diff --git a/nixos/modules/private-storage.nix b/nixos/modules/private-storage.nix
index 1b55614859801fd7580dd50508a10382bb493ae3..6892f3f48cd1ea5de275380b462f7daa2ca69ff3 100644
--- a/nixos/modules/private-storage.nix
+++ b/nixos/modules/private-storage.nix
@@ -96,68 +96,68 @@ in # Define configuration based on values given for our options - starting with # the option that says whether this is even turned on. config = lib.mkIf cfg.enable - { services.tahoe.nodes."${storage-node-name}" = - { package = cfg.tahoe.package; - # Each attribute in this set corresponds to a section in the tahoe.cfg - # file. Attributes on those sets correspond to individual assignments - # in those sections. - # - # We just populate this according to policy/preference of Private - # Storage. - sections = - { client = if cfg.introducerFURL == null then {} else - { "introducer.furl" = cfg.introducerFURL; - }; - node = - # XXX Should try to name that is unique across the grid. - { nickname = "${storage-node-name}"; + { services.tahoe.nodes."${storage-node-name}" = + { package = cfg.tahoe.package; + # Each attribute in this set corresponds to a section in the + # tahoe.cfg file. Attributes on those sets correspond to individual + # assignments in those sections. + # + # We just populate this according to policy/preference of Private + # Storage. + sections = + { client = if cfg.introducerFURL == null then {} else + { "introducer.furl" = cfg.introducerFURL; + }; + node = + # XXX Should try to name that is unique across the grid. + { nickname = "${storage-node-name}"; - # We have the web port active because the CLI uses it and because it - # exposes a metrics endpoint for our monitoring system. The actual - # port configuration lives in systemd so that it can order binding - # the socket correctly with other dependencies (which we can't - # reliably do with Tahoe without a bunch of other work). - "web.port" = "systemd:domain=INET:index=0"; + # We have the web port active because the CLI uses it and + # because it exposes a metrics endpoint for our monitoring + # system. 
The actual port configuration lives in systemd so + # that it can order binding the socket correctly with other + # dependencies (which we can't reliably do with Tahoe + # without a bunch of other work). + "web.port" = "systemd:domain=INET:index=0"; - # We have to tell Tahoe-LAFS where to listen for Foolscap - # connections for the storage protocol. We have to tell it twice. - # First, in the syntax which it uses to listen. - "tub.port" = "tcp:${toString cfg.publicStoragePort}"; + # We have to tell Tahoe-LAFS where to listen for Foolscap + # connections for the storage protocol. We have to tell it twice. + # First, in the syntax which it uses to listen. + "tub.port" = "tcp:${toString cfg.publicStoragePort}"; - # Second, in the syntax it advertises to in the fURL. - "tub.location" = "tcp:${cfg.publicAddress}:${toString cfg.publicStoragePort}"; - }; - storage = - { enabled = true; - # Put the storage where we have a lot of space configured. - storage_dir = "/storage"; - # Turn on our plugin. - plugins = "privatestorageio-zkapauthz-v2"; + # Second, in the syntax it advertises to in the fURL. + "tub.location" = "tcp:${cfg.publicAddress}:${toString cfg.publicStoragePort}"; + }; + storage = + { enabled = true; + # Put the storage where we have a lot of space configured. + storage_dir = "/storage"; + # Turn on our plugin. 
+ plugins = "privatestorageio-zkapauthz-v2"; + }; + "storageserver.plugins.privatestorageio-zkapauthz-v2" = + { "ristretto-issuer-root-url" = cfg.issuerRootURL; + "ristretto-signing-key-path" = cfg.ristrettoSigningKeyPath; + } // ( + if cfg.passValue == null + then {} + else { "pass-value" = (toString cfg.passValue); } + ); + }; }; - "storageserver.plugins.privatestorageio-zkapauthz-v2" = - { "ristretto-issuer-root-url" = cfg.issuerRootURL; - "ristretto-signing-key-path" = cfg.ristrettoSigningKeyPath; - } // ( - if cfg.passValue == null - then {} - else { "pass-value" = (toString cfg.passValue); } - ); - }; - }; - # Let traffic destined for the storage node's Foolscap server through. - networking.firewall.allowedTCPPorts = [ cfg.publicStoragePort ]; + # Let traffic destined for the storage node's Foolscap server through. + networking.firewall.allowedTCPPorts = [ cfg.publicStoragePort ]; - systemd.tmpfiles.rules = - # Add a rule to prevent incident reports from accumulating indefinitely. - # See tmpfiles.d(5) for the syntax. - [ "d ${incidents-dir} 0755 root root ${max-incident-age} -" - ]; + systemd.tmpfiles.rules = + # Add a rule to prevent incident reports from accumulating indefinitely. + # See tmpfiles.d(5) for the syntax. + [ "d ${incidents-dir} 0755 root root ${max-incident-age} -" + ]; - environment.systemPackages = [ - # Provide a useful tool for reporting about shares. - ourpkgs.leasereport - ]; - - }; + environment.systemPackages = [ + # Provide a useful tool for reporting about shares. + ourpkgs.leasereport + ]; + }; }