From 133bad5aefb95c16e61fd1275be68ea7c5e08423 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Mon, 27 Apr 2026 09:01:19 -0500
Subject: [PATCH] started mtls wrappers

---
 modules/features/mtls.nix | 79 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 78 insertions(+), 1 deletion(-)

diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 255c13e..1212d8f 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -334,7 +334,11 @@ in
 inherit pkgs certFile keyFile bundleFile;
 })
 (mkMtlsCheckScript { inherit pkgs bundleFile; })
- (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
+ # (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
+ (inputs.self.wrappers.mtlsRenew.apply {
+ inherit pkgs;
+ inherit (cfg) certDir certFile keyFile;
+ }).wrapper
 ];
 
 systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
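Review bot: The old `(mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })` call is left behind as a comment instead of being deleted, and the replacement on the following lines takes no equivalent of `systemctlArgs`; the new wrapper's preHook in the second hunk contains no systemctl call either, so whatever post-renewal service reload that argument drove appears to be dropped rather than moved — I cannot see mkMtlsRenewScript from here to confirm. Either delete the commented line and state the dropped behaviour in the commit message, or keep it with a marker such as `# TODO: restore the --user service reload once the mtlsRenew wrapper supports it`. The enclosing package list and the module attribute set it belongs to start before this hunk.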
@@ -349,4 +353,77 @@ in
 });
 };
 };
+
+ flake.wrappers = {
+ mtlsNeedsRenewal = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+ options = {
+ certFile = lib.mkOption {
+ description = "String path for the public cert";
+ type = lib.types.str;
+ };
+ };
+
+ config = {
+ binName = "mtls-needs-renewal";
+ package = config.pkgs.step-cli;
+ preHook = ''
+ echo "Checking renewal status..."
+ '';
+ args = [ "certificate" "needs-renewal" "${config.certFile}" ];
+ };
+ });
+
+ mtlsRenew = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+ options = {
+ certDir = lib.mkOption {
+ description = "String path to the directory where the certs will be stored";
+ type = lib.types.str;
+ };
+ keyFile = lib.mkOption {
+ description = "String path for the private key";
+ type = lib.types.str;
+ default = "${config.certDir}/key.pem";
+ };
+ certFile = lib.mkOption {
+ description = "String path for the public cert";
+ type = lib.types.str;
+ default = "${config.certDir}/cert.pem";
+ };
+ };
+
+ config = {
+ binName = "mtls-renew";
+ package = config.pkgs.step-cli;
+ extraPackages = [
+ (inputs.self.wrappers.mtlsNeedsRenewal.apply {
+ inherit (config) pkgs certFile;
+ }).wrapper
+ ];
+ preHook = ''
+ YELLOW_BANG="\e[33m!\e[0m"
+
+ force=0
+ while [[ $# -gt 0 ]]; do
+ case $1 in
+ --force)
+ force=1
+ shift
+ ;;
+ *)
+ echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+ exit 1
+ ;;
+ esac
+ done
+
+ if [[ $force -eq 0 ]] && ! mtls-needs-renewal; then
+ echo "Skipping renew"
+ exit 0
+ else
+ echo "Renewing mTLS certificate"
+ fi
+ '';
+ };
+ });
+ };
 }
\ No newline at end of file
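Review bot: In the mtlsRenew preHook, `if [[ $force -eq 0 ]] && ! mtls-needs-renewal; then` treats every non-zero exit of the helper as "no renewal needed" and exits 0, so a missing or unreadable certFile (which, as far as I recall step's documentation, yields an error exit code distinct from the "does not need renewal" status of 1) silently skips renewal until the certificate expires and mTLS stops working; the three outcomes should be distinguished explicitly, as in the excerpt below, with the diagnostic sent to stderr so the wrapper remains usable as a predicate. Separately, the `*)` branch prints "Warning: ignoring unrecognized argument" but then runs `exit 1`, so either the message or the exit status is wrong, and `--force` is consumed by the loop but never forwarded to the renewal command. mtlsRenew sets no `args`, so what the wrapper executes after preHook is not visible in this hunk; if that is intentional work in progress, a `# TODO: configure the step ca renew invocation and pass --force through` comment at the `config` block would make it clear. `echo -e` also interprets backslash sequences inside `$1`; `printf '%s\n' "$YELLOW_BANG Warning: …"` avoids that.
```nix
preHook = ''
  # … unchanged: YELLOW_BANG and the --force argument loop …

  if [[ $force -eq 0 ]]; then
    if mtls-needs-renewal; then
      echo "Renewing mTLS certificate"
    elif [[ $? -eq 1 ]]; then
      echo "Skipping renew"
      exit 0
    else
      echo "Could not determine renewal status for the certificate" >&2
      exit 1
    fi
  else
    echo "Renewing mTLS certificate (forced)"
  fi
'';
```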