Commit ffadbb67 authored by Felix Buehler's avatar Felix Buehler
Browse files

kubernetes: prefer 'install' over 'mkdir/chmod/chown'

parent 237e7780

nixos/modules/services/cluster/kubernetes/pki.nix

+3 −5
Original line number Diff line number Diff line
@@ -174,9 +174,8 @@ in 
      '')

      (optionalString cfg.genCfsslAPIToken ''

        if [ ! -f "${cfsslAPITokenPath}" ]; then

          head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ' >"${cfsslAPITokenPath}"

          install -u cfssl -m 400 <(head -c ${toString (cfsslAPITokenLength / 2)} /dev/urandom | od -An -t x | tr -d ' ') "${cfsslAPITokenPath}"

        fi

        chown cfssl "${cfsslAPITokenPath}" && chmod 400 "${cfsslAPITokenPath}"

      '')]);



    systemd.services.kube-certmgr-bootstrap = {
@@ -194,7 +193,7 @@ in 
        if [ -f "${cfsslAPITokenPath}" ]; then

          ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}"

        else

          touch "${certmgrAPITokenPath}" && chmod 600 "${certmgrAPITokenPath}"

          install -m 600 /dev/null "${certmgrAPITokenPath}"

        fi

      ''

      (optionalString (cfg.pkiTrustOnBootstrap) ''
@@ -297,8 +296,7 @@ in 
          exit 1

        fi



        echo $token > ${certmgrAPITokenPath}

        chmod 600 ${certmgrAPITokenPath}

        install -m 0600 <(echo $token) ${certmgrAPITokenPath}



        echo "Restarting certmgr..." >&1

        systemctl restart certmgr