From abccb6f9e04bee6e2f1505c7754d4924381e86e1 Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Sun, 31 Dec 2023 13:23:20 +0100
Subject: [PATCH] initrd-ssh: Make /boot only accessible for root

---
 modules/initrd-ssh.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/initrd-ssh.nix b/modules/initrd-ssh.nix
index 4d1a23d..928c607 100644
--- a/modules/initrd-ssh.nix
+++ b/modules/initrd-ssh.nix
@@ -32,4 +32,10 @@
 ];
 };
 };
+
+ # This only works for vfat (EFI),
+ # for ext2 (MBR) it needs to be changed manually with chmod.
+ fileSystems."/boot".options = lib.mkIf
+ (config.boot.initrd.network.ssh.enable && config.fileSystems."/boot".fsType == "vfat")
+ (lib.mkDefault [ "umask=0077" ]);
 }
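Review bot: The `mkIf` condition on the added `fileSystems."/boot".options` line leaves a non-vfat `/boot` (ext2/ext4) silently world-readable: the comment says to chmod it by hand, but nothing tells the person enabling `boot.initrd.network.ssh` that the protection did not apply, so whatever the subject line intends to hide (presumably the initrd SSH host key kept on `/boot`) stays readable to every local user on those hosts. A `warnings` entry next to this definition would surface the gap, e.g. `warnings = lib.optional (config.boot.initrd.network.ssh.enable && config.fileSystems."/boot".fsType != "vfat") "/boot is not vfat; chmod 0700 /boot manually so the initrd SSH host key is not world-readable.";`. For ext filesystems the same effect could likely be reached declaratively with `systemd.tmpfiles.rules = [ "z /boot 0700 root root -" ];`, since tmpfiles setup runs after local filesystems are mounted, though that should be confirmed on a real ext `/boot`. Note also that because `mkIf` wraps only the `options` value, the `fileSystems."/boot"` attribute is still defined when the condition is false, so on a host with no separately declared `/boot` this probably yields a `/boot` entry without a device and an evaluation error; the module may want to require or guard on `/boot` being declared. The enclosing attribute set starts outside the hunk.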