From 24b535d524618ad4b9f5780433d1e1161a9c9037 Mon Sep 17 00:00:00 2001
From: Min RK
Date: Tue, 17 Jul 2018 08:36:06 -0700
Subject: [PATCH] move proxy secret to state dir
---
 tljh/installer.py | 8 +++++---
 tljh/systemd-units/configurable-http-proxy.service | 2 +-
 tljh/systemd-units/jupyterhub.service | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/tljh/installer.py b/tljh/installer.py
index 324cbb9..a68652c 100644
--- a/tljh/installer.py
+++ b/tljh/installer.py
@@ -14,6 +14,8 @@ INSTALL_PREFIX = os.environ.get('TLJH_INSTALL_PREFIX', '/opt/tljh')
 HUB_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'hub')
 USER_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'user')
+STATE_DIR = os.path.join(HUB_ENV_PREFIX, 'state')
+
 HERE = os.path.abspath(os.path.dirname(__file__))
 rt_yaml = YAML()
@@ -38,16 +40,16 @@ def ensure_jupyterhub_service(prefix):
 systemd.install_unit('jupyterhub.service', hub_unit_template.format(**unit_params))
 systemd.reload_daemon()
+ os.makedirs(STATE_DIR, mode=0o700, exist_ok=True)
+
 # Set up proxy / hub secret oken if it is not already setup
- # FIXME: Check umask here properly
- proxy_secret_path = os.path.join(INSTALL_PREFIX, 'configurable-http-proxy.secret')
+ proxy_secret_path = os.path.join(STATE_DIR, 'configurable-http-proxy.secret')
 if not os.path.exists(proxy_secret_path):
 with open(proxy_secret_path, 'w') as f:
 f.write('CONFIGPROXY_AUTH_TOKEN=' + secrets.token_hex(32))
 # If we are changing CONFIGPROXY_AUTH_TOKEN, restart configurable-http-proxy!
 systemd.restart_service('configurable-http-proxy')
- os.makedirs(os.path.join(INSTALL_PREFIX, 'hub', 'state'), mode=0o700, exist_ok=True)
 # Start CHP if it has already not been started
 systemd.start_service('configurable-http-proxy')
 # If JupyterHub is running, we want to restart it.
diff --git a/tljh/systemd-units/configurable-http-proxy.service b/tljh/systemd-units/configurable-http-proxy.service
index 808bb8b..483028a 100644
--- a/tljh/systemd-units/configurable-http-proxy.service
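Review bot: The `# FIXME: Check umask here properly` comment is removed, but the secret is still written with `open(proxy_secret_path, 'w')`, so the file's mode depends on the process umask and the token is protected only by the permissions of `STATE_DIR`. `os.makedirs(STATE_DIR, mode=0o700, exist_ok=True)` does not change the mode of a directory that already exists, so a pre-existing, more permissive `hub/state` would leave the token readable by other local users. Create the file with an explicit mode, e.g. `fd = os.open(proxy_secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`, and consider `os.chmod(STATE_DIR, 0o700)` after the makedirs call. On upgraded installs the old `configurable-http-proxy.secret` under the install prefix appears to be left on disk; removing it would avoid a stale secret file. The body of `ensure_jupyterhub_service` starts and ends outside this hunk.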
+++ b/tljh/systemd-units/configurable-http-proxy.service
@@ -14,7 +14,7 @@ PrivateTmp=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
-EnvironmentFile={install_prefix}/configurable-http-proxy.secret
+EnvironmentFile={install_prefix}/hub/state/configurable-http-proxy.secret
 # Set PATH so env can find correct node
 Environment=PATH=$PATH:{install_prefix}/hub/bin
 ExecStart={install_prefix}/hub/bin/configurable-http-proxy \
diff --git a/tljh/systemd-units/jupyterhub.service b/tljh/systemd-units/jupyterhub.service
index b7fbcb2..a653592 100644
--- a/tljh/systemd-units/jupyterhub.service
+++ b/tljh/systemd-units/jupyterhub.service
@@ -17,7 +17,7 @@ PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 # Source CONFIGPROXY_AUTH_TOKEN from here!
-EnvironmentFile={install_prefix}/configurable-http-proxy.secret
+EnvironmentFile={install_prefix}/hub/state/configurable-http-proxy.secret
 Environment=TLJH_INSTALL_PREFIX={install_prefix}
 ExecStart={python_interpreter_path} -m jupyterhub.app -f {jupyterhub_config_path}
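Review bot: The state path is now spelled out three times: `STATE_DIR` in installer.py and the literal `{install_prefix}/hub/state/` in this `EnvironmentFile=` line and the one in jupyterhub.service. Because `EnvironmentFile=` has no `-` prefix, systemd refuses to start the unit when the file is absent, so a later change to `STATE_DIR` that misses the templates stops both services. Passing the directory into the templates, e.g. `EnvironmentFile={state_dir}/configurable-http-proxy.secret`, would keep them in step; that needs a `state_dir` entry in the format parameters, which are built outside the visible hunks.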