ref: get constant handles on more pkiFiles

- constant handles are stronger identities than string identities REFACTORING: proven to have no effect via diff-against-bitte-commit - the following diff shows equivalence where `echo "$cert" | cfssljson -bare cert` is the producer of cert & cert-key ENV DIFF: ```diff echo "$cert" | cfssljson -bare cert - echo "$cert" | jq -r -e .ca > "ca.pem" - echo "$cert" | jq -r -e .full > "full.pem" - - for pem in *.pem; do - [ -s "$pem" ] - cp "$pem" "/etc/ssl/certs/$pem" - done + cp cert.pem /etc/ssl/certs/cert.pem + cp cert-key.pem /etc/ssl/certs/cert-key.pem + + echo "$cert" | jq -r -e .ca > "/etc/ssl/certs/ca.pem" + echo "$cert" | jq -r -e .full > "/etc/ssl/certs/full.pem" ```
input-output-hk · Jan 9, 2022 · 383353d · 383353d
1 parent 6f6f358
commit 383353d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 12 deletions.
diff --git a/profiles/auxiliaries/secrets.nix b/profiles/auxiliaries/secrets.nix
@@ -1,4 +1,4 @@
-{ self, lib, pkgs, config, ... }:
+{ self, lib, pkgs, config, pkiFiles, ... }:
 let
   sopsEncrypt =
     "${pkgs.sops}/bin/sops --encrypt --input-type json --kms '${config.cluster.kms}' /dev/stdin";
@@ -184,13 +184,11 @@ in {
       export PATH="${lib.makeBinPath (with pkgs; [ cfssl jq coreutils ])}"
       cert="$(${sopsDecrypt (config.secrets.encryptedRoot + "/cert.json")})"
       echo "$cert" | cfssljson -bare cert
-      echo "$cert" | jq -r -e .ca  > "ca.pem"
-      echo "$cert" | jq -r -e .full  > "full.pem"
+      cp ${builtins.baseNameOf pkiFiles.certFile} ${pkiFiles.certFile}
+      cp ${builtins.baseNameOf pkiFiles.keyFile} ${pkiFiles.keyFile}
 
-      for pem in *.pem; do
-      [ -s "$pem" ]
-      cp "$pem" "/etc/ssl/certs/$pem"
-      done
+      echo "$cert" | jq -r -e .ca  > "${pkiFiles.caCertFile}"
+      echo "$cert" | jq -r -e .full  > "${pkiFiles.certChainFile}"
     '';
   };
 }
diff --git a/profiles/vault/client.nix b/profiles/vault/client.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }: let
+{ config, lib, pkgs, pkiFiles, ... }: let
 
   Imports = { imports = [
     ./common.nix
@@ -40,10 +40,10 @@
         set -exuo pipefail
 
         test -f /etc/ssl/certs/.last_restart || touch -d '2020-01-01' /etc/ssl/certs/.last_restart
-        [ -f /etc/ssl/certs/ca.pem ]
-        [ /etc/ssl/certs/full.pem -nt /etc/ssl/certs/.last_restart ]
-        [ /etc/ssl/certs/cert.pem -nt /etc/ssl/certs/.last_restart ]
-        [ /etc/ssl/certs/cert-key.pem -nt /etc/ssl/certs/.last_restart ]
+        [ -f ${pkiFiles.caCertFile} ]
+        [ ${pkiFiles.certChainFile} -nt /etc/ssl/certs/.last_restart ]
+        [ ${pkiFiles.certFile} -nt /etc/ssl/certs/.last_restart ]
+        [ ${pkiFiles.keyFile} -nt /etc/ssl/certs/.last_restart ]
 
         systemctl try-reload-or-restart consul.service