From b19ab1f0465ec026cd4f33b08567aeaa9a9e1ed8 Mon Sep 17 00:00:00 2001
From: Russell O'Connor
Date: Mon, 5 Jan 2015 15:01:49 -0500
Subject: [PATCH] google-comute-image.nix: set umask 077 when downloading private keys from the metadata server.
---
 nixos/modules/virtualisation/google-compute-image.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nixos/modules/virtualisation/google-compute-image.nix b/nixos/modules/virtualisation/google-compute-image.nix
index 41337c7467e..808b6450182 100644
--- a/nixos/modules/virtualisation/google-compute-image.nix
+++ b/nixos/modules/virtualisation/google-compute-image.nix
@@ -135,6 +135,8 @@ in
 path = [ pkgs.wget ];
 script = ''
+ # When dealing with cryptographic keys, we want to keep things private.
+ umask 077
 wget="wget --retry-connrefused -t 6 --waitretry=10"
 # Don't download the SSH key if it has already been downloaded
 if ! [ -e /root/.ssh/authorized_keys ]; then