diff --git a/common/encrypted-btrfs-layout.nix b/common/encrypted-btrfs-layout.nix
index 844dd38..a4c646b 100644
--- a/common/encrypted-btrfs-layout.nix
+++ b/common/encrypted-btrfs-layout.nix
@@ -31,6 +31,9 @@ in
 type = "filesystem";
 format = "vfat";
 mountpoint = "/boot";
+ mountOptions = [
+ "umask=0077" # to avoid the random seed being world readable
+ ];
 };
 };
 luksroot = {
diff --git a/hosts/alo-cloud-1/hardware.nix b/hosts/alo-cloud-1/hardware.nix
index 1974535..2f700cf 100644
--- a/hosts/alo-cloud-1/hardware.nix
+++ b/hosts/alo-cloud-1/hardware.nix
@@ -36,6 +36,7 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/FF9C-DC81";
 fsType = "vfat";
+ options = [ "umask=0077" ]; # to avoid the random seed being world readable
 };
 swapDevices = [
 {
diff --git a/hosts/c1/hardware.nix b/hosts/c1/hardware.nix
index 570e713..d60c905 100644
--- a/hosts/c1/hardware.nix
+++ b/hosts/c1/hardware.nix
@@ -39,6 +39,7 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/D8C2-9216";
 fsType = "vfat";
+ options = [ "umask=0077" ]; # to avoid the random seed being world readable
 };
 swapDevices = [
 {
diff --git a/hosts/c2/hardware.nix b/hosts/c2/hardware.nix
index 6e6d080..bed4683 100644
--- a/hosts/c2/hardware.nix
+++ b/hosts/c2/hardware.nix
@@ -39,6 +39,7 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/B543-374F";
 fsType = "vfat";
+ options = [ "umask=0077" ]; # to avoid the random seed being world readable
 };
 swapDevices = pkgs.lib.mkForce [
 {
diff --git a/hosts/zippy/hardware.nix b/hosts/zippy/hardware.nix
index 86717fc..486bb4b 100644
--- a/hosts/zippy/hardware.nix
+++ b/hosts/zippy/hardware.nix
@@ -39,7 +39,7 @@
 fileSystems."/boot" = {
 device = "/dev/disk/by-uuid/F3C9-A38F";
 fsType = "vfat";
- options = [ "fmask=0022" "dmask=0022" ];
+ options = [ "umask=0077" ]; # to avoid the random seed being world readable
 };
 swapDevices = [
 {
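Review bot: In common/encrypted-btrfs-layout.nix the inline comment on `"umask=0077"` understates what the option does: on vfat the mask applies to every file and directory on the partition, so all of /boot becomes root-only, not just the seed file. I would say that in the comment, for example `# root-only /boot: keeps the boot loader random seed (and everything else on this partition) unreadable to other users`. The option only takes effect when the filesystem is mounted, so on machines already installed from this layout it is worth confirming after deploy that /boot was actually remounted with the new mask. The enclosing partition attribute set starts and ends outside the hunk.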
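Review bot: The same `options = [ "umask=0077" ];` line is added by hand in hosts/alo-cloud-1/hardware.nix and again in the c1, c2 and zippy hunks, so a host added later presumably falls back to a world-readable /boot unless someone remembers to copy it. If these hosts import a common module (not visible here), setting `fileSystems."/boot".options = [ "umask=0077" ];` once there would cover them, since list options merge across modules. Either way, running `findmnt -no OPTIONS /boot` on each host after the switch shows whether the mask is actually in effect.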