diff --git a/nixos/modules/services/cluster/kubernetes/controller-manager.nix b/nixos/modules/services/cluster/kubernetes/controller-manager.nix index 8e82db36425a..cc43a243df1c 100644 --- a/nixos/modules/services/cluster/kubernetes/controller-manager.nix +++ b/nixos/modules/services/cluster/kubernetes/controller-manager.nix @@ -104,16 +104,7 @@ in }; ###### implementation - config = mkIf cfg.enable (let - controllerManagerPaths = [ - cfg.rootCaFile - cfg.tlsCertFile - cfg.tlsKeyFile - top.pki.certs.controllerManagerClient.cert - top.pki.certs.controllerManagerClient.key - ]; - in { - + config = mkIf cfg.enable { systemd.services.kube-controller-manager = { description = "Kubernetes Controller Manager Service"; wantedBy = [ "kube-control-plane-online.target" ]; @@ -160,15 +151,6 @@ in Group = "kubernetes"; }; path = top.path; - unitConfig.ConditionPathExists = controllerManagerPaths; - }; - - systemd.paths.kube-controller-manager = { - wantedBy = [ "kube-controller-manager.service" ]; - pathConfig = { - PathExists = controllerManagerPaths; - PathChanged = controllerManagerPaths; - }; }; services.kubernetes.pki.certs = with top.lib; { @@ -185,5 +167,5 @@ in }; services.kubernetes.controllerManager.kubeconfig.server = mkDefault top.apiserverAddress; - }); + }; } diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix index 4d97d8322cd4..98284fba12ac 100644 --- a/nixos/modules/services/cluster/kubernetes/pki.nix +++ b/nixos/modules/services/cluster/kubernetes/pki.nix @@ -143,6 +143,13 @@ in cfg.certs.schedulerClient.cert cfg.certs.schedulerClient.key ]; + controllerManagerPaths = [ + top.controllerManager.rootCaFile + top.controllerManager.tlsCertFile + top.controllerManager.tlsKeyFile + cfg.certs.controllerManagerClient.cert + cfg.certs.controllerManagerClient.key + ]; in { 
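Review bot: The `controllerManagerPaths` list added to pki.nix takes `rootCaFile`, `tlsCertFile` and `tlsKeyFile` straight from `top.controllerManager`, and nothing in the hunk guards against one of them being unset. Those option declarations are outside this diff; if any of them is nullable, a null would flow into `ConditionPathExists`/`PathExists`, and the TLS key would no longer be part of the start-up gate. Consider filtering where the list is defined, e.g. `controllerManagerPaths = builtins.filter (p: p != null) [ ... ];`, and adding a one-line comment such as `# files that must exist before kube-controller-manager is started`. The enclosing `let` begins above the hunk, so check whether the sibling lists there have the same problem.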
@@ -336,6 +343,18 @@ in }; }; + systemd.services.kube-controller-manager = mkIf top.controllerManager.enable { + unitConfig.ConditionPathExists = controllerManagerPaths; + }; + + systemd.paths.kube-controller-manager = mkIf top.controllerManager.enable { + wantedBy = [ "kube-controller-manager.service" ]; + pathConfig = { + PathExists = controllerManagerPaths; + PathChanged = controllerManagerPaths; + }; + }; + environment.etc.${cfg.etcClusterAdminKubeconfig}.source = mkIf (!isNull cfg.etcClusterAdminKubeconfig) clusterAdminKubeconfig;
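Review bot: With `ConditionPathExists` and the `kube-controller-manager` path unit now defined only in pki.nix, a control plane that supplies its own certificates gets no start-up gate on the CA, TLS key or client key. That trade-off deserves a comment above the two new definitions, such as `# Gate start on the generated certs; only applies when this PKI module is active.` Whether the enclosing config is itself conditional on the PKI module being enabled is not visible in the hunk. The comment should also say that a systemd path unit only starts its target, so `PathChanged` firing on a rotated key or certificate does not restart an already running controller manager. Rotation therefore needs an explicit restart unless the daemon reloads the files itself.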