diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index a0eb5cd..06cd339 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -115,80 +115,6 @@ let
 '';
 };
- mkMtlsRenewScript = {
- pkgs,
- certFile,
- keyFile,
- bundleFile,
- user ? null,
- group ? null,
- reloadUnits ? [ ],
- postCommands ? [ ],
- systemctlArgs ? [ ],
- }:
- let
- systemctlCmd = "systemctl ${lib.escapeShellArgs systemctlArgs}";
-
- hasReloadUnits = reloadUnits != [ ];
- renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
- if ${systemctlCmd} --quiet is-active "${unit}"; then
- ${systemctlCmd} try-reload-or-restart "${unit}"
- fi
- '') reloadUnits;
-
- hasPostCommands = postCommands != [ ];
- renewPostCommands = lib.concatStringsSep "\n" postCommands;
-
- hasOwnership = user != null && group != null;
- in
- pkgs.writeShellApplication {
- name = "mtls-renew";
- runtimeInputs = with pkgs; [ coreutils step-cli systemd ];
- text = ''
- set -euo pipefail
-
- YELLOW_BANG="\e[33m!\e[0m"
-
- force=0
- while [[ $# -gt 0 ]]; do
- case $1 in
- --force)
- force=1
- shift
- ;;
- *)
- echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
- exit 1
- ;;
- esac
- done
-
- if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${certFile}"; then
- echo "Skipping renew"
- exit 0
- fi
-
- echo "Renewing mTLS certificate"
- step ca renew --force "${certFile}" "${keyFile}"
- (umask 077; cat "${certFile}" "${keyFile}" > "${bundleFile}")
-
- ${lib.optionalString hasOwnership ''
- chown ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
- chmod 640 ${certFile} ${keyFile} ${bundleFile}
- ''}
-
- ${lib.optionalString hasReloadUnits ''
- echo "Reloading units: ${lib.concatStringsSep ", " reloadUnits}"
- ${renewReloadScript}
- ''}
-
- ${lib.optionalString hasPostCommands ''
- echo "Running post commands"
- ${renewPostCommands}
- ''}
- '';
- };
-
 in { flake.modules.nixos.mtls = { config, lib, pkgs, ... }:
@@ -277,7 +203,6 @@ in
 description = "Renew the mTLS certificate when Smallstep marks it ready";
 after = [ "network-online.target" ];
 wants = [ "network-online.target" ];
- serviceConfig.Type = "oneshot";
 } // lib.optionalAttrs cfg.renew.enable {
 startAt = cfg.renew.onCalendar;
 };
@@ -438,9 +363,68 @@ in
 config = {
 binName = "mtls-renew";
- package = mkMtlsRenewScript {
- inherit (config) pkgs certFile keyFile bundleFile user group reloadUnits postCommands systemctlArgs;
- };
+ package = let
+ systemctlCmd = "systemctl ${lib.escapeShellArgs config.systemctlArgs}";
+
+ hasReloadUnits = config.reloadUnits != [ ];
+ renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
+ if ${systemctlCmd} --quiet is-active "${unit}"; then
+ ${systemctlCmd} try-reload-or-restart "${unit}"
+ fi
+ '') config.reloadUnits;
+
+ hasPostCommands = config.postCommands != [ ];
+ renewPostCommands = lib.concatStringsSep "\n" config.postCommands;
+
+ hasOwnership = config.user != null && config.group != null;
+ in
+ config.pkgs.writeShellApplication {
+ name = "mtls-renew";
+ runtimeInputs = with config.pkgs; [ coreutils step-cli systemd ];
+ text = ''
+ set -euo pipefail
+
+ YELLOW_BANG="\e[33m!\e[0m"
+
+ force=0
+ while [[ $# -gt 0 ]]; do
+ case $1 in
+ --force)
+ force=1
+ shift
+ ;;
+ *)
+ echo -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
+ exit 1
+ ;;
+ esac
+ done
+
+ if [[ $force -eq 0 ]] && ! step certificate needs-renewal "${config.certFile}"; then
+ echo "Skipping renew"
+ exit 0
+ fi
+
+ echo "Renewing mTLS certificate"
+ step ca renew --force "${config.certFile}" "${config.keyFile}"
+ (umask 077; cat "${config.certFile}" "${config.keyFile}" > "${config.bundleFile}")
+
+ ${lib.optionalString hasOwnership ''
+ chown ${config.user}:${config.group} ${config.certFile} ${config.keyFile} ${config.bundleFile}
+ chmod 640 ${config.certFile} ${config.keyFile} ${config.bundleFile}
+ ''}
+
+ ${lib.optionalString hasReloadUnits ''
+ echo "Reloading units: ${lib.concatStringsSep ", " config.reloadUnits}"
+ ${renewReloadScript}
+ ''}
+
+ ${lib.optionalString hasPostCommands ''
+ echo "Running post commands"
+ ${renewPostCommands}
+ ''}
+ '';
+ };
 systemd = {
 serviceConfig.Type = lib.mkDefault "oneshot";
 };
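Review bot: The `chown`/`chmod` lines in the new `package` default interpolate `config.user`, `config.group` and the three file paths into the shell text bare, while the `step` lines wrap the same paths in double quotes and `config.systemctlArgs` already goes through `lib.escapeShellArgs`; a path or name containing whitespace, `"` or `$` is split or expanded by the shell on the bare lines, and double quotes alone do not protect against the latter two on the quoted ones. Quoting once on the Nix side with `lib.escapeShellArg` (for `certFile`, `keyFile`, `bundleFile`, `user`, `group` and each `unit` in `renewReloadScript`) and using the escaped bindings everywhere in `text` makes the script consistent with the existing `systemctlArgs` handling. Separately, the bundle is written in place with `cat … > "${config.bundleFile}"`, so a unit that is reloaded afterwards and reads the bundle during the write can observe a truncated file; writing to a `mktemp` file beside it (already 0600, so the `umask 077` subshell becomes unnecessary) and `mv`-ing it over `bundleFile` keeps the update atomic, and `coreutils` is already in `runtimeInputs`. Minor: the unrecognized-argument branch prints `Warning: ignoring unrecognized argument` and then runs `exit 1`, so either the wording or the exit status should change. The `config = {` attrset this default lives in closes outside the hunk.
```nix
package = let
  # Quote once here so every use inside `text` is safe whatever the option values contain.
  certFile = lib.escapeShellArg config.certFile;
  keyFile = lib.escapeShellArg config.keyFile;
  bundleFile = lib.escapeShellArg config.bundleFile;
  systemctlCmd = "systemctl ${lib.escapeShellArgs config.systemctlArgs}";
  # … unchanged: hasReloadUnits, hasPostCommands, renewPostCommands, hasOwnership …
  renewReloadScript = lib.concatMapStringsSep "\n" (unit: let u = lib.escapeShellArg unit; in ''
    if ${systemctlCmd} --quiet is-active ${u}; then
      ${systemctlCmd} try-reload-or-restart ${u}
    fi
  '') config.reloadUnits;
in
config.pkgs.writeShellApplication {
  # … unchanged: name, runtimeInputs …
  text = ''
    # … unchanged: set -euo pipefail, argument parsing …
    if [[ $force -eq 0 ]] && ! step certificate needs-renewal ${certFile}; then
    # … unchanged: skip branch …
    echo "Renewing mTLS certificate"
    step ca renew --force ${certFile} ${keyFile}
    # mktemp creates the file 0600; mv replaces the bundle atomically for any reader.
    tmp=$(mktemp "$(dirname ${bundleFile})/.mtls-bundle.XXXXXX")
    cat ${certFile} ${keyFile} > "$tmp"
    mv -f "$tmp" ${bundleFile}

    ${lib.optionalString hasOwnership ''
      chown ${lib.escapeShellArg config.user}:${lib.escapeShellArg config.group} ${certFile} ${keyFile} ${bundleFile}
      chmod 640 ${certFile} ${keyFile} ${bundleFile}
    ''}
    # … unchanged: reload and post-command sections …
  '';
};
```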