From 8357372b394d9ce3972619ff691ff0b76cf39d71 Mon Sep 17 00:00:00 2001
From: John Lancaster <32917998+jsl12@users.noreply.github.com>
Date: Wed, 29 Apr 2026 21:46:11 -0500
Subject: [PATCH] mtlsCheck wrapper

---
 modules/features/mtls.nix | 44 +++++++++++++++++++++++++++------------
 1 file changed, 31 insertions(+), 13 deletions(-)

diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 02fe517..e5453c7 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -114,17 +114,6 @@ let
       printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
     '';
   };
-
-  mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellApplication {
-    name = "mtls-check";
-    runtimeInputs = with pkgs; [ openssl ];
-    text = ''
-      openssl x509 -noout -in ${bundleFile} \
-        -subject -issuer \
-        -ext subjectAltName,extendedKeyUsage \
-        -enddate
-    '';
-  };
 
   mkMtlsRenewScript = {
     pkgs,
@@ -291,7 +280,10 @@ in
     inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
     inherit (cfg.renew) user group;
   })
-  (mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
+  (inputs.self.wrappers.mtlsCheck.apply {
+    inherit pkgs;
+    inherit (cfg) bundleFile;
+  }).wrapper
   (mkMtlsRenewScript { inherit pkgs cfg; })
 ];
 
@@ -334,7 +326,10 @@ in
     inherit (cfg) subject provisioner san lifetime;
     inherit (cfg.renew) user group;
   })
-  (mkMtlsCheckScript { inherit pkgs bundleFile; })
+  (inputs.self.wrappers.mtlsCheck.apply {
+    inherit pkgs;
+    inherit (cfg) bundleFile;
+  }).wrapper
   # (mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
   (inputs.self.wrappers.mtlsRenew.apply {
     inherit pkgs;
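Review bot: The replacement of `-  (mkMtlsCheckScript { inherit pkgs bundleFile; })` in the `@@ -334` hunk changes where the bundle path comes from: the old call passed a local `bundleFile` binding, the new `inherit (cfg) bundleFile;` reads `cfg.bundleFile`, and the context line above inherits only `subject provisioner san lifetime` from `cfg` (the `@@ -291` hunk inherits `certFile keyFile bundleFile` too), which suggests this section derives its file paths locally rather than from `cfg`. If that local `bundleFile` differs from `cfg.bundleFile` (for example a per-user location), `mtls-check` would now inspect the wrong file; either keep `inherit bundleFile;` — the wrapper option carries the same name — or confirm the two values are identical. The same `mtlsCheck.apply { … }.wrapper` expression is written out twice (here and in the `@@ -291` hunk), so whichever value is correct, a shared binding would keep the two package lists in step. The `mtlsRenew.apply` call on the last context line continues past the hunk, so whether it uses `cfg` or the local binding cannot be seen here.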
@@ -356,6 +351,29 @@ in
     };
 
   flake.wrappers = {
+    mtlsCheck = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
+      options = {
+        bundleFile = lib.mkOption {
+          description = "String path for the mTLS key bundle";
+          type = lib.types.str;
+        };
+      };
+
+      config = {
+        binName = "mtls-check";
+        package = config.pkgs.openssl;
+        args = [
+          "x509"
+          "-noout"
+          "-in" config.bundleFile
+          "-subject"
+          "-issuer"
+          "-ext" "subjectAltName,extendedKeyUsage"
+          "-enddate"
+        ];
+      };
+    });
+
     mtlsNeedsRenewal = inputs.wrappers.lib.wrapModule ({ config, lib, wlib, ... }: {
       options = {
         certFile = lib.mkOption {
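Review bot: The new `mtlsCheck` wrapper module carries no comment on what the command reports, and the `bundleFile` description says only what the option is, not that `openssl x509` parses the first certificate in the file, so the bundle must start with the leaf certificate for the output to be meaningful. I would add above `mtlsCheck = …`: `# Prints subject, issuer, SAN/EKU extensions and the notAfter date of the first certificate in bundleFile; -noout keeps the PEM off stdout.` Declaring the option as `lib.types.str` rather than `lib.types.path` is worth keeping deliberately: a Nix path literal is rejected by `types.str`, whereas interpolating one into a derivation would copy the file into the world-readable store, and the description calls this a key bundle — a one-line comment on `type = lib.types.str;` recording that intent would stop a later "cleanup" to `types.path`. `-dates` would also report notBefore if callers need it; otherwise the argument list matches the removed script.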