diff --git a/system/common.nix b/system/common.nix
index 5c5657e..064ead3 100644
--- a/system/common.nix
+++ b/system/common.nix
@@ -277,6 +277,9 @@
 lib.filter (m: m != "aes_generic") options.boot.initrd.luks.cryptoModules.default
 );
 
+ # don't pull legacy ATA modules into initrd (ATA_SFF=n)
+ initrd.includeDefaultModules = false;
+
 lanzaboote = {
 enable = true;
 # TODO: proper secrets management so this is not stored in nix store
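Review bot: `initrd.includeDefaultModules = false;` removes the whole NixOS default initrd module set, not only the legacy ATA drivers named in the added comment. As far as I recall the nixpkgs defaults, that set also carries the AHCI/NVMe/SCSI storage drivers, the USB host-controller and HID keyboard modules, and `dm_mod`. The context lines show this machine unlocks LUKS in the initrd, so every module needed to reach the disk and type the passphrase has to be listed explicitly in `boot.initrd.availableKernelModules`, or the system will not boot unattended or at all. Nothing in this hunk shows that list, and the enclosing attribute set starts and ends outside it, so please confirm it exists (for example in the generated hardware configuration). I would also reword the comment to state the real scope, e.g. `# drop the entire default initrd module set (storage, USB HID, dm_mod); required modules are listed explicitly in initrd.availableKernelModules`.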