dotfiles/nixos/boxes/bolty/tailscale-cert.nix

{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  fqdn = "bolty.raptor-carp.ts.net";
  basePath = "/var/lib/tailscale-certs";
  keyPath = "${basePath}/key.pem";
  certPath = "${basePath}/cert.pem";
in {
  imports = [];

  systemd.services.tailscale-cert-make-path = {
    script = ''
      mkdir -p ${basePath}
    '';
    serviceConfig = {Type = "oneshot";};
    before = ["tailscale-cert.service"];
    wantedBy = ["multi-user.target"];
  };

  systemd.services.tailscale-cert = {
    after = ["network.target" "network-online.target" "tailscaled.service"];
    wants = ["tailscaled.service"];
    wantedBy = ["multi-user.target"];

    path = with pkgs; [tailscale];

    serviceConfig = {
      Type = "oneshot";
      UMask = 22;
      StateDirectoryMode = 750;
      ProtectSystem = "strict";
      ReadWritePaths = ["${basePath}"];
      PrivateTmp = true;
      WorkingDirectory = "${basePath}";
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      StateDirectory = ["${basePath}"];
    };

    script = ''
      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
    '';
  };

  systemd.timers.tailscale-renew = {
    wantedBy = ["timers.target"];
    description = "Renew tailscale server cert";
    timerConfig = {
      OnCalendar = "weekly";
      Unit = "tailscale-cert.service";
      Persistent = "yes";
      RandomizedDelaySec = "24h";
    };
  };
}
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`{`
			`config,`
			`pkgs,`
			`inputs,`
			`lib,`
			`...`
			`}: let`
add influxdb over https 2023-02-26 12:05:55 +00:00			`fqdn = "bolty.raptor-carp.ts.net";`
			`basePath = "/var/lib/tailscale-certs";`
			`keyPath = "${basePath}/key.pem";`
			`certPath = "${basePath}/cert.pem";`
			`in {`
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`imports = [];`
add influxdb over https 2023-02-26 12:05:55 +00:00
			`systemd.services.tailscale-cert-make-path = {`
			`script = ''`
			`mkdir -p ${basePath}`
			`'';`
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`serviceConfig = {Type = "oneshot";};`
			`before = ["tailscale-cert.service"];`
			`wantedBy = ["multi-user.target"];`
add influxdb over https 2023-02-26 12:05:55 +00:00			`};`

			`systemd.services.tailscale-cert = {`
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`after = ["network.target" "network-online.target" "tailscaled.service"];`
			`wants = ["tailscaled.service"];`
			`wantedBy = ["multi-user.target"];`
add influxdb over https 2023-02-26 12:05:55 +00:00
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`path = with pkgs; [tailscale];`
add influxdb over https 2023-02-26 12:05:55 +00:00
			`serviceConfig = {`
			`Type = "oneshot";`
			`UMask = 22;`
			`StateDirectoryMode = 750;`
			`ProtectSystem = "strict";`
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`ReadWritePaths = ["${basePath}"];`
add influxdb over https 2023-02-26 12:05:55 +00:00			`PrivateTmp = true;`
			`WorkingDirectory = "${basePath}";`
			`NoNewPrivileges = true;`
			`PrivateDevices = true;`
			`ProtectClock = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`StateDirectory = ["${basePath}"];`
add influxdb over https 2023-02-26 12:05:55 +00:00			`};`

			`script = ''`
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}`
add influxdb over https 2023-02-26 12:05:55 +00:00			`'';`
			`};`

			`systemd.timers.tailscale-renew = {`
reformat all files using alejandra 2023-08-13 17:00:41 +01:00			`wantedBy = ["timers.target"];`
add influxdb over https 2023-02-26 12:05:55 +00:00			`description = "Renew tailscale server cert";`
			`timerConfig = {`
			`OnCalendar = "weekly";`
			`Unit = "tailscale-cert.service";`
			`Persistent = "yes";`
			`RandomizedDelaySec = "24h";`
			`};`
			`};`
			`}`