From 54ddb367272714195a7eca5651d43aa7e4e9c024 Mon Sep 17 00:00:00 2001
From: Scott Worley <scottworley@scottworley.com>
Date: Tue, 21 Oct 2025 21:36:30 -0700
Subject: [PATCH] Ensure cert creation runs after user creation

So we can set ownership.
---
 modules/make-certs.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/make-certs.nix b/modules/make-certs.nix
index e77c84d..a7dae4b 100644
--- a/modules/make-certs.nix
+++ b/modules/make-certs.nix
@@ -1,13 +1,13 @@
 { lib, config, pkgs, ... }:
 let
-  inherit (lib) escapeShellArg;
+  inherit (lib) escapeShellArg stringAfter;
   mkActvationScript = name: cert-cfg:
     let
       pem-path = "${cert-cfg.dir}/${name}.pem";
       key-path = "${cert-cfg.dir}/${name}.key";
     in {
       name = "make-cert-${name}";
-      value = ''
+      value = stringAfter [ "users" ] (''
         if [[ ! -e ${escapeShellArg pem-path} ]];then
           ${pkgs.coreutils}/bin/mkdir -p ${escapeShellArg cert-cfg.dir}
           ${pkgs.openssl}/bin/openssl req -batch -x509 -newkey rsa:4096 \
@@ -22,7 +22,7 @@ let
       '' + lib.optionalString cert-cfg.print ''
         echo Public certificate for ${escapeShellArg name}: >&2
         ${pkgs.coreutils}/bin/cat ${escapeShellArg pem-path} >&2
-      '';
+      '');
     };
 in {
   options = {
-- 
2.50.1