diff --git a/nixos/modules/services/security/sshguard.nix b/nixos/modules/services/security/sshguard.nix
index ab768f787a66..49d27ad61eb6 100644
--- a/nixos/modules/services/security/sshguard.nix
+++ b/nixos/modules/services/security/sshguard.nix
@@ -4,9 +4,6 @@
   pkgs,
   ...
 }:
-
-with lib;
-
 let
   cfg = config.services.sshguard;
 
@@ -19,7 +16,7 @@ let
           "-o cat"
           "-n1"
         ]
-        ++ (map (name: "-t ${escapeShellArg name}") cfg.services)
+        ++ (map (name: "-t ${lib.escapeShellArg name}") cfg.services)
       );
       backend = if config.networking.nftables.enable then "sshg-fw-nft-sets" else "sshg-fw-ipset";
     in
@@ -36,40 +33,40 @@ in
   options = {
 
     services.sshguard = {
-      enable = mkOption {
+      enable = lib.mkOption {
         default = false;
-        type = types.bool;
+        type = lib.types.bool;
         description = "Whether to enable the sshguard service.";
       };
 
-      attack_threshold = mkOption {
+      attack_threshold = lib.mkOption {
         default = 30;
-        type = types.int;
+        type = lib.types.int;
         description = ''
           Block attackers when their cumulative attack score exceeds threshold. Most attacks have a score of 10.
         '';
       };
 
-      blacklist_threshold = mkOption {
+      blacklist_threshold = lib.mkOption {
         default = null;
         example = 120;
-        type = types.nullOr types.int;
+        type = lib.types.nullOr lib.types.int;
         description = ''
           Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
         '';
       };
 
-      blacklist_file = mkOption {
+      blacklist_file = lib.mkOption {
         default = "/var/lib/sshguard/blacklist.db";
-        type = types.path;
+        type = lib.types.path;
         description = ''
           Blacklist an attacker when its score exceeds threshold. Blacklisted addresses are loaded from and added to blacklist-file.
         '';
       };
 
-      blocktime = mkOption {
+      blocktime = lib.mkOption {
         default = 120;
-        type = types.int;
+        type = lib.types.int;
         description = ''
           Block attackers for initially blocktime seconds after exceeding threshold. Subsequent blocks increase by a factor of 1.5.
 
@@ -77,33 +74,33 @@ in
         '';
       };
 
-      detection_time = mkOption {
+      detection_time = lib.mkOption {
         default = 1800;
-        type = types.int;
+        type = lib.types.int;
         description = ''
           Remember potential attackers for up to detection_time seconds before resetting their score.
         '';
       };
 
-      whitelist = mkOption {
+      whitelist = lib.mkOption {
         default = [ ];
         example = [
           "198.51.100.56"
           "198.51.100.2"
         ];
-        type = types.listOf types.str;
+        type = lib.types.listOf lib.types.str;
         description = ''
           Whitelist a list of addresses, hostnames, or address blocks.
         '';
       };
 
-      services = mkOption {
+      services = lib.mkOption {
         default = [ "sshd" ];
         example = [
           "sshd"
           "exim"
         ];
-        type = types.listOf types.str;
+        type = lib.types.listOf lib.types.str;
         description = ''
           Systemd services sshguard should receive logs of.
         '';
@@ -113,7 +110,7 @@ in
 
   ###### implementation
 
-  config = mkIf cfg.enable {
+  config = lib.mkIf cfg.enable {
 
     environment.etc."sshguard.conf".source = configFile;
 
@@ -122,7 +119,7 @@ in
 
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
-      partOf = optional config.networking.firewall.enable "firewall.service";
+      partOf = lib.optional config.networking.firewall.enable "firewall.service";
 
       restartTriggers = [ configFile ];
 
@@ -149,21 +146,21 @@ in
       # of the ipsets. So instead, we create both the ipsets and
       # firewall rules before sshguard starts.
       preStart =
-        optionalString config.networking.firewall.enable ''
+        lib.optionalString config.networking.firewall.enable ''
           ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard4 hash:net family inet
           ${pkgs.iptables}/bin/iptables  -I INPUT -m set --match-set sshguard4 src -j DROP
         ''
-        + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
+        + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
           ${pkgs.ipset}/bin/ipset -quiet create -exist sshguard6 hash:net family inet6
           ${pkgs.iptables}/bin/ip6tables -I INPUT -m set --match-set sshguard6 src -j DROP
         '';
 
       postStop =
-        optionalString config.networking.firewall.enable ''
+        lib.optionalString config.networking.firewall.enable ''
           ${pkgs.iptables}/bin/iptables  -D INPUT -m set --match-set sshguard4 src -j DROP
           ${pkgs.ipset}/bin/ipset -quiet destroy sshguard4
         ''
-        + optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
+        + lib.optionalString (config.networking.firewall.enable && config.networking.enableIPv6) ''
           ${pkgs.iptables}/bin/ip6tables -D INPUT -m set --match-set sshguard6 src -j DROP
           ${pkgs.ipset}/bin/ipset -quiet destroy sshguard6
         '';
@@ -179,11 +176,11 @@ in
                 "-a ${toString cfg.attack_threshold}"
                 "-p ${toString cfg.blocktime}"
                 "-s ${toString cfg.detection_time}"
-                (optionalString (
+                (lib.optionalString (
                   cfg.blacklist_threshold != null
                 ) "-b ${toString cfg.blacklist_threshold}:${cfg.blacklist_file}")
               ]
-              ++ (map (name: "-w ${escapeShellArg name}") cfg.whitelist)
+              ++ (map (name: "-w ${lib.escapeShellArg name}") cfg.whitelist)
             );
           in
           "${pkgs.sshguard}/bin/sshguard ${args}";