fix nix flake check

systems/x86_64-linux/jallen-nas/services.nix

@@ -7,12 +7,31 @@ let
   nasData = "/media/nas/main";
 in
 {
-  systemd.network.wait-online.enable = false;
-  # Force tailscaled to use nftables (Critical for clean nftables-only systems)
-  # This avoids the "iptables-compat" translation layer issues.
-  systemd.services.tailscaled.serviceConfig.Environment = [
-    "TS_DEBUG_FIREWALL_MODE=nftables"
-  ];
+  systemd = {
+    network.wait-online.enable = false;
+    services = {
+      # Force tailscaled to use nftables (Critical for clean nftables-only systems)
+      # This avoids the "iptables-compat" translation layer issues.
+      tailscaled.serviceConfig.Environment = [
+        "TS_DEBUG_FIREWALL_MODE=nftables"
+      ];
+      # Pre-create extensions and grant superuser-owned objects that the sparkyfitness
+      # role cannot manage itself.  Appended to postgresql-setup.service which already
+      # runs as the postgres superuser after the DB is confirmed ready.
+      #
+      # 1. pg_stat_statements requires superuser to CREATE EXTENSION.
+      # 2. The extension installs functions owned by the postgres superuser; the
+      #    sparkyfitness role cannot GRANT EXECUTE on objects it doesn't own, so we
+      #    pre-grant them here before the app's grantPermissions() runs.
+      postgresql-setup.script = lib.mkAfter ''
+        psql -d sparkyfitness -c "
+          CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
+          GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
+          GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
+        "
+      '';
+    };
+  };
   networking.nftables.enable = true;
   boot.initrd.systemd.network.wait-online.enable = false;
 
@@ -168,19 +187,4 @@ in
 
   };
 
-  # Pre-create extensions and grant superuser-owned objects that the sparkyfitness
-  # role cannot manage itself.  Appended to postgresql-setup.service which already
-  # runs as the postgres superuser after the DB is confirmed ready.
-  #
-  # 1. pg_stat_statements requires superuser to CREATE EXTENSION.
-  # 2. The extension installs functions owned by the postgres superuser; the
-  #    sparkyfitness role cannot GRANT EXECUTE on objects it doesn't own, so we
-  #    pre-grant them here before the app's grantPermissions() runs.
-  systemd.services.postgresql-setup.script = lib.mkAfter ''
-    psql -d sparkyfitness -c "
-      CREATE EXTENSION IF NOT EXISTS pg_stat_statements;
-      GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO sparkyfitness;
-      GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA pg_catalog TO sparkyfitness;
-    "
-  '';
 }

systems/x86_64-linux/matt-nixos/sops.nix

@@ -6,7 +6,7 @@
 }:
 let
   user = config.${namespace}.user.name;
-  desktopSopsFile = (lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml");
+  desktopSopsFile = lib.snowfall.fs.get-file "secrets/desktop-secrets.yaml";
 in
 {
   # Permission modes are in octal representation (same as chmod),
@@ -32,7 +32,7 @@ in
         neededForUsers = true;
         mode = "0600";
         owner = config.users.users."${user}".name;
-        group = config.users.users."${user}".group;
+        inherit (config.users.users."${user}") group;
       };
 
       "desktop/hass_token" = {
@@ -65,13 +65,13 @@ in
       "ssh-keys-public/desktop-nixos" = {
         mode = "0644";
         owner = config.users.users."${user}".name;
-        group = config.users.users."${user}".group;
+        inherit (config.users.users."${user}") group;
         restartUnits = [ "sshd.service" ];
       };
       "ssh-keys-private/desktop-nixos" = {
         mode = "0600";
         owner = config.users.users."${user}".name;
-        group = config.users.users."${user}".group;
+        inherit (config.users.users."${user}") group;
         restartUnits = [ "sshd.service" ];
       };
       "ssh-keys-public/desktop-nixos-root" = {