diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 00000000..e6eddc2a
--- /dev/null
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,2 @@
+1d72ba6c0beeb30d85d8021cb2004b3f6f48126d
+301aae86217b9c24fed83ac28f5da3d06d30e47e
diff --git a/.github/workflows/nomad-lint.yml b/.github/workflows/nomad-lint.yml
new file mode 100644
index 00000000..b22e4176
--- /dev/null
+++ b/.github/workflows/nomad-lint.yml
@@ -0,0 +1,43 @@
+name: Lint Nomad files
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - services/nomad/**.nomad
+  push:
+    branches:
+      - master
+    paths:
+      - services/nomad/**.nomad
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint Nomad files
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/void-linux/void-glibc
+    steps:
+      - name: Prepare container
+        run: |
+          xbps-install -Syu xbps && xbps-install -y void-repo-nonfree && \
+            xbps-install -Syu && xbps-install -y nomad bash git
+
+      - name: Checkout repo
+        uses: classabbyamp/treeless-checkout-action@v1
+
+      - name: Run Lints
+        run: |
+          rv=0
+          printf "\033[1m=> Checking formatting of nomad files\033[0m\n"
+          nomad fmt -check -recursive services/nomad || rv=1
+          if [ "$rv" -ne 0 ]; then
+            printf "\033[1m=> Some nomad files need formatting! Run 'nomad fmt' on the listed files. \033[0m\n"
+          fi
+          exit "$rv"
+
diff --git a/.github/workflows/terraform-lint.yml b/.github/workflows/terraform-lint.yml
new file mode 100644
index 00000000..caca332d
--- /dev/null
+++ b/.github/workflows/terraform-lint.yml
@@ -0,0 +1,43 @@
+name: Lint Terraform files
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - master
+    paths:
+      - terraform/**.tf
+  push:
+    branches:
+      - master
+    paths:
+      - terraform/**.tf
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: Lint Terraform files
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/void-linux/void-glibc
+    steps:
+      - name: Prepare container
+        run: |
+          xbps-install -Syu xbps && xbps-install -y void-repo-nonfree && \
+            xbps-install -Syu && xbps-install -y terraform bash git
+
+      - name: Checkout repo
+        uses: classabbyamp/treeless-checkout-action@v1
+
+      - name: Run Lints
+        run: |
+          rv=0
+          printf "\033[1m=> Checking formatting of terraform files\033[0m\n"
+          terraform fmt -check -recursive terraform || rv=1
+          if [ "$rv" -ne 0 ]; then
+            printf "\033[1m=> Some terraform files need formatting! Run 'terraform fmt' on the listed files. \033[0m\n"
+          fi
+          exit "$rv"
+
diff --git a/services/nomad/apps/alps.nomad b/services/nomad/apps/alps.nomad
index 14d73fab..af960ccc 100644
--- a/services/nomad/apps/alps.nomad
+++ b/services/nomad/apps/alps.nomad
@@ -1,7 +1,7 @@
 job "alps" {
   datacenters = ["VOID"]
-  namespace = "apps-restricted"
-  type = "service"
+  namespace   = "apps-restricted"
+  type        = "service"
 
   group "app" {
     count = 1
@@ -16,7 +16,7 @@ job "alps" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "alps.s.voidlinux.org alps.voidlinux.org"
+        nginx_names  = "alps.s.voidlinux.org alps.voidlinux.org"
       }
     }
 
@@ -25,7 +25,7 @@ job "alps" {
 
       config {
         image = "ghcr.io/void-linux/infra-alps:9cb23b09"
-        args = ["imaps://mx1.voidlinux.org:993", "smtps://mx1.voidlinux.org:465"]
+        args  = ["imaps://mx1.voidlinux.org:993", "smtps://mx1.voidlinux.org:465"]
       }
     }
   }
diff --git a/services/nomad/apps/debuginfod.nomad b/services/nomad/apps/debuginfod.nomad
index 8e2d64f3..4cdd4136 100644
--- a/services/nomad/apps/debuginfod.nomad
+++ b/services/nomad/apps/debuginfod.nomad
@@ -1,21 +1,21 @@
 job "debuginfod" {
   datacenters = ["VOID"]
-  namespace = "apps"
-  type = "service"
+  namespace   = "apps"
+  type        = "service"
 
   group "app" {
     count = 1
 
     volume "binpkgs" {
-      type = "host"
+      type      = "host"
       read_only = true
-      source = "root-pkgs"
+      source    = "root-pkgs"
     }
 
     volume "debuginfod" {
-      type = "host"
+      type      = "host"
       read_only = false
-      source = "debuginfod-data"
+      source    = "debuginfod-data"
     }
 
     network {
@@ -30,15 +30,15 @@ job "debuginfod" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "debuginfod.s.voidlinux.org debuginfod.voidlinux.org"
+        nginx_names  = "debuginfod.s.voidlinux.org debuginfod.voidlinux.org"
       }
 
       check {
-        type = "http"
+        type         = "http"
         address_mode = "host"
-        path = "/metrics"
-        timeout = "30s"
-        interval = "15s"
+        path         = "/metrics"
+        timeout      = "30s"
+        interval     = "15s"
       }
     }
 
@@ -46,15 +46,15 @@ job "debuginfod" {
       driver = "docker"
 
       volume_mount {
-        volume = "binpkgs"
+        volume      = "binpkgs"
         destination = "/binpkgs"
-        read_only = true
+        read_only   = true
       }
 
       volume_mount {
-        volume = "debuginfod"
+        volume      = "debuginfod"
         destination = "/debuginfod"
-        read_only = false
+        read_only   = false
       }
 
       config {
@@ -73,12 +73,12 @@ job "debuginfod" {
 
       resources {
         memory = 8000
-        cpu = 6000
+        cpu    = 6000
       }
 
       restart {
         attempts = 100
-        delay = "30s"
+        delay    = "30s"
       }
     }
   }
diff --git a/services/nomad/apps/devspace.nomad b/services/nomad/apps/devspace.nomad
index 0e7a1bd5..efa7b78d 100644
--- a/services/nomad/apps/devspace.nomad
+++ b/services/nomad/apps/devspace.nomad
@@ -1,21 +1,21 @@
 job "devspace" {
   datacenters = ["VOID-MIRROR"]
-  namespace = "apps"
-  type = "service"
+  namespace   = "apps"
+  type        = "service"
 
   group "sftpgo" {
     count = 1
 
     volume "devspace_data" {
-      type = "host"
+      type      = "host"
       read_only = false
-      source = "devspace_data"
+      source    = "devspace_data"
     }
 
     volume "netauth_config" {
-      type = "host"
+      type      = "host"
       read_only = true
-      source = "netauth_config"
+      source    = "netauth_config"
     }
 
     network {
@@ -31,13 +31,13 @@ job "devspace" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "devspace-sftp.voidlinux.org"
+        nginx_names  = "devspace-sftp.voidlinux.org"
       }
       check {
-        type = "http"
-        port = 8081
-        path = "/healthz"
-        timeout = "1s"
+        type     = "http"
+        port     = 8081
+        path     = "/healthz"
+        timeout  = "1s"
         interval = "30s"
       }
     }
@@ -46,39 +46,39 @@ job "devspace" {
       driver = "docker"
 
       volume_mount {
-        volume = "devspace_data"
+        volume      = "devspace_data"
         destination = "/data"
-        read_only = false
+        read_only   = false
       }
 
       volume_mount {
-        volume = "netauth_config"
+        volume      = "netauth_config"
         destination = "/etc/netauth"
-        read_only = true
+        read_only   = true
       }
 
       config {
-        image = "ghcr.io/void-linux/infra-sftpgo:20241231R1"
+        image        = "ghcr.io/void-linux/infra-sftpgo:20241231R1"
         network_mode = "host"
       }
 
       env {
-        SFTPGO_HTTPD__BINDINGS__0__PORT = "${NOMAD_PORT_http}"
-        SFTPGO_HTTPD__TEMPLATES_PATH = "/usr/share/sftpgo/templates"
-        SFTPGO_HTTPD__STATIC_FILES_PATH = "/usr/share/sftpgo/static"
-        SFTPGO_SFTPD__HOST_KEYS = "/secrets/id_rsa,/secrets/id_ecdsa,/secrets/id_ed25519"
-        SFTPGO_TELEMETRY__BIND_PORT = "8081"
-        SFTPGO_TELEMETRY__BIND_ADDRESS = ""
-        SFTPGO_DATA_PROVIDER__DRIVER = "sqlite"
-        SFTPGO_DATA_PROVIDER__NAME = "/data/sftpgo.db"
+        SFTPGO_HTTPD__BINDINGS__0__PORT          = "${NOMAD_PORT_http}"
+        SFTPGO_HTTPD__TEMPLATES_PATH             = "/usr/share/sftpgo/templates"
+        SFTPGO_HTTPD__STATIC_FILES_PATH          = "/usr/share/sftpgo/static"
+        SFTPGO_SFTPD__HOST_KEYS                  = "/secrets/id_rsa,/secrets/id_ecdsa,/secrets/id_ed25519"
+        SFTPGO_TELEMETRY__BIND_PORT              = "8081"
+        SFTPGO_TELEMETRY__BIND_ADDRESS           = ""
+        SFTPGO_DATA_PROVIDER__DRIVER             = "sqlite"
+        SFTPGO_DATA_PROVIDER__NAME               = "/data/sftpgo.db"
         SFTPGO_DATA_PROVIDER__EXTERNAL_AUTH_HOOK = "/usr/libexec/sftpgo/netauth-hook"
-        SFTPGO_COMMAND__COMMANDS__0__PATH = "/usr/libexec/sftpgo/netauth-hook"
-        SFTPGO_COMMAND__COMMANDS__0__ENV = "SFTPGO_NETAUTH_REQUIREGROUP=devspace-users,SFTPGO_NETAUTH_HOMEDIR=/data/home"
-        SFTPGO_COMMAND__COMMANDS__0__HOOK = "external_auth"
+        SFTPGO_COMMAND__COMMANDS__0__PATH        = "/usr/libexec/sftpgo/netauth-hook"
+        SFTPGO_COMMAND__COMMANDS__0__ENV         = "SFTPGO_NETAUTH_REQUIREGROUP=devspace-users,SFTPGO_NETAUTH_HOMEDIR=/data/home"
+        SFTPGO_COMMAND__COMMANDS__0__HOOK        = "external_auth"
       }
 
       template {
-                data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/devspace" -}}
 {{ .ssh_host_rsa_key }}
 {{- end -}}
@@ -87,7 +87,7 @@ EOF
       }
 
       template {
-                data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/devspace" -}}
 {{ .ssh_host_ed25519_key }}
 {{- end -}}
@@ -96,7 +96,7 @@ EOF
       }
 
       template {
-                data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/devspace" -}}
 {{ .ssh_host_ecdsa_key }}
 {{- end -}}
@@ -110,9 +110,9 @@ EOF
     count = 1
 
     volume "devspace_home" {
-      type = "host"
+      type      = "host"
       read_only = true
-      source = "devspace_home"
+      source    = "devspace_home"
     }
 
     network {
@@ -125,7 +125,7 @@ EOF
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "devspace.voidlinux.org"
+        nginx_names  = "devspace.voidlinux.org"
       }
     }
 
@@ -133,7 +133,7 @@ EOF
       driver = "docker"
 
       volume_mount {
-        volume = "devspace_home"
+        volume      = "devspace_home"
         destination = "/srv/www"
       }
 
@@ -142,7 +142,7 @@ EOF
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 server {
     server_name devspace;
     listen 0.0.0.0:80 default_server;
diff --git a/services/nomad/apps/etherpad.nomad b/services/nomad/apps/etherpad.nomad
index d9350112..e08dd8cd 100644
--- a/services/nomad/apps/etherpad.nomad
+++ b/services/nomad/apps/etherpad.nomad
@@ -1,7 +1,7 @@
 job "etherpad" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "apps"
+  namespace   = "apps"
 
   group "etherpad" {
     network {
@@ -14,14 +14,14 @@ job "etherpad" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "pad.voidlinux.org"
+        nginx_names  = "pad.voidlinux.org"
       }
     }
 
     volume "etherpad" {
-      type = "host"
+      type      = "host"
       read_only = false
-      source = "etherpad-data"
+      source    = "etherpad-data"
     }
 
     task "app" {
@@ -32,15 +32,15 @@ job "etherpad" {
       }
 
       env {
-        DB_FILENAME="/data/db.json"
-        SUPPRESS_ERRORS_IN_PAD_TEXT="false"
-        TRUST_PROXY="true"
+        DB_FILENAME                 = "/data/db.json"
+        SUPPRESS_ERRORS_IN_PAD_TEXT = "false"
+        TRUST_PROXY                 = "true"
       }
 
       volume_mount {
-        volume = "etherpad"
+        volume      = "etherpad"
         destination = "/data"
-        read_only = false
+        read_only   = false
       }
     }
   }
diff --git a/services/nomad/apps/feediverse.nomad b/services/nomad/apps/feediverse.nomad
index 3b8fd40b..cb2d6ed5 100644
--- a/services/nomad/apps/feediverse.nomad
+++ b/services/nomad/apps/feediverse.nomad
@@ -1,7 +1,7 @@
 job "feediverse" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "apps"
+  namespace   = "apps"
 
   group "feediverse" {
     network {
@@ -10,8 +10,8 @@ job "feediverse" {
 
     ephemeral_disk {
       migrate = true
-      size = 200
-      sticky = true
+      size    = 200
+      sticky  = true
     }
 
     task "app" {
@@ -22,14 +22,14 @@ job "feediverse" {
       }
 
       env {
-        VERBOSE = 1
+        VERBOSE     = 1
         CONFIG_FILE = "/secrets/config.yaml"
-        STATE_FILE = "/alloc/data/state.json"
-        DEDUPE = "url"
+        STATE_FILE  = "/alloc/data/state.json"
+        DEDUPE      = "url"
       }
 
       template {
-        data = <<EOT
+        data        = <<EOT
 {{- with nomadVar "nomad/jobs/feediverse" }}
 access_token: "{{ .access_token }}"
 client_id: "{{ .client_id }}"
diff --git a/services/nomad/apps/infradocs.nomad b/services/nomad/apps/infradocs.nomad
index a3d61a9f..fc6a9532 100644
--- a/services/nomad/apps/infradocs.nomad
+++ b/services/nomad/apps/infradocs.nomad
@@ -1,7 +1,7 @@
 job "infradocs" {
   datacenters = ["VOID"]
-  namespace = "apps"
-  type = "service"
+  namespace   = "apps"
+  type        = "service"
 
   group "app" {
     count = 1
@@ -18,15 +18,15 @@ job "infradocs" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "infradocs.voidlinux.org"
+        nginx_names  = "infradocs.voidlinux.org"
       }
 
       check {
-        type = "http"
+        type         = "http"
         address_mode = "host"
-        path = "/"
-        timeout = "30s"
-        interval = "15s"
+        path         = "/"
+        timeout      = "30s"
+        interval     = "15s"
       }
     }
 
diff --git a/services/nomad/apps/ircbot.nomad b/services/nomad/apps/ircbot.nomad
index 2f8c5650..08da035d 100644
--- a/services/nomad/apps/ircbot.nomad
+++ b/services/nomad/apps/ircbot.nomad
@@ -1,7 +1,7 @@
 job "ircbot" {
   datacenters = ["VOID"]
-  namespace = "apps"
-  type = "service"
+  namespace   = "apps"
+  type        = "service"
 
   group "app" {
     count = 1
@@ -18,7 +18,7 @@ job "ircbot" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "ircbot.voidlinux.org"
+        nginx_names  = "ircbot.voidlinux.org"
       }
     }
 
@@ -30,14 +30,14 @@ job "ircbot" {
       }
 
       env {
-        IRC_SERVER="irc.libera.chat:6697"
-        IRC_CHANNEL="#xbps"
-        IRC_NICK="void-robot"
-        IRC_SASL="true"
+        IRC_SERVER  = "irc.libera.chat:6697"
+        IRC_CHANNEL = "#xbps"
+        IRC_NICK    = "void-robot"
+        IRC_SASL    = "true"
       }
 
       template {
-        data = <<EOT
+        data        = <<EOT
 {{- with nomadVar "nomad/jobs/ircbot" }}
 IRC_USER="{{ .username }}"
 IRC_PASS="{{ .password }}"
@@ -45,7 +45,7 @@ WEBHOOK_SECRET="{{ .webhook }}"
 {{- end }}
 EOT
         destination = "secret/env"
-        env = true
+        env         = true
       }
     }
   }
diff --git a/services/nomad/apps/maddy.nomad b/services/nomad/apps/maddy.nomad
index 1ffe0007..356257ed 100644
--- a/services/nomad/apps/maddy.nomad
+++ b/services/nomad/apps/maddy.nomad
@@ -1,21 +1,21 @@
 job "maddy" {
   datacenters = ["VOID-MX"]
-  namespace = "apps-restricted"
-  type = "service"
+  namespace   = "apps-restricted"
+  type        = "service"
 
   group "app" {
     count = 1
 
     volume "maddy_data" {
-      type = "host"
+      type      = "host"
       read_only = false
-      source = "maddy_data"
+      source    = "maddy_data"
     }
 
     volume "netauth_config" {
-      type = "host"
+      type      = "host"
       read_only = true
-      source = "netauth_config"
+      source    = "netauth_config"
     }
 
     network {
@@ -31,20 +31,20 @@ job "maddy" {
       driver = "docker"
 
       volume_mount {
-        volume = "maddy_data"
+        volume      = "maddy_data"
         destination = "/data"
-        read_only = false
+        read_only   = false
       }
 
       volume_mount {
-        volume = "netauth_config"
+        volume      = "netauth_config"
         destination = "/etc/netauth"
-        read_only = true
+        read_only   = true
       }
 
       config {
-        image = "docker.io/foxcpp/maddy:0.7.0"
-        entrypoint = ["/bin/maddy", "--config", "/local/maddy.conf", "run"]
+        image        = "docker.io/foxcpp/maddy:0.7.0"
+        entrypoint   = ["/bin/maddy", "--config", "/local/maddy.conf", "run"]
         network_mode = "host"
       }
 
@@ -53,26 +53,26 @@ job "maddy" {
       }
 
       env {
-        MADDY_DOMAIN = "voidlinux.org"
+        MADDY_DOMAIN   = "voidlinux.org"
         MADDY_HOSTNAME = "mx1.voidlinux.org"
       }
 
       template {
-        data = file("maddy.conf")
+        data        = file("maddy.conf")
         destination = "local/maddy.conf"
-        perms = 644
+        perms       = 644
       }
 
       template {
-        data = "{{ with nomadVar \"nomad/jobs/maddy\" }}{{ .certificate }}{{ end }}"
+        data        = "{{ with nomadVar \"nomad/jobs/maddy\" }}{{ .certificate }}{{ end }}"
         destination = "secrets/tls/fullchain.pem"
-        perms = 400
+        perms       = 400
       }
 
       template {
-        data = "{{ with nomadVar \"nomad/jobs/maddy\" }}{{ .key }}{{ end }}"
+        data        = "{{ with nomadVar \"nomad/jobs/maddy\" }}{{ .key }}{{ end }}"
         destination = "secrets/tls/privkey.pem"
-        perms = 400
+        perms       = 400
       }
     }
   }
diff --git a/services/nomad/apps/man-cgi.nomad b/services/nomad/apps/man-cgi.nomad
index af517777..43570d2b 100644
--- a/services/nomad/apps/man-cgi.nomad
+++ b/services/nomad/apps/man-cgi.nomad
@@ -1,21 +1,21 @@
 job "man-cgi" {
   datacenters = ["VOID-MIRROR"]
-  namespace = "apps"
-  type = "system"
+  namespace   = "apps"
+  type        = "system"
 
   # FIXME: b-hel-fi is not currently syncing
   constraint {
     attribute = "${node.unique.name}"
-    operator = "set_contains_any"
-    value = "d-hel-fi,a-fra-de"
+    operator  = "set_contains_any"
+    value     = "d-hel-fi,a-fra-de"
   }
 
   group "man-cgi" {
     count = 1
 
     volume "dist_mirror" {
-      type = "host"
-      source = "dist_mirror"
+      type      = "host"
+      source    = "dist_mirror"
       read_only = true
     }
 
@@ -29,7 +29,7 @@ job "man-cgi" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "man.voidlinux.org"
+        nginx_names  = "man.voidlinux.org"
       }
     }
 
@@ -41,7 +41,7 @@ job "man-cgi" {
       }
 
       volume_mount {
-        volume = "dist_mirror"
+        volume      = "dist_mirror"
         destination = "/mirror"
       }
     }
diff --git a/services/nomad/apps/popcorn-report.nomad b/services/nomad/apps/popcorn-report.nomad
index 0e532454..fd7b1f4c 100644
--- a/services/nomad/apps/popcorn-report.nomad
+++ b/services/nomad/apps/popcorn-report.nomad
@@ -1,10 +1,10 @@
 job "popcorn-report" {
   datacenters = ["VOID-MIRROR"]
-  namespace = "apps"
-  type = "batch"
+  namespace   = "apps"
+  type        = "batch"
 
   periodic {
-    crons = ["@daily"]
+    crons            = ["@daily"]
     prohibit_overlap = true
   }
 
@@ -14,8 +14,8 @@ job "popcorn-report" {
     network { mode = "bridge" }
 
     volume "popcorn_data" {
-      type = "host"
-      source = "popcorn_data"
+      type      = "host"
+      source    = "popcorn_data"
       read_only = false
     }
 
@@ -23,12 +23,12 @@ job "popcorn-report" {
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/infra-popcorn:20240704R1"
+        image   = "ghcr.io/void-linux/infra-popcorn:20240704R1"
         command = "/local/popcorn-report"
       }
 
       volume_mount {
-        volume = "popcorn_data"
+        volume      = "popcorn_data"
         destination = "/data"
       }
 
@@ -37,7 +37,7 @@ job "popcorn-report" {
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 #!/bin/sh
 {{ range service "popcorn-statrepo" }}
 exec popcornctl --server "{{ .Address }}" --port "{{ .Port }}" \
@@ -45,17 +45,17 @@ exec popcornctl --server "{{ .Address }}" --port "{{ .Port }}" \
 {{ end }}
 EOF
         destination = "local/popcorn-report"
-        perms = "755"
+        perms       = "755"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/popcorn" -}}
 POPCORN_KEY={{.reset_key}}
 {{- end -}}
 EOF
         destination = "secrets/env"
-        env = true
+        env         = true
       }
     }
   }
diff --git a/services/nomad/apps/popcorn.nomad b/services/nomad/apps/popcorn.nomad
index d21a28ba..fa13ba72 100644
--- a/services/nomad/apps/popcorn.nomad
+++ b/services/nomad/apps/popcorn.nomad
@@ -1,7 +1,7 @@
 job "popcorn" {
   datacenters = ["VOID-MIRROR"]
-  namespace = "apps"
-  type = "service"
+  namespace   = "apps"
+  type        = "service"
 
   group "webserver" {
     count = 1
@@ -12,8 +12,8 @@ job "popcorn" {
     }
 
     volume "popcorn_data" {
-      type = "host"
-      source = "popcorn_data"
+      type      = "host"
+      source    = "popcorn_data"
       read_only = true
     }
 
@@ -22,7 +22,7 @@ job "popcorn" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "popcorn.voidlinux.org"
+        nginx_names  = "popcorn.voidlinux.org"
       }
     }
 
@@ -34,7 +34,7 @@ job "popcorn" {
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 server {
     server_name popcorn;
     listen 0.0.0.0:80 default_server;
@@ -50,9 +50,9 @@ EOF
       }
 
       volume_mount {
-        volume = "popcorn_data"
+        volume      = "popcorn_data"
         destination = "/srv/www"
-        read_only = true
+        read_only   = true
       }
     }
   }
@@ -77,8 +77,8 @@ EOF
     }
 
     volume "popcorn_data" {
-      type = "host"
-      source = "popcorn_data"
+      type      = "host"
+      source    = "popcorn_data"
       read_only = false
     }
 
@@ -86,7 +86,7 @@ EOF
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/infra-popcorn:20240704R1"
+        image   = "ghcr.io/void-linux/infra-popcorn:20240704R1"
         command = "statrepo"
         args = [
           "--addr", "0.0.0.0",
@@ -97,17 +97,17 @@ EOF
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/popcorn" -}}
 POPCORN_KEY={{.reset_key}}
 {{- end -}}
 EOF
         destination = "secrets/env"
-        env = true
+        env         = true
       }
 
       volume_mount {
-        volume = "popcorn_data"
+        volume      = "popcorn_data"
         destination = "/var/lib/popcorn"
       }
     }
@@ -116,7 +116,7 @@ EOF
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/infra-popcorn:20240704R1"
+        image   = "ghcr.io/void-linux/infra-popcorn:20240704R1"
         command = "pqueryd"
         args = [
           "--checkpoint_enabled=false",
@@ -132,9 +132,9 @@ EOF
       }
 
       volume_mount {
-        volume = "popcorn_data"
+        volume      = "popcorn_data"
         destination = "/data"
-        read_only = true
+        read_only   = true
       }
     }
   }
diff --git a/services/nomad/apps/void-docs.nomad b/services/nomad/apps/void-docs.nomad
index 2d310876..33815323 100644
--- a/services/nomad/apps/void-docs.nomad
+++ b/services/nomad/apps/void-docs.nomad
@@ -1,10 +1,10 @@
 job "void-docs" {
   datacenters = ["VOID"]
-  namespace = "apps"
-  type = "batch"
+  namespace   = "apps"
+  type        = "batch"
 
   periodic {
-    crons = ["@hourly"]
+    crons            = ["@hourly"]
     prohibit_overlap = true
   }
 
@@ -12,8 +12,8 @@ job "void-docs" {
     count = 1
 
     volume "root-mirror" {
-      type = "host"
-      source = "root_mirror"
+      type      = "host"
+      source    = "root_mirror"
       read_only = false
     }
 
@@ -27,12 +27,12 @@ job "void-docs" {
       }
 
       env {
-        OUTDIR = "/mirror/docs"
+        OUTDIR   = "/mirror/docs"
         REPO_URL = "https://github.com/void-linux/void-docs.git"
       }
 
       volume_mount {
-        volume = "root-mirror"
+        volume      = "root-mirror"
         destination = "/mirror"
       }
     }
diff --git a/services/nomad/apps/void-updates.nomad b/services/nomad/apps/void-updates.nomad
index 9e22f888..6e0caa88 100644
--- a/services/nomad/apps/void-updates.nomad
+++ b/services/nomad/apps/void-updates.nomad
@@ -1,10 +1,10 @@
 job "void-updates" {
   datacenters = ["VOID"]
-  namespace = "apps"
-  type = "batch"
+  namespace   = "apps"
+  type        = "batch"
 
   periodic {
-    crons = ["0 4 * * *"]
+    crons            = ["0 4 * * *"]
     prohibit_overlap = true
   }
 
@@ -14,8 +14,8 @@ job "void-updates" {
     network { mode = "bridge" }
 
     volume "root-mirror" {
-      type = "host"
-      source = "root_mirror"
+      type      = "host"
+      source    = "root_mirror"
       read_only = false
     }
 
@@ -35,7 +35,7 @@ job "void-updates" {
       }
 
       volume_mount {
-        volume = "root-mirror"
+        volume      = "root-mirror"
         destination = "/mirror"
       }
     }
diff --git a/services/nomad/apps/xlocate.nomad b/services/nomad/apps/xlocate.nomad
index 41db1cfc..d3c446c5 100644
--- a/services/nomad/apps/xlocate.nomad
+++ b/services/nomad/apps/xlocate.nomad
@@ -1,10 +1,10 @@
 job "xlocate" {
   datacenters = ["VOID"]
-  namespace = "apps"
-  type = "batch"
+  namespace   = "apps"
+  type        = "batch"
 
   periodic {
-    crons = ["0 6 * * *"]
+    crons            = ["0 6 * * *"]
     prohibit_overlap = true
   }
 
@@ -14,8 +14,8 @@ job "xlocate" {
     network { mode = "bridge" }
 
     volume "root-mirror" {
-      type = "host"
-      source = "root_mirror"
+      type      = "host"
+      source    = "root_mirror"
       read_only = false
     }
 
@@ -23,8 +23,8 @@ job "xlocate" {
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/infra-xlocate:20231024R1"
-        volumes = [ "local/xbps.conf:/etc/xbps.d/00-repository-main.conf" ]
+        image   = "ghcr.io/void-linux/infra-xlocate:20231024R1"
+        volumes = ["local/xbps.conf:/etc/xbps.d/00-repository-main.conf"]
       }
 
       resources {
@@ -36,12 +36,12 @@ job "xlocate" {
       }
 
       volume_mount {
-        volume = "root-mirror"
+        volume      = "root-mirror"
         destination = "/mirror"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 repository=/mirror/current
 repository=/mirror/current/nonfree
 repository=/mirror/current/multilib
diff --git a/services/nomad/apps/xmandump.nomad b/services/nomad/apps/xmandump.nomad
index 0ea289b0..1627f1a3 100644
--- a/services/nomad/apps/xmandump.nomad
+++ b/services/nomad/apps/xmandump.nomad
@@ -1,10 +1,10 @@
 job "xmandump" {
   datacenters = ["VOID"]
-  namespace = "apps"
-  type = "batch"
+  namespace   = "apps"
+  type        = "batch"
 
   periodic {
-    crons = ["@daily"]
+    crons            = ["@daily"]
     prohibit_overlap = true
   }
 
@@ -13,12 +13,12 @@ job "xmandump" {
 
     restart {
       attempts = 0
-      mode = "fail"
+      mode     = "fail"
     }
 
     volume "root-mirror" {
-      type = "host"
-      source = "root_mirror"
+      type      = "host"
+      source    = "root_mirror"
       read_only = false
     }
 
@@ -30,7 +30,7 @@ job "xmandump" {
       }
 
       volume_mount {
-        volume = "root-mirror"
+        volume      = "root-mirror"
         destination = "/mirror"
       }
 
diff --git a/services/nomad/apps/xq-api.nomad b/services/nomad/apps/xq-api.nomad
index dddc0b2b..90c0215e 100644
--- a/services/nomad/apps/xq-api.nomad
+++ b/services/nomad/apps/xq-api.nomad
@@ -1,21 +1,21 @@
 job "xq-api" {
   datacenters = ["VOID-MIRROR"]
-  namespace = "apps"
-  type = "system"
+  namespace   = "apps"
+  type        = "system"
 
   # FIXME: b-hel-fi is not currently syncing
   constraint {
     attribute = "${node.unique.name}"
-    operator = "set_contains_any"
-    value = "d-hel-fi,a-fra-de"
+    operator  = "set_contains_any"
+    value     = "d-hel-fi,a-fra-de"
   }
 
   group "xq-api" {
     count = 1
 
     volume "dist_mirror" {
-      type = "host"
-      source = "dist_mirror"
+      type      = "host"
+      source    = "dist_mirror"
       read_only = true
     }
 
@@ -29,7 +29,7 @@ job "xq-api" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "xq-api.voidlinux.org"
+        nginx_names  = "xq-api.voidlinux.org"
       }
     }
 
@@ -41,7 +41,7 @@ job "xq-api" {
       }
 
       volume_mount {
-        volume = "dist_mirror"
+        volume      = "dist_mirror"
         destination = "/mirror"
       }
 
diff --git a/services/nomad/build/build-rsyncd.nomad b/services/nomad/build/build-rsyncd.nomad
index 58cb1c5f..0235dd19 100644
--- a/services/nomad/build/build-rsyncd.nomad
+++ b/services/nomad/build/build-rsyncd.nomad
@@ -1,40 +1,40 @@
 job "build-rsyncd" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "build"
+  namespace   = "build"
 
   group "rsync" {
     count = 1
     network {
       mode = "bridge"
       port "rsync" {
-        to = 873
+        to           = 873
         host_network = "internal"
       }
     }
 
     volume "glibc_hostdir" {
-      type = "host"
-      source = "glibc_hostdir"
+      type      = "host"
+      source    = "glibc_hostdir"
       read_only = false
     }
 
     volume "root_mirror" {
-      type = "host"
-      source = "root_mirror"
+      type      = "host"
+      source    = "root_mirror"
       read_only = false
     }
 
     volume "incoming_pkgs" {
-      type = "host"
-      source = "incoming_pkgs"
+      type      = "host"
+      source    = "incoming_pkgs"
       read_only = false
     }
 
     service {
       provider = "nomad"
-      name = "build-rsyncd"
-      port = "rsync"
+      name     = "build-rsyncd"
+      port     = "rsync"
     }
 
     task "rsyncd" {
@@ -45,43 +45,43 @@ job "build-rsyncd" {
       }
 
       resources {
-        memory = 1500
+        memory     = 1500
         memory_max = 3000
       }
 
       volume_mount {
-        volume = "glibc_hostdir"
+        volume      = "glibc_hostdir"
         destination = "/hostdir"
       }
 
       volume_mount {
-        volume = "root_mirror"
+        volume      = "root_mirror"
         destination = "/mirror"
       }
 
       volume_mount {
-        volume = "incoming_pkgs"
+        volume      = "incoming_pkgs"
         destination = "/incoming"
       }
 
       template {
-        data = file("rsync-post-xfer")
+        data        = file("rsync-post-xfer")
         destination = "local/rsync-post-xfer"
-        perms = "0755"
+        perms       = "0755"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/buildsync" }}
 buildsync:{{ .password }}
 {{- end }}
 EOF
         destination = "secrets/buildsync.secrets"
-        perms = "0400"
+        perms       = "0400"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 [global]
 uid = 418
 gid = 418
@@ -110,7 +110,7 @@ EOF
         ]
 
         content {
-          data = <<EOF
+          data        = <<EOF
 [incoming-${template.value}]
 path = /incoming/${template.value}
 auth users = buildsync:rw
diff --git a/services/nomad/build/buildbot-worker.nomad b/services/nomad/build/buildbot-worker.nomad
index ecab439f..3e564f6f 100644
--- a/services/nomad/build/buildbot-worker.nomad
+++ b/services/nomad/build/buildbot-worker.nomad
@@ -1,54 +1,54 @@
 job "buildbot-worker" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "build"
+  namespace   = "build"
 
   dynamic "group" {
     for_each = [
       // cpu is ~equivalent to a number of cores
       // memory is ~90% of capacity
       // memory_max is ~95% of capacity
-      { name = "glibc",   jobs = 10, cpu = 38100, mem = 115840, mem_max = 122270 },
-      { name = "musl",    jobs = 6,  cpu = 21700, mem = 57690,  mem_max = 60890  },
-      { name = "aarch64", jobs = 6,  cpu = 12000, mem = 28500,  mem_max = 30500  },
+      { name = "glibc", jobs = 10, cpu = 38100, mem = 115840, mem_max = 122270 },
+      { name = "musl", jobs = 6, cpu = 21700, mem = 57690, mem_max = 60890 },
+      { name = "aarch64", jobs = 6, cpu = 12000, mem = 28500, mem_max = 30500 },
     ]
-    labels = [ "buildbot-worker-${group.value.name}" ]
+    labels = ["buildbot-worker-${group.value.name}"]
 
     content {
       network {
-        mode = "bridge"
+        mode     = "bridge"
         hostname = "void-buildbot-worker-${group.value.name}"
       }
 
       dynamic "volume" {
-        for_each = [ "${group.value.name}" ]
-        labels = [ "${volume.value}_hostdir" ]
+        for_each = ["${group.value.name}"]
+        labels   = ["${volume.value}_hostdir"]
 
         content {
-          type = "host"
-          source = "${volume.value}_hostdir"
+          type      = "host"
+          source    = "${volume.value}_hostdir"
           read_only = false
         }
       }
 
       dynamic "volume" {
-        for_each = [ "${group.value.name}" ]
-        labels = [ "${volume.value}_workdir" ]
+        for_each = ["${group.value.name}"]
+        labels   = ["${volume.value}_workdir"]
 
         content {
-          type = "host"
-          source = "${volume.value}_workdir"
+          type      = "host"
+          source    = "${volume.value}_workdir"
           read_only = false
         }
       }
 
       dynamic "volume" {
-        for_each = [ "${group.value.name}" ]
-        labels = [ "${volume.value}_buildrootdir" ]
+        for_each = ["${group.value.name}"]
+        labels   = ["${volume.value}_buildrootdir"]
 
         content {
-          type = "host"
-          source = "${volume.value}_buildrootdir"
+          type      = "host"
+          source    = "${volume.value}_buildrootdir"
           read_only = false
         }
       }
@@ -58,23 +58,23 @@ job "buildbot-worker" {
         driver = "docker"
 
         config {
-          image = "ghcr.io/void-linux/void-glibc-full:20250616R2"
+          image   = "ghcr.io/void-linux/void-glibc-full:20250616R2"
           command = "chown"
-          args = ["418:418", "/hostdir", "/workdir", "/buildroots"]
+          args    = ["418:418", "/hostdir", "/workdir", "/buildroots"]
         }
 
         volume_mount {
-          volume = "${group.value.name}_hostdir"
+          volume      = "${group.value.name}_hostdir"
           destination = "/hostdir"
         }
 
         volume_mount {
-          volume = "${group.value.name}_workdir"
+          volume      = "${group.value.name}_workdir"
           destination = "/workdir"
         }
 
         volume_mount {
-          volume = "${group.value.name}_buildrootdir"
+          volume      = "${group.value.name}_buildrootdir"
           destination = "/buildroots"
         }
 
@@ -98,28 +98,28 @@ job "buildbot-worker" {
         }
 
         resources {
-          cpu = "${group.value.cpu}"
-          memory = "${group.value.mem}"
+          cpu        = "${group.value.cpu}"
+          memory     = "${group.value.mem}"
           memory_max = "${group.value.mem_max}"
         }
 
         volume_mount {
-          volume = "${group.value.name}_hostdir"
+          volume      = "${group.value.name}_hostdir"
           destination = "/hostdir"
         }
 
         volume_mount {
-          volume = "${group.value.name}_workdir"
+          volume      = "${group.value.name}_workdir"
           destination = "/workdir"
         }
 
         volume_mount {
-          volume = "${group.value.name}_buildrootdir"
+          volume      = "${group.value.name}_buildrootdir"
           destination = "/buildroots"
         }
 
         template {
-          data = <<EOF
+          data        = <<EOF
 {{ range service "buildbot-worker" -}}
 [buildbot]
 host = {{ .Address }}
@@ -133,7 +133,7 @@ EOF
         }
 
         template {
-          data = <<EOF
+          data        = <<EOF
 XBPS_MAKEJOBS=${group.value.jobs}
 XBPS_CHROOT_CMD=uchroot
 XBPS_CCACHE=yes
@@ -149,12 +149,12 @@ EOF
         }
 
         template {
-          data = "Void Build Operators <build-ops@voidlinux.org>"
+          data        = "Void Build Operators <build-ops@voidlinux.org>"
           destination = "local/info/admin"
         }
 
         template {
-          data = <<EOF
+          data        = <<EOF
 Void Linux Buildbot builder for ${group.value.name} running on {{ env "attr.unique.hostname" -}}
 EOF
           destination = "local/info/host"
@@ -162,7 +162,7 @@ EOF
 
         // the builders should use the internal mirror
         template {
-          data = <<EOF
+          data        = <<EOF
 {{ range service "root-pkgs-internal" }}
 {{ if eq "${group.value.name}" "glibc" }}
 repository=http://{{ .Address }}:{{ .Port }}/bootstrap
@@ -193,34 +193,34 @@ EOF
 
         // /usr/share/xbps.d/xbps-arch.conf will mess up xbps-checkvers, so mask it with an empty file
         template {
-          data = <<EOF
+          data        = <<EOF
 # this file intentionally left blank
 EOF
           destination = "local/xbps-arch.conf"
         }
 
         template {
-          data = <<EOF
+          data        = <<EOF
 {{- with nomadVar "nomad/jobs/buildbot-worker" -}}
 {{ .worker_password }}
 {{- end -}}
 EOF
           destination = "secrets/buildbot/worker-password"
-          perms = "400"
-          uid = 418
-          gid = 418
+          perms       = "400"
+          uid         = 418
+          gid         = 418
         }
 
         template {
-          data = <<EOF
+          data        = <<EOF
 {{- with nomadVar "nomad/jobs/buildsync" -}}
 {{ .password }}
 {{- end -}}
 EOF
           destination = "secrets/rsync/password"
-          perms = "400"
-          uid = 418
-          gid = 418
+          perms       = "400"
+          uid         = 418
+          gid         = 418
         }
       }
     }
diff --git a/services/nomad/build/buildbot.nomad b/services/nomad/build/buildbot.nomad
index 7ee1b02e..8e7b20ec 100644
--- a/services/nomad/build/buildbot.nomad
+++ b/services/nomad/build/buildbot.nomad
@@ -1,36 +1,36 @@
 job "buildbot" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "build"
+  namespace   = "build"
 
   group "buildbot" {
     network {
-      mode = "bridge"
+      mode     = "bridge"
       hostname = "void-buildbot"
 
       port "http" {
         static = 8010
-        to = 8010
+        to     = 8010
       }
 
       port "metrics" { to = 9100 }
 
       port "worker" {
-        to = 42042
+        to           = 42042
         host_network = "internal"
       }
     }
 
     volume "buildbot_database" {
-      type = "host"
-      source = "buildbot_database"
+      type      = "host"
+      source    = "buildbot_database"
       read_only = false
     }
 
     volume "netauth_config" {
-      type = "host"
+      type      = "host"
       read_only = true
-      source = "netauth_config"
+      source    = "netauth_config"
     }
 
     service {
@@ -38,11 +38,11 @@ job "buildbot" {
       port = "http"
 
       check {
-        type = "http"
+        type         = "http"
         address_mode = "host"
-        path = "/"
-        timeout = "30s"
-        interval = "5s"
+        path         = "/"
+        timeout      = "30s"
+        interval     = "5s"
       }
     }
 
@@ -74,18 +74,18 @@ job "buildbot" {
       }
 
       volume_mount {
-        volume = "buildbot_database"
+        volume      = "buildbot_database"
         destination = "/db"
       }
 
       volume_mount {
-        volume = "netauth_config"
+        volume      = "netauth_config"
         destination = "/etc/netauth"
-        read_only = true
+        read_only   = true
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 [buildbot]
 worker-port = 42042
 url = https://build.voidlinux.org/
@@ -102,19 +102,19 @@ EOF
       template {
         data = jsonencode({
           workers = [
-            { name = "glibc",   max-builds = 4 },
-            { name = "musl",    max-builds = 3 },
+            { name = "glibc", max-builds = 4 },
+            { name = "musl", max-builds = 3 },
             { name = "aarch64", max-builds = 2 },
           ],
           builders = [
-            { name = "x86_64",       host = "x86_64",                               worker = "glibc",  },
-            { name = "i686",         host = "i686",                                 worker = "glibc",  },
-            { name = "armv7l",       host = "x86_64",      target = "armv7l",       worker = "glibc",  },
-            { name = "armv6l",       host = "x86_64",      target = "armv6l",       worker = "glibc",  },
-            { name = "x86_64-musl",  host = "x86_64-musl",                          worker = "musl",   },
-            { name = "armv7l-musl",  host = "x86_64-musl", target = "armv7l-musl",  worker = "musl",   },
-            { name = "armv6l-musl",  host = "x86_64-musl", target = "armv6l-musl",  worker = "musl",   },
-            { name = "aarch64",      host = "x86_64",      target = "aarch64",      worker = "aarch64" },
+            { name = "x86_64", host = "x86_64", worker = "glibc", },
+            { name = "i686", host = "i686", worker = "glibc", },
+            { name = "armv7l", host = "x86_64", target = "armv7l", worker = "glibc", },
+            { name = "armv6l", host = "x86_64", target = "armv6l", worker = "glibc", },
+            { name = "x86_64-musl", host = "x86_64-musl", worker = "musl", },
+            { name = "armv7l-musl", host = "x86_64-musl", target = "armv7l-musl", worker = "musl", },
+            { name = "armv6l-musl", host = "x86_64-musl", target = "armv6l-musl", worker = "musl", },
+            { name = "aarch64", host = "x86_64", target = "aarch64", worker = "aarch64" },
             { name = "aarch64-musl", host = "x86_64-musl", target = "aarch64-musl", worker = "aarch64" },
           ],
         })
@@ -122,45 +122,45 @@ EOF
       }
 
       template {
-        data = file("buildbot.cfg")
+        data        = file("buildbot.cfg")
         destination = "local/buildbot.cfg"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 Void Linux Buildbot controller running on {{ env "attr.unique.hostname" -}}
 EOF
         destination = "local/info/host"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/buildbot" -}}
 {{ .webhook_secret }}
 {{- end -}}
 EOF
         destination = "secrets/buildbot/github-webhook"
-        perms = "400"
+        perms       = "400"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/buildbot" -}}
 {{ .irc_password }}
 {{- end -}}
 EOF
         destination = "secrets/buildbot/irc-password"
-        perms = "400"
+        perms       = "400"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/buildbot-worker" -}}
 {{ .worker_password }}
 {{- end -}}
 EOF
         destination = "secrets/buildbot/worker-password"
-        perms = "400"
+        perms       = "400"
       }
     }
   }
diff --git a/services/nomad/build/buildsync.nomad b/services/nomad/build/buildsync.nomad
index 4a8db1c2..73284b12 100644
--- a/services/nomad/build/buildsync.nomad
+++ b/services/nomad/build/buildsync.nomad
@@ -1,23 +1,23 @@
 job "buildsync" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "build"
+  namespace   = "build"
 
   dynamic "group" {
-    for_each = [ "aarch64", "musl", ]
-    labels = [ "buildsync-${group.value}" ]
+    for_each = ["aarch64", "musl", ]
+    labels   = ["buildsync-${group.value}"]
 
     content {
       count = 1
       network { mode = "bridge" }
 
       dynamic "volume" {
-        for_each = [ "${group.value}" ]
-        labels = [ "${volume.value}_hostdir" ]
+        for_each = ["${group.value}"]
+        labels   = ["${volume.value}_hostdir"]
 
         content {
-          type = "host"
-          source = "${volume.value}_hostdir"
+          type      = "host"
+          source    = "${volume.value}_hostdir"
           read_only = true
         }
       }
@@ -30,22 +30,22 @@ job "buildsync" {
         }
 
         volume_mount {
-          volume = "${group.value}_hostdir"
+          volume      = "${group.value}_hostdir"
           destination = "/hostdir"
         }
 
         template {
-          data = <<EOF
+          data        = <<EOF
 {{- with nomadVar "nomad/jobs/buildsync" -}}
 {{.password}}
 {{- end -}}
 EOF
           destination = "secrets/rsync_passwd"
-          perms = "0400"
+          perms       = "0400"
         }
 
         template {
-          data = <<EOF
+          data        = <<EOF
 {{ $allocID := env "NOMAD_ALLOC_ID" -}}
 settings {
     statusFile = "/tmp/lsyncd.status",
@@ -74,7 +74,7 @@ sync {
 }
 EOF
           destination = "local/lsyncd.conf"
-          perms = "0644"
+          perms       = "0644"
         }
       }
     }
diff --git a/services/nomad/build/root-pkgs-httpd.nomad b/services/nomad/build/root-pkgs-httpd.nomad
index fd1aa1b4..da85a10d 100644
--- a/services/nomad/build/root-pkgs-httpd.nomad
+++ b/services/nomad/build/root-pkgs-httpd.nomad
@@ -1,13 +1,13 @@
 job "build-mirror" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "build"
+  namespace   = "build"
 
   group "busybox" {
     network {
       mode = "host"
       port "http" {
-        to = 80
+        to     = 80
         static = 80
       }
     }
@@ -18,8 +18,8 @@ job "build-mirror" {
     }
 
     volume "root-pkgs" {
-      type = "host"
-      source = "root-pkgs"
+      type      = "host"
+      source    = "root-pkgs"
       read_only = true
     }
 
@@ -27,13 +27,13 @@ job "build-mirror" {
       driver = "docker"
 
       config {
-        image = "busybox:1.37-musl"
-        args = ["httpd", "-f", "-p", "80", "-h", "/pkgs"]
+        image        = "busybox:1.37-musl"
+        args         = ["httpd", "-f", "-p", "80", "-h", "/pkgs"]
         network_mode = "host"
       }
 
       volume_mount {
-        volume = "root-pkgs"
+        volume      = "root-pkgs"
         destination = "/pkgs"
       }
     }
diff --git a/services/nomad/build/signing.nomad b/services/nomad/build/signing.nomad
index 6caa9ec8..a54c91ab 100644
--- a/services/nomad/build/signing.nomad
+++ b/services/nomad/build/signing.nomad
@@ -1,14 +1,14 @@
 job "reposigner" {
-  type = "service"
-  namespace = "build"
+  type        = "service"
+  namespace   = "build"
   datacenters = ["VOID"]
 
   group "xbps" {
     count = 1
 
     volume "root-pkgs" {
-      type = "host"
-      source = "root-pkgs"
+      type      = "host"
+      source    = "root-pkgs"
       read_only = false
     }
 
@@ -19,36 +19,36 @@ job "reposigner" {
         image = "ghcr.io/void-linux/xbps-legacy-sign:20230815"
         args = [
           "-private-key", "/secrets/id_rsa", "-passphrase-file", "/secrets/id_rsa_passphrase", "-watch",
-          "/pkgs",          "/pkgs/bootstrap",          "/pkgs/nonfree",          "/pkgs/debug",
+          "/pkgs", "/pkgs/bootstrap", "/pkgs/nonfree", "/pkgs/debug",
           "/pkgs/multilib", "/pkgs/multilib/bootstrap", "/pkgs/multilib/nonfree",
-          "/pkgs/musl",     "/pkgs/musl/bootstrap",     "/pkgs/musl/nonfree",     "/pkgs/musl/debug",
-          "/pkgs/aarch64",  "/pkgs/aarch64/bootstrap",  "/pkgs/aarch64/nonfree",  "/pkgs/aarch64/debug",
+          "/pkgs/musl", "/pkgs/musl/bootstrap", "/pkgs/musl/nonfree", "/pkgs/musl/debug",
+          "/pkgs/aarch64", "/pkgs/aarch64/bootstrap", "/pkgs/aarch64/nonfree", "/pkgs/aarch64/debug",
         ]
       }
 
       volume_mount {
-        volume = "root-pkgs"
+        volume      = "root-pkgs"
         destination = "/pkgs"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/reposigner" -}}
 {{ .key }}
 {{- end -}}
 EOF
         destination = "secrets/id_rsa"
-        perms = "0400"
+        perms       = "0400"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{- with nomadVar "nomad/jobs/reposigner" -}}
 {{ .keyphrase }}
 {{- end -}}
 EOF
         destination = "secrets/id_rsa_passphrase"
-        perms = "0400"
+        perms       = "0400"
       }
     }
   }
diff --git a/services/nomad/build/timefiles.nomad b/services/nomad/build/timefiles.nomad
index af3a9d23..3bb616dc 100644
--- a/services/nomad/build/timefiles.nomad
+++ b/services/nomad/build/timefiles.nomad
@@ -1,14 +1,14 @@
 job "timefiles" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "build"
+  namespace   = "build"
 
   group "timefiles" {
     count = 1
 
     volume "root_mirror" {
-      type = "host"
-      source = "root_mirror"
+      type      = "host"
+      source    = "root_mirror"
       read_only = false
     }
 
@@ -16,17 +16,17 @@ job "timefiles" {
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/void-glibc:20240526R1"
+        image   = "ghcr.io/void-linux/void-glibc:20240526R1"
         command = "/local/run.sh"
       }
 
       volume_mount {
-        volume = "root_mirror"
+        volume      = "root_mirror"
         destination = "/mirror"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 #!/bin/sh
 
 while true ; do
@@ -40,7 +40,7 @@ while true ; do
 done
 EOF
         destination = "local/run.sh"
-        perms = "0755"
+        perms       = "0755"
       }
     }
   }
diff --git a/services/nomad/infrastructure/cert-renew.nomad b/services/nomad/infrastructure/cert-renew.nomad
index 8977a469..825afb90 100644
--- a/services/nomad/infrastructure/cert-renew.nomad
+++ b/services/nomad/infrastructure/cert-renew.nomad
@@ -1,7 +1,7 @@
 job "cert-renew" {
   datacenters = ["VOID"]
-  namespace = "infrastructure"
-  type = "batch"
+  namespace   = "infrastructure"
+  type        = "batch"
 
   periodic {
     crons = ["@weekly"]
@@ -16,7 +16,7 @@ job "cert-renew" {
       driver = "docker"
 
       config {
-        image = "docker.io/hashicorp/terraform:1.14.3"
+        image      = "docker.io/hashicorp/terraform:1.14.3"
         entrypoint = ["/local/entrypoint"]
       }
 
@@ -25,30 +25,30 @@ job "cert-renew" {
       }
 
       env {
-        TF_HTTP_USERNAME="_terraform"
-        NOMAD_ADDR="unix://${NOMAD_SECRETS_DIR}/api.sock"
+        TF_HTTP_USERNAME = "_terraform"
+        NOMAD_ADDR       = "unix://${NOMAD_SECRETS_DIR}/api.sock"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 {{ with nomadVar "nomad/jobs/cert-renew" }}
 TF_HTTP_PASSWORD={{.terraform_password}}
 DO_AUTH_TOKEN={{.digitalocean_token}}
 {{ end }}
 EOF
         destination = "${NOMAD_SECRETS_DIR}/env"
-        env = true
+        env         = true
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 #!/bin/sh
 cd /local
 terraform init
 terraform apply -auto-approve
 EOF
         destination = "local/entrypoint"
-        perms = "755"
+        perms       = "755"
       }
 
       dynamic "artifact" {
diff --git a/services/nomad/infrastructure/nginx-control.nomad b/services/nomad/infrastructure/nginx-control.nomad
index 1ca16c01..2b62c754 100644
--- a/services/nomad/infrastructure/nginx-control.nomad
+++ b/services/nomad/infrastructure/nginx-control.nomad
@@ -1,7 +1,7 @@
 job "nginx-control" {
-  type = "system"
+  type        = "system"
   datacenters = ["VOID-CONTROL"]
-  namespace = "infrastructure"
+  namespace   = "infrastructure"
 
   group "nginx" {
     network {
@@ -12,22 +12,22 @@ job "nginx-control" {
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/infra-nginx:20250719R1"
+        image        = "ghcr.io/void-linux/infra-nginx:20250719R1"
         network_mode = "host"
-        dns_servers = ["127.0.0.1"]
+        dns_servers  = ["127.0.0.1"]
       }
 
       template {
-        data = "{{ with nomadVar \"nomad/jobs/nginx-control\" }}{{ .certificate }}{{ end }}"
+        data        = "{{ with nomadVar \"nomad/jobs/nginx-control\" }}{{ .certificate }}{{ end }}"
         destination = "secrets/certs/voidlinux.org.crt"
-        perms = 400
+        perms       = 400
         change_mode = "signal"
       }
 
       template {
-        data = "{{ with nomadVar \"nomad/jobs/nginx-control\" }}{{ .key }}{{ end }}"
+        data        = "{{ with nomadVar \"nomad/jobs/nginx-control\" }}{{ .key }}{{ end }}"
         destination = "secrets/certs/voidlinux.org.key"
-        perms = 400
+        perms       = 400
         change_mode = "signal"
       }
 
@@ -40,9 +40,9 @@ job "nginx-control" {
         ]
 
         content {
-          data = file("nginx-sites/${template.value}")
+          data        = file("nginx-sites/${template.value}")
           destination = "local/nginx/${template.value}"
-          perms = 400
+          perms       = 400
           change_mode = "signal"
         }
       }
diff --git a/services/nomad/infrastructure/nginx-mirror.nomad b/services/nomad/infrastructure/nginx-mirror.nomad
index f8a3e3ce..8255a363 100644
--- a/services/nomad/infrastructure/nginx-mirror.nomad
+++ b/services/nomad/infrastructure/nginx-mirror.nomad
@@ -1,7 +1,7 @@
 job "nginx" {
-  type = "system"
+  type        = "system"
   datacenters = ["VOID-MIRROR"]
-  namespace = "mirror"
+  namespace   = "mirror"
 
   group "nginx" {
     network {
@@ -9,12 +9,12 @@ job "nginx" {
     }
 
     dynamic "volume" {
-      for_each = [ "mirror", "sources", ]
-      labels = [ "dist-${volume.value}" ]
+      for_each = ["mirror", "sources", ]
+      labels   = ["dist-${volume.value}"]
 
       content {
-        type = "host"
-        source = "dist_${volume.value}"
+        type      = "host"
+        source    = "dist_${volume.value}"
         read_only = true
       }
     }
@@ -23,15 +23,15 @@ job "nginx" {
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/infra-nginx:20250719R1"
+        image        = "ghcr.io/void-linux/infra-nginx:20250719R1"
         network_mode = "host"
       }
 
       dynamic "volume_mount" {
-        for_each = [ "mirror", "sources", ]
+        for_each = ["mirror", "sources", ]
 
         content {
-          volume = "dist-${volume_mount.value}"
+          volume      = "dist-${volume_mount.value}"
           destination = "/srv/www/${volume_mount.value}"
         }
       }
@@ -43,9 +43,9 @@ job "nginx" {
         ]
 
         content {
-          data = file("nginx-sites/${template.value}")
+          data        = file("nginx-sites/${template.value}")
           destination = "secrets/certs/${template.value}"
-          perms = 400
+          perms       = 400
           change_mode = "signal"
         }
       }
@@ -63,9 +63,9 @@ job "nginx" {
         ]
 
         content {
-          data = file("nginx-sites/${template.value}")
+          data        = file("nginx-sites/${template.value}")
           destination = "local/nginx/${template.value}"
-          perms = 400
+          perms       = 400
           change_mode = "signal"
         }
       }
diff --git a/services/nomad/infrastructure/terrastate.nomad b/services/nomad/infrastructure/terrastate.nomad
index 76131bed..6a86cff0 100644
--- a/services/nomad/infrastructure/terrastate.nomad
+++ b/services/nomad/infrastructure/terrastate.nomad
@@ -1,7 +1,7 @@
 job "terrastate" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "infrastructure"
+  namespace   = "infrastructure"
 
   group "terrastate" {
     count = 1
@@ -14,15 +14,15 @@ job "terrastate" {
     }
 
     volume "terrastate_data" {
-      type = "host"
+      type      = "host"
       read_only = false
-      source = "terrastate"
+      source    = "terrastate"
     }
 
     volume "netauth_config" {
-      type = "host"
+      type      = "host"
       read_only = true
-      source = "netauth_config"
+      source    = "netauth_config"
     }
 
     service {
@@ -30,15 +30,15 @@ job "terrastate" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "terrastate.s.voidlinux.org"
+        nginx_names  = "terrastate.s.voidlinux.org"
       }
 
       check {
-        type = "http"
+        type         = "http"
         address_mode = "host"
-        path = "/healthz"
-        timeout = "30s"
-        interval = "15s"
+        path         = "/healthz"
+        timeout      = "30s"
+        interval     = "15s"
       }
     }
 
@@ -47,30 +47,30 @@ job "terrastate" {
 
       config {
         image = "ghcr.io/the-maldridge/terrastate:v1.2.4"
-        init = true
+        init  = true
       }
 
       env {
-        AUTHWARE_BASIC_MECHS = "htpasswd:netauth"
+        AUTHWARE_BASIC_MECHS   = "htpasswd:netauth"
         AUTHWARE_HTPASSWD_FILE = "/secrets/.htpasswd"
-        AUTHWARE_HTGROUP_FILE = "/secrets/.htgroup"
-        TS_BITCASK_PATH = "/data"
-        TS_STORE = "bitcask"
+        AUTHWARE_HTGROUP_FILE  = "/secrets/.htgroup"
+        TS_BITCASK_PATH        = "/data"
+        TS_STORE               = "bitcask"
       }
 
       volume_mount {
-        volume = "terrastate_data"
+        volume      = "terrastate_data"
         destination = "/data"
-        read_only = false
+        read_only   = false
       }
       volume_mount {
-        volume = "netauth_config"
+        volume      = "netauth_config"
         destination = "/etc/netauth"
-        read_only = true
+        read_only   = true
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 _terraform:{{ with nomadVar "nomad/jobs/terrastate" }}{{ .hashed_passwd }}{{ end }}
 EOF
         destination = "${NOMAD_SECRETS_DIR}/.htpasswd"
@@ -78,7 +78,7 @@ EOF
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 terrastate-tls: _terraform
 EOF
         destination = "${NOMAD_SECRETS_DIR}/.htgroup"
diff --git a/services/nomad/mirror/rsyncd.nomad b/services/nomad/mirror/rsyncd.nomad
index d4ec0d45..f927035a 100644
--- a/services/nomad/mirror/rsyncd.nomad
+++ b/services/nomad/mirror/rsyncd.nomad
@@ -1,7 +1,7 @@
 job "rsyncd" {
-  type = "system"
+  type        = "system"
   datacenters = ["VOID-MIRROR"]
-  namespace = "mirror"
+  namespace   = "mirror"
 
   group "rsync" {
     network {
@@ -9,8 +9,8 @@ job "rsyncd" {
     }
 
     volume "dist-mirror" {
-      type = "host"
-      source = "dist_mirror"
+      type      = "host"
+      source    = "dist_mirror"
       read_only = true
     }
 
@@ -18,18 +18,18 @@ job "rsyncd" {
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/infra-rsync:20250114R1"
-        volumes = ["local/voidmirror.conf:/etc/rsyncd.conf.d/voidmirror.conf"]
+        image        = "ghcr.io/void-linux/infra-rsync:20250114R1"
+        volumes      = ["local/voidmirror.conf:/etc/rsyncd.conf.d/voidmirror.conf"]
         network_mode = "host"
       }
 
       volume_mount {
-        volume = "dist-mirror"
+        volume      = "dist-mirror"
         destination = "/srv/rsync"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 [voidlinux]
 comment = Main Void Repository
 path = /srv/rsync
diff --git a/services/nomad/mirror/shadow-rsyncd.nomad b/services/nomad/mirror/shadow-rsyncd.nomad
index 117ec3b9..d86777a5 100644
--- a/services/nomad/mirror/shadow-rsyncd.nomad
+++ b/services/nomad/mirror/shadow-rsyncd.nomad
@@ -1,42 +1,42 @@
 job "shadow-rsyncd" {
-  type = "service"
+  type        = "service"
   datacenters = ["VOID"]
-  namespace = "mirror"
+  namespace   = "mirror"
 
   group "rsync" {
     count = 1
     network {
       mode = "bridge"
       port "rsync" {
-        to = 873
+        to           = 873
         host_network = "internal"
       }
     }
 
     volume "root_mirror" {
-      type = "host"
-      source = "root_mirror"
+      type      = "host"
+      source    = "root_mirror"
       read_only = true
     }
 
     volume "glibc_hostdir" {
-      type = "host"
-      source = "glibc_hostdir"
+      type      = "host"
+      source    = "glibc_hostdir"
       read_only = true
     }
 
     service {
       provider = "nomad"
-      name = "shadow-rsyncd"
-      port = "rsync"
+      name     = "shadow-rsyncd"
+      port     = "rsync"
     }
 
     task "rsyncd" {
       driver = "docker"
 
       config {
-        image = "ghcr.io/void-linux/infra-rsync:20250114R1"
-        volumes = [ "local/shadowsync.conf:/etc/rsyncd.conf.d/shadowsync.conf" ]
+        image   = "ghcr.io/void-linux/infra-rsync:20250114R1"
+        volumes = ["local/shadowsync.conf:/etc/rsyncd.conf.d/shadowsync.conf"]
       }
 
       resources {
@@ -44,17 +44,17 @@ job "shadow-rsyncd" {
       }
 
       volume_mount {
-        volume = "root_mirror"
+        volume      = "root_mirror"
         destination = "/mirror"
       }
 
       volume_mount {
-        volume = "glibc_hostdir"
+        volume      = "glibc_hostdir"
         destination = "/hostdir"
       }
 
       template {
-        data = <<EOF
+        data        = <<EOF
 [global]
 uid = 992
 gid = 991
diff --git a/services/nomad/mirror/sync.nomad b/services/nomad/mirror/sync.nomad
index 8fa898f4..9e03f1b2 100644
--- a/services/nomad/mirror/sync.nomad
+++ b/services/nomad/mirror/sync.nomad
@@ -1,35 +1,35 @@
 job "sync" {
-  type = "sysbatch"
+  type        = "sysbatch"
   datacenters = ["VOID-MIRROR"]
-  namespace = "mirror"
+  namespace   = "mirror"
 
   # FIXME: b-hel-fi is consistently filling up when syncing chromium/electron tarballs
   constraint {
     attribute = "${node.unique.name}"
-    operator = "set_contains_any"
-    value = "d-hel-fi,a-fra-de"
+    operator  = "set_contains_any"
+    value     = "d-hel-fi,a-fra-de"
   }
 
   periodic {
-    crons = ["* * * * *"]
+    crons            = ["* * * * *"]
     prohibit_overlap = true
   }
 
   dynamic "group" {
-    for_each = [ "mirror", "sources", ]
-    labels = [ "sync-${group.value}" ]
+    for_each = ["mirror", "sources", ]
+    labels   = ["sync-${group.value}"]
 
     content {
       count = 1
       network { mode = "bridge" }
 
       dynamic "volume" {
-        for_each =  [ "${group.value}" ]
-        labels = [ "dist-${volume.value}" ]
+        for_each = ["${group.value}"]
+        labels   = ["dist-${volume.value}"]
 
         content {
-          type = "host"
-          source = "dist_${volume.value}"
+          type      = "host"
+          source    = "dist_${volume.value}"
           read_only = false
         }
       }
@@ -38,7 +38,7 @@ job "sync" {
         driver = "docker"
 
         config {
-          image = "ghcr.io/void-linux/infra-rsync:20240709R1"
+          image   = "ghcr.io/void-linux/infra-rsync:20240709R1"
           command = "/usr/bin/rsync"
           args = [
             "-vurk",
@@ -51,14 +51,14 @@ job "sync" {
         }
 
         template {
-          data=<<EOF
+          data        = <<EOF
 {{ $allocID := env "NOMAD_ALLOC_ID" -}}
 {{ range nomadService 1 $allocID "shadow-rsyncd" }}
 RSYNC_ADDR="{{ .Address }}:{{ .Port }}"
 {{ end }}
 EOF
           destination = "local/env"
-          env = true
+          env         = true
         }
 
         resources {
@@ -66,7 +66,7 @@ EOF
         }
 
         volume_mount {
-          volume = "dist-${group.value}"
+          volume      = "dist-${group.value}"
           destination = "/${group.value}"
         }
       }
diff --git a/services/nomad/monitoring/alertmanager.nomad b/services/nomad/monitoring/alertmanager.nomad
index 4c179b76..bc2f7f24 100644
--- a/services/nomad/monitoring/alertmanager.nomad
+++ b/services/nomad/monitoring/alertmanager.nomad
@@ -1,7 +1,7 @@
 job "alertmanager" {
   datacenters = ["VOID"]
-  namespace = "monitoring"
-  type = "service"
+  namespace   = "monitoring"
+  type        = "service"
 
   group "app" {
     count = 1
@@ -16,15 +16,15 @@ job "alertmanager" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "alertmanager.s.voidlinux.org alertmanager.voidlinux.org"
+        nginx_names  = "alertmanager.s.voidlinux.org alertmanager.voidlinux.org"
       }
 
       check {
-        type = "http"
+        type         = "http"
         address_mode = "host"
-        path = "/-/healthy"
-        timeout = "30s"
-        interval = "15s"
+        path         = "/-/healthy"
+        timeout      = "30s"
+        interval     = "15s"
       }
     }
 
@@ -45,7 +45,7 @@ job "alertmanager" {
       }
 
       template {
-        data = <<EOT
+        data        = <<EOT
 global:
 route:
   receiver: 'infra-team'
diff --git a/services/nomad/monitoring/alertrelay.nomad b/services/nomad/monitoring/alertrelay.nomad
index 10ddf22d..8352946d 100644
--- a/services/nomad/monitoring/alertrelay.nomad
+++ b/services/nomad/monitoring/alertrelay.nomad
@@ -1,6 +1,6 @@
 job "alertrelay" {
-  type = "service"
-  namespace = "monitoring"
+  type        = "service"
+  namespace   = "monitoring"
   datacenters = ["VOID"]
 
   group "app" {
@@ -19,7 +19,7 @@ job "alertrelay" {
 
       config {
         image = "maldridge/alertmanager-irc-relay:v0.4.1"
-        args = ["--config=/local/config.yml"]
+        args  = ["--config=/local/config.yml"]
       }
 
       resources {
@@ -27,7 +27,7 @@ job "alertrelay" {
       }
 
       template {
-        data = <<EOT
+        data        = <<EOT
 ---
 http_host: 0.0.0.0
 http_port: 21225
@@ -45,11 +45,11 @@ EOT
       }
 
       template {
-        data = <<EOT
+        data        = <<EOT
 NICKSERV_PASSWORD={{ with nomadVar "nomad/jobs/alertrelay" }}{{ .password }}{{end}}
 EOT
         destination = "secrets/env"
-        env = true
+        env         = true
       }
     }
   }
diff --git a/services/nomad/monitoring/ccache.nomad b/services/nomad/monitoring/ccache.nomad
index 8e8f35b4..70744998 100644
--- a/services/nomad/monitoring/ccache.nomad
+++ b/services/nomad/monitoring/ccache.nomad
@@ -1,12 +1,12 @@
 job "ccache_exporter" {
-  type = "service"
-  namespace = "monitoring"
+  type        = "service"
+  namespace   = "monitoring"
   datacenters = ["VOID"]
 
   dynamic "group" {
     for_each = {
-      glibc = { host = "a-fsn-de", size = "16GB" }
-      musl = { host = "a-hel-fi", size = "8GB" }
+      glibc   = { host = "a-fsn-de", size = "16GB" }
+      musl    = { host = "a-hel-fi", size = "8GB" }
       aarch64 = { host = "b-fsn-de", size = "16GB" }
     }
 
@@ -15,13 +15,13 @@ job "ccache_exporter" {
     content {
       constraint {
         attribute = "${node.unique.name}"
-        value = group.value.host
+        value     = group.value.host
       }
 
       volume "ccache" {
-        type = "host"
+        type      = "host"
         read_only = true
-        source = "ccache"
+        source    = "ccache"
       }
 
       network {
@@ -38,14 +38,14 @@ job "ccache_exporter" {
         driver = "docker"
 
         volume_mount {
-          volume = "ccache"
+          volume      = "ccache"
           destination = "/ccache"
-          read_only = true
+          read_only   = true
         }
 
         config {
           image = "ghcr.io/duncaen/ccache_exporter:v0.0.1"
-          args = ["-ccache-dir", "/ccache", "-ccache-size", group.value.size]
+          args  = ["-ccache-dir", "/ccache", "-ccache-size", group.value.size]
         }
       }
     }
diff --git a/services/nomad/monitoring/grafana.nomad b/services/nomad/monitoring/grafana.nomad
index 5b955068..7f8022d7 100644
--- a/services/nomad/monitoring/grafana.nomad
+++ b/services/nomad/monitoring/grafana.nomad
@@ -1,21 +1,21 @@
 job "grafana" {
   datacenters = ["VOID"]
-  namespace = "monitoring"
-  type = "service"
+  namespace   = "monitoring"
+  type        = "service"
 
   group "app" {
     count = 1
 
     volume "grafana" {
-      type = "host"
+      type      = "host"
       read_only = false
-      source = "grafana"
+      source    = "grafana"
     }
 
     volume "netauth_config" {
-      type = "host"
+      type      = "host"
       read_only = true
-      source = "netauth_config"
+      source    = "netauth_config"
     }
 
     network {
@@ -28,15 +28,15 @@ job "grafana" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "grafana.s.voidlinux.org grafana.voidlinux.org"
+        nginx_names  = "grafana.s.voidlinux.org grafana.voidlinux.org"
       }
 
       check {
-        type = "http"
+        type         = "http"
         address_mode = "alloc"
-        path = "/healthz"
-        timeout = "30s"
-        interval = "15s"
+        path         = "/healthz"
+        timeout      = "30s"
+        interval     = "15s"
       }
     }
 
@@ -44,9 +44,9 @@ job "grafana" {
       driver = "docker"
 
       volume_mount {
-        volume = "grafana"
+        volume      = "grafana"
         destination = "/var/lib/grafana"
-        read_only = false
+        read_only   = false
       }
 
       config {
@@ -54,17 +54,17 @@ job "grafana" {
       }
 
       env {
-        GF_AUTH_ANONYMOUS_ENABLED="true"
-        GF_AUTH_ANONYMOUS_ORG_NAME="Main Org."
-        GF_AUTH_ANONYMOUS_ORG_ROLE="Viewer"
-        GF_AUTH_LDAP_ALLOW_SIGN_UP="true"
-        GF_AUTH_LDAP_CONFIG_FILE="/local/ldap.toml"
-        GF_AUTH_LDAP_ENABLED="true"
-        GF_INSTALL_PLUGINS="victoriametrics-logs-datasource"
+        GF_AUTH_ANONYMOUS_ENABLED  = "true"
+        GF_AUTH_ANONYMOUS_ORG_NAME = "Main Org."
+        GF_AUTH_ANONYMOUS_ORG_ROLE = "Viewer"
+        GF_AUTH_LDAP_ALLOW_SIGN_UP = "true"
+        GF_AUTH_LDAP_CONFIG_FILE   = "/local/ldap.toml"
+        GF_AUTH_LDAP_ENABLED       = "true"
+        GF_INSTALL_PLUGINS         = "victoriametrics-logs-datasource"
       }
 
-        template {
-          data = <<EOT
+      template {
+        data        = <<EOT
 [[servers]]
 host = "localhost"
 port = 389
@@ -90,18 +90,18 @@ org_role = "Editor"
 group_dn = "*"
 org_role = "Viewer"
 EOT
-          perms = 644
-          destination = "local/ldap.toml"
-        }
+        perms       = 644
+        destination = "local/ldap.toml"
+      }
     }
 
     task "ldap" {
       driver = "docker"
 
       volume_mount {
-        volume = "netauth_config"
+        volume      = "netauth_config"
         destination = "/etc/netauth"
-        read_only = true
+        read_only   = true
       }
 
       config {
diff --git a/services/nomad/monitoring/prometheus.nomad b/services/nomad/monitoring/prometheus.nomad
index 0e7548d7..1b865626 100644
--- a/services/nomad/monitoring/prometheus.nomad
+++ b/services/nomad/monitoring/prometheus.nomad
@@ -1,21 +1,21 @@
 job "prometheus" {
   datacenters = ["VOID"]
-  namespace = "monitoring"
-  type = "service"
+  namespace   = "monitoring"
+  type        = "service"
 
   group "app" {
     count = 1
 
     volume "prometheus" {
-      type = "host"
+      type      = "host"
       read_only = false
-      source = "prometheus"
+      source    = "prometheus"
     }
 
     network {
       mode = "bridge"
       port "http" {
-        to = 9090
+        to     = 9090
         static = 9090
       }
     }
@@ -25,15 +25,15 @@ job "prometheus" {
       port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "prometheus.s.voidlinux.org prometheus.voidlinux.org"
+        nginx_names  = "prometheus.s.voidlinux.org prometheus.voidlinux.org"
       }
 
       check {
-        type = "http"
+        type         = "http"
         address_mode = "alloc"
-        path = "/-/healthy"
-        timeout = "30s"
-        interval = "15s"
+        path         = "/-/healthy"
+        timeout      = "30s"
+        interval     = "15s"
       }
     }
 
@@ -41,9 +41,9 @@ job "prometheus" {
       driver = "docker"
 
       volume_mount {
-        volume = "prometheus"
+        volume      = "prometheus"
         destination = "/prometheus"
-        read_only = false
+        read_only   = false
       }
 
       config {
@@ -57,29 +57,29 @@ job "prometheus" {
       }
 
       resources {
-        cpu = 500
+        cpu    = 500
         memory = 400
       }
 
       template {
-        data = file("./prometheus.yml")
-        destination = "local/prometheus.yml"
-        perms = 644
+        data          = file("./prometheus.yml")
+        destination   = "local/prometheus.yml"
+        perms         = 644
         change_mode   = "signal"
         change_signal = "SIGHUP"
       }
 
       template {
-        data = file("./alerts/node_exporter.yml")
-        destination = "local/alerts/node_exporter_alerts.yml"
-        left_delimiter = "@@"
+        data            = file("./alerts/node_exporter.yml")
+        destination     = "local/alerts/node_exporter_alerts.yml"
+        left_delimiter  = "@@"
         right_delimiter = "@@"
       }
 
       template {
-        data = file("./alerts/prometheus.yml")
-        destination = "local/alerts/prometheus_alerts.yml"
-        left_delimiter = "@@"
+        data            = file("./alerts/prometheus.yml")
+        destination     = "local/alerts/prometheus_alerts.yml"
+        left_delimiter  = "@@"
         right_delimiter = "@@"
       }
     }
diff --git a/services/nomad/monitoring/promtail.nomad b/services/nomad/monitoring/promtail.nomad
index ddb1194a..58821d17 100644
--- a/services/nomad/monitoring/promtail.nomad
+++ b/services/nomad/monitoring/promtail.nomad
@@ -2,9 +2,9 @@ job "promtail" {
   datacenters = [
     "VOID",
   ]
-  namespace   = "monitoring"
-  type        = "service"
-  priority    = 99
+  namespace = "monitoring"
+  type      = "service"
+  priority  = 99
 
   group "promtail" {
     network {
@@ -22,7 +22,7 @@ job "promtail" {
       port = "metrics"
       meta {
         nginx_enable = "true"
-        nginx_names = "promtail-tmp.voidlinux.org"
+        nginx_names  = "promtail-tmp.voidlinux.org"
       }
     }
 
@@ -31,7 +31,7 @@ job "promtail" {
 
       config {
         image = "docker.io/grafana/promtail:2.9.2"
-        args = ["-config.file", "/local/config.yaml", "-config.expand-env=true"]
+        args  = ["-config.file", "/local/config.yaml", "-config.expand-env=true"]
       }
 
       resources {
@@ -62,29 +62,29 @@ job "promtail" {
           scrape_configs = [{
             job_name = "docker"
             docker_sd_configs = [{
-              host = "unix:///var/run/docker.sock"
+              host             = "unix:///var/run/docker.sock"
               refresh_interval = "5s"
             }]
             relabel_configs = [
               {
                 source_labels = ["__meta_docker_container_label_com_hashicorp_nomad_namespace"]
-                target_label = "nomad_namespace"
+                target_label  = "nomad_namespace"
               },
               {
                 source_labels = ["__meta_docker_container_label_com_hashicorp_nomad_job_name"]
-                target_label = "nomad_job"
+                target_label  = "nomad_job"
               },
               {
                 source_labels = ["__meta_docker_container_label_com_hashicorp_nomad_group_name"]
-                target_label = "nomad_group"
+                target_label  = "nomad_group"
               },
               {
                 source_labels = ["__meta_docker_container_label_com_hashicorp_nomad_task_name"]
-                target_label = "nomad_task"
+                target_label  = "nomad_task"
               },
               {
                 source_labels = ["__meta_docker_container_label_com_hashicorp_nomad_alloc_id"]
-                target_label = "nomad_alloc"
+                target_label  = "nomad_alloc"
               },
             ]
           }]
diff --git a/services/nomad/monitoring/repo_exporter.nomad b/services/nomad/monitoring/repo_exporter.nomad
index 0517d87c..bb4471fc 100644
--- a/services/nomad/monitoring/repo_exporter.nomad
+++ b/services/nomad/monitoring/repo_exporter.nomad
@@ -1,13 +1,13 @@
 job "repo-exporter" {
-  type = "service"
-  namespace = "monitoring"
+  type        = "service"
+  namespace   = "monitoring"
   datacenters = ["VOID"]
 
   group "exporter" {
     network {
       mode = "bridge"
       port "metrics" {
-        to = 1234
+        to     = 1234
         static = 9213
       }
     }
@@ -15,12 +15,12 @@ job "repo-exporter" {
     service {
       port = "metrics"
       check {
-        type = "http"
-        port = "metrics"
-        path = "/"
+        type         = "http"
+        port         = "metrics"
+        path         = "/"
         address_mode = "host"
-        interval = "30s"
-        timeout = "2s"
+        interval     = "30s"
+        timeout      = "2s"
       }
     }
 
diff --git a/services/nomad/monitoring/ssl_exporter.nomad b/services/nomad/monitoring/ssl_exporter.nomad
index fca99054..4611905d 100644
--- a/services/nomad/monitoring/ssl_exporter.nomad
+++ b/services/nomad/monitoring/ssl_exporter.nomad
@@ -1,7 +1,7 @@
 job "ssl-exporter" {
   datacenters = ["VOID"]
-  namespace = "monitoring"
-  type = "service"
+  namespace   = "monitoring"
+  type        = "service"
 
   group "app" {
     count = 1
@@ -9,7 +9,7 @@ job "ssl-exporter" {
     network {
       mode = "bridge"
       port "http" {
-        to = 9219
+        to     = 9219
         static = 9219
       }
     }
@@ -19,11 +19,11 @@ job "ssl-exporter" {
       port = "http"
 
       check {
-        type = "http"
+        type         = "http"
         address_mode = "host"
-        path = "/"
-        timeout = "30s"
-        interval = "15s"
+        path         = "/"
+        timeout      = "30s"
+        interval     = "15s"
       }
     }
 
@@ -33,7 +33,7 @@ job "ssl-exporter" {
       config {
         image = "ribbybibby/ssl-exporter:2.4.0"
         ports = ["http"]
-        args = ["--config.file=/local/conf.yaml"]
+        args  = ["--config.file=/local/conf.yaml"]
       }
 
       template {
diff --git a/services/nomad/monitoring/vector.nomad b/services/nomad/monitoring/vector.nomad
index 1032a4f2..2b635a27 100644
--- a/services/nomad/monitoring/vector.nomad
+++ b/services/nomad/monitoring/vector.nomad
@@ -5,9 +5,9 @@ job "vector" {
     "VOID-MIRROR",
     "VOID-CONTROL",
   ]
-  namespace   = "monitoring"
-  type        = "system"
-  priority    = 99
+  namespace = "monitoring"
+  type      = "system"
+  priority  = 99
 
   group "vector" {
     network {
@@ -25,7 +25,7 @@ job "vector" {
       port = "metrics"
       meta {
         nginx_enable = "true"
-        nginx_names = "vector-tmp.voidlinux.org"
+        nginx_names  = "vector-tmp.voidlinux.org"
       }
     }
 
@@ -81,8 +81,8 @@ job "vector" {
             }
           }
         })
-        destination = "local/vector.yaml"
-        left_delimiter = "[["
+        destination     = "local/vector.yaml"
+        left_delimiter  = "[["
         right_delimiter = "]]"
       }
     }
diff --git a/services/nomad/monitoring/vmlogs.nomad b/services/nomad/monitoring/vmlogs.nomad
index 45d95d00..8ba20f02 100644
--- a/services/nomad/monitoring/vmlogs.nomad
+++ b/services/nomad/monitoring/vmlogs.nomad
@@ -14,11 +14,11 @@ job "vmlogs" {
     }
 
     service {
-      name     = "vmlogs"
-      port     = "http"
+      name = "vmlogs"
+      port = "http"
       meta {
         nginx_enable = "true"
-        nginx_names = "vmlogs.voidlinux.org"
+        nginx_names  = "vmlogs.voidlinux.org"
       }
     }
 
diff --git a/terraform/hashistack/policy_buildbot.tf b/terraform/hashistack/policy_buildbot.tf
index 1e894fef..222c2965 100644
--- a/terraform/hashistack/policy_buildbot.tf
+++ b/terraform/hashistack/policy_buildbot.tf
@@ -1,10 +1,10 @@
 resource "nomad_acl_policy" "buildbot_worker_admin" {
-  name = "buildbot-worker-admin"
+  name        = "buildbot-worker-admin"
   description = "Manage buildbot worker secrets in nomad variables"
 
   job_acl {
     namespace = "build"
-    job_id = "buildbot"
+    job_id    = "buildbot"
   }
 
   rules_hcl = <<EOT
diff --git a/terraform/hashistack/policy_buildsync.tf b/terraform/hashistack/policy_buildsync.tf
index 9ed3039b..c4b001da 100644
--- a/terraform/hashistack/policy_buildsync.tf
+++ b/terraform/hashistack/policy_buildsync.tf
@@ -1,10 +1,10 @@
 resource "nomad_acl_policy" "buildsync_admin" {
-  name = "buildsync-admin"
+  name        = "buildsync-admin"
   description = "Manage buildsync secrets in nomad variables"
 
   job_acl {
     namespace = "build"
-    job_id = "build-rsyncd"
+    job_id    = "build-rsyncd"
   }
 
   rules_hcl = <<EOT
@@ -19,12 +19,12 @@ EOT
 }
 
 resource "nomad_acl_policy" "buildsync_buildbot_admin" {
-  name = "buildsync-buildbot-admin"
+  name        = "buildsync-buildbot-admin"
   description = "Manage buildsync secrets in nomad variables for buildbot"
 
   job_acl {
     namespace = "build"
-    job_id = "buildbot-worker"
+    job_id    = "buildbot-worker"
   }
 
   rules_hcl = <<EOT
diff --git a/terraform/hashistack/policy_certs.tf b/terraform/hashistack/policy_certs.tf
index d3a5c9d2..20a5252e 100644
--- a/terraform/hashistack/policy_certs.tf
+++ b/terraform/hashistack/policy_certs.tf
@@ -1,10 +1,10 @@
 resource "nomad_acl_policy" "certs_admin" {
-  name = "certs-admin"
+  name        = "certs-admin"
   description = "Manage certificates in nomad variables"
 
   job_acl {
     namespace = "infrastructure"
-    job_id = "cert-renew"
+    job_id    = "cert-renew"
   }
 
   rules_hcl = <<EOT
diff --git a/terraform/hashistack/policy_popcorn.tf b/terraform/hashistack/policy_popcorn.tf
index c69eda4a..ed2171a5 100644
--- a/terraform/hashistack/policy_popcorn.tf
+++ b/terraform/hashistack/policy_popcorn.tf
@@ -1,10 +1,10 @@
 resource "nomad_acl_policy" "popcorn_admin" {
-  name = "popcorn-admin"
+  name        = "popcorn-admin"
   description = "Manage popcorn keys in nomad variables"
 
   job_acl {
     namespace = "apps"
-    job_id = "popcorn-report"
+    job_id    = "popcorn-report"
   }
 
   rules_hcl = <<EOT
diff --git a/terraform/le/provider.tf b/terraform/le/provider.tf
index f0eb1431..92ca5f83 100644
--- a/terraform/le/provider.tf
+++ b/terraform/le/provider.tf
@@ -5,7 +5,7 @@ terraform {
       version = "2.41.0"
     }
     nomad = {
-      source = "hashicorp/nomad"
+      source  = "hashicorp/nomad"
       version = "2.5.2"
     }
   }
diff --git a/terraform/le/variables.tf b/terraform/le/variables.tf
index 6e1b5c92..536341f5 100644
--- a/terraform/le/variables.tf
+++ b/terraform/le/variables.tf
@@ -1,15 +1,15 @@
 resource "nomad_variable" "certs" {
   for_each = {
-    "nomad/jobs/nginx" = "mirror"
+    "nomad/jobs/nginx"         = "mirror"
     "nomad/jobs/nginx-control" = "infrastructure"
-    "nomad/jobs/maddy" = "apps-restricted"
+    "nomad/jobs/maddy"         = "apps-restricted"
   }
 
   namespace = each.value
-  path = each.key
+  path      = each.key
 
   items = {
     certificate = "${acme_certificate.voidlinux_org.certificate_pem}${acme_certificate.voidlinux_org.issuer_pem}"
-    key = acme_certificate.voidlinux_org.private_key_pem
+    key         = acme_certificate.voidlinux_org.private_key_pem
   }
 }