Format tree with treefmt

modules/dns/authoritative.nix

@@ -33,17 +33,49 @@ in
     # Including the key via keyFiles keeps the secret out of the Nix store.
     keyFiles = [ config.clan.core.vars.generators.dns-tsig.files."tsig.conf".path ];
     settings = {
-      server.listen = [ "0.0.0.0@53" "::@53" ];
-      log = [ { target = "syslog"; any = "info"; } ];
+      server.listen = [
+        "0.0.0.0@53"
+        "::@53"
+      ];
+      log = [
+        {
+          target = "syslog";
+          any = "info";
+        }
+      ];
 
       remote = [
-        { id = "ns1"; address = [ ns1zt ]; key = "cnx_xfr"; }
-        { id = "ns2"; address = [ ns2zt ]; key = "cnx_xfr"; }
+        {
+          id = "ns1";
+          address = [ ns1zt ];
+          key = "cnx_xfr";
+        }
+        {
+          id = "ns2";
+          address = [ ns2zt ];
+          key = "cnx_xfr";
+        }
       ];
 
       acl = [
-        { id = "acl_ns1"; address = [ ns1zt ]; key = "cnx_xfr"; action = [ "transfer" "notify" ]; }
-        { id = "acl_ns2"; address = [ ns2zt ]; key = "cnx_xfr"; action = [ "transfer" "notify" ]; }
+        {
+          id = "acl_ns1";
+          address = [ ns1zt ];
+          key = "cnx_xfr";
+          action = [
+            "transfer"
+            "notify"
+          ];
+        }
+        {
+          id = "acl_ns2";
+          address = [ ns2zt ];
+          key = "cnx_xfr";
+          action = [
+            "transfer"
+            "notify"
+          ];
+        }
       ];
     };
   };

modules/hetzner-firewall-rules.nix

@@ -4,7 +4,10 @@
 # Public SSH (22) is intentionally absent: admin access rides the ZeroTier mesh
 # (inside UDP 9993), with emergency-access as the console fallback.
 let
-  world = [ "0.0.0.0/0" "::/0" ];
+  world = [
+    "0.0.0.0/0"
+    "::/0"
+  ];
 
   zerotier = {
     direction = "in";
@@ -22,14 +25,29 @@ let
   };
 
   dnsRules = [
-    { direction = "in"; protocol = "udp"; port = "53"; source_ips = world; description = "DNS (UDP)"; }
-    { direction = "in"; protocol = "tcp"; port = "53"; source_ips = world; description = "DNS (TCP)"; }
+    {
+      direction = "in";
+      protocol = "udp";
+      port = "53";
+      source_ips = world;
+      description = "DNS (UDP)";
+    }
+    {
+      direction = "in";
+      protocol = "tcp";
+      port = "53";
+      source_ips = world;
+      description = "DNS (TCP)";
+    }
     zerotier
     ping
   ];
 in
 {
-  "clan-control" = [ zerotier ping ];
+  "clan-control" = [
+    zerotier
+    ping
+  ];
   "clan-ns1" = dnsRules;
   "clan-ns2" = dnsRules;
 }

modules/hetzner-firewall.nix

@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 let
   cfg = config.cnx.hetznerFirewall;
 in
@@ -29,8 +34,7 @@ in
     tokenFile = lib.mkOption {
       type = lib.types.path;
       default = config.clan.core.vars.generators.hetzner-firewall.files.token.path;
-      defaultText = lib.literalExpression
-        "config.clan.core.vars.generators.hetzner-firewall.files.token.path";
+      defaultText = lib.literalExpression "config.clan.core.vars.generators.hetzner-firewall.files.token.path";
       description = "File holding the Hetzner Cloud API token (Read & Write).";
     };
   };
@@ -48,7 +52,11 @@ in
       description = "Sync Hetzner Cloud firewall rules from Nix config";
       after = [ "network-online.target" ];
       wants = [ "network-online.target" ];
-      path = [ pkgs.curl pkgs.jq pkgs.coreutils ];
+      path = [
+        pkgs.curl
+        pkgs.jq
+        pkgs.coreutils
+      ];
       environment.SSL_CERT_FILE = "/etc/ssl/certs/ca-certificates.crt";
       serviceConfig = {
         Type = "oneshot";
@@ -71,20 +79,22 @@ in
           curl -fsS -H @"$hdr" -H "Content-Type: application/json" "$@"
         }
 
-        ${lib.concatStringsSep "\n" (lib.mapAttrsToList (fwName: rules: ''
-          name=${lib.escapeShellArg fwName}
-          rules=${lib.escapeShellArg (builtins.toJSON rules)}
-          id="$(hapi "$api/firewalls?name=$name" | jq -r '.firewalls[0].id // empty')"
-          if [ -z "$id" ]; then
-            echo "hetzner-firewall: creating $name"
-            jq -n --arg name "$name" --argjson rules "$rules" '{name: $name, rules: $rules}' \
-              | hapi -X POST --data-binary @- "$api/firewalls" > /dev/null
-          else
-            echo "hetzner-firewall: setting rules on $name (id $id)"
-            jq -n --argjson rules "$rules" '{rules: $rules}' \
-              | hapi -X POST --data-binary @- "$api/firewalls/$id/actions/set_rules" > /dev/null
-          fi
-        '') cfg.firewalls)}
+        ${lib.concatStringsSep "\n" (
+          lib.mapAttrsToList (fwName: rules: ''
+            name=${lib.escapeShellArg fwName}
+            rules=${lib.escapeShellArg (builtins.toJSON rules)}
+            id="$(hapi "$api/firewalls?name=$name" | jq -r '.firewalls[0].id // empty')"
+            if [ -z "$id" ]; then
+              echo "hetzner-firewall: creating $name"
+              jq -n --arg name "$name" --argjson rules "$rules" '{name: $name, rules: $rules}' \
+                | hapi -X POST --data-binary @- "$api/firewalls" > /dev/null
+            else
+              echo "hetzner-firewall: setting rules on $name (id $id)"
+              jq -n --argjson rules "$rules" '{rules: $rules}' \
+                | hapi -X POST --data-binary @- "$api/firewalls/$id/actions/set_rules" > /dev/null
+            fi
+          '') cfg.firewalls
+        )}
       '';
     };