diff --git a/nodepool/elements/nodepool-base/root.d/50-apt-allow-unauthenticated b/nodepool/elements/nodepool-base/root.d/50-apt-allow-unauthenticated
index 928e4d9b8f..250ac9f8cd 100755
--- a/nodepool/elements/nodepool-base/root.d/50-apt-allow-unauthenticated
+++ b/nodepool/elements/nodepool-base/root.d/50-apt-allow-unauthenticated
@@ -22,8 +22,9 @@ set -eu
 set -o pipefail
 
 # NOTE(pabelanger): Because our AFS mirrors are not signed, we need to allow
-# unauthenticated packages.
+# unauthenticated packages and insecure repos.
 if [ -d "$TARGET_ROOT/etc/apt/apt.conf.d" ]; then
     echo "APT::Get::AllowUnauthenticated \"true\";" | sudo tee $TARGET_ROOT/etc/apt/apt.conf.d/95allow-unauthenticated
+    echo "Acquire::AllowInsecureRepositories \"true\";" | sudo tee -a $TARGET_ROOT/etc/apt/apt.conf.d/95allow-unauthenticated
 fi
 
diff --git a/nodepool/nodepool.yaml b/nodepool/nodepool.yaml
index a9afdb7984..f915a8fc81 100644
--- a/nodepool/nodepool.yaml
+++ b/nodepool/nodepool.yaml
@@ -252,7 +252,8 @@ diskimages:
       DIB_APT_LOCAL_CACHE: '0'
       DIB_DISABLE_APT_CLEANUP: '1'
       DIB_GRUB_TIMEOUT: '0'
-      # TODO(pabelanger): Add AFS mirrors once bionic-updates is created.
+      DIB_DISTRIBUTION_MIRROR: 'http://mirror.dfw.rax.openstack.org/ubuntu'
+      DIB_DEBOOTSTRAP_EXTRA_ARGS: '--no-check-gpg'
       DIB_DEBIAN_COMPONENTS: 'main,universe'
   - name: ubuntu-trusty
     pause: false