Cleanup pki: apiserver and etcd

nixos/modules/services/cluster/kubernetes/apiserver.nix

@@ -272,7 +272,27 @@ in
   ###### implementation
   config = mkMerge [
 
-    (mkIf cfg.enable {
+    (let
+
+      apiserverPaths = filter (a: a != null) [
+        cfg.clientCaFile
+        cfg.etcd.caFile
+        cfg.etcd.certFile
+        cfg.etcd.keyFile
+        cfg.kubeletClientCaFile
+        cfg.kubeletClientCertFile
+        cfg.kubeletClientKeyFile
+        cfg.serviceAccountKeyFile
+        cfg.tlsCertFile
+        cfg.tlsKeyFile
+      ];
+      etcdPaths = filter (a: a != null) [
+        config.services.etcd.trustedCaFile
+        config.services.etcd.certFile
+        config.services.etcd.keyFile
+      ];
+
+    in mkIf cfg.enable {
         systemd.services.kube-apiserver = {
           description = "Kubernetes APIServer Service";
           wantedBy = [ "kube-control-plane-online.target" ];
@@ -342,6 +362,15 @@ in
             Restart = "on-failure";
             RestartSec = 5;
           };
+          unitConfig.ConditionPathExists = apiserverPaths;
+        };
+
+        systemd.paths.kube-apiserver = mkIf top.apiserver.enable {
+          wantedBy = [ "kube-apiserver.service" ];
+          pathConfig = {
+            PathExists = apiserverPaths;
+            PathChanged = apiserverPaths;
+          };
         };
 
         services.etcd = {
@@ -355,6 +384,18 @@ in
           initialAdvertisePeerUrls = mkDefault ["https://${top.masterAddress}:2380"];
         };
 
+        systemd.services.etcd = {
+          unitConfig.ConditionPathExists = etcdPaths;
+        };
+
+        systemd.paths.etcd = {
+          wantedBy = [ "etcd.service" ];
+          pathConfig = {
+            PathExists = etcdPaths;
+            PathChanged = etcdPaths;
+          };
+        };
+
         services.kubernetes.addonManager.bootstrapAddons = mkIf isRBACEnabled {
 
           apiserver-kubelet-api-admin-crb = {

nixos/modules/services/cluster/kubernetes/pki.nix

@@ -124,23 +124,6 @@ in
       top.caFile
       certmgrAPITokenPath
     ];
-    apiserverPaths = [
-      top.apiserver.clientCaFile
-      top.apiserver.etcd.caFile
-      top.apiserver.etcd.certFile
-      top.apiserver.etcd.keyFile
-      top.apiserver.kubeletClientCaFile
-      top.apiserver.kubeletClientCertFile
-      top.apiserver.kubeletClientKeyFile
-      top.apiserver.serviceAccountKeyFile
-      top.apiserver.tlsCertFile
-      top.apiserver.tlsKeyFile
-    ];
-    etcdPaths = [
-      config.services.etcd.certFile
-      config.services.etcd.keyFile
-      config.services.etcd.trustedCaFile
-    ];
     flannelPaths = [
       cfg.certs.flannelClient.cert
       cfg.certs.flannelClient.key
@@ -412,30 +395,6 @@ in
         127.0.0.1 etcd.${top.addons.dns.clusterDomain} etcd.local
       '';
 
-      systemd.services.kube-apiserver = mkIf top.apiserver.enable {
-        unitConfig.ConditionPathExists = apiserverPaths;
-      };
-
-      systemd.paths.kube-apiserver = mkIf top.apiserver.enable {
-        wantedBy = [ "kube-apiserver.service" ];
-        pathConfig = {
-          PathExists = apiserverPaths;
-          PathChanged = apiserverPaths;
-        };
-      };
-
-      systemd.services.etcd = mkIf top.apiserver.enable {
-        unitConfig.ConditionPathExists = etcdPaths;
-      };
-
-      systemd.paths.etcd = mkIf top.apiserver.enable {
-        wantedBy = [ "etcd.service" ];
-        pathConfig = {
-          PathExists = etcdPaths;
-          PathChanged = etcdPaths;
-        };
-      };
-
       services.flannel = with cfg.certs.flannelClient; {
         kubeconfig = top.lib.mkKubeConfig "flannel" {
           server = top.apiserverAddress;