Diffstat (limited to 'nix/hosts/corrino')
-rw-r--r--nix/hosts/corrino/configuration.nix203
-rw-r--r--nix/hosts/corrino/default.nix4
-rw-r--r--nix/hosts/corrino/emile.space.nix2
-rw-r--r--nix/hosts/corrino/hardware-configuration.nix36
-rw-r--r--nix/hosts/corrino/ports.nix76
-rw-r--r--nix/hosts/corrino/www/cs.emile.space.nix85
-rw-r--r--nix/hosts/corrino/www/ctf.emile.space.nix4
-rw-r--r--nix/hosts/corrino/www/db.emile.space.nix2
-rw-r--r--nix/hosts/corrino/www/git/cgit.nix1150
-rw-r--r--nix/hosts/corrino/www/git/default.nix4
-rw-r--r--nix/hosts/corrino/www/git/git.nix44
-rw-r--r--nix/hosts/corrino/www/grafana.emile.space.nix8
-rw-r--r--nix/hosts/corrino/www/grafana_full.emile.space.nix17
-rw-r--r--nix/hosts/corrino/www/hydra.emile.space.nix9
-rw-r--r--nix/hosts/corrino/www/irc.emile.space.nix280
-rw-r--r--nix/hosts/corrino/www/magic-hash.emile.space.nix4
-rw-r--r--nix/hosts/corrino/www/netbox.emile.space.nix3
-rw-r--r--nix/hosts/corrino/www/nix-cache/default.nix4
-rw-r--r--nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix54
-rw-r--r--nix/hosts/corrino/www/photo/default.nix8
-rw-r--r--nix/hosts/corrino/www/s3.emile.space.nix22
-rw-r--r--nix/hosts/corrino/www/social.emile.space.nix129
-rw-r--r--nix/hosts/corrino/www/sso.emile.space.nix418
-rw-r--r--nix/hosts/corrino/www/tickets.emile.space.nix5
-rw-r--r--nix/hosts/corrino/www/tmp.emile.space.nix2
25 files changed, 1318 insertions, 1255 deletions
diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix
index 5f012b0..9ba6c55 100644
--- a/nix/hosts/corrino/configuration.nix
+++ b/nix/hosts/corrino/configuration.nix
@@ -5,60 +5,61 @@ let
   # keys = key;
   keys = {
     emile = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzY3eCD6D07Kc8iBIO3nLRsqaOZ+Q+RKykXLefT26eU shortcuts@caladan"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoHWyC9r0LVk6UlkhBWAJph0F6KHYHh83EI5U9wtfq2 shortcuts@ginaz"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzY3eCD6D07Kc8iBIO3nLRsqaOZ+Q+RKykXLefT26eU shortcuts@caladan"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMoHWyC9r0LVk6UlkhBWAJph0F6KHYHh83EI5U9wtfq2 shortcuts@ginaz"
     ];
   };
-in {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
+in
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
 
-      ./ports.nix
+    ./ports.nix
 
-      ./www/git
-      ./www/nix-cache
+    ./www/git
+    ./www/nix-cache
 
-      # screego
+    # screego
 
-      # web
-      ./www/emile.space.nix
-      ./www/tmp.emile.space.nix
-      ./www/hydra.emile.space.nix
-      ./www/netbox.emile.space.nix
-      ./www/grafana.emile.space.nix
+    # web
+    ./www/emile.space.nix
+    ./www/tmp.emile.space.nix
+    ./www/hydra.emile.space.nix
+    ./www/netbox.emile.space.nix
+    ./www/grafana.emile.space.nix
 
-      # ./www/photo.emile.space.nix
-      # ./www/photo
+    # ./www/photo.emile.space.nix
+    # ./www/photo
 
-      ./www/tickets.emile.space.nix
-      ./www/talks.emile.space.nix
-      ./www/stream.emile.space.nix
-      ./www/md.emile.space.nix
-      ./www/social.emile.space.nix
-      ./www/sso.emile.space.nix
-      ./www/s3.emile.space.nix
-      ./www/cs.emile.space.nix
-      ./www/irc.emile.space.nix
-      ./www/db.emile.space.nix
+    ./www/tickets.emile.space.nix
+    ./www/talks.emile.space.nix
+    ./www/stream.emile.space.nix
+    ./www/md.emile.space.nix
+    ./www/social.emile.space.nix
+    ./www/sso.emile.space.nix
+    ./www/s3.emile.space.nix
+    ./www/cs.emile.space.nix
+    ./www/irc.emile.space.nix
+    ./www/db.emile.space.nix
 
-      # ./www/irc.emile.space.nix
-      # ./www/irc
+    # ./www/irc.emile.space.nix
+    # ./www/irc
 
-      ./www/ctf.emile.space.nix
-      # ./www/magic-hash.emile.space.nix
+    ./www/ctf.emile.space.nix
+    # ./www/magic-hash.emile.space.nix
 
-      # gemini
-      ./gemini/emile.space.nix
+    # gemini
+    ./gemini/emile.space.nix
 
-      # general purpose modules
+    # general purpose modules
 
-      # r2wars
-      ./www/r2wa.rs.nix
+    # r2wars
+    ./www/r2wa.rs.nix
 
-      # containers
-    ];
+    # containers
+  ];
 
   # Use GRUB2 as the boot loader.
   # We don't use systemd-boot because Hetzner uses BIOS legacy boot.
@@ -71,21 +72,30 @@ in {
       efiSupport = false;
       enableCryptodisk = true;
       device = "nodev";
-      devices = [ "/dev/nvme0n1" "/dev/nvme1n1"];
+      devices = [
+        "/dev/nvme0n1"
+        "/dev/nvme1n1"
+      ];
     };
 
-    kernelParams = [ "ip=135.181.142.139::135.181.142.129:255.255.255.192:corrino:enp35s0:off:8.8.8.8:8.8.4.4:" ];
+    kernelParams = [
+      "ip=135.181.142.139::135.181.142.129:255.255.255.192:corrino:enp35s0:off:8.8.8.8:8.8.4.4:"
+    ];
 
     initrd = {
       kernelModules = [ "dm-snapshot" ];
 
-      availableKernelModules = [ "cryptd" "aesni_intel" "igb" ];#"FIXME Your network driver" ];
+      availableKernelModules = [
+        "cryptd"
+        "aesni_intel"
+        "igb"
+      ]; # "FIXME Your network driver" ];
 
       network = {
         enable = true;
         ssh = {
           enable = true;
-      
+
           # ssh port during boot for luks decryption
           port = config.emile.ports.initrd_ssh;
           authorizedKeys = config.users.users.root.openssh.authorizedKeys.keys;
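Review bot: The trailing comment on the reformatted `availableKernelModules` list, `]; # "FIXME Your network driver" ];`, is leftover template text with an unmatched `];`. The FIXME looks resolved now that `igb` is listed, so I would drop the comment. The same reflow detached two other comments from the groups they describe. In the firewall hunk `# normal web` now sits on `443` only, and in the `/proc` mount hunk `# normal foo` sits on `"relatime"` only; putting each on its own line above its group (for example `# normal web` above `80`) keeps the meaning. The `initrd` block continues outside this hunk.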
@@ -106,7 +116,7 @@ in {
           };
         };
       };
-                  
+
       secrets = {
         "/initrd_ssh_host_ecdsa_key" = "/initrd_ssh_host_ecdsa_key";
       };
@@ -203,8 +213,14 @@ in {
     description = "Automatic connection to Tailscale";
 
     # make sure tailscale is running before trying to connect to tailscale
-    after = [ "network-pre.target" "tailscale.service" ];
-    wants = [ "network-pre.target" "tailscale.service" ];
+    after = [
+      "network-pre.target"
+      "tailscale.service"
+    ];
+    wants = [
+      "network-pre.target"
+      "tailscale.service"
+    ];
     wantedBy = [ "multi-user.target" ];
 
     # set this service as a oneshot job
@@ -225,7 +241,7 @@ in {
       ${tailscale}/bin/tailscale up \
         --advertise-exit-node --exit-node
     '';
-      # -authkey ${config.age.secrets.tailscale_authkey}
+    # -authkey ${config.age.secrets.tailscale_authkey}
   };
 
   networking = {
@@ -237,18 +253,30 @@ in {
     interfaces = {
       "enp35s0" = {
         ipv4.addresses = [
-          { address = "135.181.142.139"; prefixLength = 26; }
+          {
+            address = "135.181.142.139";
+            prefixLength = 26;
+          }
         ];
       };
       "enp35s0".ipv6.addresses = [
-        { address = "2a01:4f9:3a:16a4::1"; prefixLength = 64; }
+        {
+          address = "2a01:4f9:3a:16a4::1";
+          prefixLength = 64;
+        }
       ];
     };
 
     defaultGateway = "135.181.142.129";
-    defaultGateway6 = { address = "fe80::1"; interface = "enp35s0"; };
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp35s0";
+    };
 
-    nameservers = [ "8.8.8.8" "8.8.4.4" ];
+    nameservers = [
+      "8.8.8.8"
+      "8.8.4.4"
+    ];
 
     # incus doesn't support iptables, so we're using nftables here 
     nftables.enable = true;
@@ -257,13 +285,17 @@ in {
       enable = true;
       allowedTCPPorts = [
         config.emile.ports.gitDaemon # gitDaemon
-        80 443 # normal web
+        80
+        443 # normal web
       ];
       allowedUDPPorts = [
         51820 # wireguard
       ];
       allowedUDPPortRanges = [
-        { from = 60000; to = 61000; } # mosh
+        {
+          from = 60000;
+          to = 61000;
+        } # mosh
       ];
 
       interfaces."tailscale0".allowedTCPPorts = [
@@ -275,7 +307,10 @@ in {
       enable = true;
       enableIPv6 = true;
       externalInterface = "enp35s0";
-      internalInterfaces = [ "wg0" "ve-+"];
+      internalInterfaces = [
+        "wg0"
+        "ve-+"
+      ];
     };
 
     wireguard = {
@@ -298,12 +333,14 @@ in {
 
         peers = [
           # List of allowed peers.
-          { # Emiles-MBA
+          {
+            # Emiles-MBA
             publicKey = "Ebsjn7w2FeUs5lUN6ALoUcF/o9/+SopDL324YJPSCDY=";
             # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
             allowedIPs = [ "10.87.0.2/32" ];
           }
-          { # Emiles-IphoneX
+          {
+            # Emiles-IphoneX
             publicKey = "xGfmwraI0Eh3eFEXjJrd2AYCgUM1uK4Y+FX5ACAQZ3M=";
             # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
             allowedIPs = [ "10.87.0.3/32" ];
@@ -317,7 +354,7 @@ in {
   users.users = {
     root = {
       initialHashedPassword = "";
-      openssh.authorizedKeys.keys = [] ++ keys.emile;
+      openssh.authorizedKeys.keys = [ ] ++ keys.emile;
       packages = with pkgs; [
         mdadm
         tailscale
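Review bot: `initialHashedPassword = "";` on `root`, the line directly above the reformatted `authorizedKeys` entry, is an empty password hash. NixOS documents an empty hash as allowing login without a password prompt on local consoles (not through SSH, `su` or `sudo`). If root is meant to be reachable by key only, leave the option unset (its default `null` disables password login) or set a real hash generated with `mkpasswd`. On a host that already exists with mutable users, the initial value is presumably no longer consulted, so the current state of the account is worth checking separately. The `root` attribute set continues outside this hunk.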
@@ -326,15 +363,22 @@ in {
         htop
         git
         vim
-        fd ripgrep
+        fd
+        ripgrep
+      ];
+      extraGroups = [
+        "docker"
+        "libvirtd"
       ];
-      extraGroups = [ "docker" "libvirtd" ];
     };
 
     hack = {
       isNormalUser = true;
-      openssh.authorizedKeys.keys = [] ++ keys.emile;
-      extraGroups = [ "docker" "libvirtd" ];
+      openssh.authorizedKeys.keys = [ ] ++ keys.emile;
+      extraGroups = [
+        "docker"
+        "libvirtd"
+      ];
     };
 
     tmpuser1 = {
@@ -343,7 +387,7 @@ in {
       # TODO(emile): read after the whole user system is setup
       # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMMq7gVuOuJEuarcsss2pb4JJS39zW/Fuow0foyqlV5 noobtracker@noobtracker-linux"
 
-      openssh.authorizedKeys.keys = [] ++ keys.emile;
+      openssh.authorizedKeys.keys = [ ] ++ keys.emile;
     };
   };
 
@@ -371,9 +415,12 @@ in {
       useRoutingFeatures = "both";
     };
   };
-  
+
   nix = {
-    settings.experimental-features = [ "nix-command" "flakes" ];
+    settings.experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
 
     gc = {
       automatic = true;
@@ -419,7 +466,7 @@ in {
       builders-use-substitutes = true
       allowed-uris = http:// https://
     '';
-      # allowed-uris = ssh://git@git.emile.space/hefe-internal git.emile.space git@git.emile.space ssh://git@git.emile.space
+    # allowed-uris = ssh://git@git.emile.space/hefe-internal git.emile.space git@git.emile.space ssh://git@git.emile.space
     # allowed-uris = git.emile.space: gitea@git.emile.space: ssh://gitea@git.emile.space/hanemile/hefe-internal.git git+ssh: git+https:
 
     # settings.allowed-uris = [
@@ -432,7 +479,12 @@ in {
         system = "x86_64-linux";
         protocol = "ssh-ng";
         maxJobs = 1;
-        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+        supportedFeatures = [
+          "nixos-test"
+          "benchmark"
+          "big-parallel"
+          "kvm"
+        ];
       }
       {
         hostName = "caladan.pinto-pike.ts.net";
@@ -440,12 +492,17 @@ in {
         protocol = "ssh-ng";
         maxJobs = 1;
         speedFactor = 2;
-        supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
+        supportedFeatures = [
+          "nixos-test"
+          "benchmark"
+          "big-parallel"
+          "kvm"
+        ];
         mandatoryFeatures = [ ];
       }
     ];
 
-  	distributedBuilds = true;
+    distributedBuilds = true;
   };
 
   nixpkgs.config = {
@@ -491,7 +548,10 @@ in {
   fileSystems."/proc" = {
     device = "/proc";
     options = [
-      "nosuid" "nodev" "noexec" "relatime" # normal foo
+      "nosuid"
+      "nodev"
+      "noexec"
+      "relatime" # normal foo
       "hidepid=2" # this makes sure users can only see their own processes
     ];
   };
@@ -502,7 +562,8 @@ in {
     options =
       let
         automount_opts = "_netdev,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
-      in ["${automount_opts},credentials=${config.age.secrets.storage_box_bx11_password.path}"];
+      in
+      [ "${automount_opts},credentials=${config.age.secrets.storage_box_bx11_password.path}" ];
   };
 
   # FIXME
diff --git a/nix/hosts/corrino/default.nix b/nix/hosts/corrino/default.nix
index 87486c5..157af45 100644
--- a/nix/hosts/corrino/default.nix
+++ b/nix/hosts/corrino/default.nix
@@ -1,3 +1 @@
-{
-	sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFzoWTW3c7CKWx5t0OZzTfKTlC6R2VHXczVatgYI57N";
-}
+{ sshKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFzoWTW3c7CKWx5t0OZzTfKTlC6R2VHXczVatgYI57N"; }
diff --git a/nix/hosts/corrino/emile.space.nix b/nix/hosts/corrino/emile.space.nix
index 9cca880..d30c29f 100644
--- a/nix/hosts/corrino/emile.space.nix
+++ b/nix/hosts/corrino/emile.space.nix
@@ -10,7 +10,7 @@
         root = "/var/www/emile.space";
         extraConfig = ''
           add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-        ''; 
+        '';
       };
 
       #"/.well-known" = {
diff --git a/nix/hosts/corrino/hardware-configuration.nix b/nix/hosts/corrino/hardware-configuration.nix
index b4e8c1e..ed55c25 100644
--- a/nix/hosts/corrino/hardware-configuration.nix
+++ b/nix/hosts/corrino/hardware-configuration.nix
@@ -1,28 +1,34 @@
-
-	# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
 
-  boot.initrd.availableKernelModules = [ "ahci" "nvme" ];
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "nvme"
+  ];
   boot.initrd.kernelModules = [ "dm-snapshot" ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/4d372699-9d47-44bf-a68e-eeb126fb7ad6";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/4d372699-9d47-44bf-a68e-eeb126fb7ad6";
+    fsType = "ext4";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/726db4ba-5b90-47e2-b924-72623f02585a";
-      fsType = "ext4";
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/726db4ba-5b90-47e2-b924-72623f02585a";
+    fsType = "ext4";
+  };
 
   swapDevices = [ ];
 
diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix
index 6f17be5..0c2bd2a 100644
--- a/nix/hosts/corrino/ports.nix
+++ b/nix/hosts/corrino/ports.nix
@@ -1,40 +1,40 @@
 {
-	emile.ports = {
-		stream_rtmp = 1935;
-		initrd_ssh = 2222;
-		photo = {
-			photoprism = 2342;
-			immich = 2343;
-		};
-		git = 3000;
-		hydra = 3001;
-		grafana = 3002;
-		md = 3003;
-		gotosocial = 3004;
-		harmonia = 5000;
-		irc = {
-			 clear = 6667;
-			 ssl = 6697;
-		};
-		hound = 6080;
-		stream = 8080;
-		netbox = 8001;
-		restic = 8002;
-		nocodb = 8003;
-		r2wars-web = 8089;
-		ctf = 8338;
-		magic-hash = 8339;
-		tickets = 8349;
-		talks = 8350;
-		minio = {
-			s3 = 9000;
-			web = 9001;
-		};
-		authelia = 9091;
-		prometheus = 9003;
-		gitDaemon = 9418;
-		prometheus_node_exporter = 9002;
-		prometheus_systemd_exporter = 9558;
-		prometheus_smartctl_exporter = 9633;
-	};
+  emile.ports = {
+    stream_rtmp = 1935;
+    initrd_ssh = 2222;
+    photo = {
+      photoprism = 2342;
+      immich = 2343;
+    };
+    git = 3000;
+    hydra = 3001;
+    grafana = 3002;
+    md = 3003;
+    gotosocial = 3004;
+    harmonia = 5000;
+    irc = {
+      clear = 6667;
+      ssl = 6697;
+    };
+    hound = 6080;
+    stream = 8080;
+    netbox = 8001;
+    restic = 8002;
+    nocodb = 8003;
+    r2wars-web = 8089;
+    ctf = 8338;
+    magic-hash = 8339;
+    tickets = 8349;
+    talks = 8350;
+    minio = {
+      s3 = 9000;
+      web = 9001;
+    };
+    authelia = 9091;
+    prometheus = 9003;
+    gitDaemon = 9418;
+    prometheus_node_exporter = 9002;
+    prometheus_systemd_exporter = 9558;
+    prometheus_smartctl_exporter = 9633;
+  };
 }
diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix
index 4f1b91e..7aefc64 100644
--- a/nix/hosts/corrino/www/cs.emile.space.nix
+++ b/nix/hosts/corrino/www/cs.emile.space.nix
@@ -2,53 +2,58 @@
 
 let
 
-	# get's all repos configured in cgit and converts them into some JSON that is used by hound
-	repos = builtins.toJSON
-		(lib.mergeAttrsList
-			(map
-				(x: {"${x.name}" = { url = "file://${x.path}"; }; })
-				(lib.mapAttrsToList
-					(name: value: value // { name = "${name}"; })
-					config.services.cgit.main.repos)));
-in {
-	services.nginx.virtualHosts."cs.emile.space" = {
-		forceSSL = true;
-		enableACME = true;
-		locations = {
-			"/" = {
+  # get's all repos configured in cgit and converts them into some JSON that is used by hound
+  repos = builtins.toJSON (
+    lib.mergeAttrsList (
+      map
+        (x: {
+          "${x.name}" = {
+            url = "file://${x.path}";
+          };
+        })
+        (lib.mapAttrsToList (name: value: value // { name = "${name}"; }) config.services.cgit.main.repos)
+    )
+  );
+in
+{
+  services.nginx.virtualHosts."cs.emile.space" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/" = {
         proxyPass = "http://${config.services.hound.listen}";
-			};
-		};
-	};
+      };
+    };
+  };
 
-	# add hound user to git group so the local repos can be read
+  # add hound user to git group so the local repos can be read
   # users.users.hound.extraGroups = [ "git" ];
 
-	users.groups."git".members = [ "hound" ];
+  users.groups."git".members = [ "hound" ];
 
-	# The `.gitignore` of the user `hound` should contain the following:
-	#
-	# [safe]
+  # The `.gitignore` of the user `hound` should contain the following:
+  #
+  # [safe]
   #       directory = /var/lib/git/repositories/*
   #       directory = /var/lib/git/repositories/faila.git
   #       directory = /var/lib/git/repositories/faila2.git
 
-	services.hound = {
-		enable = true;
-
-		config = ''
-			{
-			  "dbpath": "/var/lib/hound/data",
-			  "max-concurrent-indexers" : 6,
-		    "vcs-config" : {
-	        "git" : {
-            "detect-ref" : true
-	        }
-		    },
-			  "repos" : ${repos}
-			}
-		'';
-
-		listen = "127.0.0.1:${toString config.emile.ports.hound}";
-	};
+  services.hound = {
+    enable = true;
+
+    config = ''
+      			{
+      			  "dbpath": "/var/lib/hound/data",
+      			  "max-concurrent-indexers" : 6,
+      		    "vcs-config" : {
+      	        "git" : {
+                  "detect-ref" : true
+      	        }
+      		    },
+      			  "repos" : ${repos}
+      			}
+      		'';
+
+    listen = "127.0.0.1:${toString config.emile.ports.hound}";
+  };
 }
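Review bot: The comment above the `[safe]` example says the `.gitignore` of the `hound` user should contain those lines, but `[safe]` / `directory = …` is git configuration, so the comment should name `.gitconfig`. The `services.hound.config` string now has formatter spaces in front of the old tab indentation; the evaluated text is presumably unchanged, but re-indenting the embedded JSON with spaces only would make it readable again. The first comment also has a typo: "get's all repos" should be "gets all repos".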
diff --git a/nix/hosts/corrino/www/ctf.emile.space.nix b/nix/hosts/corrino/www/ctf.emile.space.nix
index 6eee75f..28c9419 100644
--- a/nix/hosts/corrino/www/ctf.emile.space.nix
+++ b/nix/hosts/corrino/www/ctf.emile.space.nix
@@ -17,9 +17,7 @@
     containers = {
       "ctfd" = {
         image = "ctfd/ctfd";
-        ports = [
-          "${toString config.emile.ports.ctf}:8000"
-        ];
+        ports = [ "${toString config.emile.ports.ctf}:8000" ];
       };
     };
   };
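Review bot: `ports = [ "${toString config.emile.ports.ctf}:8000" ];` publishes the CTFd container on every host interface, because no host address is given. If the container backend is Docker, published ports are typically reachable regardless of the `networking.firewall` allow-list. If the service is only meant to be reached through a local reverse proxy (not visible in this hunk), bind it to loopback: `ports = [ "127.0.0.1:${toString config.emile.ports.ctf}:8000" ];`. The same applies to the `noco` container in the `db.emile.space.nix` hunk, and both images are unpinned (`ctfd/ctfd`, `nocodb/nocodb:latest`), so a fixed tag or digest would make deployments reproducible. The enclosing `containers` block starts outside this hunk.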
diff --git a/nix/hosts/corrino/www/db.emile.space.nix b/nix/hosts/corrino/www/db.emile.space.nix
index 7cb365e..3385319 100644
--- a/nix/hosts/corrino/www/db.emile.space.nix
+++ b/nix/hosts/corrino/www/db.emile.space.nix
@@ -15,7 +15,7 @@
     containers = {
       "noco" = {
         image = "nocodb/nocodb:latest";
-				volumes = [ "nocodb:/usr/app/data" ];
+        volumes = [ "nocodb:/usr/app/data" ];
         ports = [ "${toString config.emile.ports.nocodb}:8080" ];
       };
     };
diff --git a/nix/hosts/corrino/www/git/cgit.nix b/nix/hosts/corrino/www/git/cgit.nix
index b48157a..edbbe2f 100644
--- a/nix/hosts/corrino/www/git/cgit.nix
+++ b/nix/hosts/corrino/www/git/cgit.nix
@@ -1,603 +1,607 @@
-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
-	repodirs = builtins.concatStringsSep "\n"
-		(map
-			(x: "directory = ${x}")
-			(lib.lists.flatten
-				(map
-					(x: lib.attrValues (lib.getAttrs [ "path" ] x))
-					(lib.mapAttrsToList
-						(name: value: value)
-						config.services.cgit.main.repos))));
+  repodirs = builtins.concatStringsSep "\n" (
+    map (x: "directory = ${x}") (
+      lib.lists.flatten (
+        map (x: lib.attrValues (lib.getAttrs [ "path" ] x)) (
+          lib.mapAttrsToList (name: value: value) config.services.cgit.main.repos
+        )
+      )
+    )
+  );
 in
 {
   environment.systemPackages = with pkgs; [
-	  md4c # used to get md2html for rendering the READMEs within cgit-pink
-	];
-
-	# set all the repos as safe
-	environment.etc = {
-	  gitconfig = {
-	    text = ''
-				[http]
-					sslCAinfo = /etc/ssl/certs/ca-certificates.crt
-				[safe]
-					${repodirs}
-	    '';
-		};
-	};
-	
+    md4c # used to get md2html for rendering the READMEs within cgit-pink
+  ];
+
+  # set all the repos as safe
+  environment.etc = {
+    gitconfig = {
+      text = ''
+        			[http]
+        				sslCAinfo = /etc/ssl/certs/ca-certificates.crt
+        			[safe]
+        				${repodirs}
+            '';
+    };
+  };
+
   services = {
-	  nginx.virtualHosts."git.emile.space" = {
-	    forceSSL = true;
-	    enableACME = true;
-	  };
-
-		cgit.main = {
-			enable = true;
-	 		package = pkgs.cgit-pink;
-			nginx.virtualHost = "git.emile.space";
-			nginx.location = "/";
-			repos = {
+    nginx.virtualHosts."git.emile.space" = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
+    cgit.main = {
+      enable = true;
+      package = pkgs.cgit-pink;
+      nginx.virtualHost = "git.emile.space";
+      nginx.location = "/";
+      repos = {
 
         # ops
-				hefe = {
-					desc = "Yet another monorepo (the big nix config)";	
-					path = "/var/lib/git/repositories/hefe.git";
-					section = "Infra";
-					owner = "emile";
-				};
-				vokobe = {
-					desc = "A custom static site generator written in rust";	
-					path = "/var/lib/git/repositories/vokobe.git";
-					section = "Infra";
-					owner = "emile";
-				};
-				massscan-docker = {
-					desc = "A Dockerfile for massscan";	
-					path = "/var/lib/git/repositories/massscan-docker.git";
-					section = "Infra";
-					owner = "emile";
-				};
-				metrics-bundler = {
-					desc = "A super basic metrics bundler";	
-					path = "/var/lib/git/repositories/metrics-bundler.git";
-					section = "Infra";
-					owner = "emile";
-				};
-
-				# matrix
-				matrix-sdk = {
-					desc = "A simpler matrix sdk";	
-					path = "/var/lib/git/repositories/matrix-sdk.git";
-					section = "Matrix";
-					owner = "emile";
-				};
-				matrix-weather-bot = {
-					desc = "A basic weather bot using matrix-sdk";	
-					path = "/var/lib/git/repositories/matrix-weather-bot.git";
-					section = "Matrix";
-					owner = "emile";
-				};
-				
+        hefe = {
+          desc = "Yet another monorepo (the big nix config)";
+          path = "/var/lib/git/repositories/hefe.git";
+          section = "Infra";
+          owner = "emile";
+        };
+        vokobe = {
+          desc = "A custom static site generator written in rust";
+          path = "/var/lib/git/repositories/vokobe.git";
+          section = "Infra";
+          owner = "emile";
+        };
+        massscan-docker = {
+          desc = "A Dockerfile for massscan";
+          path = "/var/lib/git/repositories/massscan-docker.git";
+          section = "Infra";
+          owner = "emile";
+        };
+        metrics-bundler = {
+          desc = "A super basic metrics bundler";
+          path = "/var/lib/git/repositories/metrics-bundler.git";
+          section = "Infra";
+          owner = "emile";
+        };
+
+        # matrix
+        matrix-sdk = {
+          desc = "A simpler matrix sdk";
+          path = "/var/lib/git/repositories/matrix-sdk.git";
+          section = "Matrix";
+          owner = "emile";
+        };
+        matrix-weather-bot = {
+          desc = "A basic weather bot using matrix-sdk";
+          path = "/var/lib/git/repositories/matrix-weather-bot.git";
+          section = "Matrix";
+          owner = "emile";
+        };
 
         # radare2
-				radare2-GoReSym = {
-					desc = "A script to load goresym symbols into radare2";	
-					path = "/var/lib/git/repositories/radare2-GoReSym.git";
-					section = "Radare2";
-					owner = "emile";
-				};
-				r2wars = {
-					desc = "A golang implementation of radare2";	
-					path = "/var/lib/git/repositories/r2wars.git";
-					section = "Radare2";
-					owner = "emile";
-				};
-				r2wars-web = {
-					desc = "The software behind https://r2wa.rs";	
-					path = "/var/lib/git/repositories/r2wars-web.git";
-					section = "Radare2";
-					owner = "emile";
-				};
-				r2wars-rs = {
-					desc = "A rust implementation of radare2";	
-					path = "/var/lib/git/repositories/r2wars-rs.git";
-					section = "Radare2";
-					owner = "emile";
-				};
-
-				# ctf
-				ctf_clusters = {
-					desc = "visualizing CTF clusters at DEFCON CTF Finals 2022";
-					path = "/var/lib/git/repositories/ctf_clusters.git";
-					section = "CTF";
-					owner = "emile";
-				};
-				lambda = {
-					desc = "hacktm ctf 2023 / misc / know your lambda calculus";
-					path = "/var/lib/git/repositories/lambda.git";
-					section = "CTF";
-					owner = "emile";
-				};
-				ctfdget = {
-					desc = "Simply fetch all challenges from a CTF from CTFd.";
-					path = "/var/lib/git/repositories/ctfdget.git";
-					section = "CTF";
-					owner = "emile";
-				};
+        radare2-GoReSym = {
+          desc = "A script to load goresym symbols into radare2";
+          path = "/var/lib/git/repositories/radare2-GoReSym.git";
+          section = "Radare2";
+          owner = "emile";
+        };
+        r2wars = {
+          desc = "A golang implementation of radare2";
+          path = "/var/lib/git/repositories/r2wars.git";
+          section = "Radare2";
+          owner = "emile";
+        };
+        r2wars-web = {
+          desc = "The software behind https://r2wa.rs";
+          path = "/var/lib/git/repositories/r2wars-web.git";
+          section = "Radare2";
+          owner = "emile";
+        };
+        r2wars-rs = {
+          desc = "A rust implementation of radare2";
+          path = "/var/lib/git/repositories/r2wars-rs.git";
+          section = "Radare2";
+          owner = "emile";
+        };
+
+        # ctf
+        ctf_clusters = {
+          desc = "visualizing CTF clusters at DEFCON CTF Finals 2022";
+          path = "/var/lib/git/repositories/ctf_clusters.git";
+          section = "CTF";
+          owner = "emile";
+        };
+        lambda = {
+          desc = "hacktm ctf 2023 / misc / know your lambda calculus";
+          path = "/var/lib/git/repositories/lambda.git";
+          section = "CTF";
+          owner = "emile";
+        };
+        ctfdget = {
+          desc = "Simply fetch all challenges from a CTF from CTFd.";
+          path = "/var/lib/git/repositories/ctfdget.git";
+          section = "CTF";
+          owner = "emile";
+        };
 
         # keyboard
-				zmk-config = {
-					desc = "ferris sweep zmk config";
-					path = "/var/lib/git/repositories/zmk-config.git";
-					section = "Keyboard";
-					owner = "emile";
-				};
-
-				# chaosdorf
-				map = {
-					desc = "A map of the chaosdorf hackspace";
-					path = "/var/lib/git/repositories/map.git";
-					section = "Chaosdorf";
-					owner = "emile";
-				};
-				freitagsfoo = {
-					desc = "A service to submit talks for freitagsfoo";
-					path = "/var/lib/git/repositories/freitagsfoo.git";
-					section = "Chaosdorf";
-					owner = "emile";
-				};
-				inventory = {
-					desc = "A common-lisp mapping and inventory system";
-					path = "/var/lib/git/repositories/inventory.git";
-					section = "Chaosdorf";
-					owner = "emile";
-				};
-
-				# jugend forscht
-				SatelliteComputation = {
-					desc = "Estimating possible Satellite collisions";
-					path = "/var/lib/git/repositories/SatelliteComputation.git";
-					section = "Jugend Forscht 2017";
-					owner = "emile";
-				};
-				GalaxyGeneration = {
-					desc = "Generating Galaxies";
-					path = "/var/lib/git/repositories/GalaxyGeneration.git";
-					section = "Jugend Forscht 2018";
-					owner = "emile";
-				};
-				
-				brute-force = {
-					desc = "A simple benchmark showing how slow this can be";
-					path = "/var/lib/git/repositories/galaxy-sim-brute-force.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				generatePointcloud = {
-					desc = "Generate pointclouds using the NFW profile";
-					path = "/var/lib/git/repositories/generatePointcloud.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				quadtree = {
-					desc = "Simple quadtree implementation";
-					path = "/var/lib/git/repositories/quadtree.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				viewer = {
-					desc = "A viewer for galaxies stored in trees";
-					path = "/var/lib/git/repositories/viewer.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				structs = {
-					desc = "All of the structures used in the GalaxySimulator";
-					path = "/var/lib/git/repositories/structs.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				simulator-container-rewrite = {
-					desc = "Clean rewrite of the simulator-container";
-					path = "/var/lib/git/repositories/simulator-container-rewrite.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				simulator-container = {
-					desc = "Simulating the new position of a galaxye";
-					path = "/var/lib/git/repositories/simulator-container.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				pres = {
-					desc = "Presentation material";
-					path = "/var/lib/git/repositories/pres.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				manager-container = {
-					desc = "The overall manager";
-					path = "/var/lib/git/repositories/manager-container.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				generator-container = {
-					desc = "Generates point clouds using the NFW profile";					
-					path = "/var/lib/git/repositories/generator-container.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				frontpage = {
-					desc = "Web page showing people what the project is about";					
-					path = "/var/lib/git/repositories/frontpage.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				distributor = {
-					desc = "Distributing tasks";					
-					path = "/var/lib/git/repositories/distributor-container.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				db-controller = {
-					desc = "Interaction with the Database";					
-					path = "/var/lib/git/repositories/db-controller.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				db-container = {
-					desc = "The main database";					
-					path = "/var/lib/git/repositories/db-container.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				db-actions = {
-					desc = "Actions to be performed on the batabase";					
-					path = "/var/lib/git/repositories/db-actions.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				Writeup = {
-					desc = "Writeups using LaTeX";					
-					path = "/var/lib/git/repositories/Writeup.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				Source = {
-					desc = "Code from the beginning";					
-					path = "/var/lib/git/repositories/Source.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-				NFW-container = {
-					desc = "A container purely for generating galaxies";					
-					path = "/var/lib/git/repositories/NFW-container.git";
-					section = "Jugend Forscht 2019";
-					owner = "emile";
-				};
-
-				# games
-				"0h-gamejam-game" = {
-					desc = "Created a game in 0 hours";
-					path = "/var/lib/git/repositories/0hour-gamejam-game.git";
-					section = "Games";
-					owner = "emile";
-				};
-
-				# 3D
-				"3D" = {
-					desc = "3D models";
-					path = "/var/lib/git/repositories/3D.git";
-					section = "3D";
-					owner = "emile";
-				};
-
-				# http
-				faila = {
-					desc = "The caddy fileserver look, but int pure golang";
-					path = "/var/lib/git/repositories/faila.git";
-					section = "HTTP";
-					owner = "emile";
-				};
-				faila2 = {
-					desc = "faila, but simpler";
-					path = "/var/lib/git/repositories/faila2.git";
-					section = "HTTP";
-					owner = "emile";
-				};
-				gofuzz = {
-					desc = "wfuzz, but in go. Didn't know ffuf at the time";
-					path = "/var/lib/git/repositories/gofuzz.git";
-					section = "HTTP";
-					owner = "emile";
-				};
-				graphClicker = {
-					desc = "A metrics bundler, but with a simple web interface";
-					path = "/var/lib/git/repositories/graphClicker.git";
-					section = "HTTP";
-					owner = "emile";
-				};
-				randomHttp = {
-					desc = "A simple HTTP server returning random HTTP codes";
-					path = "/var/lib/git/repositories/randomHTTP.git";
-					section = "HTTP";
-					owner = "emile";
-				};
-				redir = {
-					desc = "A webserver with the soul purpose of redirecting.";
-					path = "/var/lib/git/repositories/redir.git";
-					section = "HTTP";
-					owner = "emile";
-				};
-				reqlog = {
-					desc = "A simple request logger";
-					path = "/var/lib/git/repositories/reqlog.git";
-					section = "HTTP";
-					owner = "emile";
-				};
-
-				# honeypot
-				ssh-catch-test = {
-					desc = "A simple honeypot emulating an ssh server.";
-					path = "/var/lib/git/repositories/ssh-catch-test.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
-				honeypot-monitoring = {
-					desc = "Grafana + Prometheus monitoring";	
-					path = "/var/lib/git/repositories/honeypot-monitoring.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
-				ftp-grab-password = {
-					desc = "Grab ftp creds (made by twink0r)";	
-					path = "/var/lib/git/repositories/ftp-grab-password.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
-				log-analyzer = {
-					desc = "Analyse the logs";	
-					path = "/var/lib/git/repositories/honeypot-log-analyzer.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
-				http-grab-basicauth = {
-					desc = "Grab basicauth creds (made by maride)";	
-					path = "/var/lib/git/repositories/http-grab-basicauth.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
-				http-grab-url = {
-					desc = "Grab urls (made by twink0r)";	
-					path = "/var/lib/git/repositories/http-grab-url.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
-				ssh-grab-keypass = {
-					desc = "Grab keys from ssh logins (made by maride)";	
-					path = "/var/lib/git/repositories/ssh-grab-keypass.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
-				ssh-grab-passwords = {
-					desc = "Grab passwords from ssh logins (made by maride)";	
-					path = "/var/lib/git/repositories/ssh-grab-passwords.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
-				ssh-grab-passwords-map = {
-					desc = "A nice visual map of the login attempts";	
-					path = "/var/lib/git/repositories/ssh-grab-passwords-map.git";
-					section = "Honeypot";
-					owner = "emile";
-				};
+        zmk-config = {
+          desc = "ferris sweep zmk config";
+          path = "/var/lib/git/repositories/zmk-config.git";
+          section = "Keyboard";
+          owner = "emile";
+        };
+
+        # chaosdorf
+        map = {
+          desc = "A map of the chaosdorf hackspace";
+          path = "/var/lib/git/repositories/map.git";
+          section = "Chaosdorf";
+          owner = "emile";
+        };
+        freitagsfoo = {
+          desc = "A service to submit talks for freitagsfoo";
+          path = "/var/lib/git/repositories/freitagsfoo.git";
+          section = "Chaosdorf";
+          owner = "emile";
+        };
+        inventory = {
+          desc = "A common-lisp mapping and inventory system";
+          path = "/var/lib/git/repositories/inventory.git";
+          section = "Chaosdorf";
+          owner = "emile";
+        };
+
+        # jugend forscht
+        SatelliteComputation = {
+          desc = "Estimating possible Satellite collisions";
+          path = "/var/lib/git/repositories/SatelliteComputation.git";
+          section = "Jugend Forscht 2017";
+          owner = "emile";
+        };
+        GalaxyGeneration = {
+          desc = "Generating Galaxies";
+          path = "/var/lib/git/repositories/GalaxyGeneration.git";
+          section = "Jugend Forscht 2018";
+          owner = "emile";
+        };
+
+        brute-force = {
+          desc = "A simple benchmark showing how slow this can be";
+          path = "/var/lib/git/repositories/galaxy-sim-brute-force.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        generatePointcloud = {
+          desc = "Generate pointclouds using the NFW profile";
+          path = "/var/lib/git/repositories/generatePointcloud.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        quadtree = {
+          desc = "Simple quadtree implementation";
+          path = "/var/lib/git/repositories/quadtree.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        viewer = {
+          desc = "A viewer for galaxies stored in trees";
+          path = "/var/lib/git/repositories/viewer.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        structs = {
+          desc = "All of the structures used in the GalaxySimulator";
+          path = "/var/lib/git/repositories/structs.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        simulator-container-rewrite = {
+          desc = "Clean rewrite of the simulator-container";
+          path = "/var/lib/git/repositories/simulator-container-rewrite.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        simulator-container = {
+          desc = "Simulating the new position of a galaxye";
+          path = "/var/lib/git/repositories/simulator-container.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        pres = {
+          desc = "Presentation material";
+          path = "/var/lib/git/repositories/pres.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        manager-container = {
+          desc = "The overall manager";
+          path = "/var/lib/git/repositories/manager-container.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        generator-container = {
+          desc = "Generates point clouds using the NFW profile";
+          path = "/var/lib/git/repositories/generator-container.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        frontpage = {
+          desc = "Web page showing people what the project is about";
+          path = "/var/lib/git/repositories/frontpage.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        distributor = {
+          desc = "Distributing tasks";
+          path = "/var/lib/git/repositories/distributor-container.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        db-controller = {
+          desc = "Interaction with the Database";
+          path = "/var/lib/git/repositories/db-controller.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        db-container = {
+          desc = "The main database";
+          path = "/var/lib/git/repositories/db-container.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        db-actions = {
+          desc = "Actions to be performed on the batabase";
+          path = "/var/lib/git/repositories/db-actions.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        Writeup = {
+          desc = "Writeups using LaTeX";
+          path = "/var/lib/git/repositories/Writeup.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        Source = {
+          desc = "Code from the beginning";
+          path = "/var/lib/git/repositories/Source.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+        NFW-container = {
+          desc = "A container purely for generating galaxies";
+          path = "/var/lib/git/repositories/NFW-container.git";
+          section = "Jugend Forscht 2019";
+          owner = "emile";
+        };
+
+        # games
+        "0h-gamejam-game" = {
+          desc = "Created a game in 0 hours";
+          path = "/var/lib/git/repositories/0hour-gamejam-game.git";
+          section = "Games";
+          owner = "emile";
+        };
+
+        # 3D
+        "3D" = {
+          desc = "3D models";
+          path = "/var/lib/git/repositories/3D.git";
+          section = "3D";
+          owner = "emile";
+        };
+
+        # http
+        faila = {
+          desc = "The caddy fileserver look, but int pure golang";
+          path = "/var/lib/git/repositories/faila.git";
+          section = "HTTP";
+          owner = "emile";
+        };
+        faila2 = {
+          desc = "faila, but simpler";
+          path = "/var/lib/git/repositories/faila2.git";
+          section = "HTTP";
+          owner = "emile";
+        };
+        gofuzz = {
+          desc = "wfuzz, but in go. Didn't know ffuf at the time";
+          path = "/var/lib/git/repositories/gofuzz.git";
+          section = "HTTP";
+          owner = "emile";
+        };
+        graphClicker = {
+          desc = "A metrics bundler, but with a simple web interface";
+          path = "/var/lib/git/repositories/graphClicker.git";
+          section = "HTTP";
+          owner = "emile";
+        };
+        randomHttp = {
+          desc = "A simple HTTP server returning random HTTP codes";
+          path = "/var/lib/git/repositories/randomHTTP.git";
+          section = "HTTP";
+          owner = "emile";
+        };
+        redir = {
+          desc = "A webserver with the soul purpose of redirecting.";
+          path = "/var/lib/git/repositories/redir.git";
+          section = "HTTP";
+          owner = "emile";
+        };
+        reqlog = {
+          desc = "A simple request logger";
+          path = "/var/lib/git/repositories/reqlog.git";
+          section = "HTTP";
+          owner = "emile";
+        };
+
+        # honeypot
+        ssh-catch-test = {
+          desc = "A simple honeypot emulating an ssh server.";
+          path = "/var/lib/git/repositories/ssh-catch-test.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
+        honeypot-monitoring = {
+          desc = "Grafana + Prometheus monitoring";
+          path = "/var/lib/git/repositories/honeypot-monitoring.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
+        ftp-grab-password = {
+          desc = "Grab ftp creds (made by twink0r)";
+          path = "/var/lib/git/repositories/ftp-grab-password.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
+        log-analyzer = {
+          desc = "Analyse the logs";
+          path = "/var/lib/git/repositories/honeypot-log-analyzer.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
+        http-grab-basicauth = {
+          desc = "Grab basicauth creds (made by maride)";
+          path = "/var/lib/git/repositories/http-grab-basicauth.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
+        http-grab-url = {
+          desc = "Grab urls (made by twink0r)";
+          path = "/var/lib/git/repositories/http-grab-url.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
+        ssh-grab-keypass = {
+          desc = "Grab keys from ssh logins (made by maride)";
+          path = "/var/lib/git/repositories/ssh-grab-keypass.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
+        ssh-grab-passwords = {
+          desc = "Grab passwords from ssh logins (made by maride)";
+          path = "/var/lib/git/repositories/ssh-grab-passwords.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
+        ssh-grab-passwords-map = {
+          desc = "A nice visual map of the login attempts";
+          path = "/var/lib/git/repositories/ssh-grab-passwords-map.git";
+          section = "Honeypot";
+          owner = "emile";
+        };
 
         # fuzzing
-				stdin-to-tcp = {
-					desc = "Bending stdin to tcp";
-					path = "/var/lib/git/repositories/stdin-to-tcp.git";
-					section = "Fuzzing";
-					owner = "emile";
-				};
-
-				# firmware
-				firmware = {
-					desc = "Gathering firmware via nix";
-					path = "/var/lib/git/repositories/firmware.git";
-					section = "Firmware";
-					owner = "emile";
-				};
-
-				# crypto
-				Substitution-Cracker = {
-					desc = "Some code for cracking substitution ciphers";
-					path = "/var/lib/git/repositories/Substitution-Cracker.git";
-					section = "Crypto";
-					owner = "emile";
-				};
-
-				# fun
-				giff = {
-					desc = "A party service: give it gifs and it'll play them";
-					path = "/var/lib/git/repositories/giff.git";
-					section = "Fun";
-					owner = "emile";
-				};
-				pixeltsunami = {
-					desc = "The obligatory pixelflut client";
-					path = "/var/lib/git/repositories/pixeltsunami.git";
-					section = "Fun";
-					owner = "emile";
-				};
-
-				# circus
-				companion = {
-					desc = "The companion spawned for one user.";
-					path = "/var/lib/git/repositories/companion.git";
-					section = "Circus";
-					owner = "emile";
-				};
-				compose = {
-					desc = "The docker-compose foo";
-					path = "/var/lib/git/repositories/compose.git";
-					section = "Circus";
-					owner = "emile";
-				};
-				container-manager = {
-					desc = "The meta container managemer";
-					path = "/var/lib/git/repositories/container-manager.git";
-					section = "Circus";
-					owner = "emile";
-				};
-				landingpage = {
-					desc = "The landing page";
-					path = "/var/lib/git/repositories/landingpage.git";
-					section = "Circus";
-					owner = "emile";
-				};
-				manager = {
-					desc = "The manager";
-					path = "/var/lib/git/repositories/manager.git";
-					section = "Circus";
-					owner = "emile";
-				};
-				register = {
-					desc = "The registration";
-					path = "/var/lib/git/repositories/register.git";
-					section = "Circus";
-					owner = "emile";
-				};
-				scoreboard = {
-					desc = "The scoreboard";
-					path = "/var/lib/git/repositories/scoreboard.git";
-					section = "Circus";
-					owner = "emile";
-				};
-				static = {
-					desc = "Some static files";
-					path = "/var/lib/git/repositories/static.git";
-					section = "Circus";
-					owner = "emile";
-				};
-				vpn = {
-					desc = "The VPN stuff";
-					path = "/var/lib/git/repositories/vpn.git";
-					section = "Circus";
-					owner = "emile";
-				};
-
-				# articles
-				barnes-hut = {
-					desc = "A one pager compressing the JuFo19 project";
-					path = "/var/lib/git/repositories/barnes-hut.git";
-					section = "Articles";
-					owner = "emile";
-				};
-
-				# satellite
-				tle = {
-					desc = "golang tle lib";
-					path = "/var/lib/git/repositories/tle.git";
-					section = "Satellite";
-					owner = "emile";
-				};
-				tle2json = {
-					desc = "golang tle to json";
-					path = "/var/lib/git/repositories/tle2json.git";
-					section = "Satellite";
-					owner = "emile";
-				};
-			};
-			settings = {
-				css = "https://emile.space/cgit.css";
-				root-title = "git.emile.space";
-				root-desc = "";
-
-				enable-index-owner = 0; # why show this? I own 'em all!
-		    enable-commit-graph = 1;
-				max-repo-count = 5000; # like: why not?
-
-			  readme = ":README.md";
-				about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
-				source-filter = "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
-
-				summary-log = 50;
+        stdin-to-tcp = {
+          desc = "Bending stdin to tcp";
+          path = "/var/lib/git/repositories/stdin-to-tcp.git";
+          section = "Fuzzing";
+          owner = "emile";
+        };
+
+        # firmware
+        firmware = {
+          desc = "Gathering firmware via nix";
+          path = "/var/lib/git/repositories/firmware.git";
+          section = "Firmware";
+          owner = "emile";
+        };
+
+        # crypto
+        Substitution-Cracker = {
+          desc = "Some code for cracking substitution ciphers";
+          path = "/var/lib/git/repositories/Substitution-Cracker.git";
+          section = "Crypto";
+          owner = "emile";
+        };
+
+        # fun
+        giff = {
+          desc = "A party service: give it gifs and it'll play them";
+          path = "/var/lib/git/repositories/giff.git";
+          section = "Fun";
+          owner = "emile";
+        };
+        pixeltsunami = {
+          desc = "The obligatory pixelflut client";
+          path = "/var/lib/git/repositories/pixeltsunami.git";
+          section = "Fun";
+          owner = "emile";
+        };
+
+        # circus
+        companion = {
+          desc = "The companion spawned for one user.";
+          path = "/var/lib/git/repositories/companion.git";
+          section = "Circus";
+          owner = "emile";
+        };
+        compose = {
+          desc = "The docker-compose foo";
+          path = "/var/lib/git/repositories/compose.git";
+          section = "Circus";
+          owner = "emile";
+        };
+        container-manager = {
+          desc = "The meta container managemer";
+          path = "/var/lib/git/repositories/container-manager.git";
+          section = "Circus";
+          owner = "emile";
+        };
+        landingpage = {
+          desc = "The landing page";
+          path = "/var/lib/git/repositories/landingpage.git";
+          section = "Circus";
+          owner = "emile";
+        };
+        manager = {
+          desc = "The manager";
+          path = "/var/lib/git/repositories/manager.git";
+          section = "Circus";
+          owner = "emile";
+        };
+        register = {
+          desc = "The registration";
+          path = "/var/lib/git/repositories/register.git";
+          section = "Circus";
+          owner = "emile";
+        };
+        scoreboard = {
+          desc = "The scoreboard";
+          path = "/var/lib/git/repositories/scoreboard.git";
+          section = "Circus";
+          owner = "emile";
+        };
+        static = {
+          desc = "Some static files";
+          path = "/var/lib/git/repositories/static.git";
+          section = "Circus";
+          owner = "emile";
+        };
+        vpn = {
+          desc = "The VPN stuff";
+          path = "/var/lib/git/repositories/vpn.git";
+          section = "Circus";
+          owner = "emile";
+        };
+
+        # articles
+        barnes-hut = {
+          desc = "A one pager compressing the JuFo19 project";
+          path = "/var/lib/git/repositories/barnes-hut.git";
+          section = "Articles";
+          owner = "emile";
+        };
+
+        # satellite
+        tle = {
+          desc = "golang tle lib";
+          path = "/var/lib/git/repositories/tle.git";
+          section = "Satellite";
+          owner = "emile";
+        };
+        tle2json = {
+          desc = "golang tle to json";
+          path = "/var/lib/git/repositories/tle2json.git";
+          section = "Satellite";
+          owner = "emile";
+        };
+      };
+      settings = {
+        css = "https://emile.space/cgit.css";
+        root-title = "git.emile.space";
+        root-desc = "";
+
+        enable-index-owner = 0; # why show this? I own 'em all!
+        enable-commit-graph = 1;
+        max-repo-count = 5000; # like: why not?
+
+        readme = ":README.md";
+        about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh";
+        source-filter = "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py";
+
+        summary-log = 50;
 
         # mobile friendly
-				head-include = builtins.toFile "cgit_head.html" ''
-				  <meta name="viewport" content="width=device-width initial-scale=1.0"/>
-				'';
-
-				footer = builtins.toFile "cgit_footer.html" ''
-				  <div class="footer">
-						<div class="float-left">
-							generated by <a href='https://git.causal.agency/cgit-pink/'>cgit-pink ${pkgs.cgit-pink.version}</a>
-						</div>
-						<div class="float-right">
-							<a href="https://social.emile.space/@hanemile/feed.rss" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/rss.svg" alt="rss feed of @hanemile@chaos.social mastodon" height="32px"></a>
-							<a href="https://lieu.cblgh.org/" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/lieu.svg" alt="lieu webring search engine" height="32px"></a>
-							<a href="https://webring.xxiivv.com/#emile" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/webring.svg" alt="XXIIVV webring" height="32px"></a>
-							<a rel="me" href="https://social.emile.space/@hanemile" target="_blank" class="icon"><img class="webring" src="https://emile.space/activitypub.svg" alt="activitypub" height="32px"/></a>
-					</div>
-				'';
-
-			};
-		};
-
-		# access control
-		gitolite = {
-		  enable = true;
-
-			dataDir = "/var/lib/git";
-
-			user = "git";
-			group = "git";
-
-			description = "emile";
-
-	    adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan";
-	    extraGitoliteRc = ''
-		    $RC{UMASK} = 0027;
-		    $RC{GIT_CONFIG_KEYS} = '.*';
-		  '';
-		};
-
-		# exposing stuff
-		gitDaemon = {
-			enable = false;
-
-			user = "git";
-			group = "git";
-
-			repositories = []; # use all repos under basePath
-			exportAll = true;
-			basePath = "/var/lib/git/repositories";
-
-			listenAddress = "git.emile.space";
-			port = config.emile.ports.gitDaemon;
-
-			options = "--timeout=30"; # extra Config
-		};
-	};
+        head-include = builtins.toFile "cgit_head.html" ''
+            <meta name="viewport" content="width=device-width initial-scale=1.0"/>
+        '';
+
+        footer = builtins.toFile "cgit_footer.html" ''
+            <div class="footer">
+          		<div class="float-left">
+          			generated by <a href='https://git.causal.agency/cgit-pink/'>cgit-pink ${pkgs.cgit-pink.version}</a>
+          		</div>
+          		<div class="float-right">
+          			<a href="https://social.emile.space/@hanemile/feed.rss" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/rss.svg" alt="rss feed of @hanemile@chaos.social mastodon" height="32px"></a>
+          			<a href="https://lieu.cblgh.org/" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/lieu.svg" alt="lieu webring search engine" height="32px"></a>
+          			<a href="https://webring.xxiivv.com/#emile" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/webring.svg" alt="XXIIVV webring" height="32px"></a>
+          			<a rel="me" href="https://social.emile.space/@hanemile" target="_blank" class="icon"><img class="webring" src="https://emile.space/activitypub.svg" alt="activitypub" height="32px"/></a>
+          	</div>
+        '';
+
+      };
+    };
+
+    # access control
+    gitolite = {
+      enable = true;
+
+      dataDir = "/var/lib/git";
+
+      user = "git";
+      group = "git";
+
+      description = "emile";
+
+      adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan";
+      extraGitoliteRc = ''
+          $RC{UMASK} = 0027;
+          $RC{GIT_CONFIG_KEYS} = '.*';
+      '';
+    };
+
+    # exposing stuff
+    gitDaemon = {
+      enable = false;
+
+      user = "git";
+      group = "git";
+
+      repositories = [ ]; # use all repos under basePath
+      exportAll = true;
+      basePath = "/var/lib/git/repositories";
+
+      listenAddress = "git.emile.space";
+      port = config.emile.ports.gitDaemon;
+
+      options = "--timeout=30"; # extra Config
+    };
+  };
 
   users.extraUsers.nginx.extraGroups = [ "git" ];
 
-	# Have to use lib.mkForce below, as the gitolite and gitDaemon user both
-	# configure the git user and group (differently)
+  # Have to use lib.mkForce below, as the gitolite and gitDaemon user both
+  # configure the git user and group (differently)
 
   users.users.git = {
     isSystemUser = true;
     useDefaultShell = true;
-		description = lib.mkForce "cgit-pink, gitolite and gitDaemon";
+    description = lib.mkForce "cgit-pink, gitolite and gitDaemon";
     group = "git";
     extraGroups = [ "gitea" ];
     home = "/var/lib/git";
     uid = lib.mkForce 127;
   };
   users.groups.git = {
-		gid = lib.mkForce 127;
-	};
+    gid = lib.mkForce 127;
+  };
 }
diff --git a/nix/hosts/corrino/www/git/default.nix b/nix/hosts/corrino/www/git/default.nix
index 9c76441..92fb85b 100644
--- a/nix/hosts/corrino/www/git/default.nix
+++ b/nix/hosts/corrino/www/git/default.nix
@@ -1,7 +1,5 @@
 { ... }:
 
 {
-	imports = [
-		./cgit.nix
-	];
+  imports = [ ./cgit.nix ];
 }
diff --git a/nix/hosts/corrino/www/git/git.nix b/nix/hosts/corrino/www/git/git.nix
index d815f9c..3a2b9da 100644
--- a/nix/hosts/corrino/www/git/git.nix
+++ b/nix/hosts/corrino/www/git/git.nix
@@ -1,8 +1,14 @@
-{ lib, pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 
 let
   cfg = config.services.gitea;
-in {
+in
+{
   services.nginx.virtualHosts."git.emile.space" = {
     forceSSL = true;
     enableACME = true;
@@ -21,24 +27,22 @@ in {
     };
   };
 
-	# auth via authelia
-	services.authelia.instances.main.settings.identity_providers.oidc.clients = [
-  	{
-  		id = "git";
-
-  		# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
-  		secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA";
-  		public = false;
-  		authorization_policy = "two_factor";
-  		redirect_uris = [
-  			"https://git.emile.space/user/oauth2/authelia/callback"
-  		];
-  		scopes = [
-  			"openid"
-  			"email"
-  			"profile"
-  		];
-  	}
+  # auth via authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+    {
+      id = "git";
+
+      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+      secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA";
+      public = false;
+      authorization_policy = "two_factor";
+      redirect_uris = [ "https://git.emile.space/user/oauth2/authelia/callback" ];
+      scopes = [
+        "openid"
+        "email"
+        "profile"
+      ];
+    }
   ];
 
   services.gitea = rec {
diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix
index eaf88b5..8e7d529 100644
--- a/nix/hosts/corrino/www/grafana.emile.space.nix
+++ b/nix/hosts/corrino/www/grafana.emile.space.nix
@@ -7,16 +7,16 @@
         addSSL = true;
         enableACME = true;
         locations."/" = {
-            proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/";
-            proxyWebsockets = true;
+          proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/";
+          proxyWebsockets = true;
         };
       };
       "prometheus.emile.space" = {
         addSSL = true;
         enableACME = true;
         locations."/" = {
-            proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/";
-            proxyWebsockets = true;
+          proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/";
+          proxyWebsockets = true;
         };
       };
     };
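Review bot: The `"prometheus.emile.space"` vhost proxies `/` straight to the Prometheus listener with no access restriction visible in this hunk, and both vhosts here use `addSSL = true`, which also serves them over plain HTTP without a redirect. Prometheus does not authenticate requests by default, so unless a restriction is applied elsewhere in the file, its query API and scrape-target metadata are readable by anyone who can reach the hostname. I would switch to `forceSSL = true;`, as the `git.emile.space` vhost in git.nix does, and gate the vhost at the nginx level, e.g. `basicAuthFile = "<path-to-htpasswd-outside-the-nix-store>";`. The enclosing `virtualHosts` set starts and ends outside the hunk.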
diff --git a/nix/hosts/corrino/www/grafana_full.emile.space.nix b/nix/hosts/corrino/www/grafana_full.emile.space.nix
index 8a9aa02..3dc05dc 100644
--- a/nix/hosts/corrino/www/grafana_full.emile.space.nix
+++ b/nix/hosts/corrino/www/grafana_full.emile.space.nix
@@ -2,7 +2,8 @@
 
 let
   cfg = config.services.grafana;
-in {
+in
+{
   services.nginx.virtualHosts."git.emile.space" = {
     forceSSL = true;
     enableACME = true;
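Review bot: The vhost opened right after the `in` / `{` lines is `"git.emile.space"`, although this file is the Grafana configuration and binds `cfg = config.services.grafana`; it looks like a leftover from copying git.nix. If this module is ever imported alongside git.nix, the two definitions merge into one nginx vhost and Grafana's locations would be served under the git hostname. The name should presumably be the Grafana hostname, e.g. `services.nginx.virtualHosts."grafana.emile.space" = {`. Check first whether grafana.emile.space.nix already declares that vhost, in which case only one of the two files should be imported. The vhost body continues outside the hunk.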
@@ -69,7 +70,7 @@ in {
           allow_sign_up = false;
 
           # Set to false to prohibit users from creating new organizations.
-          allow_org_create = false; 
+          allow_org_create = false;
         };
 
         smtp = {
@@ -79,11 +80,11 @@ in {
           # StartTLS policy when connecting to server.
           # null or one of "OpportunisticStartTLS", "MandatoryStartTLS", "NoStartTLS"
           startTLS_policy = null;
-        
+
           # Verify SSL for SMTP server.
           skip_verify = false;
 
-        # Password used for authentication. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
+          # Password used for authentication. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider
           password = "";
 
           # File path to a key file.
@@ -201,13 +202,13 @@ in {
           disable_brute_force_login_protection = false;
 
           # Define a whitelist of allowed IP addresses or domains, with ports, to be used in data source URLs with the Grafana data source proxy. Format: ip_or_domain:port separated by spaces. PostgreSQL, MySQL, and MSSQL data sources do not use the proxy and are therefore unaffected by this setting.
-          data_source_proxy_whitelist = [];
+          data_source_proxy_whitelist = [ ];
 
           # List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP.
-          csrf_trusted_origins = [];
+          csrf_trusted_origins = [ ];
 
           # List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies.
-          csrf_additional_headers = [];
+          csrf_additional_headers = [ ];
 
           # Set to true if you host Grafana behind HTTPS.
           cookie_secure = true;
@@ -437,4 +438,4 @@ in {
     };
   };
 
-}
\ No newline at end of file
+}
diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix
index 6628a67..e89888b 100644
--- a/nix/hosts/corrino/www/hydra.emile.space.nix
+++ b/nix/hosts/corrino/www/hydra.emile.space.nix
@@ -22,9 +22,7 @@
     enable = true;
 
     package = pkgs.hydra_unstable.overrideAttrs (old: {
-      patches = (if old ? patches then old.patches else []) ++ [
-        ./hydra.patch
-      ];
+      patches = (if old ? patches then old.patches else [ ]) ++ [ ./hydra.patch ];
     });
 
     listenHost = "*";
@@ -35,11 +33,10 @@
     gcRootsDir = "/nix/var/nix/gcroots/hydra";
 
     # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/hosts
-    buildMachinesFiles = [];
+    buildMachinesFiles = [ ];
     # you will probably also want, otherwise *everything* will be built from scratch
     useSubstitutes = true;
 
-
     # notification settings
     smtpHost = "mail.emile.space";
     notificationSender = "hydra@emile.space";
@@ -59,6 +56,6 @@
       </git-input>
       binary_cache_public_uri = https://nix-cache.emile.space
     '';
-      # evaluator_restrict_eval = false
+    # evaluator_restrict_eval = false
   };
 }
diff --git a/nix/hosts/corrino/www/irc.emile.space.nix b/nix/hosts/corrino/www/irc.emile.space.nix
index f738d62..ac00445 100644
--- a/nix/hosts/corrino/www/irc.emile.space.nix
+++ b/nix/hosts/corrino/www/irc.emile.space.nix
@@ -1,155 +1,155 @@
 { config, ... }:
 
 {
-	# Create a tls cert for the irc server
-	security.acme.certs = {
-		"irc.emile.space" = {
-			webroot = "/var/lib/acme/acme-challenge/";
-			email = "acme@emile.space";
-			postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service";
-		};
-	};
+  # Create a tls cert for the irc server
+  security.acme.certs = {
+    "irc.emile.space" = {
+      webroot = "/var/lib/acme/acme-challenge/";
+      email = "acme@emile.space";
+      postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service";
+    };
+  };
 
-	# Allow ergo to access the created cert
-	# The systemd server runs using a dynamic user, so the below inserts the .pem files
-	#   into "/run/credentials/ergochat.service/key.pem"
-	systemd.services.ergochat.serviceConfig = {
-		LoadCredential = [
-			"fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem"
-			"key.pem:/var/lib/acme/irc.emile.space/key.pem"
-		];
-	};
+  # Allow ergo to access the created cert
+  # The systemd server runs using a dynamic user, so the below inserts the .pem files
+  #   into "/run/credentials/ergochat.service/key.pem"
+  systemd.services.ergochat.serviceConfig = {
+    LoadCredential = [
+      "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem"
+      "key.pem:/var/lib/acme/irc.emile.space/key.pem"
+    ];
+  };
 
-	# allow connections to the port from the "outside"
+  # allow connections to the port from the "outside"
   networking.firewall.allowedTCPPorts = [ config.emile.ports.irc.ssl ];
 
-	services.ergochat = {
-		enable = true;
+  services.ergochat = {
+    enable = true;
 
-		# https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml
-		settings = {
-		  accounts = {
-		    authentication-enabled = true;
-		    multiclient = {
-		      allowed-by-default = true;
-		      always-on = "opt-out";
-		      auto-away = "opt-out";
-		      enabled = true;
-		    };
-		    registration = {
-		      enabled = true;
-		      allow-before-connect = true;
-		      bcrypt-cost = 4;
-		      email-verification = {
-		        enabled = false;
-		      };
-		      throttling = {
-		        duration = "10m";
-		        enabled = true;
-		        max-attempts = 30;
-		      };
-		    };
-		  };
-		  channels = {
-		    default-modes = "+ntC";
-		    registration = {
-		      enabled = true;
-		    };
-		  };
-		  datastore = {
-		    autoupgrade = true;
-		    path = "/var/lib/ergo/ircd.db";
-		  };
-		  history = {
-		    enabled = true;
-		    autoreplay-on-join = 0;
-		    autoresize-window = "3d";
-		    channel-length = 2048;
-		    chathistory-maxmessages = 100;
-		    client-length = 256;
-		    restrictions = {
-		      expire-time = "1w";
-		      grace-period = "1h";
-		      query-cutoff = "none";
-		    };
-		    retention = {
-		      allow-individual-delete = false;
-		      enable-account-indexing = false;
-		    };
-		    tagmsg-storage = {
-		      default = false;
-		      whitelist = [
-		        "+draft/react"
-		        "+react"
-		      ];
-		    };
-		    znc-maxmessages = 2048;
-		  };
-		  limits = {
-		    awaylen = 390;
-		    channellen = 64;
-		    identlen = 20;
-		    kicklen = 390;
-		    nicklen = 32;
-		    topiclen = 390;
-		  };
-		  network = {
-		    name = "emilespace";
-		  };
-		  server = {
-		    casemapping = "permissive";
-		    check-ident = false;
-		    enforce-utf = true;
-		    forward-confirm-hostnames = false;
-		    ip-cloaking = {
-		      enabled = false;
-		    };
-		    ip-limits = {
-		      count = false;
-		      throttle = false;
-		    };
-		    listeners = {
-					# sts only port
-		      ":6667".sts-only = true;
+    # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml
+    settings = {
+      accounts = {
+        authentication-enabled = true;
+        multiclient = {
+          allowed-by-default = true;
+          always-on = "opt-out";
+          auto-away = "opt-out";
+          enabled = true;
+        };
+        registration = {
+          enabled = true;
+          allow-before-connect = true;
+          bcrypt-cost = 4;
+          email-verification = {
+            enabled = false;
+          };
+          throttling = {
+            duration = "10m";
+            enabled = true;
+            max-attempts = 30;
+          };
+        };
+      };
+      channels = {
+        default-modes = "+ntC";
+        registration = {
+          enabled = true;
+        };
+      };
+      datastore = {
+        autoupgrade = true;
+        path = "/var/lib/ergo/ircd.db";
+      };
+      history = {
+        enabled = true;
+        autoreplay-on-join = 0;
+        autoresize-window = "3d";
+        channel-length = 2048;
+        chathistory-maxmessages = 100;
+        client-length = 256;
+        restrictions = {
+          expire-time = "1w";
+          grace-period = "1h";
+          query-cutoff = "none";
+        };
+        retention = {
+          allow-individual-delete = false;
+          enable-account-indexing = false;
+        };
+        tagmsg-storage = {
+          default = false;
+          whitelist = [
+            "+draft/react"
+            "+react"
+          ];
+        };
+        znc-maxmessages = 2048;
+      };
+      limits = {
+        awaylen = 390;
+        channellen = 64;
+        identlen = 20;
+        kicklen = 390;
+        nicklen = 32;
+        topiclen = 390;
+      };
+      network = {
+        name = "emilespace";
+      };
+      server = {
+        casemapping = "permissive";
+        check-ident = false;
+        enforce-utf = true;
+        forward-confirm-hostnames = false;
+        ip-cloaking = {
+          enabled = false;
+        };
+        ip-limits = {
+          count = false;
+          throttle = false;
+        };
+        listeners = {
+          # sts only port
+          ":6667".sts-only = true;
 
-					# loopback listeners
-		      # "127.0.0.1:6668" = {};
-		      # "[::]:6668" = {};
+          # loopback listeners
+          # "127.0.0.1:6668" = {};
+          # "[::]:6668" = {};
 
-		      ":${toString config.emile.ports.irc.ssl}" = {
-						tls = {
-							cert = "/run/credentials/ergochat.service/fullchain.pem";
-							key = "/run/credentials/ergochat.service/key.pem";
-						};
+          ":${toString config.emile.ports.irc.ssl}" = {
+            tls = {
+              cert = "/run/credentials/ergochat.service/fullchain.pem";
+              key = "/run/credentials/ergochat.service/key.pem";
+            };
 
-						# for cloud load balancers setting a PROXY header, NOT reverse proxies...
-						proxy = false;
+            # for cloud load balancers setting a PROXY header, NOT reverse proxies...
+            proxy = false;
 
-						min-tls-version = 1.2;
-					};
-		    };
-		    lookup-hostnames = false;
-		    max-sendq = "1M";
-		    name = "emile.space";
-		    relaymsg = {
-		      enabled = false;
-		    };
-				sts = {
-					enabled = true; # redirect from plain to tls if supported
+            min-tls-version = 1.2;
+          };
+        };
+        lookup-hostnames = false;
+        max-sendq = "1M";
+        name = "emile.space";
+        relaymsg = {
+          enabled = false;
+        };
+        sts = {
+          enabled = true; # redirect from plain to tls if supported
 
-					# how long clients should be forced to use TLS for.
-					# (Emile): no clue why, can I set something like \infty here?
-					duration = "12m";
+          # how long clients should be forced to use TLS for.
+          # (Emile): no clue why, can I set something like \infty here?
+          duration = "12m";
 
-				};
-		  };
-			logging = [
-				{
-					method = "stderr";
-					type = "* -userinput -useroutput";
-					level = "debug";
-				}
-			];
-		};
-	};
+        };
+      };
+      logging = [
+        {
+          method = "stderr";
+          type = "* -userinput -useroutput";
+          level = "debug";
+        }
+      ];
+    };
+  };
 }
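Review bot: The `postRun` for the `irc.emile.space` certificate copies `key.pem` and `fullchain.pem` into /home/ergo and reloads `ergo.service`, but the service configured in this file is `systemd.services.ergochat`, and its TLS listener reads both files from `/run/credentials/ergochat.service/` via `LoadCredential`. The home-directory copy therefore looks unused and leaves a second copy of the private key on disk, and the reload targets a unit name this file never defines. Presumably systemd populates credentials only at service start, so a renewed certificate would be picked up only after a restart. Something like `postRun = "systemctl restart ergochat.service";` would handle renewal without the extra key copy; confirm against the running unit before changing it.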
diff --git a/nix/hosts/corrino/www/magic-hash.emile.space.nix b/nix/hosts/corrino/www/magic-hash.emile.space.nix
index f41fb80..48d0f47 100644
--- a/nix/hosts/corrino/www/magic-hash.emile.space.nix
+++ b/nix/hosts/corrino/www/magic-hash.emile.space.nix
@@ -17,9 +17,7 @@
     containers = {
       "ctfd" = {
         image = "magic-hash";
-        ports = [
-          "${toString config.emile.ports.magic-hash}:80"
-        ];
+        ports = [ "${toString config.emile.ports.magic-hash}:80" ];
         environment = {
 
           # this is not encouraged, but should work for the weekend (this is a
diff --git a/nix/hosts/corrino/www/netbox.emile.space.nix b/nix/hosts/corrino/www/netbox.emile.space.nix
index fdfadc0..25ea7e3 100644
--- a/nix/hosts/corrino/www/netbox.emile.space.nix
+++ b/nix/hosts/corrino/www/netbox.emile.space.nix
@@ -23,7 +23,7 @@
     dataDir = "/var/lib/netbox";
     settings.ALLOWED_HOSTS = [ "*" ];
     enableLdap = false;
-    settings = {};
+    settings = { };
     secretKeyFile = config.age.secrets.netbox_secret.path;
     port = config.emile.ports.netbox;
     listenAddress = "[::1]";
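Review bot: `settings.ALLOWED_HOSTS = [ "*" ]` makes NetBox accept any Host header, so host validation rests entirely on whatever proxies to `[::1]`. Naming the served host, `settings.ALLOWED_HOSTS = [ "netbox.emile.space" ];` (hostname inferred from the file name), keeps the check in the application as well. The empty `settings = { };` two lines below adds nothing and can be dropped. The enclosing service block starts and ends outside this hunk.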
@@ -60,4 +60,3 @@
   # };
   # users.users.nginx.extraGroups = [ "netbox" ];
 }
-
diff --git a/nix/hosts/corrino/www/nix-cache/default.nix b/nix/hosts/corrino/www/nix-cache/default.nix
index da2537c..de4a849 100644
--- a/nix/hosts/corrino/www/nix-cache/default.nix
+++ b/nix/hosts/corrino/www/nix-cache/default.nix
@@ -1,7 +1,5 @@
 { ... }:
 
 {
-	imports = [
-		./nix-cache.emile.space.nix
-	];
+  imports = [ ./nix-cache.emile.space.nix ];
 }
diff --git a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix
index 690e422..c8f7264 100644
--- a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix
+++ b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix
@@ -1,10 +1,10 @@
 { ... }:
 
 {
-	services.nginx.virtualHosts."nix-cache.emile.space" = {
-		forceSSL = false;
-		enableACME = false;
-	};
+  services.nginx.virtualHosts."nix-cache.emile.space" = {
+    forceSSL = false;
+    enableACME = false;
+  };
   #   locations = {
   #     "/" = {
   #       root = "/var/www/emile.space";
@@ -12,10 +12,10 @@
   #         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
   #       ''; 
   #     };
-		# };
-		# locations."= /" = {
-		# 	index = "/index.txt";
-		# };
+  # };
+  # locations."= /" = {
+  # 	index = "/index.txt";
+  # };
   #   locations."= /index.txt" = {
   #     root = ./index.txt;
   #   };
@@ -32,27 +32,27 @@
   #     '';
   #   };
   #   locations."/" = {
-		# 	proxyPass = "http://${config.services.harmonia.settings.bind}";
-		# 	extraConfig = ''
-	 #      proxy_set_header Host $host;
-	 #      proxy_redirect http:// https://;
-	 #      proxy_http_version 1.1;
-	 #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-	 #      proxy_set_header Upgrade $http_upgrade;
-	 #      proxy_set_header Connection $connection_upgrade;
+  # 	proxyPass = "http://${config.services.harmonia.settings.bind}";
+  # 	extraConfig = ''
+  #      proxy_set_header Host $host;
+  #      proxy_redirect http:// https://;
+  #      proxy_http_version 1.1;
+  #      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  #      proxy_set_header Upgrade $http_upgrade;
+  #      proxy_set_header Connection $connection_upgrade;
 
-	 #      zstd on;
-	 #      zstd_types application/x-nix-archive;
-		# 	'';
-		# };
-	# };
+  #      zstd on;
+  #      zstd_types application/x-nix-archive;
+  # 	'';
+  # };
+  # };
 
- #  services.harmonia = {
-	# 	enable = true;
+  #  services.harmonia = {
+  # 	enable = true;
 
-	# 	# TODO(emile): manage this using age
-	# 	signKeyPath = "/var/lib/secrets/harmonia.secret";
+  # 	# TODO(emile): manage this using age
+  # 	signKeyPath = "/var/lib/secrets/harmonia.secret";
 
- #    settings.bind = "[::1]:${toString config.emile.ports.harmonia}";
-	# };
+  #    settings.bind = "[::1]:${toString config.emile.ports.harmonia}";
+  # };
 }
diff --git a/nix/hosts/corrino/www/photo/default.nix b/nix/hosts/corrino/www/photo/default.nix
index dd555e4..46266ae 100644
--- a/nix/hosts/corrino/www/photo/default.nix
+++ b/nix/hosts/corrino/www/photo/default.nix
@@ -1,8 +1,8 @@
 { ... }:
 
 {
-	imports = [
-		./photoprism.nix
-		# ./immich.nix
-	];
+  imports = [
+    ./photoprism.nix
+    # ./immich.nix
+  ];
 }
diff --git a/nix/hosts/corrino/www/s3.emile.space.nix b/nix/hosts/corrino/www/s3.emile.space.nix
index f1300f7..b4646ad 100644
--- a/nix/hosts/corrino/www/s3.emile.space.nix
+++ b/nix/hosts/corrino/www/s3.emile.space.nix
@@ -21,19 +21,19 @@
     };
   };
 
-	services.minio = {
-		enable = true;
-		region = "eu-north-1-hel-1a"; # corrino is in the helsinki hetzner dc
+  services.minio = {
+    enable = true;
+    region = "eu-north-1-hel-1a"; # corrino is in the helsinki hetzner dc
 
-		listenAddress = "[::1]:${toString config.emile.ports.minio.s3}";
+    listenAddress = "[::1]:${toString config.emile.ports.minio.s3}";
 
-		browser = true;
-		consoleAddress = "[::1]:${toString config.emile.ports.minio.web}";
+    browser = true;
+    consoleAddress = "[::1]:${toString config.emile.ports.minio.web}";
 
-		dataDir = [ "/minio/data" ];
-		configDir = "/minio/config";
+    dataDir = [ "/minio/data" ];
+    configDir = "/minio/config";
 
-		rootCredentialsFile = config.age.secrets.minio_root_credz.path;
-		# accessKey
-	};
+    rootCredentialsFile = config.age.secrets.minio_root_credz.path;
+    # accessKey
+  };
 }
diff --git a/nix/hosts/corrino/www/social.emile.space.nix b/nix/hosts/corrino/www/social.emile.space.nix
index 9f9a6f1..47c5015 100644
--- a/nix/hosts/corrino/www/social.emile.space.nix
+++ b/nix/hosts/corrino/www/social.emile.space.nix
@@ -2,14 +2,14 @@
 
 {
 
-	# the reverse proxy to gotosocial
+  # the reverse proxy to gotosocial
   services.nginx.virtualHosts."social.emile.space" = {
     forceSSL = true;
     enableACME = true;
     locations = {
       "/" = {
         proxyPass = "http://127.0.0.1:${toString config.emile.ports.gotosocial}";
-				proxyWebsockets = true;
+        proxyWebsockets = true;
         extraConfig = ''
           client_max_body_size 40M;
         '';
@@ -18,79 +18,74 @@
     };
   };
 
-	# Redirects from emile.space to social.emile.space
-	# Without this, other instances have problems getting from the username
-	#   @hanemile@emile.space to the host social.emile.space
-	# https://docs.gotosocial.org/en/latest/advanced/host-account-domain/
+  # Redirects from emile.space to social.emile.space
+  # Without this, other instances have problems getting from the username
+  #   @hanemile@emile.space to the host social.emile.space
+  # https://docs.gotosocial.org/en/latest/advanced/host-account-domain/
   services.nginx.virtualHosts."emile.space" = {
     locations = {
-		  "/.well-known/webfinger".extraConfig = ''
-		    rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent;
+      "/.well-known/webfinger".extraConfig = ''
+        rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent;
       '';
 
-		  "/.well-known/host-meta".extraConfig = ''
-	      rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent;
-			'';
+      "/.well-known/host-meta".extraConfig = ''
+              rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent;
+        		'';
 
-		  "/.well-known/nodeinfo".extraConfig = ''
-	      rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent;
-			'';
-		};
-	};
+      "/.well-known/nodeinfo".extraConfig = ''
+              rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent;
+        		'';
+    };
+  };
 
+  # auth via authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+    {
+      id = "gotosocial";
 
-	# auth via authelia
-	services.authelia.instances.main.settings.identity_providers.oidc.clients = [
-		{
-			id = "gotosocial";
+      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+      secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg";
+      public = false;
+      authorization_policy = "two_factor";
+      redirect_uris = [ "https://social.emile.space/auth/callback" ];
+      scopes = [
+        "openid"
+        "email"
+        "profile"
+        "groups"
+      ];
+      grant_types = [
+        "refresh_token"
+        "authorization_code"
+      ];
+      response_types = [ "code" ];
+      response_modes = [
+        "form_post"
+        "query"
+        "fragment"
+      ];
+    }
+  ];
 
-			# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
-			secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg"; 
-			public = false;
-			authorization_policy = "two_factor";
-			redirect_uris = [
-				"https://social.emile.space/auth/callback"
-			];
-			scopes = [
-				"openid"
-				"email"
-				"profile"
-				"groups"
-			];
-			grant_types = [
-				"refresh_token"
-				"authorization_code"
-			];
-			response_types = [
-				"code"
-			];
-			response_modes = [
-				"form_post"
-				"query"
-				"fragment"
-			];
-		}
-	];
-					
-	services.gotosocial = {
-		enable = true;
-		package = pkgs.gotosocial;
-		settings = {
-			host = "social.emile.space";
-			port = config.emile.ports.gotosocial;
-			bind-address = "127.0.0.1";
-			account-domain = "emile.space";
-			db-type = "sqlite";
-			db-address = "/var/lib/gotosocial/database.sqlite";
-			protocol = "https";
-			storage-local-base-path = "/var/lib/gotosocial/storage";
-			oidc-idp-name = "authelia";
-			oidc-client-id = "gotosocial";
-			advanced-rate-limit-requests = 0;
-			accounts-allow-custom-css = true;
-		};
-		environmentFile = config.age.secrets.gotosocial_environment_file.path;
-	};
+  services.gotosocial = {
+    enable = true;
+    package = pkgs.gotosocial;
+    settings = {
+      host = "social.emile.space";
+      port = config.emile.ports.gotosocial;
+      bind-address = "127.0.0.1";
+      account-domain = "emile.space";
+      db-type = "sqlite";
+      db-address = "/var/lib/gotosocial/database.sqlite";
+      protocol = "https";
+      storage-local-base-path = "/var/lib/gotosocial/storage";
+      oidc-idp-name = "authelia";
+      oidc-client-id = "gotosocial";
+      advanced-rate-limit-requests = 0;
+      accounts-allow-custom-css = true;
+    };
+    environmentFile = config.age.secrets.gotosocial_environment_file.path;
+  };
 
   systemd.services.gotosocial = {
     after = [ "authelia-main.service" ];
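Review bot: `advanced-rate-limit-requests = 0` in `services.gotosocial.settings` disables GoToSocial's built-in request rate limiting, and the nginx location for social.emile.space visible in this file sets only `client_max_body_size`, with no request limiting of its own. That leaves the public API and the OIDC login path unthrottled unless limiting is done somewhere not shown here. A non-zero value such as `advanced-rate-limit-requests = 300;` restores it. Because the service sits behind the 127.0.0.1 proxy, check that the client address is taken from the forwarded header (the trusted-proxies setting), so the limit applies per client rather than to the proxy. The `systemd.services.gotosocial` block continues outside the hunk.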
diff --git a/nix/hosts/corrino/www/sso.emile.space.nix b/nix/hosts/corrino/www/sso.emile.space.nix
index 0f77197..e51db9a 100644
--- a/nix/hosts/corrino/www/sso.emile.space.nix
+++ b/nix/hosts/corrino/www/sso.emile.space.nix
@@ -1,214 +1,212 @@
 { config, pkgs, ... }:
 
 let
-	authelia_port = config.services.authelia.instances.main.settings.server.port;
-in {
-
-	services.nginx.virtualHosts."sso.emile.space" = {
-		forceSSL = true;
-		enableACME = true;
-
-		locations = {
-			"/" = {
-				proxyPass = "http://127.0.0.1:${toString authelia_port}";
-
-				extraConfig = ''
-					## Headers
-					proxy_set_header Host $host;
-					proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-					proxy_set_header X-Forwarded-Proto $scheme;
-					proxy_set_header X-Forwarded-Host $http_host;
-					proxy_set_header X-Forwarded-URI $request_uri;
-					proxy_set_header X-Forwarded-Ssl on;
-					proxy_set_header X-Forwarded-For $remote_addr;
-					proxy_set_header X-Real-IP $remote_addr;
-
-					## Basic Proxy Configuration
-					client_body_buffer_size 128k;
-					proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
-					proxy_redirect  http://  $scheme://;
-					proxy_http_version 1.1;
-					proxy_cache_bypass $cookie_session;
-					proxy_no_cache $cookie_session;
-					proxy_buffers 64 256k;
-
-					## Trusted Proxies Configuration
-					## Please read the following documentation before configuring this:
-					##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
-					# set_real_ip_from 10.0.0.0/8;
-					# set_real_ip_from 172.16.0.0/12;
-					# set_real_ip_from 192.168.0.0/16;
-					# set_real_ip_from fc00::/7;
-					set_real_ip_from 127.0.0.1/32;
-					real_ip_header X-Forwarded-For;
-					real_ip_recursive on;
-
-					## Advanced Proxy Configuration
-					send_timeout 5m;
-					proxy_read_timeout 360;
-					proxy_send_timeout 360;
-					proxy_connect_timeout 360;
-				'';
-			};
-
-			"/api/verify" = {
-				proxyPass = "http://127.0.0.1:${toString authelia_port}";
-	    };
-
-	    "/api/authz/" = {
-				proxyPass = "http://127.0.0.1:${toString authelia_port}";
-	    };
-		};
-	};
-
-	# set the permissions for the secrets...
-	age.secrets = {
-		# ... passwed via environment vars
-		authelia_session_secret.owner = "authelia-main";
-		authelia_session_secret.group = "authelia-main";
-		authelia_mail_password.owner = "authelia-main";
-		authelia_mail_password.group = "authelia-main";
-
-		# ... passed via the services.authelia.instances.main.secrets attribute
-		authelia_storage_encryption_key.owner = "authelia-main";
-		authelia_storage_encryption_key.group = "authelia-main";
-		authelia_jwt_secret.owner = "authelia-main";
-		authelia_jwt_secret.group = "authelia-main";
-		authelia_oidc_issuer_private_key.owner = "authelia-main";
-		authelia_oidc_issuer_private_key.group = "authelia-main";
-		authelia_oidc_hmac_secret.owner = "authelia-main";
-		authelia_oidc_hmac_secret.group = "authelia-main";
-	};
-
-
-	services.authelia.instances = {
-		main = {
-			enable = true;
-			package = pkgs.authelia;
-
-			# pass some of the secrets in as env-vars
-			environmentVariables = with config.age.secrets; {
-				AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path;
-				AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path;
-			};
-			secrets = with config.age.secrets; {
-				manual = true;
-
-				# some other secrets can be defined here, but not all...
-				storageEncryptionKeyFile = authelia_storage_encryption_key.path;
-				jwtSecretFile = authelia_jwt_secret.path;
-				oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path;
-				oidcHmacSecretFile = authelia_oidc_hmac_secret.path;
-			};
-			settings = {
-				theme = "dark";
-
-				server = {
-					host = "127.0.0.1";
-					port = config.emile.ports.authelia;
-				};
-
-				# we're using a file to store the user information
-				authentication_backend = {
-					refresh_interval = "20s";
-					file = {
-						path = "/var/lib/authelia-main/user.yml";
-						watch = true;
-						password = {
-							algorithm = "argon2id";
-							iterations = 3;
-							key_length = 32;
-							salt_length = 16;
-							memory = 65;
-							parallelism = 4;
-						};
-					};
-				};
-
-				storage.local.path = "/var/lib/authelia-main/db.sqlite";
-
-				session = {
-					domain = "sso.emile.space";
-					expiration = 3600; # 1 hour
-					inactivity = 300; # 5 minutes
-				};
-
-				notifier = {
-					disable_startup_check = false;
-					smtp = {
-						host = "mail.emile.space";
-						port = 587;
-						timeout = "30s";
-						username = "mail@emile.space";
-
-						sender = "mail@emile.space";
-						subject = "[Authelia] {title}";
-
-						disable_require_tls = false;
-						disable_starttls = false;
-						disable_html_emails = true;
-
-						tls = {
-							server_name = "mail.emile.space";
-							skip_verify = true;
-							minimum_version = "TLS1.3";
-						};
-					};
-				};
-
-				identity_providers = {
-					oidc = {
-							# regenerate keys like this:
-							# ; nix run nixpkgs#authelia -- crypto certificate rsa generate
-							# current serial: deb83f17e27e663f544a16ad2947631d
-
-							enable_client_debug_messages = false;
-							minimum_parameter_entropy = 8;
-							enforce_pkce = "public_clients_only";
-							enable_pkce_plain_challenge = false;
-							cors = {
-							endpoints = [
-								"authorization"
-								"token"
-								"revocation"
-								"introspection"
-							];
-							allowed_origins = [
-								"https://emile.space"
-							];
-							allowed_origins_from_client_redirect_uris = false;
-						};
-					};
-				};
-
-				access_control = {
-					default_policy = "deny";
-					rules = [
-						{
-							domain = "*.emile.space";
-							policy = "two_factor";
-						}
-					];
-				};
-
-				totp = {
-				  disable = false;
-				  issuer = "sso.emile.space";
-				  algorithm = "sha1";
-				  digits = 6;
-				  period = 30;
-				  skew = 1;
-				  secret_size = 32;
-				};
-
-				ntp = {
-				  address = "time.cloudflare.com:123";
-				  version = 3;
-				  max_desync = "3s";
-				  disable_startup_check = false;
-				  disable_failure = false;
-				};
-			};
-		};
-	};
+  authelia_port = config.services.authelia.instances.main.settings.server.port;
+in
+{
+
+  services.nginx.virtualHosts."sso.emile.space" = {
+    forceSSL = true;
+    enableACME = true;
+
+    locations = {
+      "/" = {
+        proxyPass = "http://127.0.0.1:${toString authelia_port}";
+
+        extraConfig = ''
+          	## Headers
+          	proxy_set_header Host $host;
+          	proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+          	proxy_set_header X-Forwarded-Proto $scheme;
+          	proxy_set_header X-Forwarded-Host $http_host;
+          	proxy_set_header X-Forwarded-URI $request_uri;
+          	proxy_set_header X-Forwarded-Ssl on;
+          	proxy_set_header X-Forwarded-For $remote_addr;
+          	proxy_set_header X-Real-IP $remote_addr;
+
+          	## Basic Proxy Configuration
+          	client_body_buffer_size 128k;
+          	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+          	proxy_redirect  http://  $scheme://;
+          	proxy_http_version 1.1;
+          	proxy_cache_bypass $cookie_session;
+          	proxy_no_cache $cookie_session;
+          	proxy_buffers 64 256k;
+
+          	## Trusted Proxies Configuration
+          	## Please read the following documentation before configuring this:
+          	##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+          	# set_real_ip_from 10.0.0.0/8;
+          	# set_real_ip_from 172.16.0.0/12;
+          	# set_real_ip_from 192.168.0.0/16;
+          	# set_real_ip_from fc00::/7;
+          	set_real_ip_from 127.0.0.1/32;
+          	real_ip_header X-Forwarded-For;
+          	real_ip_recursive on;
+
+          	## Advanced Proxy Configuration
+          	send_timeout 5m;
+          	proxy_read_timeout 360;
+          	proxy_send_timeout 360;
+          	proxy_connect_timeout 360;
+        '';
+      };
+
+      "/api/verify" = {
+        proxyPass = "http://127.0.0.1:${toString authelia_port}";
+      };
+
+      "/api/authz/" = {
+        proxyPass = "http://127.0.0.1:${toString authelia_port}";
+      };
+    };
+  };
+
+  # set the permissions for the secrets...
+  age.secrets = {
+    # ... passwed via environment vars
+    authelia_session_secret.owner = "authelia-main";
+    authelia_session_secret.group = "authelia-main";
+    authelia_mail_password.owner = "authelia-main";
+    authelia_mail_password.group = "authelia-main";
+
+    # ... passed via the services.authelia.instances.main.secrets attribute
+    authelia_storage_encryption_key.owner = "authelia-main";
+    authelia_storage_encryption_key.group = "authelia-main";
+    authelia_jwt_secret.owner = "authelia-main";
+    authelia_jwt_secret.group = "authelia-main";
+    authelia_oidc_issuer_private_key.owner = "authelia-main";
+    authelia_oidc_issuer_private_key.group = "authelia-main";
+    authelia_oidc_hmac_secret.owner = "authelia-main";
+    authelia_oidc_hmac_secret.group = "authelia-main";
+  };
+
+  services.authelia.instances = {
+    main = {
+      enable = true;
+      package = pkgs.authelia;
+
+      # pass some of the secrets in as env-vars
+      environmentVariables = with config.age.secrets; {
+        AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path;
+        AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path;
+      };
+      secrets = with config.age.secrets; {
+        manual = true;
+
+        # some other secrets can be defined here, but not all...
+        storageEncryptionKeyFile = authelia_storage_encryption_key.path;
+        jwtSecretFile = authelia_jwt_secret.path;
+        oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path;
+        oidcHmacSecretFile = authelia_oidc_hmac_secret.path;
+      };
+      settings = {
+        theme = "dark";
+
+        server = {
+          host = "127.0.0.1";
+          port = config.emile.ports.authelia;
+        };
+
+        # we're using a file to store the user information
+        authentication_backend = {
+          refresh_interval = "20s";
+          file = {
+            path = "/var/lib/authelia-main/user.yml";
+            watch = true;
+            password = {
+              algorithm = "argon2id";
+              iterations = 3;
+              key_length = 32;
+              salt_length = 16;
+              memory = 65;
+              parallelism = 4;
+            };
+          };
+        };
+
+        storage.local.path = "/var/lib/authelia-main/db.sqlite";
+
+        session = {
+          domain = "sso.emile.space";
+          expiration = 3600; # 1 hour
+          inactivity = 300; # 5 minutes
+        };
+
+        notifier = {
+          disable_startup_check = false;
+          smtp = {
+            host = "mail.emile.space";
+            port = 587;
+            timeout = "30s";
+            username = "mail@emile.space";
+
+            sender = "mail@emile.space";
+            subject = "[Authelia] {title}";
+
+            disable_require_tls = false;
+            disable_starttls = false;
+            disable_html_emails = true;
+
+            tls = {
+              server_name = "mail.emile.space";
+              skip_verify = true;
+              minimum_version = "TLS1.3";
+            };
+          };
+        };
+
+        identity_providers = {
+          oidc = {
+            # regenerate keys like this:
+            # ; nix run nixpkgs#authelia -- crypto certificate rsa generate
+            # current serial: deb83f17e27e663f544a16ad2947631d
+
+            enable_client_debug_messages = false;
+            minimum_parameter_entropy = 8;
+            enforce_pkce = "public_clients_only";
+            enable_pkce_plain_challenge = false;
+            cors = {
+              endpoints = [
+                "authorization"
+                "token"
+                "revocation"
+                "introspection"
+              ];
+              allowed_origins = [ "https://emile.space" ];
+              allowed_origins_from_client_redirect_uris = false;
+            };
+          };
+        };
+
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            {
+              domain = "*.emile.space";
+              policy = "two_factor";
+            }
+          ];
+        };
+
+        totp = {
+          disable = false;
+          issuer = "sso.emile.space";
+          algorithm = "sha1";
+          digits = 6;
+          period = 30;
+          skew = 1;
+          secret_size = 32;
+        };
+
+        ntp = {
+          address = "time.cloudflare.com:123";
+          version = 3;
+          max_desync = "3s";
+          disable_startup_check = false;
+          disable_failure = false;
+        };
+      };
+    };
+  };
 }
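Review bot: `skip_verify = true` under `notifier.smtp.tls` turns off certificate verification for the connection to mail.emile.space, so the `server_name` and `minimum_version = "TLS1.3"` settings next to it no longer authenticate the server. The SMTP password supplied through `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` is then sent to whichever host answers on port 587. The reformat carries this setting over unchanged. If the mail server presents a certificate valid for that name, set `skip_verify = false;`; if it uses a private CA, trusting that CA is preferable to skipping verification.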
diff --git a/nix/hosts/corrino/www/tickets.emile.space.nix b/nix/hosts/corrino/www/tickets.emile.space.nix
index a53b878..fb12961 100644
--- a/nix/hosts/corrino/www/tickets.emile.space.nix
+++ b/nix/hosts/corrino/www/tickets.emile.space.nix
@@ -17,7 +17,10 @@
     pretix = {
       enable = true;
       package = pkgs.pretix;
-      plugins = with config.services.pretix.package.plugins; [ passbook pages ];
+      plugins = with config.services.pretix.package.plugins; [
+        passbook
+        pages
+      ];
       user = "pretix";
       group = "pretix";
       gunicorn.extraArgs = [
diff --git a/nix/hosts/corrino/www/tmp.emile.space.nix b/nix/hosts/corrino/www/tmp.emile.space.nix
index eeb7f8b..395c4dd 100644
--- a/nix/hosts/corrino/www/tmp.emile.space.nix
+++ b/nix/hosts/corrino/www/tmp.emile.space.nix
@@ -10,7 +10,7 @@
         extraConfig = ''
           add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
           autoindex on;
-        ''; 
+        '';
       };
     };
   };