diff --git a/lib/k8s.nix b/lib/k8s.nix index e6ed34e..4cfb331 100644 --- a/lib/k8s.nix +++ b/lib/k8s.nix @@ -7,26 +7,37 @@ let cluster-ca = import ./initca.nix { inherit pgks initca; }; - cfssl-apitoken = pkgs.stdenv.mkDerivation { - name = "cfssl-apitoken"; - buildCommand = '' - head -c ${toString (32 / 2)} /dev/urandom | \ - od -An -t x | tr -d ' ' > $out - chmod 400 $out - ''; - }; + cfssl-apitoken = + let + apitoken = pkgs.stdenv.mkDerivation { + name = "apitoken"; + buildCommand = '' + head -c ${toString (32 / 2)} /dev/urandom | \ + od -An -t x | tr -d ' ' > $out + chmod 400 $out + ''; + }; + in + # make ca derivation sha depend on initca cfssl output + pkgs.stdenv.mkDerivation { + name = "cfssl-apitoken"; + src = apitoken; + buildCommand = '' + cp $src $out + ''; + }; kube-system-bootstrap = with settings; let - worker_nodes = pkgs.writeText "worker-nodes.txt" ( + worker_nodes = pkgs.writeText "kube-worker-nodes" ( builtins.foldl' (a: x: a + " - ${x.address}\n" ) "" settings.workers); grafana_ldap = pkgs.writeText "grafana-ldap.toml" grafana_ldap_toml; in pkgs.stdenv.mkDerivation { - name = "bootstrap-kube-system"; + name = "kube-system-bootstrap"; src = ../bootstrap; buildCommand = '' mkdir -p $out/bin @@ -44,8 +55,8 @@ let export grafana_ldap_toml="$(cat ${grafana_ldap} | base64 -w0)" export workers="$(cat ${worker_nodes})" - substituteAll $src/kube-system-bootstrap $out/bin/bootstrap-kube-system - chmod 755 $out/bin/bootstrap-kube-system + substituteAll $src/initial-kube-system-bootstrap $out/bin/initial-kube-system-bootstrap + chmod 755 $out/bin/initial-kube-system-bootstrap cd $src/config for i in *; do @@ -81,7 +92,8 @@ let services.cfssl.caKey = "${cluster-ca}/ca-key.pem"; services.kubernetes = { roles = [ "master" ]; - inherit apiserverAddress masterAddress; + inherit apiserverAddress; + masterAddress = settings.master.name; clusterCidr = settings.cidr; pki.genCfsslCACert = false; pki.genCfsslAPIToken = false; 
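Review bot: The token built by the inner `apitoken` derivation and the `cfssl-apitoken` copy made with `cp $src $out` are both Nix store paths, and `chmod 400 $out` does not survive there. Nix normalises store-path permissions to world-readable, so any local user can read the cfssl API token, as can anything that receives the closure. The wrapper adds a second copy of the secret rather than narrowing its exposure, and reading `/dev/urandom` in a builder means a rebuild on another machine silently yields a different token. Consider generating the token at activation or service start into a root-only path outside the store and handing only that path to the module (the `pki.genCfsslAPIToken = false;` line further down suggests the module's own generation was switched off on purpose, so confirm why). The added comment also does not match the code, since the wrapper's only input is `apitoken`, not the initca output; add the intended dependency or reword it, e.g. `# re-export apitoken under the cfssl-apitoken name`.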
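Review bot: `masterAddress = settings.master.name;` in the master's `services.kubernetes` set (and again in `kubeWorker` in the next hunk) switches to a hostname without saying why or how nodes resolve it, while `apiserverAddress` is still inherited. If that name goes through ordinary DNS, the bootstrap path that talks to the master, presumably including certificate requests made with the cfssl token, trusts the resolver to point at the real host. A comment such as `# hostname: must match the names in the master's certificate and resolve identically on every node` would record the requirement. The same expression is now written in two attribute sets, so binding it once in the enclosing `let` and keeping `inherit apiserverAddress masterAddress;` would stop the two from drifting. Both attribute sets start and end outside the hunks.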
@@ -147,7 +159,8 @@ let kubeWorker = { services.kubernetes = rec { roles = [ "node" ]; - inherit apiserverAddress masterAddress; + inherit apiserverAddress; + masterAddress = settings.master.name; clusterCidr = settings.cidr; kubelet.clusterDomain = "${settings.clusterName}.local"; };