Ensure cert creation runs after user creation
index 812c5a05dabe52622d8cc1e1baf42cad722ed01b..a7dae4b552f4346051c4ca01614ff7bc7c58d635 100644 (file)
@@ -1,13 +1,13 @@
 { lib, config, pkgs, ... }:
 let
-  inherit (lib) escapeShellArg;
+  inherit (lib) escapeShellArg stringAfter;
   mkActvationScript = name: cert-cfg:
     let
       pem-path = "${cert-cfg.dir}/${name}.pem";
       key-path = "${cert-cfg.dir}/${name}.key";
     in {
       name = "make-cert-${name}";
-      value = ''
+      value = stringAfter [ "users" ] (''
         if [[ ! -e ${escapeShellArg pem-path} ]];then
           ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg cert-cfg.dir}
           ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa:4096 \
@@ -19,7 +19,10 @@ let
             escapeShellArg key-path
           }
         fi
-      '';
+      '' + lib.optionalString cert-cfg.print ''
+        echo Public certificate for ${escapeShellArg name}: >&2
+        ${pkgs.coreutils}/bin/cat ${escapeShellArg pem-path} >&2
+      '');
     };
 in {
   options = {
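Review bot: The `print` block appended after the `fi` runs on every activation, not only when a certificate has just been generated, and it `cat`s `pem-path` unconditionally, so if the `openssl req` above failed (or the file was removed by hand) the `cat` error lands in the activation log with no context. Guarding the read, e.g. `[[ -e ${escapeShellArg pem-path} ]] && ${pkgs.coreutils}/bin/cat ${escapeShellArg pem-path} >&2`, keeps the script's output tied to the file check it already makes; if the intent was "show the cert once when created", the block belongs inside the `if`, whose opening line is in the previous hunk. Only the public `.pem` is read here, never `key-path`, which is the right boundary for something that ends up in activation output. The option's description in the last hunk should state that the certificate is printed to stderr on every activation while the option is set, since the current wording can be read as a one-time action. Minor style: `stringAfter` is inherited from `lib` on the first hunk while `lib.optionalString` is used qualified here; inheriting both reads more consistently.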
@@ -38,6 +41,11 @@ in {
             # so just make really long-lived certificates for now.
             default = "99999";
           };
+          print = lib.mkOption {
+            type = lib.types.bool;
+            description = "If set, print the certificate (public key) during activation.";
+            default = false;
+          };
           user = lib.mkOption {
             type = lib.types.str;
             description = "The username that owns (can read) the secret key.";