Security warning when installing NixOS 23.11

See more here: Nixos-install with custom flake results in /boot being world accessible - #14 by ElvishJerricco

Basically, you should add `options = ["umask=0077"];` to the `/boot` file system stanza. You can avoid the warning during installation too by mounting `/mnt/boot` with `-o umask=0077` in the first place.

We should add this information to the NixOS manual, but unfortunately `nixos-generate-config` currently wouldn't include that option in the generated `hardware-configuration.nix`.

Overall, the warning is fairly harmless. This wasn't warned about for many years, and so it's very common for systems not to have this configured (which is why the manual hasn't had this information before). But it is technically best practice to make sure that only root can read `/boot` using `umask=0077`, so systemd v254 included the new warning.

9 Likes
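As an added example (not part of the post above, and not what `nixos-generate-config` emits), here is the `/boot` stanza of a `hardware-configuration.nix` before and after applying the advice. The device UUID `1234-ABCD` is a placeholder; substitute the UUID of your own EFI system partition. On a vfat filesystem `umask=0077` gives every directory mode 0700 and every file mode 0600, so only root can read the kernels, initrds and loader entries stored there.

```nix
# Added example: the /boot filesystem stanza in hardware-configuration.nix.
# The UUID below is a placeholder, not a real device on any system.
{
  # Before: the stanza as generated today. vfat's default umask leaves
  # everything under /boot world-readable, which triggers the systemd warning.
  #
  # fileSystems."/boot" = {
  #   device = "/dev/disk/by-uuid/1234-ABCD";
  #   fsType = "vfat";
  # };

  # After: restrict the whole mount to root (directories 0700, files 0600).
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/1234-ABCD";
    fsType = "vfat";
    options = [ "umask=0077" ];
  };
}
```

During a fresh install the equivalent is to mount the partition with the same option before running `nixos-install`, e.g. `mount -o umask=0077 /dev/disk/by-uuid/1234-ABCD /mnt/boot`. After the rebuild (or remount) you can confirm the effect with `ls -ld /boot`, which should show `drwx------` owned by root, and `ls -l /boot` should show only `-rw-------` files.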