From a0e2a0d0cda6ffc5194c6d5c1c5475469b8ea785 Mon Sep 17 00:00:00 2001
From: Christoph Urlacher <christoph.urlacher@protonmail.com>
Date: Tue, 15 Jul 2025 23:06:52 +0200
Subject: [PATCH] System/Nixinator: Mount /boot with umask=077

---
 system/nixinator/disks.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/system/nixinator/disks.nix b/system/nixinator/disks.nix
index 7c3474d6..195bb6be 100644
--- a/system/nixinator/disks.nix
+++ b/system/nixinator/disks.nix
@@ -8,6 +8,8 @@
           type = "gpt";
           partitions = {
             ESP = {
+              # NOTE: The disk identification uses /dev/disk/by-partlabel,
+              #       so make sure this matches the actual partlabel!!!
               label = "EFI";
               size = "512M";
               type = "EF00";
@@ -15,7 +17,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
-                mountOptions = ["defaults"];
+                mountOptions = ["umask=077"];
               };
             };
             luks = {