diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index e1c52e5..dc335b9 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -140,6 +140,8 @@ let
 chownCmd = lib.getExe' pkgs.coreutils "chown";
 chmodCmd = lib.getExe' pkgs.coreutils "chmod";
 stepCmd = lib.getExe pkgs.step-cli;
+ hasReloadUnits = reloadUnits != [ ];
+ hasPostCommands = postCommands != [ ];
 systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
 renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
 if ${systemctlCmd} --quiet is-active "${unit}"; then
@@ -151,23 +153,42 @@ let
 pkgs.writeShellScriptBin "mtls-renew" ''
 set -euo pipefail
- if ${stepCmd} certificate needs-renewal "${certFile}"; then
- ${echoCmd} "Renewing mTLS certificate"
- else
+ YELLOW_BANG="\e[33m!\e[0m"
+
+ force=0
+ while [[ $# -gt 0 ]]; do
+ case $1 in
+ --force)
+ force=1
+ shift
+ ;;
+ *)
+ ${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+ exit 1
+ ;;
+ esac
+ done
+
+ if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${certFile}"; then
 ${echoCmd} "Skipping renew"
- exit "$?"
+ exit 0
 fi
+ ${echoCmd} "Renewing mTLS certificate"
 ${stepCmd} ca renew --force "${certFile}" "${keyFile}"
 (umask 077; ${catCmd} "${certFile}" "${keyFile}" > "${bundleFile}")
 ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
 ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
+ ${lib.optionalString hasReloadUnits ''
 ${echoCmd} "Reloading units:"
 ${renewReloadScript}
+ ''}
+ ${lib.optionalString hasPostCommands ''
 ${echoCmd} "Post commands:"
 ${renewPostCommands}
+ ''}
 '';
 mkNixosMtlsRenewService = {
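Review bot: In the `*)` branch of the new argument loop the message says the argument is being ignored, but the branch then runs `exit 1`, so an unrecognized flag actually aborts the renewal; the wording should match the behaviour and the message belongs on stderr, e.g. `${echoCmd} -e "$YELLOW_BANG Error: unrecognized argument '$1'" >&2`. Because `-e` also expands backslash escapes inside the interpolated `$1`, printing the argument through `printf '%b Error: unrecognized argument %s\n' "$YELLOW_BANG" "$1" >&2` keeps caller-supplied text from being interpreted as terminal control sequences in the service log. Aborting on an unknown argument is the right choice for a script that is presumably driven by a systemd unit (`mkNixosMtlsRenewService` begins right after this hunk), so only the message needs changing. The `let` binding that holds the `writeShellScriptBin` call begins before this hunk.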