initrd-ssh: Make /boot only accessible for root

2023-12-31 13:23:20 +01:00 · 2023-12-31 13:23:20 +01:00 · abccb6f9e0
parent c5f5f6a5ca
commit abccb6f9e0
1 changed files with 6 additions and 0 deletions
--- a/modules/initrd-ssh.nix
+++ b/modules/initrd-ssh.nix
@ -32,4 +32,10 @@
      ];
    };
  };
+
+  # This only works for vfat (EFI),
+  # for ext2 (MBR) it needs to be changed manually with chmod.
+  fileSystems."/boot".options = lib.mkIf
+    (config.boot.initrd.network.ssh.enable && config.fileSystems."/boot".fsType == "vfat")
+    (lib.mkDefault [ "umask=0077" ]);
 }