diff --git a/infra/README.org b/infra/README.org index 2998682..c50af47 100644 --- a/infra/README.org +++ b/infra/README.org @@ -7,19 +7,27 @@ Their configuration can be updated via NixOps4. Run nixops4 deployments list #+end_src -to see the available deployments. Given a deployment (eg. ~actions-runners~), run +to see the available deployments. Given a deployment (eg. ~git~), run #+begin_src sh nixops4 apply #+end_src +* Deployments + +- ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions + runners +- ~web~ :: Machines hosting our online content, eg. the website or the wiki + * Procolix machines These machines are hosted on the Procolix Proxmox instance, to which non-Procolix members of the project do not have access. They host our stable infrastructure. -| Machine | Description | Deployment | -|---------+------------------------+-----------------| -| vm02179 | Forgejo actions runner | actions-runners | -| vm02186 | Forgejo actions runner | actions-runners | +| Machine | Description | Deployment | +|---------+------------------------+------------| +| vm02116 | Forgejo | ~git~ | +| vm02179 | Forgejo actions runner | ~git~ | +| vm02186 | Forgejo actions runner | ~git~ | +| vm02187 | Wiki | ~web~ | diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 5a08844..857848a 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix 
@@ -1,12 +1,30 @@ { inputs, ... }: { - nixops4Deployments.actions-runners = + nixops4Deployments.git = { providers, ... }: { providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local; resources = { + vm02116 = { + type = providers.local.exec; + imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; + ssh = { + host = "185.206.232.34"; + opts = ""; + hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILriawl1za2jbxzelkL5v8KPmcvuj7xVBgwFxuM/zhYr"; + }; + nixpkgs = inputs.nixpkgs; + nixos.module = { + imports = [ + ./vm02116/configuration.nix + ./vm02116/forgejo.nix + ./vm02116/hardware-configuration.nix + ]; + }; + }; + vm02179 = { type = providers.local.exec; imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; @@ -44,4 +62,29 @@ }; }; }; + + nixops4Deployments.web = + { providers, ... }: + { + providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local; + + resources = { + vm02187 = { + type = providers.local.exec; + imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ]; + ssh = { + host = "185.206.232.187"; + opts = ""; + hostPublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN24ZfdQNklKkIqfMg/+0vqENuDcy6fhT6SfAq01ae83"; + }; + nixpkgs = inputs.nixpkgs; + nixos.module = { + imports = [ + ./vm02187/configuration.nix + ./vm02187/hardware-configuration.nix + ]; + }; + }; + }; + }; } diff --git a/forgejo/configuration.nix b/infra/vm02116/configuration.nix similarity index 90% rename from forgejo/configuration.nix rename to infra/vm02116/configuration.nix index 9158f3c..4ac97bc 100644 --- a/forgejo/configuration.nix +++ b/infra/vm02116/configuration.nix 
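Review bot: The `hostPublicKey` pinned for `vm02116` in this hunk, and the one for `vm02187` in the `nixops4Deployments.web` hunk that follows, is what authenticates the deployment target, yet nothing records how it was verified. I would add a comment above each, e.g. `# host key: verify against the VM console before changing; never copy from an SSH warning`, so a later key change is checked out of band. The `host` literal `185.206.232.34` also appears in `listenAddresses` in `infra/vm02116/forgejo.nix` further down this diff, and a single shared binding would keep the two from drifting apart. The `git` deployment's attribute set continues outside the hunk.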
@@ -2,15 +2,15 @@ # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ config, lib, pkgs, ... }: +{ pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - # This will install and configure Forgejo - ./forgejo.nix - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + # This will install and configure Forgejo + ./forgejo.nix + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; @@ -22,7 +22,7 @@ # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. # Networking - networking = { + networking = { hostName = "vm02116"; domain = "procolix.com"; interfaces = { @@ -53,15 +53,18 @@ address = "2a00:51c0:12:1201::1"; interface = "eth0"; }; - nameservers = [ "2a00:51c0::5fd7:b906" "95.215.185.7" ]; + nameservers = [ + "2a00:51c0::5fd7:b906" + "95.215.185.7" + ]; firewall.enable = false; nftables = { enable = true; ruleset = '' #!/usr/sbin/nft -f - + flush ruleset - + ########### define usefull variables here ##################### define wan = eth0 define ssh_allow = { @@ -77,21 +80,21 @@ define nrpe_allow = { 95.215.185.34/32, # nagios2 ipv4 } - + ########### here starts the automated bit ##################### table inet filter { chain input { type filter hook input priority 0; policy drop; - + # established/related connections ct state established,related accept ct state invalid drop - + # Limit ping requests. ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - + # loopback interface iifname lo accept 
@@ -99,17 +102,17 @@ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept # Without the nd-* ones ipv6 will not work. ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - + # open tcp ports: sshd (22) #ip saddr $ssh_allow tcp dport {ssh} accept tcp dport {ssh} accept - + # open tcp ports: snmp (161) ip saddr $snmp_allow udp dport {snmp} accept - + # open tcp ports: nrpe (5666) ip saddr $nrpe_allow tcp dport {nrpe} accept - + # open tcp ports: http (80,443) tcp dport {http,https} accept } @@ -120,7 +123,7 @@ type filter hook output priority 0; } } - + table ip nat { chain postrouting { } @@ -131,7 +134,6 @@ }; }; - # Set your time zone. time.timeZone = "Europe/Amsterdam"; @@ -150,9 +152,6 @@ # Enable the X11 windowing system. # services.xserver.enable = true; - - - # Configure keymap in X11 # services.xserver.xkb.layout = "us"; # services.xserver.xkb.options = "eurosign:e,caps:escape"; 
@@ -175,17 +174,22 @@ openssh.authorizedKeys.keys = [ "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1" "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2" - ]; + ]; }; }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg" + ]; + # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ (pkgs.vim_configurable.customize { - name = "vim"; - vimrcConfig.packages.myplugins = with pkgs.vimPlugins; { - start = [ vim-nix ]; # load plugin on startup + name = "vim"; + vimrcConfig.packages.myplugins = with pkgs.vimPlugins; { + start = [ vim-nix ]; # load plugin on startup }; vimrcConfig.customRC = '' " your custom vimrc @@ -196,7 +200,8 @@ " ... ''; }) - wget subversion + wget + subversion ]; # Some programs need SUID wrappers, can be configured further or are 
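Review bot: The two `ssh-ed25519` entries added to `users.users.root.openssh.authorizedKeys.keys` have no key comment field and no Nix comment, so nobody can tell whose root access they grant or which entry to remove when someone leaves. Add an owner label, e.g. a `# owner: <name>` line above each (placeholder). The same pair is added again in `infra/vm02187/configuration.nix` (the `@@ -192,18 +195,23 @@` hunk), so a shared module holding the deployer keys would keep both machines in step. On this machine the nftables ruleset earlier in the file has `tcp dport {ssh} accept` active with the `$ssh_allow` rule commented out, so root key login appears reachable from any address. If that is not intended, restore the source restriction.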
@@ -223,11 +228,6 @@ # Or disable the firewall altogether. # networking.firewall.enable = false; - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - system.copySystemConfiguration = true; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # @@ -244,7 +244,6 @@ # and migrated your data accordingly. # # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . - system.stateVersion = "24.05"; + system.stateVersion = "24.05"; } - diff --git a/forgejo/forgejo.nix b/infra/vm02116/forgejo.nix similarity index 97% rename from forgejo/forgejo.nix rename to infra/vm02116/forgejo.nix index 3b54301..32c3381 100644 --- a/forgejo/forgejo.nix +++ b/infra/vm02116/forgejo.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ pkgs, ... }: let domain = "git.fediversity.eu"; in @@ -32,7 +32,7 @@ in }; users.groups.keys.members = [ "forgejo" ]; - + services.mysql = { enable = true; package = pkgs.mariadb; @@ -61,7 +61,7 @@ in clientMaxBodySize = "500m"; appendHttpConfig = '' - + map $uri $forgejo_access_log { default 1; /api/actions/runner.v1.RunnerService/FetchTask 0; @@ -73,12 +73,12 @@ in https "max-age=31536000; includeSubdomains; always"; } add_header Strict-Transport-Security $hsts_header; - ''; + ''; virtualHosts.${domain} = { listenAddresses = [ "185.206.232.34" "[2a00:51c0:12:1201::20]" - ]; + ]; enableACME = true; forceSSL = true; locations."/" = { @@ -91,4 +91,3 @@ in }; }; } - diff --git a/forgejo/hardware-configuration.nix b/infra/vm02116/hardware-configuration.nix similarity index 70% rename from forgejo/hardware-configuration.nix rename to infra/vm02116/hardware-configuration.nix index b6f60e3..82d1356 100644 
--- a/forgejo/hardware-configuration.nix +++ b/infra/vm02116/hardware-configuration.nix @@ -1,25 +1,30 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ lib, ... }: { imports = [ ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "sr_mod" "xen_blkfront" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "sr_mod" + "xen_blkfront" + ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/3802a66d-e31a-4650-86f3-b51b11918853"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/2CE2-1173"; - fsType = "vfat"; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/2CE2-1173"; + fsType = "vfat"; + }; swapDevices = [ ]; diff --git a/wiki/configuration.nix b/infra/vm02187/configuration.nix similarity index 81% rename from wiki/configuration.nix rename to infra/vm02187/configuration.nix index ffdcce6..1d73482 100644 --- a/wiki/configuration.nix +++ b/infra/vm02187/configuration.nix @@ -1,15 +1,14 @@ - # Edit this configuration file to define what should be installed on # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: +{ pkgs, ... }: { - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ]; + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; # Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; 
@@ -22,7 +21,7 @@ services.mediawiki = { enable = true; - name = "Fediversity Wiki"; + name = "Fediversity Wiki"; webserver = "nginx"; nginx.hostName = "wiki.fediversity.eu"; passwordFile = pkgs.writeText "password" "eiM9etha8ohmo9Ohphahpesiux0ahda6"; @@ -35,7 +34,7 @@ $wgMaxShellMemory = 524288; $wgSVGMetadataCutoff = 1024*1024; $wgAllowExternalImages = false; - + ## Permissions $wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['createaccount'] = false; @@ -48,21 +47,23 @@ # 1 GB ought to be enough for everyone $wgUploadSizeWarning = 1024*1024*512; $wgMaxUploadSize = 1024*1024*1024; - + $wgHeadScriptCode = <<<'END' END; - ''; + ''; - extensions = { - VisualEditor = null; - }; + extensions = { + VisualEditor = null; + }; }; services.nginx = { enable = true; virtualHosts."wiki.fediversity.eu" = { - basicAuth = { fediv = "SecretSauce123!"; }; + basicAuth = { + fediv = "SecretSauce123!"; + }; forceSSL = true; enableACME = true; }; @@ -75,7 +76,7 @@ users.users.nginx.extraGroups = [ "acme" ]; - networking = { + networking = { hostName = "vm02187"; domain = "procolix.com"; interfaces = { @@ -106,15 +107,18 @@ address = "2a00:51c0:12:1201::1"; interface = "eth0"; }; - nameservers = [ "95.215.185.6" "95.215.185.7" ]; + nameservers = [ + "95.215.185.6" + "95.215.185.7" + ]; firewall.enable = false; nftables = { enable = true; ruleset = '' #!/usr/sbin/nft -f - + flush ruleset - + ########### define usefull variables here ##################### define wan = eth0 define ssh_allow = { 
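Review bot: `basicAuth = { fediv = "…"; }` in the `@@ -48,21 +47,23 @@` hunk is only re-wrapped, so the wiki's basic-auth password stays in plain text in the repository and, as far as I can tell, ends up in the world-readable Nix store. The context line `passwordFile = pkgs.writeText "password" "…"` in the `@@ -22,7 +21,7 @@` hunk does the same for the MediaWiki initial admin password. Since this file is now wired into the `web` deployment, both should point at files kept outside the store, e.g. `basicAuthFile = "/run/secrets/<wiki-htpasswd>";` and `passwordFile = "/run/secrets/<mediawiki-admin>";` (placeholder paths), provisioned by whichever secrets mechanism the project adopts. The current values are already in git history and should be rotated once they are moved.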
@@ -131,21 +135,21 @@ define nrpe_allow = { 95.215.185.34/32, # nagios2 ipv4 } - + ########### here starts the automated bit ##################### table inet filter { chain input { type filter hook input priority 0; policy drop; - + # established/related connections ct state established,related accept ct state invalid drop - + # Limit ping requests. ip protocol icmp icmp type echo-request limit rate over 10/second burst 50 packets drop ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 50 packets drop - + # loopback interface iifname lo accept @@ -153,16 +157,16 @@ ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept # Without the nd-* ones ipv6 will not work. ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept - + # open tcp ports: sshd (22) ip saddr $ssh_allow tcp dport {ssh} accept - + # open tcp ports: snmp (161) ip saddr $snmp_allow udp dport {snmp} accept - + # open tcp ports: nrpe (5666) ip saddr $nrpe_allow tcp dport {nrpe} accept - + # open tcp ports: http (80,443) tcp dport {http,https} accept } @@ -173,7 +177,7 @@ type filter hook output priority 0; } } - + table ip nat { chain postrouting { } @@ -184,7 +188,6 @@ }; }; - # Set your time zone. time.timeZone = "Europe/Amsterdam"; 
@@ -192,18 +195,23 @@ i18n.defaultLocale = "en_US.UTF-8"; # Define a user account. Don't forget to set a password with ‘passwd’. - users.users.root.hashedPassword = "$y$j9T$WXvLAUqArJJusuC017FCW0$.rfMOeyx/BsClkJFi5hLcynrSk.njWmfiB6Uy.9th3A"; + users.users.root = { + hashedPassword = "$y$j9T$WXvLAUqArJJusuC017FCW0$.rfMOeyx/BsClkJFi5hLcynrSk.njWmfiB6Uy.9th3A"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg" + ]; + }; users.users.procolix = { isNormalUser = true; extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. hashedPassword = "$y$j9T$UH8Dh/poTCCZ3PXk43au6/$iYen8VUEVvv7SIPqteNtTPKktLxny3TbqvjUwhvi.6B"; openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1" - "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2" - ]; - packages = with pkgs; [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAotfCIjLoDlHOe+++kVS1xiBPaS8mC5FypgrxDrDVst6SHxMTca2+IScMajzUZajenvNAoZOwIsyAPacT8OHeyFvV5Y7G874Qa+cZVqJxLht9gdXxr1GNabU3RfhhCh272dUeIKIqfgsRsM2HzdnZCMDavS1Yo+f+RhhHhnJIua+NdVFo21vPrpsz+Cd0M1NhojARLajrTHvEXW0KskUnkbfgxT0vL9jeRZxdgMS+a9ZoR5dbzOxQHWfbP8N04Xc+7CweMlvKwlWuAE/xDb5XLNHorfGWFvZuVhptJN8jPaaVS25wsmsF5IbaAuSZfzCtBdFQhIloUhy0L6ZisubHjQ== procolix@sshnode1" + "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuT3C0f3nyQ7SwUvXcFmEYEgwL+crY6iK0Bhoi9yfn4soz3fhfMKyKSwc/0RIlRnrz3xnkyJiV0vFeU7AC1ixbGCS3T9uc0G1x0Yedd9n2yR8ZJmkdyfjZ5KE4YvqZ3f6UZn5Mtj+7tGmyp+ee+clLSHzsqeyDiX0FIgFmqiiAVJD6qeKPFAHeWz9b2MOXIBIw+fSLOpx0rosCgesOmPc8lgFvo+dMKpSlPkCuGLBPj2ObT4sLjc98NC5z8sNJMu3o5bMbiCDR9JWgx9nKj+NlALwk3Y/nzHSL/DNcnP5vz2zbX2CBKjx6ju0IXh6YKlJJVyMsH9QjwYkgDQVmy8amQ== procolix@sshnode2" ]; + packages = with pkgs; [ ]; }; # List packages installed in system profile. To search, run: @@ -231,11 +239,6 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - # Copy the NixOS configuration file and link it from the resulting system - # (/run/current-system/configuration.nix). This is useful in case you - # accidentally delete configuration.nix. - system.copySystemConfiguration = true; - # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave @@ -245,4 +248,3 @@ system.stateVersion = "24.05"; # Did you read the comment? } - diff --git a/wiki/hardware-configuration.nix b/infra/vm02187/hardware-configuration.nix similarity index 63% rename from wiki/hardware-configuration.nix rename to infra/vm02187/hardware-configuration.nix index d18784a..79f182e 100644 --- a/wiki/hardware-configuration.nix +++ b/infra/vm02187/hardware-configuration.nix 
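Review bot: The rewritten `users.users.root` block keeps `hashedPassword` inline next to the newly added keys, so the root hash (and the `procolix` one in the context below it) stays readable by anyone with repository access and can be attacked offline. Now that root has `openssh.authorizedKeys.keys`, consider dropping the root password or moving it to `hashedPasswordFile = "/run/secrets/<root-hash>";` (placeholder path). The `packages = with pkgs; [ ];` line this hunk produces is empty and can be removed.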
@@ -1,28 +1,36 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ lib, modulesPath, ... }: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_scsi" + "sd_mod" + "sr_mod" + ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - fileSystems."/" = - { device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49"; - fsType = "ext4"; - }; + fileSystems."/" = { + device = "/dev/disk/by-uuid/a46a9c46-e32b-4216-a4aa-8819b2cd0d49"; + fsType = "ext4"; + }; - fileSystems."/boot" = - { device = "/dev/disk/by-uuid/6AB5-4FA8"; - fsType = "vfat"; - options = [ "fmask=0022" "dmask=0022" ]; - }; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/6AB5-4FA8"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; swapDevices = [ ];