From 6c45062740e80eefefe5f0537495e65bfd6ebae2 Mon Sep 17 00:00:00 2001
From: Scott Worley <scottworley@scottworley.com>
Date: Thu, 25 Sep 2025 15:13:03 -0700
Subject: [PATCH] Option to print the certificate during activation

This makes it easy to extract certificates from VMs.
---
 modules/make-certs.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/make-certs.nix b/modules/make-certs.nix
index 812c5a0..e77c84d 100644
--- a/modules/make-certs.nix
+++ b/modules/make-certs.nix
@@ -19,6 +19,9 @@ let
             escapeShellArg key-path
           }
         fi
+      '' + lib.optionalString cert-cfg.print ''
+        echo Public certificate for ${escapeShellArg name}: >&2
+        ${pkgs.coreutils}/bin/cat ${escapeShellArg pem-path} >&2
       '';
     };
 in {
@@ -38,6 +41,11 @@ in {
             # so just make really long-lived certificates for now.
             default = "99999";
           };
+          print = lib.mkOption {
+            type = lib.types.bool;
+            description = "If set, print the certificate (public key) during activation.";
+            default = false;
+          };
           user = lib.mkOption {
             type = lib.types.str;
             description = "The username that owns (can read) the secret key.";
-- 
2.50.1