Option to print the certificate during activation

This makes it easy to extract certificates from VMs.

diff --git a/modules/make-certs.nix b/modules/make-certs.nix
index 812c5a05dabe52622d8cc1e1baf42cad722ed01b..e77c84dfdc59ae6959a8170b6746ae46cdf31e9a 100644 (file)
--- a/modules/make-certs.nix
+++ b/modules/make-certs.nix
@@ -19,6 +19,9 @@ let
             escapeShellArg key-path
           }
         fi
+      '' + lib.optionalString cert-cfg.print ''
+        echo Public certificate for ${escapeShellArg name}: >&2
+        ${pkgs.coreutils}/bin/cat ${escapeShellArg pem-path} >&2
       '';
     };
 in {
@@ -38,6 +41,11 @@ in {
             # so just make really long-lived certificates for now.
             default = "99999";
           };
+          print = lib.mkOption {
+            type = lib.types.bool;
+            description = "If set, print the certificate (public key) during activation.";
+            default = false;
+          };
           user = lib.mkOption {
             type = lib.types.str;
             description = "The username that owns (can read) the secret key.";