docs: Fix /boot security hole warning in examples

The alternative would be to do this automatically if format=="vfat" and
mountpoint=="/boot", but it's better to be upfront about this.

Fixes #527

Author: iFreilicht

docs/HowTo.md

@@ -150,6 +150,7 @@ or with pinning:
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {

docs/disko-install.md

@@ -65,6 +65,7 @@ example we assume a system that has been booted with EFI:
                       type = "filesystem";
                       format = "vfat";
                       mountpoint = "/boot";
+                      mountOptions = [ "umask=0077" ];
                     };
                   };
                   root = {
@@ -168,6 +169,7 @@ Add this to your flake.nix output:
                       type = "filesystem";
                       format = "vfat";
                       mountpoint = "/boot";
+                      mountOptions = [ "umask=0077" ];
                     };
                   };
                   root = {

docs/table-to-gpt.md

@@ -122,6 +122,7 @@ The fixed disko configuration would look like this:
             type = "filesystem";
             format = "vfat";
             mountpoint = "/boot";
+            mountOptions = [ "umask=0077" ];
           };
         };
         root = {

example/bcachefs.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {

example/btrfs-only-root-subvolume.nix

@@ -17,6 +17,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {

example/btrfs-subvolumes.nix

@@ -17,6 +17,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {

example/complex.nix

@@ -15,6 +15,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
           };

example/f2fs.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {

example/hybrid-mbr.nix

@@ -29,6 +29,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {

example/hybrid-tmpfs-on-root.nix

@@ -18,6 +18,7 @@
               type = "filesystem";
               format = "vfat";
               mountpoint = "/boot";
+              mountOptions = [ "umask=0077" ];
             };
           };
           nix = {

example/hybrid.nix

@@ -18,6 +18,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {
@@ -34,4 +35,3 @@
     };
   };
 }
-

example/long-device-name.nix

@@ -15,6 +15,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {
@@ -31,4 +32,3 @@
     };
   };
 }
-

example/luks-btrfs-subvolumes.nix

@@ -14,9 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
-                mountOptions = [
-                  "defaults"
-                ];
+                mountOptions = [ "umask=0077" ];
               };
             };
             luks = {

example/luks-interactive-login.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             luks = {

example/luks-lvm.nix

@@ -14,9 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
-                mountOptions = [
-                  "defaults"
-                ];
+                mountOptions = [ "umask=0077" ];
               };
             };
             luks = {

example/lvm-sizes-sort.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             primary = {

example/lvm-thin.nix

@@ -14,9 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
-                mountOptions = [
-                  "defaults"
-                ];
+                mountOptions = [ "umask=0077" ];
               };
             };
             primary = {

example/non-root-zfs.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {
@@ -106,4 +107,3 @@
     };
   };
 }
-

example/simple-efi.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {
@@ -30,4 +31,3 @@
     };
   };
 }
-

example/swap.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {

example/tmpfs.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             root = {
@@ -38,4 +39,3 @@
     };
   };
 }
-

example/zfs-over-legacy.nix

@@ -14,9 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
-                mountOptions = [
-                  "defaults"
-                ];
+                mountOptions = [ "umask=0077" ];
               };
             };
             primary = {
@@ -57,4 +55,3 @@
     };
   };
 }
-

example/zfs-with-vdevs.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             zfs = {
@@ -84,7 +85,10 @@
             vdev = [
               {
                 mode = "mirror";
-                members = [ "x" "y" ];
+                members = [
+                  "x"
+                  "y"
+                ];
               }
             ];
             special = {

example/zfs.nix

@@ -14,6 +14,7 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
               };
             };
             zfs = {
@@ -102,4 +103,3 @@
     };
   };
 }
-