diff --git a/.envrc b/.envrc
index a65a6462..66bf3418 100644
--- a/.envrc
+++ b/.envrc
@@ -1,13 +1,16 @@
 #!/usr/bin/env bash
 # the shebang is ignored, but nice for editors
-watch_file nix/sources.json
-watch_file nix/checks.nix
+watch_file npins/sources.json
 
 # Load .env file if it exists
 dotenv_if_exists
 
-# Set npins dir
-export NPINS_DIRECTORY="nix"
-
 # Activate development shell
-use nix
+if type lorri &>/dev/null; then
+    echo "direnv: using lorri from PATH ($(type -p lorri))"
+    eval "$(lorri direnv)"
+else
+    # fall back to using direnv's builtin nix support
+    # to prevent bootstrapping problems.
+    use nix
+fi
diff --git a/nix/treefmt.nix b/nix/treefmt.nix
new file mode 100644
index 00000000..f31bef83
--- /dev/null
+++ b/nix/treefmt.nix
@@ -0,0 +1,71 @@
+{
+  sources ? import ../npins,
+  pkgs ? import sources.nixpkgs { },
+  treefmt ? import sources.treefmt-nix,
+}:
+let
+  globalExcludes = [
+    "npins/default.nix"
+    "attic"
+    "vcluster"
+    ".*vendor"
+    ".*chart/.*"
+    ".*schema.json"
+  ];
+in
+treefmt.evalModule pkgs {
+  projectRootFile = ".git/config";
+
+  settings = {
+    excludes = globalExcludes;
+  };
+
+  programs = {
+
+    # --- Nix formatting ---
+    nixfmt = {
+      enable = true;
+      package = pkgs.nixfmt-rfc-style;
+    };
+    statix.enable = true;
+    deadnix.enable = true;
+
+    # --- Shell ---
+    shellcheck = {
+      enable = true;
+      excludes = [
+        "vcluster/"
+        "attic/"
+      ];
+    };
+
+    shfmt.enable = true;
+
+    # --- YAML ---
+    yamllint = {
+      enable = true;
+      excludes = [
+        "attic/"
+        "charts/templates/"
+        "charts/"
+        "values/"
+        "vcluster/"
+      ];
+      settings = {
+        extends = "default";
+        rules = {
+          document-start = "disable";
+          line-length = {
+            max = 300;
+          };
+        };
+      };
+    };
+
+    # --- JSON ---
+    jsonfmt.enable = true;
+
+    # Optional: keep JSON sorted
+    # prettier.enable = true;
+  };
+}
diff --git a/nix/checks.nix b/npins/checks.nix
similarity index 100%
rename from nix/checks.nix
rename to npins/checks.nix
diff --git a/nix/default.nix b/npins/default.nix
similarity index 100%
rename from nix/default.nix
rename to npins/default.nix
diff --git a/nix/sources.json b/npins/sources.json
similarity index 62%
rename from nix/sources.json
rename to npins/sources.json
index f1e23f5e..1096b05e 100644
--- a/nix/sources.json
+++ b/npins/sources.json
@@ -18,6 +18,19 @@
       "name": "nixpkgs-unstable",
       "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre930822.ed142ab1b3a0/nixexprs.tar.xz",
       "hash": "sha256-XH6awru9NnBc/m+2YhRNT8r1PAKEiPGF3gs//F3ods0="
+    },
+    "treefmt-nix": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "numtide",
+        "repo": "treefmt-nix"
+      },
+      "branch": "main",
+      "submodules": false,
+      "revision": "337a4fe074be1042a35086f15481d763b8ddc0e7",
+      "url": "https://github.com/numtide/treefmt-nix/archive/337a4fe074be1042a35086f15481d763b8ddc0e7.tar.gz",
+      "hash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk="
     }
   },
   "version": 7
diff --git a/shell.nix b/shell.nix
index 5523d063..94198859 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,68 +1,53 @@
 let
-  sources = import ./nix;
+  sources = import ./npins;
   system = builtins.currentSystem;
   pkgs = import sources.nixpkgs {
     inherit system;
     config = { };
     overlays = [ ];
   };
-  checks = import ./nix/checks.nix;
+  treefmt = import ./nix/treefmt.nix { };
 in
 pkgs.mkShellNoCC {
-  name = "clstr";
+  packages = [
+    # dev tools
+    pkgs.just
+    pkgs.npins
+    treefmt.config.build.wrapper
 
-  packages =
-    with pkgs;
-    [
-      # dev tools
-      just
-      npins
+    # helm
+    pkgs.helmfile
+    pkgs.kubernetes-helm
 
-      # helm
-      helmfile
-      kubernetes-helm
+    # kubectl tools
+    pkgs.kubectl-cnpg
+    pkgs.kubectl-neat
+    pkgs.kubectl-graph
+    pkgs.kubectl-klock
+    pkgs.kubectl-rook-ceph
 
-      # kubectl tools
-      kubectl-cnpg
-      kubectl-neat
-      kubelogin
-      kubelogin-oidc
-      kubectl-rook-ceph
-      kubectl-graph
-      kubectl-klock
-      graphviz
-      hubble
-
-      # other tools activate when needed
-      # step-cli
-      # linkerd
-      # cmctl
-      # rclone
-      # velero
-      renovate
-
-      # dapr
-      dapr-cli
-    ]
-    ++ checks.enabledPackages;
+    # other tools activate when needed
+    # pkgs.step-cli
+    # pkgs.linkerd
+    # pkgs.cmctl
+    # pkgs.rclone
+    # pkgs.velero
+    # pkgs.renovate
+    # pkgs.graphviz
+    # pkgs.hubble
+    # pkgs.dapr-cli
+  ];
 
   # Environment variables
   ARGOCD_ENV_CLUSTER_NAME = "oceanbox";
   HELM_GIT_ACCESS_TOKEN = "glpat-xxx";
 
-  shellHook = builtins.concatStringsSep "\n" [
-    checks.shellHook
-  ];
-
   # Alternative shells
   passthru = pkgs.lib.mapAttrs (name: value: pkgs.mkShellNoCC (value // { inherit name; })) {
     ci-shell = {
       packages = [
         pkgs.npins
       ];
-      shellHook = ''
-        export NPINS_DIRECTORY="nix"
-      '';
     };
   };
 }