{ pkgs, config, ... }:
{
  boot.loader.systemd-boot.enable     = true;
  boot.loader.efi.canTouchEfiVariables = true;
  fileSystems."/boot".options = [ "umask=0077" ];
}