updates, tidying, hetzner-vm container scripts, better cryptsetup unlock with plymouth

flake.lock

@@ -47,11 +47,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1689068808,
-        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
+        "lastModified": 1692799911,
+        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
+        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690567562,
-        "narHash": "sha256-a8oa6X4R5MXAW2ZlMTvRGknxFnyZtDSpT+LbQNiSRgU=",
+        "lastModified": 1693523992,
+        "narHash": "sha256-I2wtOLO6k1oAYx6V7qZZjELvPpk0ynY+dHFhyt8BieE=",
         "owner": "ChaotiCryptidz",
         "repo": "gitlab_archiver",
-        "rev": "a4e339868f7e33364892790e6b8384ed550f713c",
+        "rev": "12fc4d1be08870134c58c4dec7e6ac1605d83c12",
         "type": "gitlab"
       },
       "original": {
@@ -99,11 +99,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1690572151,
-        "narHash": "sha256-J2eueGHL1EiFI3/jtJ1d9gRLz28PiOkzwlquFmNDUg4=",
+        "lastModified": 1693524103,
+        "narHash": "sha256-FjrSp0Nr/4t/z1ABX90S1EHEPqmNWhx5/RGodX5TBMA=",
         "owner": "ChaotiCryptidz",
         "repo": "gitlab_artifacts_sync",
-        "rev": "99656b78ba1c97aedb23ee6bebb1f696f2bce781",
+        "rev": "affa1e00a30ce3f5880a8bfd4e2ae30bda4a93a8",
         "type": "gitlab"
       },
       "original": {
@@ -119,11 +119,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1692260837,
-        "narHash": "sha256-2FpkX1zl+7ni7djK7NeE1ZGupRUwZgjW+RPCSBgDf4k=",
+        "lastModified": 1693399033,
+        "narHash": "sha256-yXhiMo8MnE86sGtPIHAKaLHhmhe8v9tqGGotlUgKJvY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6a94c1a59737783c282c4031555a289c28b961e4",
+        "rev": "f5c15668f9842dd4d5430787d6aa8a28a07f7c10",
         "type": "github"
       },
       "original": {
@@ -145,11 +145,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1691616912,
-        "narHash": "sha256-Cez6EVjpD+imIYVJbDwg9RkT18eXvaVg+cPmLvuQrYs=",
+        "lastModified": 1693522376,
+        "narHash": "sha256-xufWyWSV7k31C3xm5cClyKczPG9w+2VGFgejSf7qTIo=",
         "owner": "ChaotiCryptidz",
         "repo": "musicutil",
-        "rev": "7ef7093eb794a89421a3743396a29ba4d8ae0363",
+        "rev": "190f47d6efeb4b1b884ef437f0dbdd801c4e50dd",
         "type": "gitlab"
       },
       "original": {
@@ -160,11 +160,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1692264070,
-        "narHash": "sha256-WepAkIL2UcHOj7JJiaFS/vxrA9lklQHv8p+xGL+7oQ0=",
+        "lastModified": 1693377291,
+        "narHash": "sha256-vYGY9bnqEeIncNarDZYhm6KdLKgXMS+HA2mTRaWEc80=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "42c25608aa2ad4e5d3716d8d63c606063513ba33",
+        "rev": "e7f38be3775bab9659575f192ece011c033655f0",
         "type": "github"
       },
       "original": {
@@ -176,11 +176,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1692376909,
-        "narHash": "sha256-fcwKrjaYBixuTP+fcxScag0ELfE3xunAbjcEsyPpb2o=",
+        "lastModified": 1693508393,
+        "narHash": "sha256-FagQkHWoo91Lm0oT2wMPHqVIg6/RGeJg5M/sL2glg90=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "5723f9666abf2a45d0972db5dd1f9a5b0ac90f1a",
+        "rev": "2193de091ecd925af783069b8393a80cd6cc8a29",
         "type": "github"
       },
       "original": {

home/gui/environments/gnome/default.nix

@@ -5,7 +5,7 @@
   inputs,
   ...
 }: let
-  hm = inputs.home-manager.lib.hm;
+  hm-lib = inputs.home-manager.lib.hm;
 
   font-sizes-all = {
     default = {
@@ -56,7 +56,7 @@ in {
     };
     "org/gnome/desktop/input-sources" = {
       # TODO: see if this changes when using gnome wayland?
-      sources = [(hm.gvariant.mkTuple ["xkb" "gb"])];
+      sources = [(hm-lib.gvariant.mkTuple ["xkb" "gb"])];
       per-window = false;
     };
     "org/gnome/desktop/media-handling" = {

hosts/buildbox/hardware.nix

@@ -19,7 +19,6 @@
   boot.loader.grub = {
     enable = true;
     efiSupport = false;
-    version = 2;
     device = "nodev";
     devices = ["/dev/sda" "/dev/sdb"];
   };

hosts/hetzner-vm/containers/piped/modules/piped/backend.nix

@@ -107,18 +107,13 @@ in {
       wants = ["postgresql.service"];
       after = ["postgresql.service"];
       script = ''
-        systemd-run \
-           -u piped-password-psql.service \
-           -p Group=postgresql \
-           -p User=postgresql \
-           -q -t -G --wait --service-type=exec \
-             ${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD '${
+        ${pkgs.postgresql}/bin/psql -c "ALTER USER piped WITH PASSWORD '${
           if cfg.postgresPasswordFile != null
           then "$(cat ${cfg.postgresPasswordFile} | sed \"s#'#\\\'#\")"
           else cfg.postgresPassword
         }';"
       '';
-      serviceConfig.User = "root";
+      serviceConfig.User = "postgres";
     };
 
     services.postgresql = lib.mkIf (!cfg.disablePostgres) {

hosts/hetzner-vm/containers/storage/storage.nix

@@ -46,7 +46,8 @@ in {
           profiles.rclone-configs
           profiles.rclone-serve
           profiles.rclone-sync
-          profiles.storage-mount
+          # doesn't work in container
+          # profiles.storage-mount
           profiles.users
         ]);
 

hosts/hetzner-vm/hetzner-vm.nix

@@ -30,14 +30,35 @@
     ./secrets.nix
   ];
 
-  environment.systemPackages = with pkgs; [
-    (pkgs.writeShellScriptBin "journalctl-vaccum-all" ''
-      journalctl --vacuum-size=100M
-      ${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
-        journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
-      ''))}
-    '')
-  ];
+  environment.systemPackages = with pkgs;
+    [
+      (pkgs.writeShellScriptBin "journalctl-vaccum-all" ''
+        journalctl --vacuum-size=100M
+        ${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
+          journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
+        ''))}
+      '')
+      (pkgs.writeShellScriptBin "systemctl-list-failed-all" ''
+        echo "Host: "
+        systemctl --failed
+        ${lib.concatStringsSep "\n" (lib.forEach (lib.attrNames config.containers) (name: ''
+          echo "Container: "
+          systemctl -M ${name} --failed
+        ''))}
+      '')
+    ]
+    ++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "journalctl-vaccum-${name}" ''
+      journalctl --vacuum-size=100M --root /var/lib/nixos-containers/${name}
+    ''))
+    ++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "systemctl-machine-${name}" ''
+      systemctl -M ${name} $@
+    ''))
+    ++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "journalctl-machine-${name}" ''
+      journalctl -M ${name} $@
+    ''))
+    ++ lib.forEach (lib.attrNames config.containers) (name: (pkgs.writeShellScriptBin "shell-enter-${name}" ''
+      machinectl shell ${name}
+    ''));
 
   # For Containers
   networking.nat = {

modules/nixos/rclone-serve.nix

@@ -10,7 +10,7 @@ with lib; let
   makeNameSafe = name: builtins.replaceStrings ["/"] ["-"] name;
 
   daemonService = serve_config:
-    lib.mkMerge [
+    mkMerge [
       {
         wantedBy = ["multi-user.target"];
 
@@ -28,7 +28,7 @@ with lib; let
             else "root";
 
           ExecStart = "${pkgs.rclone}/bin/rclone serve ${serve_config.type} ${serve_config.remote} ${
-            lib.concatStringsSep " " serve_config.extraArgs
+            concatStringsSep " " serve_config.extraArgs
           }";
         };
       }

overlay/default.nix

@@ -22,9 +22,9 @@ final: prev: {
     owner = "superseriousbusiness";
     repo = "gotosocial";
 
-    version = "0.11.0";
-    source-hash = "sha256-qbq5pDvG2L1s6BG+sh7eagcFNH/DWyANMQaAl2WcQzE=";
-    web-assets-hash = "sha256-NK5m+ERZQtl5Stq2+bWw0LS2SbmlhEJDZjTTxYciemE=";
+    version = "0.11.1";
+    source-hash = "sha256-qsgrHPQae1+LKF2y6e256ZfYR+a9ffe7oq1W3GJA1do=";
+    web-assets-hash = "sha256-xPdSwsXjyjodgEHlwl4X32Pb6TniwM9Q+u56xAoY7SQ=";
 
     web-assets = final.fetchurl {
       url = "https://github.com/${owner}/${repo}/releases/download/v${version}/${repo}_${version}_web-assets.tar.gz";
@@ -32,12 +32,15 @@ final: prev: {
     };
   in {
     inherit version;
+
     src = final.fetchFromGitHub {
       inherit owner repo;
       rev = "refs/tags/v${version}";
       hash = source-hash;
     };
 
+    passthru.web-assets = web-assets;
+
     ldflags = ["-s" "-w" "-X main.Version=${version}"];
 
     doCheck = false;

overlay/piped/meta.json

@@ -1,15 +1,15 @@
 {
   "frontend": {
-    "rev": "4de41cd819d4bf49723de03a70ff48b2e5972fde",
-    "sha256": "sha256-ehFJp2X8UMu4Y/i1TgT85fQPrBzet2896sDXKJc5A+A="
+    "rev": "8bba3779df2e81bcc6b7fb37ac37eb60f64b90c1",
+    "sha256": "sha256-ijuVaD788K+zxEpuMp6mg7q45+qaPZC3NInD05M8+tw="
   },
   "backend": {
-    "rev": "8e2564bc1d3acab50f4a0734f01b81447a716121",
-    "sha256": "sha256-TpIXwrkSbhU/w6suukiLQyajw59NvW0dqQWHoscpFio=",
-    "deps-sha256": "sha256-GUkweG2ftIdalX20mQ9xkHiDP5aQ5WYNkB8shblKC/M="
+    "rev": "3b1bef532b6548bdbdc34a570954af51db475a35",
+    "sha256": "sha256-/XkXsSsWyqIuLPKaftD55ms9YtWbjyqnofg+ZaSA3dQ=",
+    "deps-sha256": "sha256-CS6gu7U8loktSh5xLq98vnBFWHuuv9sLYmgAZtrdP4Y="
   },
   "proxy": {
-    "rev": "fe8fef85c63f9c54ef167fe77ef42e5fb52ef8a9",
-    "sha256": "sha256-vlR+pbm8J32F/BKsmSlgEhb8JJ/8WNiF7cYXJKEmSsQ="
+    "rev": "b6bde9e31a312ff74ad70dc6c56b414a3570833b",
+    "sha256": "sha256-qHpi0h5gW2V4c+46rIPiOoGFaiy7eojAwQj3vHs3vMY="
   }
 }

overlay/piped/update.sh

@@ -26,8 +26,7 @@ if [ "$new_frontend_rev" != "$old_frontend_rev" ] || [ "${FORCE_UPDATE-}" != ""
         git clone https://github.com/TeamPiped/Piped
         pushd Piped
             git reset --hard "$new_frontend_rev"
-            # Missing from generated lockfile, 
-            yarn install --no-lockfile
+            #yarn install --no-lockfile
             yarn install --mode update-lockfile
             nix run "github:NixOS/nixpkgs/nixos-unstable#yarn2nix" > "${BASE_DIR}/frontend/yarn.nix"
             cp yarn.lock "${BASE_DIR}/frontend/yarn.lock"
@@ -43,7 +42,7 @@ if [ "$new_backend_rev" != "$old_backend_rev" ] || [ "${FORCE_UPDATE-}" != "" ];
     echo "Backend is out of date. Updating..."
     json_set '.backend.rev' "$new_backend_rev"
     json_set '.backend.sha256' ""
-    json_set '.backend.deps-sha256' ""
+    json_set '.backend."deps-sha256"' ""
 fi
 
 # Proxy
@@ -55,4 +54,10 @@ if [ "$new_proxy_rev" != "$old_proxy_rev" ] || [ "${FORCE_UPDATE-}" != "" ]; the
     json_set '.proxy.sha256' ""
 fi
 
+# gotta manually update shasums using output from these 
+echo "building frontend"
+nix build .#piped-frontend || true
+
+echo "building backend"
+nix build .#piped-backend || true
 

presets/nixos/dual-encrypted-drive.nix

@@ -25,13 +25,33 @@ in {
 
       while !(test -b ${usb_data.encrypted_path})
       do
-        echo "Please Plug In USB"
+        ${
+        if config.boot.plymouth.enable
+        then ''
+          ${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
+        ''
+        else ''
+          echo "Please Plug In USB"
+        ''
+      }
         sleep 1
       done
 
-      echo "Please Decrypt USB"
+      ${
+        if config.boot.plymouth.enable
+        then ''
+          ${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
 
-      cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
+          ${pkgs.plymouth}/bin/plymouth ask-for-password \
+            --prompt="Please Decrypt USB" \
+            --command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \
+            --number-of-tries=3
+        ''
+        else ''
+          echo "Please Decrypt USB"
+          cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name}
+        ''
+      }
 
       mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
 

presets/nixos/normal-encrypted-drive.nix

@@ -25,13 +25,33 @@ in {
 
       while !(test -b ${usb_data.encrypted_path})
       do
-        echo "Please Plug In USB"
+        ${
+        if config.boot.plymouth.enable
+        then ''
+          ${pkgs.plymouth}/bin/plymouth display-message --text="Please Plug In USB"
+        ''
+        else ''
+          echo "Please Plug In USB"
+        ''
+      }
         sleep 1
       done
 
-      echo "Please Decrypt USB"
+      ${
+        if config.boot.plymouth.enable
+        then ''
+          ${pkgs.plymouth}/bin/plymouth hide-message --text="Please Plug In USB"
 
-      cryptsetup luksOpen ${usb_data.encrypted_path} ${usb_data.mapper_name}
+          ${pkgs.plymouth}/bin/plymouth ask-for-password \
+            --prompt="Please Decrypt USB" \
+            --command="cryptsetup -T1 open ${usb_data.encrypted_path} ${usb_data.mapper_name}" \
+            --number-of-tries=3
+        ''
+        else ''
+          echo "Please Decrypt USB"
+          cryptsetup open ${usb_data.encrypted_path} ${usb_data.mapper_name}
+        ''
+      }
 
       mount -n -t ${usb_data.unencrypted_fs_type} -o ro ${usb_data.mapper_path} ${usb_data.mountpoint}
 

presets/nixos/server-encrypted-drive.nix

@@ -11,7 +11,6 @@
     loader.grub = {
       enable = true;
       efiSupport = false;
-      version = 2;
       enableCryptodisk = true;
       device = "/dev/sda";
     };

profiles/base/access.nix

@@ -2,7 +2,9 @@
   lib,
   pkgs,
   ...
-}: {
+}: let
+  inherit (lib.modules) mkForce;
+in {
   users.defaultUserShell = pkgs.zsh;
-  security.sudo.wheelNeedsPassword = lib.mkForce false;
+  security.sudo.wheelNeedsPassword = mkForce false;
 }

profiles/base/home.nix

@@ -4,14 +4,17 @@
   config,
   lib,
   ...
-}:
-with lib; {
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (lib.lists) flatten forEach;
+  inherit (lib.options) mkOption;
+  inherit (lib.types) attrsOf submoduleWith;
+in {
   options.home-manager.users = mkOption {
-    type = types.attrsOf (types.submoduleWith {
+    type = attrsOf (submoduleWith {
       modules = [];
       specialArgs = {
         inherit inputs tree;
-        nixos = config;
       };
     });
   };
@@ -21,7 +24,7 @@ with lib; {
       useUserPackages = true;
       sharedModules = with tree; [modules.home.vscode-mod-module];
     };
-    systemd.tmpfiles.rules = lib.mkIf config.boot.isContainer (lib.flatten (lib.forEach (builtins.attrNames config.home-manager.users) (user: [
+    systemd.tmpfiles.rules = mkIf config.boot.isContainer (flatten (forEach (builtins.attrNames config.home-manager.users) (user: [
       "d /nix/var/nix/profiles/per-user/${user} - ${config.users.users."${user}".group} - - -"
       "d /nix/var/nix/gcroots/per-user/${user} - ${config.users.users."${user}".group} - - -"
     ])));

profiles/base/nix.nix

@@ -3,12 +3,14 @@
   config,
   lib,
   ...
-}: {
+}: let
+  inherit (lib.strings) optionalString versionAtLeast;
+in {
   nix = {
     nixPath = ["nixpkgs=${inputs.nixpkgs}"];
     extraOptions =
-      lib.optionalString
-      (lib.versionAtLeast config.nix.package.version "2.4") ''
+      optionalString
+      (versionAtLeast config.nix.package.version "2.4") ''
         experimental-features = nix-command flakes
       '';
     settings.trusted-users = ["root" "@wheel"];

profiles/connectivity/network_manager/nm.nix

@@ -1,9 +1,10 @@
-{lib, ...}: {
+{lib, ...}: let
+  inherit (lib.modules) mkForce;
+in {
   networking = {
     networkmanager = {
       enable = true;
-      connectionConfig = {"ipv6.ip6-privacy" = lib.mkForce 1;};
+      connectionConfig = {"ipv6.ip6-privacy" = mkForce 1;};
     };
   };
-  programs.nm-applet.enable = true;
 }

profiles/cross/arm64.nix

@@ -2,11 +2,13 @@
   pkgs,
   lib,
   ...
-}: {
+}: let
+  inherit (lib.modules) mkForce;
+in {
   boot.binfmt = {
     emulatedSystems = ["aarch64-linux"];
     registrations.aarch64-linux = {
-      interpreter = lib.mkForce "${pkgs.qemu}/bin/qemu-aarch64";
+      interpreter = mkForce "${pkgs.qemu}/bin/qemu-aarch64";
     };
   };
   nix.settings.extra-sandbox-paths = ["/run/binfmt" "${pkgs.qemu}"];

profiles/dnscrypt/dnscrypt.nix

@@ -1,39 +0,0 @@
-{...}: {
-  networking = {
-    resolvconf.useLocalResolver = true;
-    networkmanager.dns = "none";
-  };
-
-  #networking.nameservers = lib.mkForce [ "127.0.0.1.5353" ];
-
-  services.dnscrypt-proxy2 = {
-    enable = true;
-    settings = {
-      #listen_addresses = ["127.0.0.1:5353" "[::1]:5353"];
-
-      ipv6_servers = true;
-      require_dnssec = true;
-
-      sources.public-resolvers = {
-        urls = [
-          "https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md"
-          "https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md"
-        ];
-        cache_file = "/var/lib/dnscrypt-proxy2/public-resolvers.md";
-        minisign_key = "RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3";
-      };
-
-      server_names = [
-        "cloudflare"
-        #"acsacsar-ams-ipv4"
-        #"acsacsar-ams-ipv6"
-        #"dnscrypt.eu-dk"
-        #"dnscrypt.eu-dk-ipv6"
-        #"dnscrypt.eu-nl"
-        #"dnscrypt.eu-nl-ipv6"
-        #"meganerd"
-        #"meganerd-ipv6"
-      ];
-    };
-  };
-}

profiles/force_dns/force_dns.nix

@@ -1,7 +1,9 @@
-{lib, ...}: {
+{lib, ...}: let
+  inherit (lib.modules) mkForce;
+in {
   networking = {
     resolvconf.useLocalResolver = false;
     networkmanager.dns = "none";
   };
-  networking.nameservers = lib.mkForce ["1.1.1.1"];
+  networking.nameservers = mkForce ["1.1.1.1"];
 }

profiles/gui/base/default.nix

@@ -1,8 +1,15 @@
-{pkgs, ...}: {
+{pkgs, lib, config, ...}: let 
+  inherit (lib.modules) mkIf;
+  
+  networkManagerEnabled = config.networking.networkmanager.enable;
+in {
   environment.systemPackages = with pkgs; [
     gnome3.adwaita-icon-theme
+    (mkIf networkManagerEnabled pkgs.networkmanagerapplet)
   ];
 
+  programs.nm-applet.enable = networkManagerEnabled;
+
   fonts = {
     packages = with pkgs; [comic-sans comic-code];
     fontconfig = {

profiles/gui/environments/gnome/default.nix

@@ -3,6 +3,8 @@
   lib,
   ...
 }: let
+  inherit (lib.modules) mkIf mkForce;
+
   isWayland = true;
 in {
   services.xserver = {
@@ -24,7 +26,7 @@ in {
       if isWayland
       then "wayland"
       else "x11";
-    _JAVA_AWT_WM_NONREPARENTING = lib.mkIf isWayland "1";
+    _JAVA_AWT_WM_NONREPARENTING = mkIf isWayland "1";
   };
 
   security.polkit.extraConfig = ''
@@ -66,7 +68,7 @@ in {
   services.udev.packages = with pkgs; [gnome3.gnome-settings-daemon];
 
   services.power-profiles-daemon.enable = true;
-  hardware.pulseaudio.enable = lib.mkForce false;
+  hardware.pulseaudio.enable = mkForce false;
 
   programs.dconf.enable = true;
 

profiles/nginx.nix

@@ -2,11 +2,15 @@
   pkgs,
   lib,
   ...
-}: {
+}: let
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkDefault;
+  inherit (lib.types) submodule attrsOf;
+in {
   options = {
-    services.nginx.virtualHosts = lib.mkOption {
-      type = lib.types.attrsOf (lib.types.submodule {
-        config.http3 = lib.mkDefault true;
+    services.nginx.virtualHosts = mkOption {
+      type = attrsOf (submodule {
+        config.http3 = mkDefault true;
       });
     };
   };

profiles/sound/pulseaudio/pulse-bluetooth.nix

@@ -3,12 +3,14 @@
   tree,
   lib,
   ...
-}: {
+}: let
+  inherit (lib.modules) mkForce;
+in {
   imports = with tree; [profiles.connectivity.bluetooth];
 
   hardware.pulseaudio = {
     extraModules = with pkgs; [pkgs.pulseaudio-modules-bt];
-    package = lib.mkForce pkgs.pulseaudioFull;
+    package = mkForce pkgs.pulseaudioFull;
     extraConfig = "load-module module-switch-on-connect";
   };
 }

profiles/sshd/sshd.nix

@@ -1,10 +1,12 @@
-{lib, ...}: {
+{lib, ...}: let
+  inherit (lib.modules) mkDefault;
+in {
   services.openssh = {
     enable = true;
     settings = {
       PermitRootLogin = "prohibit-password";
       PasswordAuthentication = false;
-      KbdInteractiveAuthentication = lib.mkDefault false;
+      KbdInteractiveAuthentication = mkDefault false;
       StreamLocalBindUnlink = true;
       KexAlgorithms = ["curve25519-sha256@libssh.org"];
       LogLevel = "VERBOSE";