TLATER · TLATER · Jan 15, 2026 · Jan 15, 2026 · Jan 15, 2026
diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
@@ -4,3 +4,5 @@
 ba4f3ffb1956acd35a2d4a71a8775d2f520497d1
 # Switched to `nix-ast-lint`
 8581934d6669224eed540123af826deec67b400c
+# Fixed a bug in `nix-ast-lint`
+66cb0c4ec188b9623edffee834cad6d6ab07c0e5
diff --git a/checks/default.nix b/checks/default.nix
@@ -15,7 +15,7 @@ in
     };
 
     script = ''
-      nix-ast-lint --error --off=empty-let-in
+      nix-ast-lint --error
       deadnix --fail **/*.nix
       nixfmt --check --strict **/*.nix
     '';

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -30,8 +30,10 @@
 
     emacs-overlay = {
       url = "github:nix-community/emacs-overlay";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.nixpkgs-stable.follows = "nixpkgs";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        nixpkgs-stable.follows = "nixpkgs";
+      };
     };
 
     tree-sitter-sieve = {

diff --git a/home-config/applications/tty/default.nix b/home-config/applications/tty/default.nix
@@ -9,25 +9,27 @@
 
   home.packages = [ flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.topiary ];
 
-  programs.bottom = {
-    enable = true;
-    settings.flags.group_processes = true;
-  };
+  programs = {
+    bottom = {
+      enable = true;
+      settings.flags.group_processes = true;
+    };
 
-  programs.git.settings =
-    let
-      mergiraf-attributes =
-        pkgs.runCommandLocal "gitattributes" { nativeBuildInputs = [ pkgs.mergiraf ]; }
-          ''
-            mergiraf languages --gitattributes >> $out
-          '';
-    in
-    {
-      core.attributesfile = mergiraf-attributes.outPath;
+    git.settings =
+      let
+        mergiraf-attributes =
+          pkgs.runCommandLocal "gitattributes" { nativeBuildInputs = [ pkgs.mergiraf ]; }
+            ''
+              mergiraf languages --gitattributes >> $out
+            '';
+      in
+      {
+        core.attributesfile = mergiraf-attributes.outPath;
 
-      merge.mergiraf = {
-        name = "mergiraf";
-        driver = "${lib.getExe pkgs.mergiraf} merge --git %O %A %B -s %S -x %X -y %Y -p %P -l %L";
+        merge.mergiraf = {
+          name = "mergiraf";
+          driver = "${lib.getExe pkgs.mergiraf} merge --git %O %A %B -s %S -x %X -y %Y -p %P -l %L";
+        };
       };
-    };
+  };
 }
diff --git a/home-config/desktop/sway.nix b/home-config/desktop/sway.nix
@@ -55,8 +55,10 @@ in
     enable = true;
     package = null;
     config = null;
-    systemd.enable = false;
-    systemd.xdgAutostart = false;
+    systemd = {
+      enable = false;
+      xdgAutostart = false;
+    };
     extraConfigEarly =
       let
         theme = "${

diff --git a/home-config/personal/keepassxc.nix b/home-config/personal/keepassxc.nix
@@ -11,41 +11,43 @@ in
 {
   home.packages = with pkgs; [ keepassxc ];
 
-  systemd.user.services.keepass-sync = {
-    Unit = {
-      Description = "KeepassXC synchronization";
-      ConditionEnvironment = [ "DBUS_SESSION_BUS_ADDRESS" ];
-    };
-    Service = {
-      Type = "oneshot";
+  systemd.user = {
+    services.keepass-sync = {
+      Unit = {
+        Description = "KeepassXC synchronization";
+        ConditionEnvironment = [ "DBUS_SESSION_BUS_ADDRESS" ];
+      };
+      Service = {
+        Type = "oneshot";
 
-      ExecCondition = "${lib.getExe' pkgs.systemd "busctl"} --user status org.freedesktop.secrets";
+        ExecCondition = "${lib.getExe' pkgs.systemd "busctl"} --user status org.freedesktop.secrets";
 
-      ExecStart =
-        writeNuWith
-          {
-            packages = [
-              nextcloudcmd
-              pkgs.libsecret
-            ];
-          }
-          "sync-keepassxc"
-          ''
-            const url = 'https://nextcloud.tlater.net'
-            const nextcloud_dir = 'Backups/keepass'
-            let local_dir = $'($env.XDG_DATA_HOME | default ~/.local/share)/keepassxc/synced'
+        ExecStart =
+          writeNuWith
+            {
+              packages = [
+                nextcloudcmd
+                pkgs.libsecret
+              ];
+            }
+            "sync-keepassxc"
+            ''
+              const url = 'https://nextcloud.tlater.net'
+              const nextcloud_dir = 'Backups/keepass'
+              let local_dir = $'($env.XDG_DATA_HOME | default ~/.local/share)/keepassxc/synced'
 
-            let attributes = secret-tool search URL $url o+e>| parse "{attribute} = {value}" | transpose -rid
-            let password = secret-tool lookup URL $url
+              let attributes = secret-tool search URL $url o+e>| parse "{attribute} = {value}" | transpose -rid
+              let password = secret-tool lookup URL $url
 
-            $"($attributes.'attribute.UserName')\n($password)" | nextcloudcmd --path $nextcloud_dir $local_dir $url
-          '';
+              $"($attributes.'attribute.UserName')\n($password)" | nextcloudcmd --path $nextcloud_dir $local_dir $url
+            '';
+      };
     };
-  };
 
-  systemd.user.timers.keepass-sync = {
-    Unit.Description = "Periodic KeepassXC synchronization";
-    Timer.OnCalendar = "hourly";
-    Install.WantedBy = [ "timers.target" ];
+    timers.keepass-sync = {
+      Unit.Description = "Periodic KeepassXC synchronization";
+      Timer.OnCalendar = "hourly";
+      Install.WantedBy = [ "timers.target" ];
+    };
   };
 }
diff --git a/home-config/shell/default.nix b/home-config/shell/default.nix
@@ -77,8 +77,10 @@
         branch.autoSetupRebase = "always";
         checkout.defaultRemote = "origin";
 
-        pull.rebase = true;
-        pull.ff = "only";
+        pull = {
+          rebase = true;
+          ff = "only";
+        };
         push.default = "current";
 
         init.defaultBranch = "main";

diff --git a/home-config/shell/nushell.nix b/home-config/shell/nushell.nix
@@ -2,12 +2,14 @@
 {
   home.shell.enableNushellIntegration = true;
 
-  programs.nushell = {
-    enable = true;
-    configFile.source = ../dotfiles/nushell/config.nu;
+  programs = {
+    nushell = {
+      enable = true;
+      configFile.source = ../dotfiles/nushell/config.nu;
 
-    plugins = [ pkgs.nushellPlugins.query ];
-  };
+      plugins = [ pkgs.nushellPlugins.query ];
+    };
 
-  programs.carapace.enable = true;
+    carapace.enable = true;
+  };
 }
diff --git a/home-config/work/famedly.nix b/home-config/work/famedly.nix
@@ -44,10 +44,12 @@
 
   services.mpd.enable = lib.mkForce false;
 
-  home.packages = with pkgs; [
-    bitwarden-desktop
-    pre-commit
-  ];
+  home = {
+    packages = with pkgs; [
+      bitwarden-desktop
+      pre-commit
+    ];
 
-  home.file.".ssh/famedly-tlater.pub".source = "${flake-inputs.self}/keys/famedly-tlater.pub";
+    file.".ssh/famedly-tlater.pub".source = "${flake-inputs.self}/keys/famedly-tlater.pub";
+  };
 }
diff --git a/nixos-config/default.nix b/nixos-config/default.nix
@@ -54,25 +54,6 @@
 
   easyNvidia.desktopEnvironment = "wlroots";
 
-  hardware.nvidia =
-    let
-      inherit (flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}) nvidia;
-    in
-    {
-      package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
-        inherit (nvidia) version;
-        sha256_64bit = nvidia.src.outputHash;
-        openSha256 = nvidia.open.src.outputHash;
-        useSettings = false;
-        usePersistenced = false;
-      };
-
-      # Disabled because I don't use it and I can't be bothered to
-      # figure out how to get a hash for something nvidia don't seem to
-      # publish consistently.
-      nvidiaSettings = false;
-    };
-
   boot = {
     initrd.systemd.enable = true;
 
@@ -142,7 +123,10 @@
     nano.enable = false;
   };
 
-  security.sudo-rs.enable = true;
+  security = {
+    sudo-rs.enable = true;
+    rtkit.enable = true;
+  };
 
   fileSystems."/boot".options = [ "umask=0077" ];
 
@@ -165,30 +149,32 @@
     };
   };
 
-  # My systems never have usable root accounts anyway, so emergency
-  # mode just drops into a shell telling me it can't log into root
-  systemd.enableEmergencyMode = false;
-
-  systemd.services.angrr-touch = {
-    description = "`touch` gcroots that angrr shouldn't delete";
-    wantedBy = [ "angrr.service" ];
-    before = [ "angrr.service" ];
-
-    serviceConfig.ExecStart =
-      (flake-inputs.self.pkgs-lib.${pkgs.stdenv.hostPlatform.system}.writeNuWith
-        { packages = [ pkgs.fd ]; }
-        "angrr-touch"
-        ''
-          let roots = (fd --no-ignore -t d gcroots /home/tlater/.local/src /home/tlater/Documents/Projects
-             | split row "\n"
-             | each { ls -l $in }
-             | flatten
-             | where target =~ ^/nix/store)
-
-          print ($roots | select name accessed modified | update name { path relative-to /home/tlater })
-          $roots | each { touch --no-deref $in.name }
-        ''
-      ).outPath;
+  systemd = {
+    # My systems never have usable root accounts anyway, so emergency
+    # mode just drops into a shell telling me it can't log into root
+    enableEmergencyMode = false;
+
+    services.angrr-touch = {
+      description = "`touch` gcroots that angrr shouldn't delete";
+      wantedBy = [ "angrr.service" ];
+      before = [ "angrr.service" ];
+
+      serviceConfig.ExecStart =
+        (flake-inputs.self.pkgs-lib.${pkgs.stdenv.hostPlatform.system}.writeNuWith
+          { packages = [ pkgs.fd ]; }
+          "angrr-touch"
+          ''
+            let roots = (fd --no-ignore -t d gcroots /home/tlater/.local/src /home/tlater/Documents/Projects
+               | split row "\n"
+               | each { ls -l $in }
+               | flatten
+               | where target =~ ^/nix/store)
+
+            print ($roots | select name accessed modified | update name { path relative-to /home/tlater })
+            $roots | each { touch --no-deref $in.name }
+          ''
+        ).outPath;
+    };
   };
 
   services = {
@@ -277,18 +263,35 @@
     fstrim.enable = true;
     fwupd.enable = true;
     automatic-timezoned.enable = true;
+
+    # Necessary for opening links in gnome under certain conditions
+    gvfs.enable = true;
   };
 
   hardware = {
     bluetooth.enable = true;
     enableRedistributableFirmware = true;
     opentabletdriver.enable = true;
-  };
 
-  security.rtkit.enable = true;
+    nvidia =
+      let
+        inherit (flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}) nvidia;
+      in
+      {
+        package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
+          inherit (nvidia) version;
+          sha256_64bit = nvidia.src.outputHash;
+          openSha256 = nvidia.open.src.outputHash;
+          useSettings = false;
+          usePersistenced = false;
+        };
 
-  # Necessary for opening links in gnome under certain conditions
-  services.gvfs.enable = true;
+        # Disabled because I don't use it and I can't be bothered to
+        # figure out how to get a hash for something nvidia don't seem to
+        # publish consistently.
+        nvidiaSettings = false;
+      };
+  };
 
   system.stateVersion = "20.09";
 }
diff --git a/nixos-config/desktop/greeter/default.nix b/nixos-config/desktop/greeter/default.nix
@@ -49,14 +49,16 @@ in
     };
   };
 
-  environment.etc."greetd/environments".text = ''
-    sway-run
-  '';
+  environment = {
+    etc."greetd/environments".text = ''
+      sway-run
+    '';
 
-  environment.systemPackages = with pkgs; [
-    sway-run
-    pciutils
-  ];
+    systemPackages = with pkgs; [
+      sway-run
+      pciutils
+    ];
+  };
 
   fonts.packages = [ flake-inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.phosphor-icons ];