From 4382120e37fae541e72cba695905198963a31332 Mon Sep 17 00:00:00 2001
From: Daniel Micay <daniel.micay@grapheneos.org>
Date: Fri, 21 Jun 2024 22:36:27 -0400
Subject: [PATCH] set umask for encrypted swapfile creation

---
 deploy-initial | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy-initial b/deploy-initial
index 1d5e37b..443f8af 100755
--- a/deploy-initial
+++ b/deploy-initial
@@ -60,7 +60,7 @@ rsync -cv nftables/nftables-${hosts_firewall[$host]:-web}.conf $remote:/mnt/etc/
 ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service plocate-updatedb.timer systemd-networkd.service sshd.service unbound.service"
 ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service"
 
-ssh $remote "dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress"
+ssh $remote "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress"
 
 password=$(head -c32 <(tr -dc A-Za-z0-9 </dev/random))
 echo password: $password
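Review bot: The `umask 077` on the new `dd` line only takes effect when `dd` creates `/mnt/swapfile`; if the file already exists (for example after an interrupted earlier run), `dd` truncates it and the existing mode is kept. Whether this script is ever re-run against a populated `/mnt` is not visible from this hunk, but removing the file first would make the permission guarantee unconditional: `ssh $remote "umask 077 && rm -f /mnt/swapfile && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress"`. A short comment above the line would also help, such as `# create the swapfile with mode 0600 from the start so it is never readable by other users`.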