diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 06cd339..f1a09ef 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -48,7 +48,7 @@ let
 enable = lib.mkOption {
 description = "Enable automatic mTLS certificate renewal using a systemd timer.";
 type = lib.types.bool;
- default = true;
+ default = cfg.enable;
 };
 onCalendar = lib.mkOption {
 description = "systemd OnCalendar schedule for mTLS certificate renewal checks.";
@@ -199,11 +199,7 @@ in
 inherit (cfg) certDir keyFile certFile bundleFile;
 inherit (cfg.renew) reloadUnits postCommands;
 systemctlArgs = [ "--user" ];
- systemd = {
- description = "Renew the mTLS certificate when Smallstep marks it ready";
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- } // lib.optionalAttrs cfg.renew.enable {
+ systemd = lib.optionalAttrs cfg.renew.enable {
 startAt = cfg.renew.onCalendar;
 };
 };
@@ -230,14 +226,14 @@ in
 inherit pkgs;
 inherit (cfg) bundleFile;
 }).wrapper
- mtlsRenewWrapper.wrapper
 ];
 systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
- "d ${cfg.certDir} 0700 - - -"
+ "d ${cfg.certDir} 0700 - - -" # Ensure the cert directory exists and is writable by the user
 ];
- xdg.dataFile = lib.mkIf (cfg.enable && cfg.renew.enable) {
+ # Create the systemd service files for the user.
+ xdg.dataFile = lib.mkIf cfg.renew.enable {
 "systemd/user/mtls-renew.service".source = "${mtlsRenewWrapper.outputs.systemd-user}/systemd/user/mtls-renew.service";
 "systemd/user/mtls-renew.timer".source =
@@ -250,6 +246,7 @@ in
 '';
 };
+ # Ensure the timer gets started
 home.activation.mtlsRenewTimer = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
 if [ -n "$XDG_RUNTIME_DIR" ] && [ -S "$XDG_RUNTIME_DIR/systemd/private" ]; then
 if [ "${lib.boolToString (cfg.enable && cfg.renew.enable)}" = "true" ]; then 
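Review bot: `default = cfg.enable;` in the first hunk is an expression over `config`, so the option-documentation generator cannot render it as written and may fail evaluating it; add `defaultText = lib.literalExpression "cfg.enable";` next to it (spelling out the full option path if the module exposes one). The option description should also say that renewal follows the feature's top-level `enable` unless set explicitly, since that is now the behaviour a reader of the docs needs to know. The enclosing `let` block continues outside the hunk.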
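Review bot: Dropping `cfg.enable &&` from the `xdg.dataFile` guard in the third hunk lets an explicit `renew.enable = true` install the mtls-renew service and timer units while the feature itself is disabled, yet the tmpfiles rule two lines above stays gated on `cfg.enable` and the activation script in the hunk at line 250 still tests `cfg.enable && cfg.renew.enable`, so the units would be written, never started, and would reference a cert directory that is never created. The new default of `cfg.enable` for `renew.enable` only covers the unset case, not an explicit override. Either restore `xdg.dataFile = lib.mkIf (cfg.enable && cfg.renew.enable) {` or add an assertion that `cfg.renew.enable -> cfg.enable` with a clear message, so that all three gates agree. The enclosing attribute set starts and ends outside the hunk.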
@@ -426,6 +423,13 @@ in
 '';
 };
 systemd = {
+ description = "Automatic mTLS renewal service";
+ documentation = [ "https://smallstep.com/docs/step-ca/certificate-authority-server-production" ];
+ startLimitIntervalSec = 0;
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
 serviceConfig.Type = lib.mkDefault "oneshot";
 };
 };
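Review bot: `after`/`wants = [ "network-online.target" ]` appear to end up in a per-user unit (the caller in the hunk at line 199 passes `systemctlArgs = [ "--user" ]` and the units are installed under `systemd/user/`), and a user systemd instance normally has no `network-online.target`, so this ordering would give no guarantee that the network is reachable before a renewal runs; worth confirming what this wrapper emits and, if it is a user unit, documenting that the renewal must tolerate running before the network is up. If `startLimitIntervalSec = 0;` maps to systemd's `StartLimitIntervalSec=`, it disables start-rate limiting, which deserves a comment such as `# timer-driven oneshot: allow every scheduled trigger to run even after repeated failures` because a persistently failing renewal (e.g. an unreachable CA) will then be retried at every trigger with no back-off. `description` is set unconditionally while `serviceConfig.Type` uses `lib.mkDefault`; `description = lib.mkDefault "Automatic mTLS renewal service";` would keep it overridable by callers such as the one that previously supplied its own text. The enclosing definition starts outside the hunk.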