From 522df107645acfc1c94884e309f80d3c1396d9f8 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Sat, 28 Mar 2026 00:05:43 -0500
Subject: [PATCH] creating certdir with tmpfiles

---
 modules/features/mtls.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 01cefaf..56ae750 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -274,6 +274,10 @@ in
 (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
 ];
 
+ systemd.tmpfiles.rules = [
+ "d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -"
+ ];
+
 systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
 inherit pkgs tlsCert tlsKey mtlsBundle;
 inherit (cfg.renew) reloadUnits postCommands user group;
@@ -313,6 +317,10 @@ in
 (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
 ];
 
+ systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
+ "d ${cfg.certDir} 0700 - - -"
+ ];
+
 systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
 inherit pkgs tlsCert tlsKey mtlsBundle;
 inherit (cfg.renew) reloadUnits postCommands;
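Review bot: In the NixOS hunk (`systemd.tmpfiles.rules`), the group field falls back to `cfg.renew.user` when `cfg.renew.group` is null, which assumes a group with the same name as the user exists. NixOS does not create one implicitly, and systemd-tmpfiles rejects a line whose group it cannot resolve, so the certificate directory would then not be created. Falling back to the tmpfiles default is safer: `${if cfg.renew.group == null then "-" else cfg.renew.group}`, which leaves the group as root's and keeps the 0750 directory closed to everyone but the renew user. This rule is also not wrapped in `lib.mkIf cfg.enable` the way the home-manager rule in the second hunk is; if the enclosing `config` block is not already conditional (it starts outside the hunk), the directory is created and its ownership adjusted even with the feature disabled.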
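Review bot: The home-manager rule in the second hunk creates the directory as 0700 while the NixOS rule in the first hunk uses 0750, and neither carries a comment saying why. A one-line comment above the rule would keep a later edit from loosening it, e.g. `# 0700: only the owning user may read the cert/key material kept here`. Presumably `tlsKey` lives under `cfg.certDir`, which is not visible in this hunk, so confirm that before wording the comment. The `d` rule sets the mode of the directory only, so the private key file's own permissions still depend on whatever writes it.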