diff --git a/modules/features/mtls.nix b/modules/features/mtls.nix
index e4e6478..29023f5 100644
--- a/modules/features/mtls.nix
+++ b/modules/features/mtls.nix
@@ -103,12 +103,12 @@ let
       cat ${tlsCert} ${tlsKey} > ${mtlsBundle}
     '';
   
-  mkMtlsCheckScript = mtlsBundle: pkgs.writeShellScriptBin "mtls-check" ''
+  mkMtlsCheckScript = { pkgs, mtlsBundle }: pkgs.writeShellScriptBin "mtls-check" ''
     ${lib.getExe pkgs.openssl} x509 \
     -noout -subject -issuer \
     -ext subjectAltName,extendedKeyUsage \
     -enddate -in ${mtlsBundle}
-  ''
+  '';
 
   mkMtlsRenewScript = {
     pkgs,
@@ -270,7 +270,7 @@ in
             inherit (cfg) subject provisioner san lifetime;
             inherit pkgs tlsCert tlsKey mtlsBundle;
           })
-          (mkMtlsCheckScript { inherit (cfg) mtlsBundle; })
+          (mkMtlsCheckScript { inherit pkgs; inherit (cfg) mtlsBundle; })
           (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
         ];
 
@@ -309,7 +309,7 @@ in
             inherit (cfg) subject provisioner san lifetime;
             inherit pkgs tlsCert tlsKey mtlsBundle;
           })
-          (mkMtlsCheckScript { inherit (cfg) mtlsBundle; })
+          (mkMtlsCheckScript { inherit pkgs; inherit (cfg) mtlsBundle; })
           (mkMtlsRenewScript { inherit pkgs tlsCert tlsKey mtlsBundle; })
         ];