From 73e7daf926ce832335a529d67c8076a02b1c5dbc Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch <t.schmittlauch@orlives.de>
Date: Wed, 6 May 2026 14:31:13 +0200
Subject: [PATCH 1/2] /boot: protect random seed file

---
 hosts/framenix/storage.nix | 5 ++++-
 hosts/thinknix/storage.nix | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/hosts/framenix/storage.nix b/hosts/framenix/storage.nix
index 8acb7fd..3e4b194 100644
--- a/hosts/framenix/storage.nix
+++ b/hosts/framenix/storage.nix
@@ -37,7 +37,10 @@ in
     "/boot" = {
       device = "/dev/disk/by-uuid/AF8E-E9E6";
       fsType = "vfat";
-      options = [ "discard" ];
+      options = [
+        "discard"
+        "umask=077"
+      ];
     };
     # nix/ lix build directory
     # lix:
diff --git a/hosts/thinknix/storage.nix b/hosts/thinknix/storage.nix
index 169cca6..e9d67a8 100644
--- a/hosts/thinknix/storage.nix
+++ b/hosts/thinknix/storage.nix
@@ -35,7 +35,10 @@ in
     "/boot" = {
       device = "/dev/disk/by-uuid/DED9-661B";
       fsType = "vfat";
-      options = [ "discard" ];
+      options = [
+        "discard"
+        "umask=077"
+      ];
     };
 
     "/home" = {

From 69574ba1f0a1df87a85ff5224b4796952487acb7 Mon Sep 17 00:00:00 2001
From: Trolli Schmittlauch <t.schmittlauch@orlives.de>
Date: Wed, 6 May 2026 16:52:11 +0200
Subject: [PATCH 2/2] hosts/framenix: disable secureboot again

amdgpu + secureboot somehow manage to mess up graphics semi-persistently
after a long uptime.
---
 hosts/framenix/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hosts/framenix/default.nix b/hosts/framenix/default.nix
index 497c7c7..496bf1b 100644
--- a/hosts/framenix/default.nix
+++ b/hosts/framenix/default.nix
@@ -88,6 +88,6 @@ in
 
   schmittlauch = {
     audio-sharing.enable = true;
-    secureboot.enable = true;
+    secureboot.enable = false;
   };
 }