Restrict permissions on /boot to protect the random seed.

common/encrypted-btrfs-layout.nix

@@ -31,6 +31,9 @@ in
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [
+                  "umask=0077"  # to avoid the random seed being world readable
+                ];
               };
             };
             luksroot = {

hosts/alo-cloud-1/hardware.nix

@@ -36,6 +36,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/FF9C-DC81";
       fsType = "vfat";
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
     };
 
   swapDevices = [ {

hosts/c1/hardware.nix

@@ -39,6 +39,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/D8C2-9216";
       fsType = "vfat";
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
     };
 
   swapDevices = [ {

hosts/c2/hardware.nix

@@ -39,6 +39,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/B543-374F";
       fsType = "vfat";
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
     };
 
   swapDevices = pkgs.lib.mkForce [ {

hosts/zippy/hardware.nix

@@ -39,7 +39,7 @@
   fileSystems."/boot" =
     { device = "/dev/disk/by-uuid/F3C9-A38F";
       fsType = "vfat";
-      options = [ "fmask=0022" "dmask=0022" ];
+      options = [ "umask=0077" ]; # to avoid the random seed being world readable
     };
 
   swapDevices = [ {