diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index 1022513..cbc85e4 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -68,7 +68,7 @@ let
 group = lib.mkOption {
 description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
 type = lib.types.nullOr lib.types.str;
- default = cfg.renew.user;
+ default = "mtls";
 };
 reloadUnits = lib.mkOption {
 description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -97,7 +97,6 @@ let
 }:
 let
 catCmd = lib.getExe' pkgs.coreutils "cat";
- echoCmd = lib.getExe' pkgs.coreutils "echo";
 chownCmd = lib.getExe' pkgs.coreutils "chown";
 chmodCmd = lib.getExe' pkgs.coreutils "chmod";
 stepCmd = lib.getExe pkgs.step-cli;
@@ -114,6 +113,7 @@ let
 (umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
 ${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
 ${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
+ printf '\033[32m✔\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
 '';
 mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
@@ -281,7 +281,7 @@ in
 config = lib.mkIf cfg.enable {
 users.groups.certReaders = {
- name = "mtls";
+ name = cfg.renew.group;
 members = cfg.certReaders;
 };
@@ -297,7 +297,7 @@ in
 ];
 systemd.tmpfiles.rules = [
- "d ${cfg.certDir} 0750 ${cfg.renew.user} mtls -"
+ "d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
 ];
 systemd.services.mtls-renew = lib.mkIf cfg.renew.enable
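Review bot: The `group` option's description still says it "Defaults to the configured renewal user", but the new default on the `+ default` line is the literal `"mtls"`, and the type is left as `lib.types.nullOr lib.types.str` even though the value is now interpolated into `users.groups.certReaders.name` and a tmpfiles rule later in this diff, where a null would fail evaluation rather than mean "no group". Tighten the type to `lib.types.str` and fix the text, e.g. `description = "Group to run the mTLS renewal service as; also the group certReaders are added to. Defaults to \"mtls\".";`. The enclosing option set begins and ends outside this hunk.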
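Review bot: The added printf is the only line in this script that shell-escapes a path (`${lib.escapeShellArg bundleFile}`), while the cat, chown and chmod lines directly above interpolate `${certFile}`, `${keyFile}` and `${bundleFile}` bare, so a cert directory containing whitespace or glob characters is word-split in the commands that actually create and permission the key material and not in the one that merely prints. Apply the same escaping to the operational lines, e.g. `${chmodCmd} 640 ${lib.escapeShellArg certFile} ${lib.escapeShellArg keyFile} ${lib.escapeShellArg bundleFile}`, or escape each path once into a shell variable at the top of the script. A one-line comment above the chmod, `# 640 on purpose: the private key is group-readable by the certReaders group`, would also record that the group-readable key is intended rather than an oversight. The script body starts before this hunk.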
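Review bot: With `name = cfg.renew.group`, the group that `cfg.certReaders` members are added to is now whatever the administrator chooses as the renewal service's group, so setting `renew.group` to a pre-existing group such as `users` or `wheel` silently makes every member of that group a key reader (the key and bundle are chmod 640 to this group in the renewal script). Guard the null case and make the coupling explicit with an assertion alongside this block, `assertions = [ { assertion = cfg.renew.group != null; message = "mtls: renew.group must be set; it also names the certReaders group."; } ];`, and consider a short comment here, `# renewal-service group doubles as the cert-reader group`, so the overlap is obvious to the next maintainer. The `config` attribute set continues outside this hunk.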