From 68483c02310866f29d9880d2eaa955528bb641ba Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Thu, 30 Apr 2026 16:36:38 -0500
Subject: [PATCH] improvement

---
 modules/features/mtls.nix | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 4041c84..3fa7b26 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -351,14 +351,7 @@ in
     };
 
   flake.wrappers = {
-    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }:
-      let
-        singleOutputOpenSSL = config.pkgs.symlinkJoin {
-          name = "openssl";
-          paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
-          meta.mainProgram = "openssl";
-        };
-      in {
+    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
       options = {
         bundleFile = lib.mkOption {
           description = "String path for the mTLS key bundle";
@@ -368,8 +361,12 @@ in
 
       config = {
         binName = "mtls-check";
-        package = singleOutputOpenSSL;
-        exePath = "${singleOutputOpenSSL}/bin/openssl";
+        # This pattern is necessary to wrap packages like openssl that provide more than one binary
+        package = config.pkgs.symlinkJoin {
+          name = "openssl";
+          paths = [ config.pkgs.openssl.bin config.pkgs.openssl.man ];
+          meta.mainProgram = "openssl";
+        };
         args = [
           "x509"
           "-noout"