diff --git a/nixos/modules/services/web-apps/mastodon.nix b/nixos/modules/services/web-apps/mastodon.nix
index 532202497e73..34ff99540d3a 100644
--- a/nixos/modules/services/web-apps/mastodon.nix
+++ b/nixos/modules/services/web-apps/mastodon.nix
@@ -195,7 +195,7 @@ in {
           affect other virtualHosts running on your nginx instance, if any.
           Alternatively you can configure a reverse-proxy of your choice to serve these paths:
 
-          `/ -> $(nix-instantiate --eval '<nixpkgs>' -A mastodon.outPath)/public`
+          `/ -> ''${pkgs.mastodon}/public`
 
           `/ -> 127.0.0.1:{{ webPort }} `(If there was no file in the directory above.)
 
@@ -324,6 +324,21 @@ in {
         type = lib.types.str;
       };
 
+      vapidPrivateKeyFile = lib.mkOption {
+        description = ''
+          Path to file containing the private key used for Web Push
+          Voluntary Application Server Identification.  A new keypair can
+          be generated by running:
+
+          `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys`
+
+          If this file does not exist, it will be created with a new
+          private key.
+        '';
+        default = "/var/lib/mastodon/secrets/vapid-private-key";
+        type = lib.types.str;
+      };
+
       localDomain = lib.mkOption {
         description = "The domain serving your Mastodon instance.";
         example = "social.example.org";
@@ -401,21 +416,6 @@ in {
         type = lib.types.str;
       };
 
-      vapidPrivateKeyFile = lib.mkOption {
-        description = ''
-          Path to file containing the private key used for Web Push
-          Voluntary Application Server Identification.  A new keypair can
-          be generated by running:
-
-          `nix build -f '<nixpkgs>' mastodon; cd result; bin/rake webpush:generate_keys`
-
-          If this file does not exist, it will be created with a new
-          private key.
-        '';
-        default = "/var/lib/mastodon/secrets/vapid-private-key";
-        type = lib.types.str;
-      };
-
       trustedProxy = lib.mkOption {
         description = ''
           You need to set it to the IP from which your reverse proxy sends requests to Mastodon's web process,
@@ -945,6 +945,7 @@ in {
       enable = true;
       hostname = lib.mkDefault "${cfg.localDomain}";
     };
+
     services.redis.servers.mastodon = lib.mkIf redisActuallyCreateLocally (lib.mkMerge [
       {
         enable = true;
@@ -953,6 +954,7 @@ in {
         port = cfg.redis.port;
       })
     ]);
+
     services.postgresql = lib.mkIf databaseActuallyCreateLocally {
       enable = true;
       ensureUsers = [