From 65a0f7bf2f8f137e19cb1702ed49b089eff5c59b Mon Sep 17 00:00:00 2001
From: Daniel Langbein
Date: Fri, 12 Jul 2024 22:57:37 +0200
Subject: [PATCH] NixOS 24.05: umask boot partition
---
 hosts/yodaHedgehog/hardware-configuration.nix | 1 +
 hosts/yodaNas/hardware-configuration.nix | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/hosts/yodaHedgehog/hardware-configuration.nix b/hosts/yodaHedgehog/hardware-configuration.nix
index 7e7c840..221292a 100644
--- a/hosts/yodaHedgehog/hardware-configuration.nix
+++ b/hosts/yodaHedgehog/hardware-configuration.nix
@@ -30,6 +30,7 @@
 fileSystems."/boot" =
 { device = "/dev/disk/by-uuid/81A5-B98A";
 fsType = "vfat";
+ options = [ "umask=0077" ];
 };

 fileSystems."/mnt/backup" =
diff --git a/hosts/yodaNas/hardware-configuration.nix b/hosts/yodaNas/hardware-configuration.nix
index c087ed2..1b57219 100644
--- a/hosts/yodaNas/hardware-configuration.nix
+++ b/hosts/yodaNas/hardware-configuration.nix
@@ -30,6 +30,11 @@
 fileSystems."/boot" =
 { device = "/dev/disk/by-uuid/072E-897D";
 fsType = "vfat";
+ # Fixes the error
+ # systemd-boot-random-seed.service: Mount point '/boot' which backs the random seed file is world accessible, which is a security hole!
+ # TODO: Do this with disko. Example: https://github.com/wimpysworld/nix-config/blob/0cc52f746d5c5fec9d8edea5391661da811eb08f/nixos/tanis/disks.nix#L17
+ # TODO: Add this to other NixOS hosts.
+ options = [ "umask=0077" ];
 };

 fileSystems."/mnt/data" =
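Review bot: In hosts/yodaHedgehog/hardware-configuration.nix the added `options = [ "umask=0077" ];` on `fileSystems."/boot"` has no comment, while the same line in hosts/yodaNas carries the rationale, so a reader of this host alone cannot tell that it is a security setting. I would put `# Root-only ESP: /boot backs the systemd-boot random seed file and must not be world accessible.` above it. The mask only applies once the vfat partition is mounted with the new options, so it is worth confirming the effective masks on the host with `findmnt -no OPTIONS /boot` after the switch.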
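Review bot: In hosts/yodaNas/hardware-configuration.nix the TODO `Add this to other NixOS hosts` means any host this commit does not touch still mounts /boot world accessible, so the condition the quoted systemd warning describes presumably persists there. `fileSystems.<name>.options` is a list that merges across modules, so a single `fileSystems."/boot".options = [ "umask=0077" ];` in a module imported by every host that declares a vfat /boot would close that gap in one place. It would also survive regeneration if these files come from nixos-generate-config, which I infer only from the file name. The comment could also say what the option does, not just which error it silences, e.g. `# umask=0077: files and directories on the ESP are accessible to root only.`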