diff --git a/hosts/glyph/services/torrents.nix b/hosts/glyph/services/torrents.nix
index 8fe5a5af..98e6504f 100644
--- a/hosts/glyph/services/torrents.nix
+++ b/hosts/glyph/services/torrents.nix
@@ -8,13 +8,13 @@
     file = ./../secrets/pushover-user-token.age;
     mode = "550";
     owner = config.services.transmission.user;
-    group = config.services.transmission.group;
+    inherit (config.services.transmission) group;
   };
   age.secrets.pushover-app-token = {
     file = ./../secrets/pushover-app-token.age;
     mode = "550";
     owner = config.services.transmission.user;
-    group = config.services.transmission.group;
+    inherit (config.services.transmission) group;
   };
   services.transmission = {
     enable = true;
diff --git a/hosts/spore/services/default.nix b/hosts/spore/services/default.nix
index 3ab0cb0b..d4c17dfe 100644
--- a/hosts/spore/services/default.nix
+++ b/hosts/spore/services/default.nix
@@ -15,11 +15,11 @@
     file = ../secrets/tailscale-auth-key.age;
     mode = "440";
     owner = config.services.golink.user;
-    group = config.services.golink.group;
+    inherit (config.services.golink) group;
   };
 
   services.glances = {
-    enable = config.services.homepage-dashboard.enable;
+    inherit (config.services.homepage-dashboard) enable;
   };
 
   services.golink = {
diff --git a/hosts/spore/services/web/auth.nix b/hosts/spore/services/web/auth.nix
index 6860cd3b..51b9a81c 100644
--- a/hosts/spore/services/web/auth.nix
+++ b/hosts/spore/services/web/auth.nix
@@ -13,7 +13,7 @@
     file = ./../../secrets/pocket-id-encryption-key.age;
     mode = "440";
     owner = config.services.pocket-id.user;
-    group = config.services.pocket-id.group;
+    inherit (config.services.pocket-id) group;
   };
 
   rc.web.auth = {
diff --git a/hosts/zeta/services/znc.nix b/hosts/zeta/services/znc.nix
index 4923d1a3..a07f827e 100644
--- a/hosts/zeta/services/znc.nix
+++ b/hosts/zeta/services/znc.nix
@@ -6,7 +6,7 @@
   age.secrets.znc-conf = {
     file = ./../secrets/znc-conf.age;
     owner = config.services.znc.user;
-    group = config.services.znc.group;
+    inherit (config.services.znc) group;
   };
   services.znc = {
     enable = true;
diff --git a/modules/darwin/programs/fastscripts.nix b/modules/darwin/programs/fastscripts.nix
index 7d5e475d..4f7a5b2e 100644
--- a/modules/darwin/programs/fastscripts.nix
+++ b/modules/darwin/programs/fastscripts.nix
@@ -26,7 +26,7 @@ with lib; let
     fi
   '';
   userScripts = filter (f: f.enable) (attrValues config.programs.fastscripts.userScripts);
-  plistFile = config.programs.fastscripts.plistFile;
+  inherit (config.programs.fastscripts) plistFile;
 in {
   options.programs.fastscripts = {
     enable = mkEnableOption "FastScripts";
diff --git a/modules/home/rustmission.nix b/modules/home/rustmission.nix
index d5f524be..c31f31df 100644
--- a/modules/home/rustmission.nix
+++ b/modules/home/rustmission.nix
@@ -18,7 +18,7 @@ in {
 
       # TODO: Require settings.connection.url to be set
       settings = mkOption {
-        type = tomlFormat.type;
+        inherit (tomlFormat) type;
         default = {};
         example = lib.literalExpression ''
           {
diff --git a/modules/nixos/web/auth.nix b/modules/nixos/web/auth.nix
index aeafc043..c238c771 100644
--- a/modules/nixos/web/auth.nix
+++ b/modules/nixos/web/auth.nix
@@ -150,10 +150,10 @@ in {
         enable = true;
         provider = "oidc";
         oidcIssuerUrl = "https://${cfg.issuer.host}";
-        keyFile = cfg.authProxy.keyFile;
+        inherit (cfg.authProxy) keyFile;
         reverseProxy = true;
         setXauthrequest = true;
-        clientID = cfg.authProxy.clientID;
+        inherit (cfg.authProxy) clientID;
         redirectURL = "https://${cfg.authProxy.host}/oauth2/callback";
         nginx.domain = cfg.authProxy.host;
         cookie.domain = cfg.authProxy.domain;
@@ -171,7 +171,7 @@ in {
 
         virtualHosts.${cfg.issuer.host} = {
           forceSSL = true;
-          useACMEHost = cfg.issuer.useACMEHost;
+          inherit (cfg.issuer) useACMEHost;
           locations."/" = {
             proxyPass = "http://127.0.0.1:1411";
             proxyWebsockets = true;
@@ -180,7 +180,7 @@ in {
 
         virtualHosts.${cfg.authProxy.host} = {
           forceSSL = true;
-          useACMEHost = cfg.authProxy.useACMEHost;
+          inherit (cfg.authProxy) useACMEHost;
           locations."/oauth2/" = {
             proxyPass = "http://127.0.0.1:4180";
             extraConfig = ''
@@ -206,7 +206,7 @@ in {
     })
     (let
       vhosts = config.services.nginx.virtualHosts;
-      vhostsRequiringAuth = mapNames (lib.filter (set: set.value.requireAuth == true) (lib.attrsToList vhosts));
+      vhostsRequiringAuth = mapNames (lib.filter (set: set.value.requireAuth) (lib.attrsToList vhosts));
       mapNames = e: toString (lib.map (set: set.name) e);
     in
       mkIf (!cfg.enable && vhostsRequiringAuth != "") {
diff --git a/statix.toml b/statix.toml
new file mode 100644
index 00000000..0a6543a0
--- /dev/null
+++ b/statix.toml
@@ -0,0 +1,3 @@
+disabled = [
+  "repeated_keys"
+]