renew script tweaks

modules/features/mtls.nix

@@ -139,12 +139,11 @@ let
     echoCmd = lib.getExe' pkgs.coreutils "echo";
     chownCmd = lib.getExe' pkgs.coreutils "chown";
     chmodCmd = lib.getExe' pkgs.coreutils "chmod";
-    systemctl = lib.getExe' pkgs.systemd "systemctl";
+    stepCmd = lib.getExe pkgs.step-cli;
-    escapedArgs = lib.escapeShellArgs systemctlArgs;
+    systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
-    systemctlCommand = "${systemctl} ${escapedArgs}";
     renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
-      if ${systemctlCommand} --quiet is-active "${unit}"; then
+      if ${systemctlCmd} --quiet is-active "${unit}"; then
-        ${systemctlCommand} try-reload-or-restart "${unit}"
+        ${systemctlCmd} try-reload-or-restart "${unit}"
       fi
     '') reloadUnits;
     renewPostCommands = lib.concatStringsSep "\n" postCommands;
@@ -152,14 +151,14 @@ let
     pkgs.writeShellScriptBin "mtls-renew" ''
       set -euo pipefail
 
-      if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then
+      if ${stepCmd} certificate needs-renewal "${certFile}"; then
         ${echoCmd} "Renewing mTLS certificate"
       else
         ${echoCmd} "Skipping renew"
         exit "$?"
       fi
 
-      ${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
+      ${stepCmd} ca renew --force "${certFile}" "${keyFile}"
       (umask 077; ${catCmd} "${certFile}" "${keyFile}" > "${bundleFile}")
       ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
       ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}