google-comute-image.nix: set umask 077 when downloading private keys from the metadata server.

2024-11-12 03:56:17 +03:00 · 2015-01-05 15:01:49 -05:00 · 2015-01-05 15:01:49 -05:00 · b19ab1f046
commit b19ab1f046
parent e548a4330d
1 changed files with 2 additions and 0 deletions
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@ -135,6 +135,8 @@ in
      path  = [ pkgs.wget ];
      script =
        ''
+          # When dealing with cryptographic keys, we want to keep things private.
+          umask 077
          wget="wget --retry-connrefused -t 6 --waitretry=10"
          # Don't download the SSH key if it has already been downloaded
          if ! [ -e /root/.ssh/authorized_keys ]; then