author: Janne Heß <janne@hess.ooo>, 2024-03-27 19:10:27 +0100
committer: Valentin Gagarin <valentin.gagarin@tweag.io>, 2024-03-28 09:28:12 +0100
commit: fcc95ff8172cc68a0d2d52aa1e8ef2120d2904ec
tree: 8de1a02f7d1624c97562c7736896a6c95c74ec04 /nixos/modules
parent: bc77c7a9730833c7668c92288c6af950e7270cb5
treewide: Fix all Nix ASTs in all markdown files
This allows for correct highlighting and maybe future automatic formatting. The AST was verified to work with nixfmt only.
Diffstat (limited to 'nixos/modules')
-rw-r--r-- nixos/modules/i18n/input-method/default.md 56
-rw-r--r-- nixos/modules/programs/digitalbitbox/default.md 28
-rw-r--r-- nixos/modules/programs/plotinus.md 4
-rw-r--r-- nixos/modules/security/acme/default.md 366
-rw-r--r-- nixos/modules/services/audio/castopod.md 20
-rw-r--r-- nixos/modules/services/backup/borgbackup.md 25
-rw-r--r-- nixos/modules/services/databases/foundationdb.md 14
-rw-r--r-- nixos/modules/services/databases/postgresql.md 30
-rw-r--r-- nixos/modules/services/databases/tigerbeetle.md 4
-rw-r--r-- nixos/modules/services/desktops/flatpak.md 4
-rw-r--r-- nixos/modules/services/development/athens.md 2
-rw-r--r-- nixos/modules/services/development/livebook.md 4
-rw-r--r-- nixos/modules/services/editors/emacs.md 12
-rw-r--r-- nixos/modules/services/matrix/maubot.md 90
-rw-r--r-- nixos/modules/services/misc/forgejo.md 40
-rw-r--r-- nixos/modules/services/misc/gitlab.md 78
-rw-r--r-- nixos/modules/services/misc/sourcehut/default.md 6
-rw-r--r-- nixos/modules/services/monitoring/certspotter.md 48
-rw-r--r-- nixos/modules/services/monitoring/parsedmarc.md 124
-rw-r--r-- nixos/modules/services/monitoring/prometheus/exporters.md 6
-rw-r--r-- nixos/modules/services/networking/firefox-syncserver.md 24
-rw-r--r-- nixos/modules/services/networking/mosquitto.md 73
-rw-r--r-- nixos/modules/services/networking/netbird.md 26
-rw-r--r-- nixos/modules/services/networking/pleroma.md 190
-rw-r--r-- nixos/modules/services/networking/prosody.md 56
-rw-r--r-- nixos/modules/services/search/meilisearch.md 4
-rw-r--r-- nixos/modules/services/web-apps/akkoma.md 284
-rw-r--r-- nixos/modules/services/web-apps/discourse.md 218
-rw-r--r-- nixos/modules/services/web-apps/gotosocial.md 52
-rw-r--r-- nixos/modules/services/web-apps/keycloak.md 22
-rw-r--r-- nixos/modules/services/web-apps/lemmy.md 14
-rw-r--r-- nixos/modules/services/web-apps/pict-rs.md 4
-rw-r--r-- nixos/modules/services/web-apps/suwayomi-server.md 2
-rw-r--r-- nixos/modules/services/x11/desktop-managers/gnome.md 92
-rw-r--r-- nixos/modules/services/x11/desktop-managers/pantheon.md 27
-rw-r--r-- nixos/modules/system/boot/clevis.md 8
36 files changed, 1128 insertions, 929 deletions
diff --git a/nixos/modules/i18n/input-method/default.md b/nixos/modules/i18n/input-method/default.md
index 3d56c97a1726..6d12462b788e 100644
--- a/nixos/modules/i18n/input-method/default.md
+++ b/nixos/modules/i18n/input-method/default.md
@@ -23,10 +23,12 @@ friendly input method user interface.
The following snippet can be used to configure IBus:
```nix
-i18n.inputMethod = {
- enabled = "ibus";
- ibus.engines = with pkgs.ibus-engines; [ anthy hangul mozc ];
-};
+{
+ i18n.inputMethod = {
+ enabled = "ibus";
+ ibus.engines = with pkgs.ibus-engines; [ anthy hangul mozc ];
+ };
+}
```
`i18n.inputMethod.ibus.engines` is optional and can be used
@@ -49,7 +51,9 @@ Available extra IBus engines are:
`table`. For example:
```nix
- ibus.engines = with pkgs.ibus-engines; [ table table-others ];
+ {
+ ibus.engines = with pkgs.ibus-engines; [ table table-others ];
+ }
```
To use any input method, the package must be added in the configuration, as
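Review bot: `ibus.engines` at the top level of the new `{ … }` is not a full option path; the text after the first IBus snippet names the option as `i18n.inputMethod.ibus.engines`. Write the full path here, `i18n.inputMethod.ibus.engines = with pkgs.ibus-engines; [ table table-others ];`, so the fragment is still correct when copied as is.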
@@ -75,10 +79,12 @@ built-in Input Method Engine, Pinyin, QuWei and Table-based input methods.
The following snippet can be used to configure Fcitx:
```nix
-i18n.inputMethod = {
- enabled = "fcitx5";
- fcitx5.addons = with pkgs; [ fcitx5-mozc fcitx5-hangul fcitx5-m17n ];
-};
+{
+ i18n.inputMethod = {
+ enabled = "fcitx5";
+ fcitx5.addons = with pkgs; [ fcitx5-mozc fcitx5-hangul fcitx5-m17n ];
+ };
+}
```
`i18n.inputMethod.fcitx5.addons` is optional and can be
@@ -111,9 +117,11 @@ phonetic Korean characters (hangul) and pictographic Korean characters
The following snippet can be used to configure Nabi:
```nix
-i18n.inputMethod = {
- enabled = "nabi";
-};
+{
+ i18n.inputMethod = {
+ enabled = "nabi";
+ };
+}
```
## Uim {#module-services-input-methods-uim}
@@ -124,9 +132,11 @@ framework. Applications can use it through so-called bridges.
The following snippet can be used to configure uim:
```nix
-i18n.inputMethod = {
- enabled = "uim";
-};
+{
+ i18n.inputMethod = {
+ enabled = "uim";
+ };
+}
```
Note: The [](#opt-i18n.inputMethod.uim.toolbar) option can be
@@ -142,9 +152,11 @@ etc...
The following snippet can be used to configure Hime:
```nix
-i18n.inputMethod = {
- enabled = "hime";
-};
+{
+ i18n.inputMethod = {
+ enabled = "hime";
+ };
+}
```
## Kime {#module-services-input-methods-kime}
@@ -154,7 +166,9 @@ Kime is Korean IME. it's built with Rust language and let you get simple, safe,
The following snippet can be used to configure Kime:
```nix
-i18n.inputMethod = {
- enabled = "kime";
-};
+{
+ i18n.inputMethod = {
+ enabled = "kime";
+ };
+}
```
diff --git a/nixos/modules/programs/digitalbitbox/default.md b/nixos/modules/programs/digitalbitbox/default.md
index c93d0f2b7f0a..5147bb971e3a 100644
--- a/nixos/modules/programs/digitalbitbox/default.md
+++ b/nixos/modules/programs/digitalbitbox/default.md
@@ -5,7 +5,9 @@ Digital Bitbox is a hardware wallet and second-factor authenticator.
The `digitalbitbox` programs module may be installed by setting
`programs.digitalbitbox` to `true` in a manner similar to
```nix
-programs.digitalbitbox.enable = true;
+{
+ programs.digitalbitbox.enable = true;
+}
```
and bundles the `digitalbitbox` package (see [](#sec-digitalbitbox-package)),
which contains the `dbb-app` and `dbb-cli` binaries, along with the hardware
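Review bot: The sentence above the snippet says to set `programs.digitalbitbox` to `true`, while the snippet sets `programs.digitalbitbox.enable = true;`. Since the example is being touched anyway, correct the sentence to name `programs.digitalbitbox.enable` so prose and code agree.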
@@ -22,9 +24,11 @@ For more information, see <https://digitalbitbox.com/start_linux>.
The binaries, `dbb-app` (a GUI tool) and `dbb-cli` (a CLI tool), are available
through the `digitalbitbox` package which could be installed as follows:
```nix
-environment.systemPackages = [
- pkgs.digitalbitbox
-];
+{
+ environment.systemPackages = [
+ pkgs.digitalbitbox
+ ];
+}
```
## Hardware {#sec-digitalbitbox-hardware-module}
@@ -32,16 +36,20 @@ environment.systemPackages = [
The digitalbitbox hardware package enables the udev rules for Digital Bitbox
devices and may be installed as follows:
```nix
-hardware.digitalbitbox.enable = true;
+{
+ hardware.digitalbitbox.enable = true;
+}
```
In order to alter the udev rules, one may provide different values for the
`udevRule51` and `udevRule52` attributes by means of overriding as follows:
```nix
-programs.digitalbitbox = {
- enable = true;
- package = pkgs.digitalbitbox.override {
- udevRule51 = "something else";
+{
+ programs.digitalbitbox = {
+ enable = true;
+ package = pkgs.digitalbitbox.override {
+ udevRule51 = "something else";
+ };
};
-};
+}
```
diff --git a/nixos/modules/programs/plotinus.md b/nixos/modules/programs/plotinus.md
index b59d0d5c188b..0a2c688c722c 100644
--- a/nixos/modules/programs/plotinus.md
+++ b/nixos/modules/programs/plotinus.md
@@ -13,5 +13,7 @@ palette provides a searchable list of of all menu items in the application.
To enable Plotinus, add the following to your
{file}`configuration.nix`:
```nix
-programs.plotinus.enable = true;
+{
+ programs.plotinus.enable = true;
+}
```
diff --git a/nixos/modules/security/acme/default.md b/nixos/modules/security/acme/default.md
index 38fbfbf0caec..a6ef2a3fdf18 100644
--- a/nixos/modules/security/acme/default.md
+++ b/nixos/modules/security/acme/default.md
@@ -46,33 +46,35 @@ certs are overwritten when the ACME certs arrive. For
`foo.example.com` the config would look like this:
```nix
-security.acme.acceptTerms = true;
-security.acme.defaults.email = "admin+acme@example.com";
-services.nginx = {
- enable = true;
- virtualHosts = {
- "foo.example.com" = {
- forceSSL = true;
- enableACME = true;
- # All serverAliases will be added as extra domain names on the certificate.
- serverAliases = [ "bar.example.com" ];
- locations."/" = {
- root = "/var/www";
+{
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "admin+acme@example.com";
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "foo.example.com" = {
+ forceSSL = true;
+ enableACME = true;
+ # All serverAliases will be added as extra domain names on the certificate.
+ serverAliases = [ "bar.example.com" ];
+ locations."/" = {
+ root = "/var/www";
+ };
};
- };
- # We can also add a different vhost and reuse the same certificate
- # but we have to append extraDomainNames manually beforehand:
- # security.acme.certs."foo.example.com".extraDomainNames = [ "baz.example.com" ];
- "baz.example.com" = {
- forceSSL = true;
- useACMEHost = "foo.example.com";
- locations."/" = {
- root = "/var/www";
+ # We can also add a different vhost and reuse the same certificate
+ # but we have to append extraDomainNames manually beforehand:
+ # security.acme.certs."foo.example.com".extraDomainNames = [ "baz.example.com" ];
+ "baz.example.com" = {
+ forceSSL = true;
+ useACMEHost = "foo.example.com";
+ locations."/" = {
+ root = "/var/www";
+ };
};
};
};
-};
+}
```
## Using ACME certificates in Apache/httpd {#module-security-acme-httpd}
@@ -89,65 +91,69 @@ the intent that you will generate certs for all your vhosts and redirect
everyone to HTTPS.
```nix
-security.acme.acceptTerms = true;
-security.acme.defaults.email = "admin+acme@example.com";
-
-# /var/lib/acme/.challenges must be writable by the ACME user
-# and readable by the Nginx user. The easiest way to achieve
-# this is to add the Nginx user to the ACME group.
-users.users.nginx.extraGroups = [ "acme" ];
-
-services.nginx = {
- enable = true;
- virtualHosts = {
- "acmechallenge.example.com" = {
- # Catchall vhost, will redirect users to HTTPS for all vhosts
- serverAliases = [ "*.example.com" ];
- locations."/.well-known/acme-challenge" = {
- root = "/var/lib/acme/.challenges";
- };
- locations."/" = {
- return = "301 https://$host$request_uri";
+{
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "admin+acme@example.com";
+
+ # /var/lib/acme/.challenges must be writable by the ACME user
+ # and readable by the Nginx user. The easiest way to achieve
+ # this is to add the Nginx user to the ACME group.
+ users.users.nginx.extraGroups = [ "acme" ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "acmechallenge.example.com" = {
+ # Catchall vhost, will redirect users to HTTPS for all vhosts
+ serverAliases = [ "*.example.com" ];
+ locations."/.well-known/acme-challenge" = {
+ root = "/var/lib/acme/.challenges";
+ };
+ locations."/" = {
+ return = "301 https://$host$request_uri";
+ };
};
};
};
-};
-# Alternative config for Apache
-users.users.wwwrun.extraGroups = [ "acme" ];
-services.httpd = {
- enable = true;
- virtualHosts = {
- "acmechallenge.example.com" = {
- # Catchall vhost, will redirect users to HTTPS for all vhosts
- serverAliases = [ "*.example.com" ];
- # /var/lib/acme/.challenges must be writable by the ACME user and readable by the Apache user.
- # By default, this is the case.
- documentRoot = "/var/lib/acme/.challenges";
- extraConfig = ''
- RewriteEngine On
- RewriteCond %{HTTPS} off
- RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge [NC]
- RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301]
- '';
+ # Alternative config for Apache
+ users.users.wwwrun.extraGroups = [ "acme" ];
+ services.httpd = {
+ enable = true;
+ virtualHosts = {
+ "acmechallenge.example.com" = {
+ # Catchall vhost, will redirect users to HTTPS for all vhosts
+ serverAliases = [ "*.example.com" ];
+ # /var/lib/acme/.challenges must be writable by the ACME user and readable by the Apache user.
+ # By default, this is the case.
+ documentRoot = "/var/lib/acme/.challenges";
+ extraConfig = ''
+ RewriteEngine On
+ RewriteCond %{HTTPS} off
+ RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge [NC]
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301]
+ '';
+ };
};
};
-};
+}
```
Now you need to configure ACME to generate a certificate.
```nix
-security.acme.certs."foo.example.com" = {
- webroot = "/var/lib/acme/.challenges";
- email = "foo@example.com";
- # Ensure that the web server you use can read the generated certs
- # Take a look at the group option for the web server you choose.
- group = "nginx";
- # Since we have a wildcard vhost to handle port 80,
- # we can generate certs for anything!
- # Just make sure your DNS resolves them.
- extraDomainNames = [ "mail.example.com" ];
-};
+{
+ security.acme.certs."foo.example.com" = {
+ webroot = "/var/lib/acme/.challenges";
+ email = "foo@example.com";
+ # Ensure that the web server you use can read the generated certs
+ # Take a look at the group option for the web server you choose.
+ group = "nginx";
+ # Since we have a wildcard vhost to handle port 80,
+ # we can generate certs for anything!
+ # Just make sure your DNS resolves them.
+ extraDomainNames = [ "mail.example.com" ];
+ };
+}
```
The private key {file}`key.pem` and certificate
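Review bot: The nginx and Apache variants should be two separate fenced blocks. Inside the single new `{ … }`, the part under `# Alternative config for Apache` no longer reads as an alternative: copied as shown, the attribute set enables both `services.nginx` and `services.httpd`, each with the same `acmechallenge.example.com` catch-all vhost. Give each web server its own block and braces, keeping the shared `security.acme.*` lines in whichever block comes first or repeating them.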
@@ -168,31 +174,33 @@ for provider/server specific configuration values. For the sake of these
docs, we will provide a fully self-hosted example using bind.
```nix
-services.bind = {
- enable = true;
- extraConfig = ''
- include "/var/lib/secrets/dnskeys.conf";
- '';
- zones = [
- rec {
- name = "example.com";
- file = "/var/db/bind/${name}";
- master = true;
- extraConfig = "allow-update { key rfc2136key.example.com.; };";
- }
- ];
-};
-
-# Now we can configure ACME
-security.acme.acceptTerms = true;
-security.acme.defaults.email = "admin+acme@example.com";
-security.acme.certs."example.com" = {
- domain = "*.example.com";
- dnsProvider = "rfc2136";
- environmentFile = "/var/lib/secrets/certs.secret";
- # We don't need to wait for propagation since this is a local DNS server
- dnsPropagationCheck = false;
-};
+{
+ services.bind = {
+ enable = true;
+ extraConfig = ''
+ include "/var/lib/secrets/dnskeys.conf";
+ '';
+ zones = [
+ rec {
+ name = "example.com";
+ file = "/var/db/bind/${name}";
+ master = true;
+ extraConfig = "allow-update { key rfc2136key.example.com.; };";
+ }
+ ];
+ };
+
+ # Now we can configure ACME
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "admin+acme@example.com";
+ security.acme.certs."example.com" = {
+ domain = "*.example.com";
+ dnsProvider = "rfc2136";
+ environmentFile = "/var/lib/secrets/certs.secret";
+ # We don't need to wait for propagation since this is a local DNS server
+ dnsPropagationCheck = false;
+ };
+}
```
The {file}`dnskeys.conf` and {file}`certs.secret`
@@ -200,36 +208,38 @@ must be kept secure and thus you should not keep their contents in your
Nix config. Instead, generate them one time with a systemd service:
```nix
-systemd.services.dns-rfc2136-conf = {
- requiredBy = ["acme-example.com.service" "bind.service"];
- before = ["acme-example.com.service" "bind.service"];
- unitConfig = {
- ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
- };
- serviceConfig = {
- Type = "oneshot";
- UMask = 0077;
+{
+ systemd.services.dns-rfc2136-conf = {
+ requiredBy = ["acme-example.com.service" "bind.service"];
+ before = ["acme-example.com.service" "bind.service"];
+ unitConfig = {
+ ConditionPathExists = "!/var/lib/secrets/dnskeys.conf";
+ };
+ serviceConfig = {
+ Type = "oneshot";
+ UMask = 0077;
+ };
+ path = [ pkgs.bind ];
+ script = ''
+ mkdir -p /var/lib/secrets
+ chmod 755 /var/lib/secrets
+ tsig-keygen rfc2136key.example.com > /var/lib/secrets/dnskeys.conf
+ chown named:root /var/lib/secrets/dnskeys.conf
+ chmod 400 /var/lib/secrets/dnskeys.conf
+
+ # extract secret value from the dnskeys.conf
+ while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
+
+ cat > /var/lib/secrets/certs.secret << EOF
+ RFC2136_NAMESERVER='127.0.0.1:53'
+ RFC2136_TSIG_ALGORITHM='hmac-sha256.'
+ RFC2136_TSIG_KEY='rfc2136key.example.com'
+ RFC2136_TSIG_SECRET='$secret'
+ EOF
+ chmod 400 /var/lib/secrets/certs.secret
+ '';
};
- path = [ pkgs.bind ];
- script = ''
- mkdir -p /var/lib/secrets
- chmod 755 /var/lib/secrets
- tsig-keygen rfc2136key.example.com > /var/lib/secrets/dnskeys.conf
- chown named:root /var/lib/secrets/dnskeys.conf
- chmod 400 /var/lib/secrets/dnskeys.conf
-
- # extract secret value from the dnskeys.conf
- while read x y; do if [ "$x" = "secret" ]; then secret="''${y:1:''${#y}-3}"; fi; done < /var/lib/secrets/dnskeys.conf
-
- cat > /var/lib/secrets/certs.secret << EOF
- RFC2136_NAMESERVER='127.0.0.1:53'
- RFC2136_TSIG_ALGORITHM='hmac-sha256.'
- RFC2136_TSIG_KEY='rfc2136key.example.com'
- RFC2136_TSIG_SECRET='$secret'
- EOF
- chmod 400 /var/lib/secrets/certs.secret
- '';
-};
+}
```
Now you're all set to generate certs! You should monitor the first invocation
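Review bot: `UMask = 0077;` in `serviceConfig` should be written as a string, `UMask = "0077";`. Nix has no octal integer literals, so the unquoted form is a decimal integer with leading zeros, and the unit gets the intended mask only because systemd reads the resulting value as octal. This unit writes the TSIG secret to `dnskeys.conf` and `certs.secret`, so the mask is worth stating unambiguously in the documentation example.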
@@ -251,27 +261,29 @@ you will set them as defaults
(e.g. [](#opt-security.acme.defaults.dnsProvider)).
```nix
-# Configure ACME appropriately
-security.acme.acceptTerms = true;
-security.acme.defaults.email = "admin+acme@example.com";
-security.acme.defaults = {
- dnsProvider = "rfc2136";
- environmentFile = "/var/lib/secrets/certs.secret";
- # We don't need to wait for propagation since this is a local DNS server
- dnsPropagationCheck = false;
-};
-
-# For each virtual host you would like to use DNS-01 validation with,
-# set acmeRoot = null
-services.nginx = {
- enable = true;
- virtualHosts = {
- "foo.example.com" = {
- enableACME = true;
- acmeRoot = null;
+{
+ # Configure ACME appropriately
+ security.acme.acceptTerms = true;
+ security.acme.defaults.email = "admin+acme@example.com";
+ security.acme.defaults = {
+ dnsProvider = "rfc2136";
+ environmentFile = "/var/lib/secrets/certs.secret";
+ # We don't need to wait for propagation since this is a local DNS server
+ dnsPropagationCheck = false;
+ };
+
+ # For each virtual host you would like to use DNS-01 validation with,
+ # set acmeRoot = null
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "foo.example.com" = {
+ enableACME = true;
+ acmeRoot = null;
+ };
};
};
-};
+}
```
And that's it! Next time your configuration is rebuilt, or when
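Review bot: Move `email` into the `security.acme.defaults = { … }` block. As written, `security.acme.defaults.email` is set on its own line and `security.acme.defaults` is then assigned as a whole set directly below it, so within the new enclosing braces the same `defaults` path is spelled two different ways. One block with `email`, `dnsProvider`, `environmentFile` and `dnsPropagationCheck` reads more clearly.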
@@ -288,39 +300,41 @@ Below is an example configuration for OpenSMTPD, but this pattern
can be applied to any service.
```nix
-# Configure ACME however you like (DNS or HTTP validation), adding
-# the following configuration for the relevant certificate.
-# Note: You cannot use `systemctl reload` here as that would mean
-# the LoadCredential configuration below would be skipped and
-# the service would continue to use old certificates.
-security.acme.certs."mail.example.com".postRun = ''
- systemctl restart opensmtpd
-'';
-
-# Now you must augment OpenSMTPD's systemd service to load
-# the certificate files.
-systemd.services.opensmtpd.requires = ["acme-finished-mail.example.com.target"];
-systemd.services.opensmtpd.serviceConfig.LoadCredential = let
- certDir = config.security.acme.certs."mail.example.com".directory;
-in [
- "cert.pem:${certDir}/cert.pem"
- "key.pem:${certDir}/key.pem"
-];
-
-# Finally, configure OpenSMTPD to use these certs.
-services.opensmtpd = let
- credsDir = "/run/credentials/opensmtpd.service";
-in {
- enable = true;
- setSendmail = false;
- serverConfiguration = ''
- pki mail.example.com cert "${credsDir}/cert.pem"
- pki mail.example.com key "${credsDir}/key.pem"
- listen on localhost tls pki mail.example.com
- action act1 relay host smtp://127.0.0.1:10027
- match for local action act1
+{
+ # Configure ACME however you like (DNS or HTTP validation), adding
+ # the following configuration for the relevant certificate.
+ # Note: You cannot use `systemctl reload` here as that would mean
+ # the LoadCredential configuration below would be skipped and
+ # the service would continue to use old certificates.
+ security.acme.certs."mail.example.com".postRun = ''
+ systemctl restart opensmtpd
'';
-};
+
+ # Now you must augment OpenSMTPD's systemd service to load
+ # the certificate files.
+ systemd.services.opensmtpd.requires = ["acme-finished-mail.example.com.target"];
+ systemd.services.opensmtpd.serviceConfig.LoadCredential = let
+ certDir = config.security.acme.certs."mail.example.com".directory;
+ in [
+ "cert.pem:${certDir}/cert.pem"
+ "key.pem:${certDir}/key.pem"
+ ];
+
+ # Finally, configure OpenSMTPD to use these certs.
+ services.opensmtpd = let
+ credsDir = "/run/credentials/opensmtpd.service";
+ in {
+ enable = true;
+ setSendmail = false;
+ serverConfiguration = ''
+ pki mail.example.com cert "${credsDir}/cert.pem"
+ pki mail.example.com key "${credsDir}/key.pem"
+ listen on localhost tls pki mail.example.com
+ action act1 relay host smtp://127.0.0.1:10027
+ match for local action act1
+ '';
+ };
+}
```
## Regenerating certificates {#module-security-acme-regenerate}
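Review bot: `config` is unbound in `certDir = config.security.acme.certs."mail.example.com".directory;` now that the snippet is a complete expression opening with a bare `{`. Put a module header, `{ config, ... }:`, in front of the opening brace so the example evaluates and does not merely parse; the commit message notes the ASTs were checked with nixfmt only. The same applies to the snippets in this patch that reference `pkgs`.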
diff --git a/nixos/modules/services/audio/castopod.md b/nixos/modules/services/audio/castopod.md
index ee8590737a7c..40838cc77aa6 100644
--- a/nixos/modules/services/audio/castopod.md
+++ b/nixos/modules/services/audio/castopod.md
@@ -7,16 +7,18 @@ Castopod is an open-source hosting platform made for podcasters who want to enga
Use the following configuration to start a public instance of Castopod on `castopod.example.com` domain:
```nix
-networking.firewall.allowedTCPPorts = [ 80 443 ];
-services.castopod = {
- enable = true;
- database.createLocally = true;
- nginx.virtualHost = {
- serverName = "castopod.example.com";
- enableACME = true;
- forceSSL = true;
+{
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+ services.castopod = {
+ enable = true;
+ database.createLocally = true;
+ nginx.virtualHost = {
+ serverName = "castopod.example.com";
+ enableACME = true;
+ forceSSL = true;
+ };
};
-};
+}
```
Go to `https://castopod.example.com/cp-install` to create superadmin account after applying the above configuration.
diff --git a/nixos/modules/services/backup/borgbackup.md b/nixos/modules/services/backup/borgbackup.md
index 64d9e35720f1..2c91174732e1 100644
--- a/nixos/modules/services/backup/borgbackup.md
+++ b/nixos/modules/services/backup/borgbackup.md
@@ -24,19 +24,18 @@ A very basic configuration for backing up to a locally accessible directory is:
```nix
{
opt.services.borgbackup.jobs = {
- { rootBackup = {
- paths = "/";
- exclude = [ "/nix" "/path/to/local/repo" ];
- repo = "/path/to/local/repo";
- doInit = true;
- encryption = {
- mode = "repokey";
- passphrase = "secret";
- };
- compression = "auto,lzma";
- startAt = "weekly";
+ rootBackup = {
+ paths = "/";
+ exclude = [ "/nix" "/path/to/local/repo" ];
+ repo = "/path/to/local/repo";
+ doInit = true;
+ encryption = {
+ mode = "repokey";
+ passphrase = "secret";
};
- }
+ compression = "auto,lzma";
+ startAt = "weekly";
+ };
};
}
```
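Review bot: The attribute path `opt.services.borgbackup.jobs` in the unchanged context line still carries an `opt.` prefix, which looks like a leftover from an option anchor; while fixing the braces in this example, change it to `services.borgbackup.jobs`. The example also sets `passphrase = "secret";` inline, so a short comment marking that value as a placeholder would help readers who copy the block.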
@@ -96,7 +95,7 @@ accessible by root
startAt = "hourly";
};
};
-};
+}
```
The following few commands (run as root) let you test your backup.
diff --git a/nixos/modules/services/databases/foundationdb.md b/nixos/modules/services/databases/foundationdb.md
index af17c9f95999..9f7addc9c140 100644
--- a/nixos/modules/services/databases/foundationdb.md
+++ b/nixos/modules/services/databases/foundationdb.md
@@ -16,8 +16,10 @@ key-value store.
To enable FoundationDB, add the following to your
{file}`configuration.nix`:
```nix
-services.foundationdb.enable = true;
-services.foundationdb.package = pkgs.foundationdb71; # FoundationDB 7.1.x
+{
+ services.foundationdb.enable = true;
+ services.foundationdb.package = pkgs.foundationdb71; # FoundationDB 7.1.x
+}
```
The {option}`services.foundationdb.package` option is required, and
@@ -110,7 +112,9 @@ FoundationDB stores all data for all server processes under
{file}`/var/lib/foundationdb`. You can override this using
{option}`services.foundationdb.dataDir`, e.g.
```nix
-services.foundationdb.dataDir = "/data/fdb";
+{
+ services.foundationdb.dataDir = "/data/fdb";
+}
```
Similarly, logs are stored under {file}`/var/log/foundationdb`
@@ -266,7 +270,9 @@ For example, to create backups in {command}`/opt/fdb-backups`, first
set up the paths in the module options:
```nix
-services.foundationdb.extraReadWritePaths = [ "/opt/fdb-backups" ];
+{
+ services.foundationdb.extraReadWritePaths = [ "/opt/fdb-backups" ];
+}
```
Restart the FoundationDB service, and it will now be able to write to this
diff --git a/nixos/modules/services/databases/postgresql.md b/nixos/modules/services/databases/postgresql.md
index ce1f2856b019..6cce8f542a53 100644
--- a/