move proxy secret to state dir

2025-12-18 21:54:05 +08:00 · 2018-07-17 08:36:06 -07:00
parent 54532997d5
commit 24b535d524
3 changed files with 7 additions and 5 deletions
--- a/tljh/installer.py
+++ b/tljh/installer.py
@@ -14,6 +14,8 @@ INSTALL_PREFIX = os.environ.get('TLJH_INSTALL_PREFIX', '/opt/tljh')
 HUB_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'hub')
 USER_ENV_PREFIX = os.path.join(INSTALL_PREFIX, 'user')

+STATE_DIR = os.path.join(HUB_ENV_PREFIX, 'state')
+
 HERE = os.path.abspath(os.path.dirname(__file__))

 rt_yaml = YAML()
@@ -38,16 +40,16 @@ def ensure_jupyterhub_service(prefix):
    systemd.install_unit('jupyterhub.service', hub_unit_template.format(**unit_params))
    systemd.reload_daemon()

+    os.makedirs(STATE_DIR, mode=0o700, exist_ok=True)
+
    # Set up proxy / hub secret oken if it is not already setup
-    # FIXME: Check umask here properly
-    proxy_secret_path = os.path.join(INSTALL_PREFIX, 'configurable-http-proxy.secret')
+    proxy_secret_path = os.path.join(STATE_DIR, 'configurable-http-proxy.secret')
    if not os.path.exists(proxy_secret_path):
        with open(proxy_secret_path, 'w') as f:
            f.write('CONFIGPROXY_AUTH_TOKEN=' + secrets.token_hex(32))
        # If we are changing CONFIGPROXY_AUTH_TOKEN, restart configurable-http-proxy!
        systemd.restart_service('configurable-http-proxy')

-    os.makedirs(os.path.join(INSTALL_PREFIX, 'hub', 'state'), mode=0o700, exist_ok=True)
    # Start CHP if it has already not been started
    systemd.start_service('configurable-http-proxy')
    # If JupyterHub is running, we want to restart it.