boot.nixStoreMountOpts

Defines the mount options used on a bind mount for the /nix/store. This affects the whole system except the nix store daemon, which will undo the bind mount.

ro enforces immutability of the Nix store. The store daemon should already not put device mappers or suid binaries in the store, meaning nosuid and nodev enforce what should already be the case.