style: format entire depot with nixpkgs-fmt

This CL can be used to compare the style of nixpkgs-fmt against other formatters (nixpkgs, alejandra). Change-Id: I87c6abff6bcb546b02ead15ad0405f81e01b6d9e Reviewed-on: https://cl.tvl.fyi/c/depot/+/4397 Tested-by: BuildkiteCI Reviewed-by: sterni <sternenseemann@systemli.org> Reviewed-by: lukegb <lukegb@tvl.fyi> Reviewed-by: wpcarro <wpcarro@gmail.com> Reviewed-by: Profpatsch <mail@profpatsch.de> Reviewed-by: kanepyork <rikingcoding@gmail.com> Reviewed-by: tazjin <tazjin@tvl.su> Reviewed-by: cynthia <cynthia@tvl.fyi> Reviewed-by: edef <edef@edef.eu> Reviewed-by: eta <tvl@eta.st> Reviewed-by: grfn <grfn@gws.fyi>
2022-01-30 19:06:58 +03:00 · 2022-01-30 19:06:58 +03:00 · aa122cbae7
commit aa122cbae7
parent 2d10d60fac
310 changed files with 7278 additions and 5490 deletions
--- a/ops/dns/default.nix
+++ b/ops/dns/default.nix
@ -2,11 +2,12 @@
 { depot, pkgs, ... }:

 let
-  checkZone = zone: file: pkgs.runCommandNoCC "${zone}-check" {} ''
+  checkZone = zone: file: pkgs.runCommandNoCC "${zone}-check" { } ''
    ${pkgs.bind}/bin/named-checkzone -i local ${zone} ${file} | tee $out
  '';

-in depot.nix.readTree.drvTargets {
+in
+depot.nix.readTree.drvTargets {
  nixery-dev = checkZone "nixery.dev" ./nixery.dev.zone;
  tvl-fyi = checkZone "tvl.fyi" ./tvl.fyi.zone;
  tvl-su = checkZone "tvl.su" ./tvl.su.zone;
--- a/ops/glesys/default.nix
+++ b/ops/glesys/default.nix
@ -2,7 +2,7 @@

 depot.nix.readTree.drvTargets {
  # Provide a Terraform wrapper with the right provider installed.
-  terraform = pkgs.terraform.withPlugins(_: [
+  terraform = pkgs.terraform.withPlugins (_: [
    depot.third_party.terraform-provider-glesys
  ]);
 }
--- a/ops/journaldriver/default.nix
+++ b/ops/journaldriver/default.nix
@ -4,6 +4,8 @@ depot.third_party.naersk.buildPackage {
  src = ./.;

  buildInputs = with pkgs; [
-    pkgconfig openssl systemd.dev
+    pkgconfig
+    openssl
+    systemd.dev
  ];
 }
--- a/ops/keycloak/default.nix
+++ b/ops/keycloak/default.nix
@ -2,7 +2,7 @@

 depot.nix.readTree.drvTargets {
  # Provide a Terraform wrapper with the right provider installed.
-  terraform = pkgs.terraform.withPlugins(p: [
+  terraform = pkgs.terraform.withPlugins (p: [
    p.keycloak
  ]);
 }
--- a/ops/kontemplate/release.nix
+++ b/ops/kontemplate/release.nix
@ -10,13 +10,17 @@
 # This file is the Nix derivation used to build release binaries for
 # several different architectures and operating systems.

-let pkgs = import ((import <nixpkgs> {}).fetchFromGitHub {
-  owner = "NixOS";
-  repo = "nixpkgs-channels";
-  rev = "541d9cce8af7a490fb9085305939569567cb58e6";
-  sha256 = "0jgz72hhzkd5vyq5v69vpljjlnf0lqaz7fh327bvb3cvmwbfxrja";
-}) {};
-in with pkgs; buildGoPackage rec {
+let
+  pkgs = import
+    ((import <nixpkgs> { }).fetchFromGitHub {
+      owner = "NixOS";
+      repo = "nixpkgs-channels";
+      rev = "541d9cce8af7a490fb9085305939569567cb58e6";
+      sha256 = "0jgz72hhzkd5vyq5v69vpljjlnf0lqaz7fh327bvb3cvmwbfxrja";
+    })
+    { };
+in
+with pkgs; buildGoPackage rec {
  name = "kontemplate-${version}";
  version = "canon";
  src = ./.;
@ -29,8 +33,8 @@ in with pkgs; buildGoPackage rec {
  # reason for setting the 'allowGoReference' flag.
  dontStrip = true; # Linker configuration handles stripping
  allowGoReference = true;
-  CGO_ENABLED="0";
-  GOCACHE="off";
+  CGO_ENABLED = "0";
+  GOCACHE = "off";

  # Configure release builds via the "build-matrix" script:
  buildInputs = [ git ];
--- a/ops/machines/whitby/default.nix
+++ b/ops/machines/whitby/default.nix
@ -4,7 +4,8 @@
 let
  inherit (builtins) listToAttrs;
  inherit (lib) range;
-in {
+in
+{
  imports = [
    "${depot.path}/ops/modules/atward.nix"
    "${depot.path}/ops/modules/clbot.nix"
@ -55,7 +56,13 @@ in {

    initrd = {
      availableKernelModules = [
-        "igb" "xhci_pci" "nvme" "ahci" "usbhid" "usb_storage" "sr_mod"
+        "igb"
+        "xhci_pci"
+        "nvme"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sr_mod"
      ];

      # Enable SSH in the initrd so that we can enter disk encryption
@ -189,7 +196,7 @@ in {
        ++ lukegb.keys.all
        ++ [ grfn.keys.whitby ]
        ++ sterni.keys.all
-        ;
+      ;
    };
  };

@ -205,7 +212,8 @@ in {
  age.secrets =
    let
      secretFile = name: depot.ops.secrets."${name}.age";
-    in {
+    in
+    {
      clbot.file = secretFile "clbot";
      gerrit-queue.file = secretFile "gerrit-queue";
      grafana.file = secretFile "grafana";
@ -509,15 +517,16 @@ in {
      job_name = "node";
      scrape_interval = "5s";
      static_configs = [{
-        targets = ["localhost:${toString config.services.prometheus.exporters.node.port}"];
+        targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
      }];
-    } {
-      job_name = "nginx";
-      scrape_interval = "5s";
-      static_configs = [{
-        targets = ["localhost:${toString config.services.prometheus.exporters.nginx.port}"];
+    }
+      {
+        job_name = "nginx";
+        scrape_interval = "5s";
+        static_configs = [{
+          targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
+        }];
      }];
-    }];
  };

  services.grafana = {
@ -526,58 +535,62 @@ in {
    domain = "status.tvl.su";
    rootUrl = "https://status.tvl.su";
    analytics.reporting.enable = false;
-    extraOptions = let
-      options = {
-        auth = {
-          generic_oauth = {
-            enabled = true;
-            client_id = "grafana";
-            scopes = "openid profile email";
-            name = "TVL";
-            email_attribute_path = "mail";
-            login_attribute_path = "sub";
-            name_attribute_path = "displayName";
-            auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
-            token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
-            api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";
+    extraOptions =
+      let
+        options = {
+          auth = {
+            generic_oauth = {
+              enabled = true;
+              client_id = "grafana";
+              scopes = "openid profile email";
+              name = "TVL";
+              email_attribute_path = "mail";
+              login_attribute_path = "sub";
+              name_attribute_path = "displayName";
+              auth_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/auth";
+              token_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/token";
+              api_url = "https://auth.tvl.fyi/auth/realms/TVL/protocol/openid-connect/userinfo";

-            # Give lukegb, grfn, tazjin "Admin" rights.
-            role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";
+              # Give lukegb, grfn, tazjin "Admin" rights.
+              role_attribute_path = "((sub == 'lukegb' || sub == 'grfn' || sub == 'tazjin') && 'Admin') || 'Editor'";

-            # Allow creating new Grafana accounts from OAuth accounts.
-            allow_sign_up = true;
+              # Allow creating new Grafana accounts from OAuth accounts.
+              allow_sign_up = true;
+            };
+
+            anonymous = {
+              enabled = true;
+              org_name = "The Virus Lounge";
+              org_role = "Viewer";
+            };
+
+            basic.enabled = false;
+            oauth_auto_login = true;
+            disable_login_form = true;
          };
-
-          anonymous = {
-            enabled = true;
-            org_name = "The Virus Lounge";
-            org_role = "Viewer";
-          };
-
-          basic.enabled = false;
-          oauth_auto_login = true;
-          disable_login_form = true;
        };
-      };
-      inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
-      inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;
+        inherit (builtins) typeOf replaceStrings listToAttrs concatLists;
+        inherit (lib) toUpper mapAttrsToList nameValuePair concatStringsSep;

-      # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
-      encodeName = raw: replaceStrings ["."] ["_"] (toUpper (concatStringsSep "_" raw));
+        # Take ["auth" "generic_oauth" "enabled"] and turn it into OPTIONS_GENERIC_OAUTH_ENABLED.
+        encodeName = raw: replaceStrings [ "." ] [ "_" ] (toUpper (concatStringsSep "_" raw));

-      # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
-      optionToString = value:
-        if (typeOf value) == "bool" then
-          if value then "true" else "false"
-        else builtins.toString value;
+        # Turn an option value into a string, but we want bools to be sensible strings and not "1" or "".
+        optionToString = value:
+          if (typeOf value) == "bool" then
+            if value then "true" else "false"
+          else builtins.toString value;

-      # Turn an nested options attrset into a flat listToAttrs-compatible list.
-      encodeOptions = prefix: inp: concatLists (mapAttrsToList (name: value:
-        if (typeOf value) == "set"
-          then encodeOptions (prefix ++ [name]) value
-          else [ (nameValuePair (encodeName (prefix ++ [name])) (optionToString value)) ]
-        ) inp);
-    in listToAttrs (encodeOptions [] options);
+        # Turn an nested options attrset into a flat listToAttrs-compatible list.
+        encodeOptions = prefix: inp: concatLists (mapAttrsToList
+          (name: value:
+            if (typeOf value) == "set"
+            then encodeOptions (prefix ++ [ name ]) value
+            else [ (nameValuePair (encodeName (prefix ++ [ name ])) (optionToString value)) ]
+          )
+          inp);
+      in
+      listToAttrs (encodeOptions [ ] options);

    provision = {
      enable = true;
@ -623,8 +636,8 @@ in {

  security.sudo.extraRules = [
    {
-      groups = ["wheel"];
-      commands = [{ command = "ALL"; options = ["NOPASSWD"]; }];
+      groups = [ "wheel" ];
+      commands = [{ command = "ALL"; options = [ "NOPASSWD" ]; }];
    }
  ];

@ -705,7 +718,7 @@ in {
    };

    # Set up a user & group for git shenanigans
-    groups.git = {};
+    groups.git = { };
    users.git = {
      group = "git";
      isSystemUser = true;
--- a/ops/modules/atward.nix
+++ b/ops/modules/atward.nix
@ -3,7 +3,8 @@
 let
  cfg = config.services.depot.atward;
  description = "atward - (attempt to) cleverly route queries";
-in {
+in
+{
  options.services.depot.atward = {
    enable = lib.mkEnableOption description;

--- a/ops/modules/auto-deploy.nix
+++ b/ops/modules/auto-deploy.nix
@ -45,7 +45,8 @@ let
    # NixOS in $STATE_DIRECTORY
    (cd / && ${rebuild-system}/bin/rebuild-system)
  '';
-in {
+in
+{
  options.services.depot.auto-deploy = {
    enable = lib.mkEnableOption description;

--- a/ops/modules/automatic-gc.nix
+++ b/ops/modules/automatic-gc.nix
@ -29,7 +29,8 @@ let
      echo "Skipping GC, enough space available"
    fi
  '';
-in {
+in
+{
  options.services.depot.automatic-gc = {
    enable = lib.mkEnableOption description;

--- a/ops/modules/clbot.nix
+++ b/ops/modules/clbot.nix
@ -21,7 +21,7 @@ let
      (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"") flags));

  # Escapes a unit name for use in systemd
-  systemdEscape = name: removeSuffix "\n" (readFile (runCommandNoCC "unit-name" {} ''
+  systemdEscape = name: removeSuffix "\n" (readFile (runCommandNoCC "unit-name" { } ''
    ${pkgs.systemd}/bin/systemd-escape '${name}' >> $out
  ''));

@ -42,7 +42,8 @@ let
      };
    };
  };
-in {
+in
+{
  options.services.depot.clbot = {
    enable = mkEnableOption description;

@ -68,7 +69,7 @@ in {
    # (notably the SSH private key) readable by this user outside of
    # the module.
    users = {
-      groups.clbot = {};
+      groups.clbot = { };

      users.clbot = {
        group = "clbot";
--- a/ops/modules/default.nix
+++ b/ops/modules/default.nix
@ -1,2 +1,2 @@
 # Make readTree happy at this level.
-_: {}
+_: { }
--- a/ops/modules/gerrit-queue.nix
+++ b/ops/modules/gerrit-queue.nix
@ -8,7 +8,8 @@ let
    inherit default;
    type = lib.types.str;
  };
-in {
+in
+{
  options.services.depot.gerrit-queue = {
    enable = lib.mkEnableOption description;
    gerritUrl = mkStringOption "https://cl.tvl.fyi";
--- a/ops/modules/git-serving.nix
+++ b/ops/modules/git-serving.nix
@ -12,7 +12,8 @@

 let
  cfg = config.services.depot.git-serving;
-in {
+in
+{
  options.services.depot.git-serving = with lib; {
    enable = mkEnableOption "Enable cgit & josh configuration";

--- a/ops/modules/irccat.nix
+++ b/ops/modules/irccat.nix
@ -27,7 +27,8 @@ let

    exec ${depot.third_party.irccat}/bin/irccat
  '';
-in {
+in
+{
  options.services.depot.irccat = {
    enable = lib.mkEnableOption description;

--- a/ops/modules/monorepo-gerrit.nix
+++ b/ops/modules/monorepo-gerrit.nix
@ -9,12 +9,13 @@ let
    exec -a ${name} ${depot.ops.besadii}/bin/besadii "$@"
  '';

-  gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" {} ''
+  gerritHooks = pkgs.runCommandNoCC "gerrit-hooks" { } ''
    mkdir -p $out
    ln -s ${besadiiWithConfig "change-merged"} $out/change-merged
    ln -s ${besadiiWithConfig "patchset-created"} $out/patchset-created
  '';
-in {
+in
+{
  services.gerrit = {
    enable = true;
    listenAddress = "[::]:4778"; # 4778 - grrt
--- a/ops/modules/nixery.nix
+++ b/ops/modules/nixery.nix
@ -6,7 +6,8 @@ let
  cfg = config.services.depot.nixery;
  description = "Nixery - container images on-demand";
  storagePath = "/var/lib/nixery/${pkgs.nixpkgsCommits.unstable}";
-in {
+in
+{
  options.services.depot.nixery = {
    enable = lib.mkEnableOption description;

--- a/ops/modules/oauth2_proxy.nix
+++ b/ops/modules/oauth2_proxy.nix
@ -19,7 +19,8 @@ let
    reverse_proxy = true
    set_xauthrequest = true
  '';
-in {
+in
+{
  options.services.depot.oauth2_proxy = {
    enable = lib.mkEnableOption description;

--- a/ops/modules/owothia.nix
+++ b/ops/modules/owothia.nix
@ -4,7 +4,8 @@
 let
  cfg = config.services.depot.owothia;
  description = "owothia - i'm a service owo";
-in {
+in
+{
  options.services.depot.owothia = {
    enable = lib.mkEnableOption description;

--- a/ops/modules/panettone.nix
+++ b/ops/modules/panettone.nix
@ -2,7 +2,8 @@

 let
  cfg = config.services.depot.panettone;
-in {
+in
+{
  options.services.depot.panettone = with lib; {
    enable = mkEnableOption "Panettone issue tracker";

@ -62,23 +63,26 @@ in {
      assertion =
        cfg.dbHost != "localhost" || config.services.postgresql.enable;
      message = "Panettone requires a postgresql database";
-    } {
-      assertion =
-        cfg.dbHost != "localhost" || config.services.postgresql.enableTCPIP;
-      message = "Panettone can only connect to the postgresql database over TCP";
-    } {
-      assertion =
-        cfg.dbHost != "localhost" || (lib.any
-          (user: user.name == cfg.dbUser)
-          config.services.postgresql.ensureUsers);
-      message = "Panettone requires a database user";
-    } {
-      assertion =
-        cfg.dbHost != "localhost" || (lib.any
-          (db: db == cfg.dbName)
-          config.services.postgresql.ensureDatabases);
-      message = "Panettone requires a database";
-    }];
+    }
+      {
+        assertion =
+          cfg.dbHost != "localhost" || config.services.postgresql.enableTCPIP;
+        message = "Panettone can only connect to the postgresql database over TCP";
+      }
+      {
+        assertion =
+          cfg.dbHost != "localhost" || (lib.any
+            (user: user.name == cfg.dbUser)
+            config.services.postgresql.ensureUsers);
+        message = "Panettone requires a database user";
+      }
+      {
+        assertion =
+          cfg.dbHost != "localhost" || (lib.any
+            (db: db == cfg.dbName)
+            config.services.postgresql.ensureDatabases);
+        message = "Panettone requires a database";
+      }];

    systemd.services.panettone = {
      wantedBy = [ "multi-user.target" ];
--- a/ops/modules/paroxysm.nix
+++ b/ops/modules/paroxysm.nix
@ -3,7 +3,8 @@
 let
  cfg = config.services.depot.paroxysm;
  description = "TVL's majestic IRC bot";
-in {
+in
+{
  options.services.depot.paroxysm.enable = lib.mkEnableOption description;

  config = lib.mkIf cfg.enable {
--- a/ops/modules/quassel.nix
+++ b/ops/modules/quassel.nix
@ -8,7 +8,8 @@ let
    enableDaemon = true;
    withKDE = false;
  };
-in {
+in
+{
  options.services.depot.quassel = with lib; {
    enable = mkEnableOption "Quassel IRC daemon";

@ -70,7 +71,7 @@ in {
        group = "quassel";
      };

-      groups.quassel = {};
+      groups.quassel = { };
    };
  };
 }
--- a/ops/modules/restic.nix
+++ b/ops/modules/restic.nix
@ -14,7 +14,8 @@ let
    inherit default;
    type = lib.types.str;
  };
-in {
+in
+{
  options.services.depot.restic = {
    enable = lib.mkEnableOption description;
    bucketEndpoint = mkStringOption "objects.dc-sto1.glesys.net";
--- a/ops/modules/smtprelay.nix
+++ b/ops/modules/smtprelay.nix
@ -27,8 +27,9 @@ let
  prepareArgs = args:
    concatStringsSep " "
      (attrValues (mapAttrs (key: value: "-${key} \"${toString value}\"")
-                            (args // overrideArgs)));
-in {
+        (args // overrideArgs)));
+in
+{
  options.services.depot.smtprelay = {
    enable = mkEnableOption description;

--- a/ops/modules/sourcegraph.nix
+++ b/ops/modules/sourcegraph.nix
@ -4,7 +4,8 @@

 let
  cfg = config.services.depot.sourcegraph;
-in {
+in
+{
  options.services.depot.sourcegraph = with lib; {
    enable = mkEnableOption "SourceGraph code search engine";

@ -51,7 +52,8 @@ in {
      # Sourcegraph needs a higher nofile limit, it logs warnings
      # otherwise (unclear whether it actually affects the service).
      extraOptions = [
-        "--ulimit" "nofile=10000:10000"
+        "--ulimit"
+        "nofile=10000:10000"
      ];
    };
  };
--- a/ops/modules/tvl-buildkite.nix
+++ b/ops/modules/tvl-buildkite.nix
@ -13,7 +13,7 @@ let

  # All Buildkite hooks are actually besadii, but it's being invoked
  # with different names.
-  buildkiteHooks = pkgs.runCommandNoCC "buildkite-hooks" {} ''
+  buildkiteHooks = pkgs.runCommandNoCC "buildkite-hooks" { } ''
    mkdir -p $out/bin
    ln -s ${besadiiWithConfig "post-command"} $out/bin/post-command
  '';
@ -22,7 +22,8 @@ let
    echo 'username=buildkite'
    echo "password=$(jq -r '.gerritPassword' /run/agenix/buildkite-besadii-config)"
  '';
-in {
+in
+{
  options.services.depot.buildkite = {
    enable = lib.mkEnableOption description;
    agentCount = lib.mkOption {
@ -33,39 +34,43 @@ in {

  config = lib.mkIf cfg.enable {
    # Run the Buildkite agents using the default upstream module.
-    services.buildkite-agents = builtins.listToAttrs (map (n: rec {
-      name = "whitby-${toString n}";
-      value = {
-        inherit name;
-        enable = true;
-        tokenPath = "/run/agenix/buildkite-agent-token";
-        hooks.post-command = "${buildkiteHooks}/bin/post-command";
+    services.buildkite-agents = builtins.listToAttrs (map
+      (n: rec {
+        name = "whitby-${toString n}";
+        value = {
+          inherit name;
+          enable = true;
+          tokenPath = "/run/agenix/buildkite-agent-token";
+          hooks.post-command = "${buildkiteHooks}/bin/post-command";

-        runtimePackages = with pkgs; [
-          bash
-          coreutils
-          credentialHelper
-          curl
-          git
-          gnutar
-          gzip
-          jq
-          nix
-        ];
-      };
-    }) agents);
+          runtimePackages = with pkgs; [
+            bash
+            coreutils
+            credentialHelper
+            curl
+            git
+            gnutar
+            gzip
+            jq
+            nix
+          ];
+        };
+      })
+      agents);

    # Set up a group for all Buildkite agent users
    users = {
-      groups.buildkite-agents = {};
-      users = builtins.listToAttrs (map (n: rec {
-        name = "buildkite-agent-whitby-${toString n}";
-        value = {
-          isSystemUser = true;
-          group = lib.mkForce "buildkite-agents";
-          extraGroups = [ name "docker" ];
-        };
-      }) agents);
+      groups.buildkite-agents = { };
+      users = builtins.listToAttrs (map
+        (n: rec {
+          name = "buildkite-agent-whitby-${toString n}";
+          value = {
+            isSystemUser = true;
+            group = lib.mkForce "buildkite-agents";
+            extraGroups = [ name "docker" ];
+          };
+        })
+        agents);
    };
  };
 }
--- a/ops/modules/tvl-slapd/default.nix
+++ b/ops/modules/tvl-slapd/default.nix
@ -26,7 +26,8 @@ let

  inherit (depot.ops) users;

-in {
+in
+{
  services.openldap = {
    enable = true;

@ -48,7 +49,7 @@ in {

      "cn=schema".includes =
        map (schema: "${pkgs.openldap}/etc/schema/${schema}.ldif")
-            [ "core" "cosine" "inetorgperson" "nis" ];
+          [ "core" "cosine" "inetorgperson" "nis" ];
    };

    # Contents are immutable at runtime, and adding user accounts etc.
--- a/ops/pipelines/depot.nix
+++ b/ops/pipelines/depot.nix
@ -16,9 +16,10 @@ let
    drvTargets = depot.ci.targets;
    additionalSteps = [ protoCheck ];

-    parentTargetMap = if (externalArgs ? parentTargetMap)
+    parentTargetMap =
+      if (externalArgs ? parentTargetMap)
      then builtins.fromJSON (builtins.readFile externalArgs.parentTargetMap)
-      else {};
+      else { };

    postBuildSteps = [
      # After successful builds, create a gcroot for builds on canon.
@ -40,7 +41,8 @@ let
  };

  drvmap = depot.nix.buildkite.mkDrvmap depot.ci.targets;
-in pkgs.runCommandNoCC "depot-pipeline" {} ''
+in
+pkgs.runCommandNoCC "depot-pipeline" { } ''
  mkdir $out
  cp -r ${pipeline}/* $out
  cp ${drvmap} $out/drvmap.json
--- a/ops/secrets/mkSecrets.nix
+++ b/ops/secrets/mkSecrets.nix
@ -22,6 +22,6 @@ in

 defun [ path (attrs agenixSecret) (attrs any) ]
  (path: secrets:
-    depot.nix.readTree.drvTargets
-      # Import each secret into the Nix store
-      (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
+  depot.nix.readTree.drvTargets
+    # Import each secret into the Nix store
+    (builtins.mapAttrs (name: _: "${path}/${name}") secrets))
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@ -15,7 +15,8 @@ let
  whitby = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNh/w4BSKov0jdz3gKBc98tpoLta5bb87fQXWBhAl2I";

  default.publicKeys = tazjin ++ grfn ++ sterni ++ [ whitby ];
-in {
+in
+{
  "besadii.age" = default;
  "buildkite-agent-token.age" = default;
  "buildkite-graphql-token.age" = default;