diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index dc335b9..1022513 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -68,7 +68,7 @@ let
 group = lib.mkOption {
 description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
 type = lib.types.nullOr lib.types.str;
- default = cfg.user;
+ default = cfg.renew.user;
 };
 reloadUnits = lib.mkOption {
 description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -125,13 +125,7 @@ let
 mkMtlsRenewScript =
 {
 pkgs,
- certFile,
- keyFile,
- bundleFile,
- user,
- group,
- reloadUnits ? [ ],
- postCommands ? [ ],
+ cfg,
 systemctlArgs ? [ ],
 }:
 let
@@ -140,15 +134,19 @@ let
 chownCmd = lib.getExe' pkgs.coreutils "chown";
 chmodCmd = lib.getExe' pkgs.coreutils "chmod";
 stepCmd = lib.getExe pkgs.step-cli;
- hasReloadUnits = reloadUnits != [ ];
- hasPostCommands = postCommands != [ ];
 systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
+
+ hasReloadUnits = cfg.renew.reloadUnits != [ ];
 renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
 if ${systemctlCmd} --quiet is-active "${unit}"; then
 ${systemctlCmd} try-reload-or-restart "${unit}"
 fi
- '') reloadUnits;
- renewPostCommands = lib.concatStringsSep "\n" postCommands;
+ '') cfg.renew.reloadUnits;
+
+ hasPostCommands = cfg.renew.postCommands != [ ];
+ renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands;
+
+ fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
 in
 pkgs.writeShellScriptBin "mtls-renew" ''
 set -euo pipefail
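Review bot: Collapsing the parameter list to a bare `cfg` removes the only place that said which options the renewal script actually depends on; nothing in the new signature tells a reader that `cfg.certFile`, `cfg.keyFile`, `cfg.bundleFile` and `cfg.renew.{user,group,reloadUnits,postCommands}` are read further down. A one-line comment above `mkMtlsRenewScript =` would restore that, e.g. `# Builds the mtls-renew script; reads cfg.{certFile,keyFile,bundleFile} and cfg.renew.{user,group,reloadUnits,postCommands}.` The function body continues past this hunk.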
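Review bot: `fileOwner = "${cfg.renew.user}:${cfg.renew.group}"` interpolates `cfg.renew.group` directly, but the `group` option in hunk @@ -68 is typed `lib.types.nullOr lib.types.str`, and the `serviceGroup = if group == null then user else group` fallback that used to absorb a null is deleted in hunk @@ -191; a configuration that sets `renew.group = null` would now fail at evaluation time with a null-to-string coercion error, and `Group = cfg.renew.group` in the rebuilt service would presumably trip the unit option type check as well. Either tighten the option to `lib.types.str` (its default is already `cfg.renew.user`, so null no longer means anything), or keep the fallback in one place: `fileOwner = "${cfg.renew.user}:${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group}";`. The `let` block and the script it feeds continue outside this hunk.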
@@ -169,19 +167,19 @@ let
 esac
 done
- if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${certFile}"; then
+ if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${cfg.certFile}"; then
 ${echoCmd} "Skipping renew"
 exit 0
 fi
 ${echoCmd} "Renewing mTLS certificate"
- ${stepCmd} ca renew --force "${certFile}" "${keyFile}"
- (umask 077; ${catCmd} "${certFile}" "${keyFile}" > "${bundleFile}")
- ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
- ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
+ ${stepCmd} ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
+ (umask 077; ${catCmd} "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
+ ${chownCmd} ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
+ ${chmodCmd} 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
 ${lib.optionalString hasReloadUnits ''
- ${echoCmd} "Reloading units:"
+ ${echoCmd} "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
 ${renewReloadScript}
 ''}
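Review bot: The rewritten chown and chmod lines pass the three paths unquoted while the step and cat lines immediately above quote them, so a `certDir` containing whitespace is handled differently by the two halves of the same script; quote them the same way, `${chownCmd} ${fileOwner} "${cfg.certFile}" "${cfg.keyFile}" "${cfg.bundleFile}"` and `${chmodCmd} 640 "${cfg.certFile}" "${cfg.keyFile}" "${cfg.bundleFile}"`. Note also that the bundle is created under `umask 077` and then widened to 640 in the same step as the key, so whatever group `fileOwner` resolves to can read the private key; that is pre-existing, but the chmod line deserves a comment such as `# 640: key and bundle become readable by the renew group`. `fileOwner` is defined in the `let` block outside this hunk, and the script body starts and ends outside it as well.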
@@ -191,34 +189,19 @@ let
 ''}
 '';
- mkNixosMtlsRenewService = {
- pkgs,
- certFile,
- keyFile,
- bundleFile,
- reloadUnits ? [ ],
- postCommands ? [ ],
- user ? "root",
- group ? null,
- }:
- let
- serviceGroup = if group == null then user else group;
- renewScript = mkMtlsRenewScript {
- inherit pkgs certFile keyFile bundleFile reloadUnits postCommands user group;
+ mkNixosMtlsRenewService = { pkgs, cfg, ... }:
+ {
+ description = "Renew the mTLS certificate when Smallstep marks it ready";
+ wantedBy = [ ];
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = cfg.renew.user;
+ Group = cfg.renew.group;
+ ExecStart = lib.getExe (mkMtlsRenewScript { inherit pkgs cfg; });
+ };
 };
- in
- {
- description = "Renew the mTLS certificate when Smallstep marks it ready";
- wantedBy = [ ];
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- serviceConfig = {
- Type = "oneshot";
- User = user;
- Group = serviceGroup;
- ExecStart = lib.getExe renewScript;
- };
- };
 mkNixosMtlsRenewTimer = {
 onCalendar,
@@ -236,17 +219,10 @@ let
 };
 };
- mkHomeManagerMtlsRenewService = {
- pkgs,
- certFile,
- keyFile,
- bundleFile,
- reloadUnits ? [ ],
- postCommands ? [ ],
- }:
+ mkHomeManagerMtlsRenewService = { pkgs, cfg, ... }:
 let
 renewScript = mkMtlsRenewScript {
- inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
+ inherit pkgs cfg;
 systemctlArgs = [ "--user" ];
 };
 in
@@ -296,9 +272,19 @@ in
 type = lib.types.str;
 default = "/etc/step-ca/certs";
 };
+ certReaders = lib.mkOption {
+ description = "";
+ type = lib.types.listOf lib.types.str;
+ default = [ ];
+ };
 };
 config = lib.mkIf cfg.enable {
+ users.groups.certReaders = {
+ name = "mtls";
+ members = cfg.certReaders;
+ };
+
 environment.systemPackages = with pkgs; lib.optionals cfg.enable [
 # step-cli
 (mkMtlsGenerateScript {
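Review bot: The new `certReaders` option ships with `description = "";`, so it renders as an undocumented option and a reader cannot tell from the module what membership grants; the sibling options in this file all carry a sentence. Something like `description = "Users added to the mtls group, which owns the certificate directory and is meant to read the renewed certificate.";` would do, adjusted to whatever access the group is actually intended to confer. The `users.groups.certReaders` attribute also pins `name = "mtls"` while the attribute itself is called `certReaders`; a comment on that line saying why the group name differs from the option name would save the next maintainer a search. The surrounding `options` and `config` attrsets begin and end outside this hunk.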
@@ -307,22 +293,15 @@ in
 inherit (cfg.renew) user group;
 })
 (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
- (mkMtlsRenewScript {
- inherit pkgs;
- inherit (cfg) certFile keyFile bundleFile;
- inherit (cfg.renew) user group;
- })
+ (mkMtlsRenewScript { inherit pkgs cfg; })
 ];
 systemd.tmpfiles.rules = [
- "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
+ "d ${cfg.certDir} 0750 ${cfg.renew.user} mtls -"
 ];
- systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
- inherit pkgs;
- inherit (cfg) certFile keyFile bundleFile;
- inherit (cfg.renew) reloadUnits postCommands user group;
- });
+ systemd.services.mtls-renew = lib.mkIf cfg.renew.enable
+ (mkNixosMtlsRenewService { inherit pkgs cfg; });
 systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
 inherit (cfg.renew) onCalendar randomizedDelaySec;
@@ -356,17 +335,15 @@ in
 inherit pkgs certFile keyFile bundleFile;
 })
 (mkMtlsCheckScript { inherit pkgs bundleFile; })
- (mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; inherit (cfg.renew) user group; })
+ (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
 ];
 systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
 "d ${cfg.certDir} 0700 - - -"
 ];
- systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
- inherit pkgs certFile keyFile bundleFile;
- inherit (cfg.renew) reloadUnits postCommands;
- });
+ systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable
+ (mkHomeManagerMtlsRenewService { inherit pkgs cfg; });
 systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
 inherit (cfg.renew) onCalendar randomizedDelaySec;
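Review bot: The tmpfiles rule now hands `certDir` to the literal group `mtls` with mode 0750, while the renewal script in hunk @@ -169 chowns the files inside it to `cfg.renew.user:cfg.renew.group` and chmods all three to 640, so the directory and its contents follow two different groups: members of `certReaders` can traverse the directory but cannot read the certificate unless `renew.group` also happens to be `mtls`, and when it is, they can read `keyFile` and `bundleFile` too, because those get the same mode as the cert. Decide which of the two groups is the reader group and state it once, e.g. replace the literal with `"d ${cfg.certDir} 0750 ${cfg.renew.user} ${config.users.groups.certReaders.name} -"` so the rule follows the group defined in hunk @@ -296, and if readers are meant to see only the certificate, give the key and bundle a tighter mode than the cert. The `config` attrset these lines belong to starts and ends outside this hunk.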