author | Russell O'Connor <oconnorr@google.com> | 2015-01-05 15:01:49 -0500 |
---|---|---|
committer | Russell O'Connor <oconnorr@google.com> | 2015-01-05 15:01:49 -0500 |
commit | b19ab1f0465ec026cd4f33b08567aeaa9a9e1ed8 (patch) | |
tree | c09440afae7e48141f05e06c49cdef94d29c63c0 /nixos/modules/virtualisation/google-compute-image.nix | |
parent | e548a4330d858b81d00d9a586b02b494e4df8983 (diff) | |
google-comute-image.nix: set umask 077 when downloading private keys from the metadata server.
Diffstat (limited to 'nixos/modules/virtualisation/google-compute-image.nix')
-rw-r--r-- | nixos/modules/virtualisation/google-compute-image.nix | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix index 41337c7467ef..808b64501829 100644 --- a/nixos/modules/virtualisation/google-compute-image.nix +++ b/nixos/modules/virtualisation/google-compute-image.nix @@ -135,6 +135,8 @@ in path = [ pkgs.wget ]; script = '' + # When dealing with cryptographic keys, we want to keep things private. + umask 077 wget="wget --retry-connrefused -t 6 --waitretry=10" # Don't download the SSH key if it has already been downloaded if ! [ -e /root/.ssh/authorized_keys ]; then |
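Review bot: The `umask 077` added at the top of `script` only governs files and directories that this run creates; anything already on disk keeps the mode it had. The visible guard `if ! [ -e /root/.ssh/authorized_keys ]` skips the download when the file exists, so on an instance provisioned before this change, key material written under the previous umask would presumably stay readable as before. Consider setting the mode explicitly on the private key files after they are written, e.g. `chmod 600 <private-key-path>` (placeholder; the real paths are outside the hunk), so that the permissions do not depend on the umask alone. The new comment could also name what it protects, for example `# Host keys and authorized_keys fetched below must not be group/world readable.` The script body continues past the end of the hunk, so the download and install steps could not be checked here.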