  transformLocalMod = {
+    path,
+    value,
+  }: let
+    modFn =
+      if lib.isFunction (import value)
+      then import value
+      else (p: import value);
+    newMod = p: let
+      paramNew =
+        p
+        // {
+          cfg = lib.getAttrFromPath path p.config;
+        };

-		pathStr = builtins.concatStringsSep "." path;
-		modRaw = modFn paramNew;
-		modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);
+      pathStr = builtins.concatStringsSep "." path;
+      modRaw = modFn paramNew;
+      modUni = unifyMod pathStr pathStr (builtins.removeAttrs modRaw ["opt" "mod"]);

-		mod = modRaw.mod or {};
-		fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
-		enablePath = path ++ ["enable"];
+      mod = modRaw.mod or {};
+      fileCtx = str: "${modUni._file} (mkLocalMods ${str})";
+      enablePath = path ++ ["enable"];

-		imports = [ {
-			_file = fileCtx "`opt` processor";
-			key = fileCtx "`opt` processor";
-			options = lib.setAttrByPath path (modRaw.opt or {});
-		} {
-			_file = fileCtx "`enable` definition";
-			key = fileCtx "`enable` definition";
-			options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
-		} ({config, ...}: {
-			_file = fileCtx "config wrapper";
-			key = fileCtx "config wrapper";
-			config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config; 
-		})];
+      imports = [
+        {
+          _file = fileCtx "`opt` processor";
+          key = fileCtx "`opt` processor";
+          options = lib.setAttrByPath path (modRaw.opt or {});
+        }
+        {
+          _file = fileCtx "`enable` definition";
+          key = fileCtx "`enable` definition";
+          options = lib.setAttrByPath enablePath (lib.mkEnableOption (mod.desc or mod.description or mod.name or pathStr));
+        }
+        ({config, ...}: {
+          _file = fileCtx "config wrapper";
+          key = fileCtx "config wrapper";
+          config = lib.mkIf (lib.getAttrFromPath enablePath config) modUni.config;
+        })
+      ];

-		newMod = modUni // { imports = modUni.imports ++ imports; config = {}; };
-	in newMod; in lib.mirrorFunctionArgs modFn newMod;
+      newMod =
+        modUni
+        // {
+          imports = modUni.imports ++ imports;
+          config = {};
+        };
+    in
+      newMod;
+  in
+    lib.mirrorFunctionArgs modFn newMod;

-	mkLocalMods = {prefix ? [], dir}: { _file = "mkLocalMods collector"; imports = builtins.map transformLocalMod (getPathKVsRec prefix dir); };
-in mkLocalMods
+  mkLocalMods = {
+    prefix ? [],
+    dir,
+  }: {
+    _file = "mkLocalMods collector";
+    imports = builtins.map transformLocalMod (getPathKVsRec prefix dir);
+  };
+in
+  mkLocalMods
--- a/meta/modules-extracted.nix
+++ b/meta/modules-extracted.nix
@ -1,8 +1,8 @@
 # https://github.com/NixOS/nixpkgs/blob/a5cfe012401cfebb4b2c28e74857b8ffe1402b4b/lib/modules.nix
-{ lib }:
-with lib.modules;
-let
-  inherit (lib)
+{lib}:
+with lib.modules; let
+  inherit
+    (lib)
    addErrorContext
    all
    any
@ -36,7 +36,8 @@ let
    optionalAttrs
    optionalString
    recursiveUpdate
-    reverseList sort
+    reverseList
+    sort
    seq
    setAttrByPath
    substring
@ -50,7 +51,8 @@ let
    zipAttrs
    zipAttrsWith
    ;
-  inherit (lib.options)
+  inherit
+    (lib.options)
    isOption
    mkOption
    showDefs
@ -58,36 +60,41 @@ let
    showOption
    unknownModule
    ;
-  inherit (lib.strings)
+  inherit
+    (lib.strings)
    isConvertibleWithToString
    ;

-  unifyModuleSyntax = file: key: m:
-    let
-      addMeta = config: if m ? meta
-        then mkMerge [ config { meta = m.meta; } ]
-        else config;
-      addFreeformType = config: if m ? freeformType
-        then mkMerge [ config { _module.freeformType = m.freeformType; } ]
-        else config;
+  unifyModuleSyntax = file: key: m: let
+    addMeta = config:
+      if m ? meta
+      then mkMerge [config {meta = m.meta;}]
+      else config;
+    addFreeformType = config:
+      if m ? freeformType
+      then mkMerge [config {_module.freeformType = m.freeformType;}]
+      else config;
+  in
+    if m ? config || m ? options
+    then let
+      badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"];
    in
-    if m ? config || m ? options then
-      let badAttrs = removeAttrs m ["_class" "_file" "key" "disabledModules" "imports" "options" "config" "meta" "freeformType"]; in
-      if badAttrs != {} then
-        throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
-      else
-        { _file = toString m._file or file;
-          _class = m._class or null;
-          key = toString m.key or key;
-          disabledModules = m.disabledModules or [];
-          imports = m.imports or [];
-          options = m.options or {};
-          config = addFreeformType (addMeta (m.config or {}));
-        }
+      if badAttrs != {}
+      then throw "Module `${key}' has an unsupported attribute `${head (attrNames badAttrs)}'. This is caused by introducing a top-level `config' or `options' attribute. Add configuration attributes immediately on the top level instead, or move all of them (namely: ${toString (attrNames badAttrs)}) into the explicit `config' attribute."
+      else {
+        _file = toString m._file or file;
+        _class = m._class or null;
+        key = toString m.key or key;
+        disabledModules = m.disabledModules or [];
+        imports = m.imports or [];
+        options = m.options or {};
+        config = addFreeformType (addMeta (m.config or {}));
+      }
    else
      # shorthand syntax
      throwIfNot (isAttrs m) "module ${file} (${key}) does not look like a module."
-      { _file = toString m._file or file;
+      {
+        _file = toString m._file or file;
        _class = m._class or null;
        key = toString m.key or key;
        disabledModules = m.disabledModules or [];
@ -95,6 +102,4 @@ let
        options = {};
        config = addFreeformType (removeAttrs m ["_class" "_file" "key" "disabledModules" "require" "imports" "freeformType"]);
      };
-
-
 in {inherit unifyModuleSyntax;}
--- a/modules/profiles/base.nix
+++ b/modules/profiles/base.nix
@ -36,6 +36,32 @@
    htop
  ];

+  # Use encrypted Quad9 DNS
+  nameservers = [ "127.0.0.1" "::1" ];
+  services.dnscrypt-proxy2 = {
+    enable = true;
+    settings = {
+      ipv6_servers = true;
+      require_dnssec = true;
+
+      sources.public-resolvers = {
+        urls = [
+          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
+          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
+        ];
+        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
+        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
+      };
+
+      # You can choose a specific set of servers from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
+     server_names = [ 'quad9-dnscrypt-ip4-nofilter-pri', 'quad9-dnscrypt-ip6-nofilter-pri'];
+    };
+  };
+
+  systemd.services.dnscrypt-proxy2.serviceConfig = {
+    StateDirectory = "dnscrypt-proxy";
+  };
+
  nix.gc = {
    automatic = true;
    persistent = true;
--- a/modules/profiles/hypervisor.nix
+++ b/modules/profiles/hypervisor.nix
@ -1,4 +1,8 @@
-{inputs, lib, ...}: {
-    microvm.host.enable = true;
-    networking.useNetworkd = true;
+{
+  inputs,
+  lib,
+  ...
+}: {
+  microvm.host.enable = true;
+  networking.useNetworkd = true;
 }
--- a/modules/profiles/secureboot.nix
+++ b/modules/profiles/secureboot.nix
@ -1,5 +1,9 @@
-{ config, pkgs, lib, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
  environment.systemPackages = [
    # For debugging and troubleshooting Secure Boot.
    pkgs.sbctl
@ -9,5 +13,4 @@
    enable = true;
    pkiBundle = "/etc/secureboot";
  };
-  
 }
--- a/modules/profiles/vm.nix
+++ b/modules/profiles/vm.nix
@ -1,5 +1,10 @@
-{ config, pkgs, lib, modulesPath, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}: {
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];
--- a/modules/services/forgejo-ci.nix
+++ b/modules/services/forgejo-ci.nix
@ -1,8 +1,14 @@
-{ config, pkgs, lib, inputs, cfg, ... }:
 {
+  config,
+  pkgs,
+  lib,
+  inputs,
+  cfg,
+  ...
+}: {
  environment.systemPackages = with pkgs; [
    docker
-];
+  ];

  # Enable docker
  virtualisation.docker = {
@ -20,10 +26,10 @@
    instances = {
      "${cfg.instancename}" = {
        enable = true;
-            url = "https://${cfg.domain}";
-            name = cfg.instancename;
-            tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
-            labels = [];
+        url = "https://${cfg.domain}";
+        name = cfg.instancename;
+        tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci_token".path;
+        labels = [];
      };
    };
  };
--- a/modules/services/forgejo.nix
+++ b/modules/services/forgejo.nix
@ -1,5 +1,12 @@
-{pkgs, lib, config, cfg, ...}:
-with lib; with builtins; {
+{
+  pkgs,
+  lib,
+  config,
+  cfg,
+  ...
+}:
+with lib;
+with builtins; {
  opt.domain = lib.mkOption {type = lib.types.str;};
  services.forgejo = {
    enable = true;
@ -11,20 +18,20 @@ with lib; with builtins; {
      OFFLINE_MODE = true; # disable gravatar, CDN
    };
    settings.actions = {
-       ENABLED = true;
+      ENABLED = true;
    };
    settings."repository.upload" = {
-	FILE_MAX_SIZE = 4095;
-	MAX_FILES = 20;
+      FILE_MAX_SIZE = 4095;
+      MAX_FILES = 20;
    };
    settings."attachment" = {
-        MAX_SIZE = 4095;
-        MAX_FILES = 20;
+      MAX_SIZE = 4095;
+      MAX_FILES = 20;
    };

    settings.service = {
-	DISABLE_REGISTRATION = true;
-	DEFAULT_KEEP_EMAIL_PRIVATE = true;
+      DISABLE_REGISTRATION = true;
+      DEFAULT_KEEP_EMAIL_PRIVATE = true;
    };
    database = {
      user = "forgejo";
--- a/modules/sops/default.nix
+++ b/modules/sops/default.nix
@ -1,23 +1,27 @@
-{ pkgs, lib, config, ... }:
-let
-  cfg = config.lyn.sops;
-in
 {
+  pkgs,
+  lib,
+  config,
+  ...
+}: let
+  cfg = config.lyn.sops;
+in {
  options.lyn.sops = with lib; {
    secrets = mkOption {
      type = types.attrs;
-      default = { };
+      default = {};
    };
  };
  config = {
-    sops.secrets = lib.mapAttrs
-      (name: value:
-        let
-          name_split = lib.splitString "/" name;
-        in
+    sops.secrets =
+      lib.mapAttrs
+      (name: value: let
+        name_split = lib.splitString "/" name;
+      in
        {
          sopsFile = config.flakePath + /secrets/${builtins.elemAt name_split 0}/${builtins.elemAt name_split 1}.yaml;
-        } // value)
+        }
+        // value)
      cfg.secrets;
  };
 }
--- a/modules/users/lyn/default.nix
+++ b/modules/users/lyn/default.nix
@ -1,11 +1,17 @@
-{lib,pkgs, config, cfg, ...}:{
-    imports = [
-	./ssh.nix
-    ];
-    users.users.lyn = {   
+{
+  lib,
+  pkgs,
+  config,
+  cfg,
+  ...
+}: {
+  imports = [
+    ./ssh.nix
+  ];
+  users.users.lyn = {
    isNormalUser = true;
-   	extraGroups = [ "wheel"];
-	  packages = with pkgs; [
+    extraGroups = ["wheel"];
+    packages = with pkgs; [
    ];
-    };
+  };
 }
--- a/modules/users/lyn/ssh.nix
+++ b/modules/users/lyn/ssh.nix
@ -1,3 +1,7 @@
-{lib, config, ...}: {
-    users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
+{
+  lib,
+  config,
+  ...
+}: {
+  users.users.lyn.openssh.authorizedKeys.keys = ["ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC7NUaBJOYgMnT2uUUUSB7gKaqqbgxXDghBkRqSGuZrAZzZYHlHH7nM6Re7+yOYMSoJGLaB4iaUDLSBBnyA6pLI= nixos_gitea@secretive.MacBook-Pro-(2).local"];
 }