Diffstat (limited to 'ops')
-rw-r--r--ops/dns/default.nix5
-rw-r--r--ops/glesys/default.nix2
-rw-r--r--ops/journaldriver/default.nix4
-rw-r--r--ops/keycloak/default.nix2
-rw-r--r--ops/kontemplate/release.nix22
-rw-r--r--ops/machines/whitby/default.nix141
-rw-r--r--ops/modules/atward.nix3
-rw-r--r--ops/modules/auto-deploy.nix3
-rw-r--r--ops/modules/automatic-gc.nix3
-rw-r--r--ops/modules/clbot.nix7
-rw-r--r--ops/modules/default.nix2
-rw-r--r--ops/modules/gerrit-queue.nix3
-rw-r--r--ops/modules/git-serving.nix3
-rw-r--r--ops/modules/irccat.nix3
-rw-r--r--ops/modules/monorepo-gerrit.nix5
-rw-r--r--ops/modules/nixery.nix3
-rw-r--r--ops/modules/oauth2_proxy.nix3
-rw-r--r--ops/modules/owothia.nix3
-rw-r--r--ops/modules/panettone.nix40
-rw-r--r--ops/modules/paroxysm.nix3
-rw-r--r--ops/modules/quassel.nix5
-rw-r--r--ops/modules/restic.nix3
-rw-r--r--ops/modules/smtprelay.nix5
-rw-r--r--ops/modules/sourcegraph.nix6
-rw-r--r--ops/modules/tvl-buildkite.nix67
-rw-r--r--ops/modules/tvl-slapd/default.nix5
-rw-r--r--ops/pipelines/depot.nix8
-rw-r--r--ops/secrets/mkSecrets.nix6
-rw-r--r--ops/secrets/secrets.nix3
29 files changed, 209 insertions, 159 deletions
diff --git a/ops/dns/default.nix b/ops/dns/default.nix
index 136a4c58dca7..ad6e136f2756 100644
--- a/ops/dns/default.nix
+++ b/ops/dns/default.nix
@@ -2,11 +2,12 @@
 { depot, pkgs, ... }:
 
 let
-  checkZone = zone: file: pkgs.runCommandNoCC "${zone}-check" {} ''
+  checkZone = zone: file: pkgs.runCommandNoCC "${zone}-check" { } ''
     ${pkgs.bind}/bin/named-checkzone -i local ${zone} ${file} | tee $out
   '';
 
-in depot.nix.readTree.drvTargets {
+in
+depot.nix.readTree.drvTargets {
   nixery-dev = checkZone "nixery.dev" ./nixery.dev.zone;
   tvl-fyi = checkZone "tvl.fyi" ./tvl.fyi.zone;
   tvl-su = checkZone "tvl.su" ./tvl.su.zone;
diff --git a/ops/glesys/default.nix b/ops/glesys/default.nix
index f4c0478c5d89..2dfb505fb423 100644
--- a/ops/glesys/default.nix
+++ b/ops/glesys/default.nix
@@ -2,7 +2,7 @@
 
 depot.nix.readTree.drvTargets {
   # Provide a Terraform wrapper with the right provider installed.
-  terraform = pkgs.terraform.withPlugins(_: [
+  terraform = pkgs.terraform.withPlugins (_: [
     depot.third_party.terraform-provider-glesys
   ]);
 }
diff --git a/ops/journaldriver/default.nix b/ops/journaldriver/default.nix
index d2413e74cc92..a06a858fa12a 100644
--- a/ops/journaldriver/default.nix
+++ b/ops/journaldriver/default.nix
@@ -4,6 +4,8 @@ depot.third_party.naersk.buildPackage {
   src = ./.;
 
   buildInputs = with pkgs; [
-    pkgconfig openssl systemd.dev
+    pkgconfig
+    openssl
+    systemd.dev
   ];
 }
diff --git a/ops/keycloak/default.nix b/ops/keycloak/default.nix
index 96f0c40e5e2a..5757debd1a39 100644
--- a/ops/keycloak/default.nix
+++ b/ops/keycloak/default.nix
@@ -2,7 +2,7 @@
 
 depot.nix.readTree.drvTargets {
   # Provide a Terraform wrapper with the right provider installed.
-  terraform = pkgs.terraform.withPlugins(p: [
+  terraform = pkgs.terraform.withPlugins (p: [
     p.keycloak
   ]);
 }
diff --git a/ops/kontemplate/release.nix b/ops/kontemplate/release.nix
index 8a04109526cf..6a3dbd5efe87 100644
--- a/ops/kontemplate/release.nix
+++ b/ops/kontemplate/release.nix
@@ -10,13 +10,17 @@
 # This file is the Nix derivation used to build release binaries for
 # several different architectures and operating systems.
 
-let pkgs = import ((import <nixpkgs> {}).fetchFromGitHub {
-  owner = "NixOS";
-  repo = "nixpkgs-channels";
-  rev = "541d9cce8af7a490fb9085305939569567cb58e6";
-  sha256 = "0jgz72hhzkd5vyq5v69vpljjlnf0lqaz7fh327bvb3cvmwbfxrja";
-}) {};
-in with pkgs; buildGoPackage rec {
+let
+  pkgs = import
+    ((import <nixpkgs> { }).fetchFromGitHub {
+      owner = "NixOS";
+      repo = "nixpkgs-channels";
+      rev = "541d9cce8af7a490fb9085305939569567cb58e6";
+      sha256 = "0jgz72hhzkd5vyq5v69vpljjlnf0lqaz7fh327bvb3cvmwbfxrja";
+    })
+    { };
+in
+with pkgs; buildGoPackage rec {
   name = "kontemplate-${version}";
   version = "canon";
   src = ./.;
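Review bot: The pinned checkout in this `let` is still bootstrapped through `import <nixpkgs> { }`, so the `fetchFromGitHub` implementation comes from whatever `NIX_PATH` resolves to on the build machine rather than from a pinned source. The `rev` and `sha256` fix the fetched tree, but the release build as a whole is only as reproducible as that ambient lookup. A builtin fetcher with an explicit hash, for example `builtins.fetchTarball { url = "<archive URL for the pinned rev>"; sha256 = "<hash>"; }`, would remove the dependency. A short comment saying why `nixpkgs-channels` at this revision is used would also help whoever next bumps the pin.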
@@ -29,8 +33,8 @@ in with pkgs; buildGoPackage rec {
   # reason for setting the 'allowGoReference' flag.
   dontStrip = true; # Linker configuration handles stripping
   allowGoReference = true;
-  CGO_ENABLED="0";
-  GOCACHE="off";
+  CGO_ENABLED = "0";
+  GOCACHE = "off";
 
   # Configure release builds via the "build-matrix" script:
   buildInputs = [ git ];
diff --git a/ops/machines/whitby/default.nix b/ops/machines/whitby/default.nix
index a6a5a763177a..0aa61fda80cf 100644
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@@ -4,7 +4,8 @@
 let
   inherit (builtins) listToAttrs;
   inherit (lib) range;
-in {
+in
+{
   imports = [
     "${depot.path}/ops/modules/atward.nix"
     "${depot.path}/ops/modules/clbot.nix"
@@ -55,7 +56,13 @@ in {
 
     initrd = {
       availableKernelModules = [
-        "igb" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sr_mod"
+        "igb"
+        "xhci_pci"
+        "nvme"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sr_mod"
       ];
 
       # Enable SSH in the initrd so that we can enter disk encryption
@@ -189,7 +196,7 @@ in {
         ++ lukegb.keys.all
         ++ [ grfn.keys.whitby ]
         ++ sterni.keys.all
-        ;
+      ;
     };
   };
 
@@ -205,7 +212,8 @@ in {
   age.secrets =
     let
       secretFile = name: depot.ops.secrets."${name}.age";
-    in {
+    in
+    {
       clbot.file = secretFile "clbot";
       gerrit-queue.file = secretFile "gerrit-queue";
       grafana.file = secretFile "grafana";
@@ -509,15 +517,16 @@ in {
       job_name = "node";
       scrape_interval = "5s";
       static_configs = [{
-        targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"];
+        targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
       }];
-    } {
-      job_name = "nginx";
-      scrape_interval = "5s";
-      static_configs = [{
-        targets = ["localhost:${toString config.services.prometheus.exporters.nginx.port}"];
+    }
+      {
+        job_name = "nginx";
+        scrape_interval = "5s";
+        static_configs = [{
+          targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
+        }];
       }];
-    }];
   };
 
   services.grafana = {
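Review bot: After reformatting, the two scrape configs in this list no longer line up: the `node` entry closes at four spaces while the `nginx` entry opens at six, and the list ends in two consecutive `}];` lines at different depths, which makes it easy to misread which bracket closes what. The list opener is above this hunk, so this is inferred from the visible lines, but writing the list with `[` on its own line and one `{ … }` per element should give both entries the same indentation. The list of assertion entries in ops/modules/panettone.nix ends up with the same staggered shape.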
@@ -526,58 +535,62 @@ in {
     domain = "status.tvl.su";
     rootUrl = "https://status.tvl.su";
     analytics.reporting.enable = false;
-    extraOptions = let
-      options = {
-        auth = {
-          generic_oauth = {
-            enabled = true;
-            client_id = "grafana";
-            scopes = "openid profile email";
-            name = "TVL";
-            email_attribute_path = "mail";
-            login_attribute_path = "sub";
-            name_attribute_path = "displayName";
-            auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
-            token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
-            api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
-
-            # Give lukegb, grfn, tazjin "Admin" rights.
-            role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
-
-            # Allow creating new Grafana accounts from OAuth accounts.
-            allow_sign_up = true;
-          };
-
-          anonymous = {
-            enabled = true;
-            org_name = "The Virus Lounge";
-            org_role = "Viewer";
+    extraOptions =
+      let
+        options = {
+          auth = {
+            generic_oauth = {
+              enabled = true;
+              client_id = "grafana";
+              scopes = "openid profile email";
+              name = "TVL";
+              email_attribute_path = "mail";
+              login_attribute_path = "sub";
+              name_attribute_path = "displayName";
+              auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
+              token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
+              api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
+
+              # Give lukegb, grfn, tazjin "Admin" rights.
+              role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
+
+              # Allow creating new Grafana accounts from OAuth accounts.
+              allow_sign_up = true;
+            };
+
+            anonymous = {
+              enabled = true;
+              org_name = "The Virus Lounge";
+              org_role = "Viewer";
+            };
+
+            basic.enabled = false;
+            oauth_auto_login = true;
+            disable_login_form = true;
           };
-
-          basic.enabled = false;
-          oauth_auto_login = true;
-          disable_login_form = true;
         };
-      };
-      inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
-      inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
-
-      # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
-      encodeName = raw: replaceStrings ["."] ["_"] (toUpper (concatStringsSep "_" raw));
-
-      # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
-      optionToString = value:
-        if (typeOf value) == "bool" then
-          if value then "true" else "false"
-        else builtins.toString value;
-
-      # Turn an nested options attrset into a flat listToAttrs-compatible list.
-      encodeOptions = prefix: inp: concatLists (mapAttrsToList (name: value:
-        if (typeOf value) == "set"
-          then encodeOptions (prefix ++ [name]) value
-          else [ (nameValuePair (encodeName (prefix ++ [name])) (optionToString value)) ]
-        ) inp);
-    in listToAttrs (encodeOptions [] options);
+        inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
+        inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
+
+        # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
+        encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));
+
+        # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
+        optionToString = value:
+          if (typeOf value) == "bool" then
+            if value then "true" else "false"
+          else builtins.toString value;
+
+        # Turn an nested options attrset into a flat listToAttrs-compatible list.
+        encodeOptions = prefix: inp: concatLists (mapAttrsToList
+          (name: value:
+            if (typeOf value) == "set"
+            then encodeOptions (prefix ++ [ name ]) value
+            else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
+          )
+          inp);
+      in
+      listToAttrs (encodeOptions [ ] options);
 
     provision = {
       enable = true;
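Review bot: `role_attribute_path` falls through to `'Editor'` for every `sub` other than the three named admins, and `allow_sign_up = true` creates a Grafana account for any identity the OAuth provider accepts, so the set of people who can edit dashboards is defined entirely by who can log in at auth.tvl.fyi. If that is intended, a comment above the expression would make it explicit, e.g. `# Everyone else who can authenticate becomes Editor; anonymous visitors are Viewer.`; if not, the fallback could be `'Viewer'`. Separately, the comment on `encodeName` does not match the code: `["auth" "generic_oauth" "enabled"]` encodes to `AUTH_GENERIC_OAUTH_ENABLED`, not `OPTIONS_GENERIC_OAUTH_ENABLED`. The enclosing `services.grafana` block continues past the end of the hunk.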
@@ -623,8 +636,8 @@ in {
 
   security.sudo.extraRules = [
     {
-      groups = ["wheel"];
-      commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+      groups = [ "wheel" ];
+      commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
     }
   ];
 
@@ -705,7 +718,7 @@ in {
     };
 
     # Set up a user & group for git shenanigans
-    groups.git = {};
+    groups.git = { };
     users.git = {
       group = "git";
       isSystemUser = true;
diff --git a/ops/modules/atward.nix b/ops/modules/atward.nix
index 354f9ebdd3cb..f345a08e3131 100644
--- a/ops/modules/atward.nix
+++ b/ops/modules/atward.nix
@@ -3,7 +3,8 @@
 let
   cfg = config.services.depot.atward;
   description = "atward - (attempt to) cleverly route queries";
-in {
+in
+{
   options.services.depot.atward = {
     enable = lib.mkEnableOption description;
 
diff --git a/ops/modules/auto-deploy.nix b/ops/modules/auto-deploy.nix
index 83a8273562f6..c504906b2b94 100644
--- a/ops/modules/auto-deploy.nix
+++ b/ops/modules/auto-deploy.nix
@@ -45,7 +45,8 @@ let
     # NixOS in $STATE_DIRECTORY
     (cd / && ${rebuild-system}/bin/rebuild-system)
   '';
-in {
+in
+{
   options.services.depot.auto-deploy = {
     enable = lib.mkEnableOption description;
 
diff --git a/ops/modules/automatic-gc.nix b/ops/modules/automatic-gc.nix
index 634785721024..ad53a63f7f16 100644
--- a/ops/modules/automatic-gc.nix
+++ b/ops/modules/automatic-gc.nix
@@ -29,7 +29,8 @@ let
       echo "Skipping GC, enough space available"
     fi
   '';
-in {
+in
+{
   options.services.depot.automatic-gc = {
     enable = lib.mkEnableOption description;
 
diff --git a/ops/modules/clbot.nix b/ops/modules/clbot.nix
index ef4c2ab23795..958d321f81ad 100644
--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@@ -21,7 +21,7 @@ let
       (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"") flags));
 
   # Escapes a unit name for use in systemd
-  systemdEscape = name: removeSuffix "\n" (readFile (runCommandNoCC "unit-name" {} ''
+  systemdEscape = name: removeSuffix "\n" (readFile (runCommandNoCC "unit-name" { } ''
     ${pkgs.systemd}/bin/systemd-escape '${name}' >> $out
   ''));
 
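Review bot: `systemdEscape` places `name` between hand-written single quotes in the builder script (`systemd-escape '${name}'`), so a value containing `'` would end the quoting and the remainder would be read as shell. Where `name` comes from is not visible in this hunk; if it can ever be derived from configuration rather than a fixed literal, passing it through `escapeShellArg` from nixpkgs' `lib` is the safer form. The flag string on the context line above (`"-${key} \"${toString value}\""`) is quoted by hand in the same way. Both definitions sit in a `let` that starts outside the hunk.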
@@ -42,7 +42,8 @@ let
       };
     };
   };
-in {
+in
+{
   options.services.depot.clbot = {
     enable = mkEnableOption description;
 
@@ -68,7 +69,7 @@ in {
     # (notably the SSH private key) readable by this user outside of
     # the module.
     users = {
-      groups.clbot = {};
+      groups.clbot = { };
 
       users.clbot = {
         group = "clbot";
diff --git a/ops/modules/default.nix b/ops/modules/default.nix
index 8bdfecdf41b0..d747e8e1319a 100644
--- a/ops/modules/default.nix
+++ b/ops/modules/default.nix
@@ -1,2 +1,2 @@
 # Make readTree happy at this level.
-_: {}
+_: { }
diff --git a/ops/modules/gerrit-queue.nix b/ops/modules/gerrit-queue.nix
index a4b073f8560b..66d584cc3361 100644
--- a/ops/modules/gerrit-queue.nix
+++ b/ops/modules/gerrit-queue.nix
@@ -8,7 +8,8 @@ let
     inherit default;
     type = lib.types.str;
   };
-in {
+in
+{
   options.services.depot.gerrit-queue = {
     enable = lib.mkEnableOption description;
     gerritUrl = mkStringOption "https://cl.tvl.fyi";
diff --git a/ops/modules/git-serving.nix b/ops/modules/git-serving.nix
index 6b8bef29b15a..49af01a0fd3e 100644
--- a/ops/modules/git-serving.nix
+++ b/ops/modules/git-serving.nix
@@ -12,7 +12,8 @@
 
 let
   cfg = config.services.depot.git-serving;
-in {
+in
+{
   options.services.depot.git-serving = with lib; {
     enable = mkEnableOption "Enable cgit & josh configuration";
 
diff --git a/ops/modules/irccat.nix b/ops/modules/irccat.nix
index deb0b4ecaf34..05a783fd6614 100644
--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@@ -27,7 +27,8 @@ let
 
     exec ${depot.third_party.irccat}/bin/irccat
   '';
-in {
+in
+{
   options.services.depot.irccat = {
     enable = lib.mkEnableOption description;
 
diff --git a/ops/modules/monorepo-gerrit.nix b/ops/modules/monorepo-gerrit.nix
index 6638f30b3f9f..509500c9139d 100644
--- a/ops/modules/monorepo-gerrit.nix
+++ b/ops/modules/monorepo-gerrit.nix
@@ -9,12 +9,13 @@ let
     exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
   '';
 
-  gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" {} ''
+  gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" { } ''
     mkdir -p $out
     ln -s ${besadiiWithConfig "change-merged"} $out/change-merged
     ln -s ${besadiiWithConfig "patchset-created"} $out/patchset-created
   '';
-in {
+in
+{
   services.gerrit = {
     enable = true;
     listenAddress = "[::]:4778"; # 4778 - grrt
diff --git a/ops/modules/nixery.nix b/ops/modules/nixery.nix
index 60d151045756..33f196372dbb 100644
--- a/ops/modules/nixery.nix
+++ b/ops/modules/nixery.nix
@@ -6,7 +6,8 @@ let
   cfg = config.services.depot.nixery;
   description = "Nixery - container images on-demand";
   storagePath = "/var/lib/nixery/${pkgs.nixpkgsCommits.unstable}";
-in {
+in
+{
   options.services.depot.nixery = {
     enable = lib.mkEnableOption description;
 
diff --git a/ops/modules/oauth2_proxy.nix b/ops/modules/oauth2_proxy.nix
index 07ba8861e745..423f9010c5d2 100644
--- a/ops/modules/oauth2_proxy.nix
+++ b/ops/modules/oauth2_proxy.nix
@@ -19,7 +19,8 @@ let
     reverse_proxy = true
     set_xauthrequest = true
   '';
-in {
+in
+{
   options.services.depot.oauth2_proxy = {
     enable = lib.mkEnableOption description;
 
diff --git a/ops/modules/owothia.nix b/ops/modules/owothia.nix
index b2a77cddc2dd..d11fdd26ecbc 100644
--- a/ops/modules/owothia.nix
+++ b/ops/modules/owothia.nix
@@ -4,7 +4,8 @@
 let
   cfg = config.services.depot.owothia;
   description = "owothia - i'm a service owo";
-in {
+in
+{
   options.services.depot.owothia = {
     enable = lib.mkEnableOption description;
 
diff --git a/ops/modules/panettone.nix b/ops/modules/panettone.nix
index 11e934ec2e8d..d57e53e75442 100644
--- a/ops/modules/panettone.nix
+++ b/ops/modules/panettone.nix
@@ -2,7 +2,8 @@
 
 let
   cfg = config.services.depot.panettone;
-in {
+in
+{
   options.services.depot.panettone = with lib; {
     enable = mkEnableOption "Panettone issue tracker";
 
@@ -62,23 +63,26 @@ in {
       assertion =
         cfg.dbHost != "localhost" || config.services.postgresql.enable;
       message = "Panettone requires a postgresql database";
-    } {
-      assertion =
-        cfg.dbHost != "localhost" || config.services.postgresql.enableTCPIP;
-      message = "Panettone can only connect to the postgresql database over TCP";
-    } {
-      assertion =
-        cfg.dbHost != "localhost" || (lib.any
-          (user: user.name == cfg.dbUser)
-          config.services.postgresql.ensureUsers);
-      message = "Panettone requires a database user";
-    } {
-      assertion =
-        cfg.dbHost != "localhost" || (lib.any
-          (db: db == cfg.dbName)
-          config.services.postgresql.ensureDatabases);
-      message = "Panettone requires a database";
-    }];
+    }
+      {
+        assertion =
+          cfg.dbHost != "localhost" || config.services.postgresql.enableTCPIP;
+        message = "Panettone can only connect to the postgresql database over TCP";
+      }
+      {
+        assertion =
+          cfg.dbHost != "localhost" || (lib.any
+            (user: user.name == cfg.dbUser)
+            config.services.postgresql.ensureUsers);
+        message = "Panettone requires a database user";
+      }
+      {
+        assertion =
+          cfg.dbHost != "localhost" || (lib.any
+            (db: db == cfg.dbName)
+            config.services.postgresql.ensureDatabases);
+        message = "Panettone requires a database";
+      }];
 
     systemd.services.panettone = {
       wantedBy = [ "multi-user.target" ];
diff --git a/ops/modules/paroxysm.nix b/ops/modules/paroxysm.nix
index cd9cd3866e47..070e7623db09 100644
--- a/ops/modules/paroxysm.nix
+++ b/ops/modules/paroxysm.nix
@@ -3,7 +3,8 @@
 let
   cfg = config.services.depot.paroxysm;
   description = "TVL's majestic IRC bot";
-in {
+in
+{
   options.services.depot.paroxysm.enable = lib.mkEnableOption description;
 
   config = lib.mkIf cfg.enable {
diff --git a/ops/modules/quassel.nix b/ops/modules/quassel.nix
index 9c8692629a2a..4a0b64ffc100 100644
--- a/ops/modules/quassel.nix
+++ b/ops/modules/quassel.nix
@@ -8,7 +8,8 @@ let
     enableDaemon = true;
     withKDE = false;
   };
-in {
+in
+{
   options.services.depot.quassel = with lib; {
     enable = mkEnableOption "Quassel IRC daemon";
 
@@ -70,7 +71,7 @@ in {
         group = "quassel";
       };
 
-      groups.quassel = {};
+      groups.quassel = { };
     };
   };
 }
diff --git a/ops/modules/restic.nix b/ops/modules/restic.nix
index 1aacf68973e3..869539603578 100644
--- a/ops/modules/restic.nix
+++ b/ops/modules/restic.nix
@@ -14,7 +14,8 @@ let
     inherit default;
     type = lib.types.str;
   };
-in {
+in
+{
   options.services.depot.restic = {
     enable = lib.mkEnableOption description;
     bucketEndpoint = mkStringOption "objects.dc-sto1.glesys.net";
diff --git a/ops/modules/smtprelay.nix b/ops/modules/smtprelay.nix
index 106593fe39d1..cfb185ecd107 100644
--- a/ops/modules/smtprelay.nix
+++ b/ops/modules/smtprelay.nix
@@ -27,8 +27,9 @@ let
   prepareArgs = args:
     concatStringsSep " "
       (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"")
-                            (args // overrideArgs)));
-in {
+        (args // overrideArgs)));
+in
+{
   options.services.depot.smtprelay = {
     enable = mkEnableOption description;
 
diff --git a/ops/modules/sourcegraph.nix b/ops/modules/sourcegraph.nix
index a72cd75d477d..5311b42dd1db 100644
--- a/ops/modules/sourcegraph.nix
+++ b/ops/modules/sourcegraph.nix
@@ -4,7 +4,8 @@
 
 let
   cfg = config.services.depot.sourcegraph;
-in {
+in
+{
   options.services.depot.sourcegraph = with lib; {
     enable = mkEnableOption "SourceGraph code search engine";
 
@@ -51,7 +52,8 @@ in {
       # Sourcegraph needs a higher nofile limit, it logs warnings
       # otherwise (unclear whether it actually affects the service).
       extraOptions = [
-        "--ulimit" "nofile=10000:10000"
+        "--ulimit"
+        "nofile=10000:10000"
       ];
     };
   };
diff --git a/ops/modules/tvl-buildkite.nix b/ops/modules/tvl-buildkite.nix
index aaeb5a0f7554..a6e7372a250a 100644
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@@ -13,7 +13,7 @@ let
 
   # All Buildkite hooks are actually besadii, but it's being invoked
   # with different names.
-  buildkiteHooks = pkgs.runCommandNoCC "buildkite-hooks" {} ''
+  buildkiteHooks = pkgs.runCommandNoCC "buildkite-hooks" { } ''
     mkdir -p $out/bin
     ln -s ${besadiiWithConfig "post-command"} $out/bin/post-command
   '';
@@ -22,7 +22,8 @@ let
     echo 'username=buildkite'
     echo "password=$(jq -r '.gerritPassword' /run/agenix/buildkite-besadii-config)"
   '';
-in {
+in
+{
   options.services.depot.buildkite = {
     enable = lib.mkEnableOption description;
     agentCount = lib.mkOption {
@@ -33,39 +34,43 @@ in {
 
   config = lib.mkIf cfg.enable {
     # Run the Buildkite agents using the default upstream module.
-    services.buildkite-agents = builtins.listToAttrs (map (n: rec {
-      name = "whitby-${toString n}";
-      value = {
-        inherit name;
-        enable = true;
-        tokenPath = "/run/agenix/buildkite-agent-token";
-        hooks.post-command = "${buildkiteHooks}/bin/post-command";
+    services.buildkite-agents = builtins.listToAttrs (map
+      (n: rec {
+        name = "whitby-${toString n}";
+        value = {
+          inherit name;
+          enable = true;
+          tokenPath = "/run/agenix/buildkite-agent-token";
+          hooks.post-command = "${buildkiteHooks}/bin/post-command";
 
-        runtimePackages = with pkgs; [
-          bash
-          coreutils
-          credentialHelper
-          curl
-          git
-          gnutar
-          gzip
-          jq
-          nix
-        ];
-      };
-    }) agents);
+          runtimePackages = with pkgs; [
+            bash
+            coreutils
+            credentialHelper
+            curl
+            git
+            gnutar
+            gzip
+            jq
+            nix
+          ];
+        };
+      })
+      agents);
 
     # Set up a group for all Buildkite agent users
     users = {
-      groups.buildkite-agents = {};
-      users = builtins.listToAttrs (map (n: rec {
-        name = "buildkite-agent-whitby-${toString n}";
-        value = {
-          isSystemUser = true;
-          group = lib.mkForce "buildkite-agents";
-          extraGroups = [ name "docker" ];
-        };
-      }) agents);
+      groups.buildkite-agents = { };
+      users = builtins.listToAttrs (map
+        (n: rec {
+          name = "buildkite-agent-whitby-${toString n}";
+          value = {
+            isSystemUser = true;
+            group = lib.mkForce "buildkite-agents";
+            extraGroups = [ name "docker" ];
+          };
+        })
+        agents);
     };
   };
 }
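Review bot: Each `buildkite-agent-whitby-N` user is placed in the `docker` group through `extraGroups = [ name "docker" ];`, and access to the Docker daemon is generally equivalent to root on the host, so the jobs these agents run presumably inherit that reach. If the pipelines need Docker, a comment on that line would record the trade-off, for example `# docker group is root-equivalent; agents must only run trusted pipelines`. If they do not, dropping `"docker"` from the list narrows what a compromised build step can touch.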
diff --git a/ops/modules/tvl-slapd/default.nix b/ops/modules/tvl-slapd/default.nix
index dbcf139338ea..d0d6616e224b 100644
--- a/ops/modules/tvl-slapd/default.nix
+++ b/ops/modules/tvl-slapd/default.nix
@@ -26,7 +26,8 @@ let
 
   inherit (depot.ops) users;
 
-in {
+in
+{
   services.openldap = {
     enable = true;
 
@@ -48,7 +49,7 @@ in {
 
       "cn=schema".includes =
         map (schema: "${pkgs.openldap}/etc/schema/${schema}.ldif")
-            [ "core" "cosine" "inetorgperson" "nis" ];
+          [ "core" "cosine" "inetorgperson" "nis" ];
     };
 
     # Contents are immutable at runtime, and adding user accounts etc.
diff --git a/ops/pipelines/depot.nix b/ops/pipelines/depot.nix
index b6941ba38aa7..6d9e625e04be 100644
--- a/ops/pipelines/depot.nix
+++ b/ops/pipelines/depot.nix
@@ -16,9 +16,10 @@ let
     drvTargets = depot.ci.targets;
     additionalSteps = [ protoCheck ];
 
-    parentTargetMap = if (externalArgs ? parentTargetMap)
+    parentTargetMap =
+      if (externalArgs ? parentTargetMap)
       then builtins.fromJSON (builtins.readFile externalArgs.parentTargetMap)
-      else {};
+      else { };
 
     postBuildSteps = [
       # After successful builds, create a gcroot for builds on canon.
@@ -40,7 +41,8 @@ let
   };
 
   drvmap = depot.nix.buildkite.mkDrvmap depot.ci.targets;
-in pkgs.runCommandNoCC "depot-pipeline" {} ''
+in
+pkgs.runCommandNoCC "depot-pipeline" { } ''
   mkdir $out
   cp -r ${pipeline}/* $out
   cp ${drvmap} $out/drvmap.json
diff --git a/ops/secrets/mkSecrets.nix b/ops/secrets/mkSecrets.nix
index 4e40112b9610..c99130835f15 100644
--- a/ops/secrets/mkSecrets.nix
+++ b/ops/secrets/mkSecrets.nix
@@ -22,6 +22,6 @@ in
 
 defun [ path (attrs agenixSecret) (attrs any) ]
   (path: secrets:
-    depot.nix.readTree.drvTargets
-      # Import each secret into the Nix store
-      (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
+  depot.nix.readTree.drvTargets
+    # Import each secret into the Nix store
+    (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index 52b79e444a7c..2c08bb1aee5d 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -15,7 +15,8 @@ let
   whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I";
 
   default.publicKeys = tazjin ++ grfn ++ sterni ++ [ whitby ];
-in {
+in
+{
   "besadii.age" = default;
   "buildkite-agent-token.age" = default;
   "buildkite-graphql-token.age" = default;