From f0eba76e4907b8902a40f9bddee55f12fadd9a39 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Thu, 30 Apr 2026 16:31:26 -0500
Subject: [PATCH] mtls-check wrapping openssl kinda working

---
 modules/features/mtls.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index e5453c7..4041c84 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -351,7 +351,14 @@ in
     };
 
   flake.wrappers = {
-    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }:
+      let
+        singleOutputOpenSSL = config.pkgs.symlinkJoin {
+          name = "openssl";
+          paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
+          meta.mainProgram = "openssl";
+        };
+      in {
       options = {
         bundleFile = lib.mkOption {
           description = "String path for the mTLS key bundle";
@@ -361,7 +368,8 @@ in
 
       config = {
         binName = "mtls-check";
-        package = config.pkgs.openssl;
+        package = singleOutputOpenSSL;
+        exePath = "${singleOutputOpenSSL}/bin/openssl";
         args = [
           "x509"
           "-noout"