diff --git a/flake.lock b/flake.lock index 3b9dee1..19527f2 100644 --- a/flake.lock +++ b/flake.lock @@ -250,6 +250,21 @@ "type": "github" } }, + "flakey-profile": { + "locked": { + "lastModified": 1712898590, + "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", + "owner": "lf-", + "repo": "flakey-profile", + "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", + "type": "github" + }, + "original": { + "owner": "lf-", + "repo": "flakey-profile", + "type": "github" + } + }, "gitignore": { "inputs": { "nixpkgs": [ @@ -313,6 +328,43 @@ "type": "github" } }, + "lix": { + "flake": false, + "locked": { + "lastModified": 1751235704, + "narHash": "sha256-J4ycLoXHPsoBoQtEXFCelL4xlq5pT8U9tNWNKm43+YI=", + "rev": "1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6.tar.gz?rev=1d7368585eebaa2c4bdbcb88fe600cfb2239b2c6" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/lix/archive/release-2.93.tar.gz" + } + }, + "lix-module": { + "inputs": { + "flake-utils": [ + "flake-utils" + ], + "flakey-profile": "flakey-profile", + "lix": "lix", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1751240025, + "narHash": "sha256-SXUAlxpjPRkArRMHy5+Hdi+PiC+ND9yzzIjiaHmTvQU=", + "rev": "8b1094356f4723d6e89d3f8a95b333ee16d9ab02", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/8b1094356f4723d6e89d3f8a95b333ee16d9ab02.tar.gz?rev=8b1094356f4723d6e89d3f8a95b333ee16d9ab02" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz" + } + }, "matrix-appservices": { "inputs": { "devshell": "devshell", 
@@ -468,6 +520,7 @@ "flake-parts": "flake-parts", "flake-utils": "flake-utils", "home-manager": "home-manager_2", + "lix-module": "lix-module", "matrix-appservices": "matrix-appservices", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", diff --git a/flake.nix b/flake.nix index cf2c29e..dafa3ba 100644 --- a/flake.nix +++ b/flake.nix @@ -19,6 +19,12 @@ rec { nixos-hardware.url = "github:NixOS/nixos-hardware"; + lix-module = { + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.93.2-1.tar.gz"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.flake-utils.follows = "flake-utils"; + }; + disko = { url = "github:nix-community/disko/latest"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/home/flake-module.nix b/home/flake-module.nix index 7d46de3..2849f00 100644 --- a/home/flake-module.nix +++ b/home/flake-module.nix @@ -21,8 +21,7 @@ let home.username = user; home.homeDirectory = "/home/${user}"; } - ] - ++ modules; + ] ++ modules; }; in { diff --git a/home/modules/firefox/mkFirefoxModuleCompat.nix b/home/modules/firefox/mkFirefoxModuleCompat.nix index 3345953..e3cf8ea 100644 --- a/home/modules/firefox/mkFirefoxModuleCompat.nix +++ b/home/modules/firefox/mkFirefoxModuleCompat.nix @@ -29,8 +29,7 @@ let configPath = [ "config" "content" # due to mkIf - ] - ++ modulePath; + ] ++ modulePath; in lib.updateManyAttrsByPath [ diff --git a/home/modules/firefox/mkFirefoxProfileBinModule.nix b/home/modules/firefox/mkFirefoxProfileBinModule.nix index 4c3ff5a..ebae797 100644 --- a/home/modules/firefox/mkFirefoxProfileBinModule.nix +++ b/home/modules/firefox/mkFirefoxProfileBinModule.nix @@ -33,8 +33,7 @@ let categories = [ "Network" "WebBrowser" - ] - ++ lib.optional isSecure "Security"; + ] ++ lib.optional isSecure "Security"; }; in pkgs.runCommand pname { } '' diff --git a/lib/createUser.nix b/lib/createUser.nix index 18c8ce3..56f68d3 100644 --- a/lib/createUser.nix +++ b/lib/createUser.nix 
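Review bot: The new `lix-module` input in flake.nix points at a tag archive (`.../nixos-module/archive/2.93.2-1.tar.gz`), and a tag can be re-pointed upstream, so what actually gets built is fixed only by the `rev` and `narHash` recorded in flake.lock. Judging by the system/nix.nix change in this commit, this input supplies the Nix daemon implementation, so I would say that next to the URL, for example `# tag archive: content is pinned by flake.lock (rev + narHash); review the lix and lix-module rev changes on every flake update`. The transitive `lix` and `flakey-profile` inputs are not overridden with `follows`, so their lock entries deserve the same look when the lock file changes.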
@@ -35,8 +35,7 @@ count = 60000000; } ]; - } - // user; + } // user; home-manager = { useGlobalPkgs = true; diff --git a/lib/openwrt.nix b/lib/openwrt.nix index ee761ac..271aba7 100644 --- a/lib/openwrt.nix +++ b/lib/openwrt.nix @@ -30,8 +30,7 @@ in "luci-ssl" "nextdns" "tailscale" - ] - ++ packages; + ] ++ packages; # TODO set up SSH config (register public keys, disable password login, ...) files = pkgs.runCommand "image-files" { } '' diff --git a/modules/systemdNotify.nix b/modules/systemdNotify.nix index a4c3273..6a4c1d0 100644 --- a/modules/systemdNotify.nix +++ b/modules/systemdNotify.nix 
@@ -85,32 +85,34 @@ in } ]; - systemd.services."notify@" = { - onFailure = lib.mkForce [ ]; - } - // optionalAttrs (cfg.method == "libnotify") { - description = "Desktop notifications for %i service failure"; - environment = { - DISPLAY = ":0"; - INSTANCE = "%i"; + systemd.services."notify@" = + { + onFailure = lib.mkForce [ ]; + } + // optionalAttrs (cfg.method == "libnotify") { + description = "Desktop notifications for %i service failure"; + environment = { + DBUS_SESSION_BUS_ADDRESS = "unix:path=/run/user/${ + toString config.users.users.${cfg.libnotify.user}.uid + }/bus"; + INSTANCE = "%i"; + }; + script = '' + ${pkgs.libnotify}/bin/notify-send --urgency=critical \ + "Service '$INSTANCE' failed" \ + "$(journalctl -n 6 -o cat -u $INSTANCE)" + ''; + serviceConfig = { + Type = "oneshot"; + User = cfg.libnotify.user; + }; + } + // optionalAttrs (cfg.method == "email") { + description = "E-Mail notifications for %i service failure"; + serviceConfig = { + ExecStart = "${sendmail} %i"; + Type = "oneshot"; + }; }; - script = '' - export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u '${cfg.libnotify.user}')/bus" - ${pkgs.libnotify}/bin/notify-send --app-name="$INSTANCE" --urgency=critical \ - "Service '$INSTANCE' failed" \ - "$(journalctl -n 6 -o cat -u $INSTANCE)" - ''; - serviceConfig = { - Type = "oneshot"; - User = cfg.libnotify.user; - }; - } - // optionalAttrs (cfg.method == "email") { - description = "E-Mail notifications for %i service failure"; - serviceConfig = { - ExecStart = "${sendmail} %i"; - Type = "oneshot"; - }; - }; }; } diff --git a/services/restic/lib.nix b/services/restic/lib.nix index 7b53de6..727b856 100644 --- a/services/restic/lib.nix +++ b/services/restic/lib.nix @@ -53,8 +53,7 @@ in # reduce download bandwidth "--max-unused 10%" "--repack-cacheable-only" - ] - ++ extraPruneOpts; + ] ++ extraPruneOpts; } // (removeAttrs args [ "name" diff --git a/system/nix.nix b/system/nix.nix index ea9c489..335dc93 100644 --- a/system/nix.nix 
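Review bot: In the libnotify branch of `systemd.services."notify@"`, `DBUS_SESSION_BUS_ADDRESS` is now built at evaluation time from `config.users.users.${cfg.libnotify.user}.uid`, and that option is null unless the uid is set explicitly, in which case `toString` yields an empty string and the address becomes `unix:path=/run/user//bus`. The failure notification would then be lost without any error, which defeats a unit whose only job is to surface failures. Either add an assertion such as `assertion = cfg.method != "libnotify" || config.users.users.${cfg.libnotify.user}.uid != null;` or keep resolving the uid at run time as the removed `id -u` line did. Separately, `$INSTANCE` is unquoted in the `journalctl` call, and `-u "$INSTANCE"` is the safer form. The enclosing attribute set starts outside the hunk.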
+++ b/system/nix.nix @@ -10,22 +10,15 @@ let inherit (inputs.self.outputs) nixConfig; in { - nixpkgs.config.allowUnfree = true; - - nixpkgs.overlays = [ - (final: prev: { - inherit (final.lixPackageSets.stable) - nixpkgs-review - nix-direnv - nix-eval-jobs - nix-fast-build - colmena - ; - }) + imports = [ + # TODO switch to lixFromNixpkgs once 2.93.2 is available + inputs.lix-module.nixosModules.default + # inputs.lix-module.nixosModules.lixFromNixpkgs ]; + nixpkgs.config.allowUnfree = true; + nix = { - package = pkgs.lixPackageSets.stable.lix; settings = { trusted-users = [ "@wheel" ]; substituters = nixConfig.extra-substituters; diff --git a/system/vpn.nix b/system/vpn.nix index 4b0e459..753708c 100644 --- a/system/vpn.nix +++ b/system/vpn.nix @@ -89,20 +89,21 @@ in wants = [ "tailscaled.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig.Type = "oneshot"; - script = '' - status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service) - if [[ $status != Connected* ]]; then - ${cfg.package}/bin/tailscale up - fi + script = + '' + status=$(${config.systemd.package}/bin/systemctl show -P StatusText tailscaled.service) + if [[ $status != Connected* ]]; then + ${cfg.package}/bin/tailscale up + fi - # some options cannot be set immediately - ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags} + # some options cannot be set immediately + ${cfg.package}/bin/tailscale up ${lib.escapeShellArgs cfg.extraUpFlags} - ${cfg.package}/bin/tailscale cert ${tailnetHost} - '' - + lib.optionalString config.services.nginx.enable '' - chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt} - ''; + ${cfg.package}/bin/tailscale cert ${tailnetHost} + '' + + lib.optionalString config.services.nginx.enable '' + chown nginx:nginx /var/lib/tailscale/certs/${tailnetHost}.{key,crt} + ''; }; services.nginx.virtualHosts.${tailnetHost} = {
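Review bot: In system/nix.nix both the explicit `nix.package` and the overlay that took `nixpkgs-review`, `nix-direnv`, `nix-eval-jobs`, `nix-fast-build` and `colmena` from the Lix package set are removed. Which Nix implementation the daemon and these tools use now rests entirely on `inputs.lix-module.nixosModules.default`, whose contents are not visible here. It is worth confirming on a built system that `nix.package` still resolves to Lix and that those tools are not silently built against a different implementation. The TODO would also be clearer if it said where the version must appear, for example `# TODO: switch to lixFromNixpkgs once nixpkgs ships Lix 2.93.2`, if that is the intended meaning. The `nix = {` block continues outside the hunk.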