refactor(treewide): format with alejandra

nixos/modules/base/security/kernel.nix

@@ -1,18 +1,18 @@
-{ lib, config, ... }:
-
-let
+{
+  lib,
+  config,
+  ...
+}: let
   inherit (lib) optionals mkForce concatLists;
   inherit (builtins) elem;
   features = config.ooknet.host.hardware.features;
-in
-
-{
+in {
   security = {
     # Protects the kernel from being tampered with at runtime. prevents the ability to hibernate.
-    protectKernelImage = true; 
+    protectKernelImage = true;
 
     # page table isolation (PTI) is a kernel option designed to protect against
-    # side-channel attacks, including Meltdown & Spectre vunerabilities.  
+    # side-channel attacks, including Meltdown & Spectre vunerabilities.
     forcePageTableIsolation = true;
 
     # locking kernel modules during runtime breaks certain services by stopping them from being
@@ -41,7 +41,7 @@ in
 
         # limits the exposer of the kernel memory address via dmesg
         "kernel.dmesg_restrict" = 1;
-        
+
         # we are not a kernel developer so we disable this to prevent potential information leaks & attacks
         "kernel.ftrace_enabled" = false;
 
@@ -100,7 +100,7 @@ in
       # disables a common interface that contains sensitive info on the kernel
       "debugfs=off"
 
-      # prevent kernel from blanking plymouth out of the frame buffer console 
+      # prevent kernel from blanking plymouth out of the frame buffer console
       "fbcon=nodefer"
 
       # enables auditing of integrity measurement events
@@ -112,11 +112,10 @@ in
 
       # disables the legacy vyscall mechanism, reducing attack surface.
       "vsyscall=none"
-      
+
       # reduce exposure to heap attacks by preventing different slab caches from being merged.
       "slab_nomerge"
 
-      
       "rootflags=noatime"
       "lsm=landlock,lockdown,yama,integrity,apparmor,bpf,tomoyo,selinux"
     ];

nixos/modules/base/security/polkit.nix

@@ -1,11 +1,10 @@
-
-{ lib, config, ... }:
-
-let
-  inherit (lib) mkDefault mkIf;
-in
-
 {
+  lib,
+  config,
+  ...
+}: let
+  inherit (lib) mkDefault mkIf;
+in {
   security.polkit = {
     enable = true;
     debug = mkDefault true;

nixos/modules/base/security/sudo.nix

@@ -1,10 +1,6 @@
-{ lib, ... }: 
-
-let
+{lib, ...}: let
   inherit (lib) mkDefault mkForce;
-in
-
-{
+in {
   # nyx module
   security = {
     sudo-rs.enable = mkForce false; # we don't want the rust sudo fork
@@ -12,12 +8,16 @@ in
       enable = true;
       wheelNeedsPassword = mkDefault false; # only use false here if the extraRules below are enabled
       execWheelOnly = mkForce true; # only allow wheel to execute sudo
-      extraConfig = /* shell */ ''
-        Defaults lecture = never # disable sudo lecture
-        Defaults pwfeedback # password feedback
-        Defaults env_keep += "EDITOR PATH DISPLAY" # variables to be passes to root
-        Defaults timestamp_timeout = 300 # asks for sudo password ever 300s
-      '';
+      extraConfig =
+        /*
+        shell
+        */
+        ''
+          Defaults lecture = never # disable sudo lecture
+          Defaults pwfeedback # password feedback
+          Defaults env_keep += "EDITOR PATH DISPLAY" # variables to be passes to root
+          Defaults timestamp_timeout = 300 # asks for sudo password ever 300s
+        '';
       extraRules = [
         {
           # allow wheel group to run nixos-rebuild without password