dotfiles/nixos/boxes/bolty/tailscale-cert.nix

{ config, pkgs, inputs, lib, ... }:
let
  fqdn = "bolty.raptor-carp.ts.net";
  basePath = "/var/lib/tailscale-certs";
  keyPath = "${basePath}/key.pem";
  certPath = "${basePath}/cert.pem";
in {
  imports = [ ];

  systemd.services.tailscale-cert-make-path = {
    script = ''
      mkdir -p ${basePath}
    '';
    serviceConfig = { Type = "oneshot"; };
    before = [ "tailscale-cert.service" ];
    wantedBy = [ "multi-user.target" ];
  };

  systemd.services.tailscale-cert = {
    after = [ "network.target" "network-online.target" "tailscaled.service" ];
    wants = [ "tailscaled.service" ];
    wantedBy = [ "multi-user.target" ];

    path = with pkgs; [ tailscale ];

    serviceConfig = {
      Type = "oneshot";
      UMask = 22;
      StateDirectoryMode = 750;
      ProtectSystem = "strict";
      ReadWritePaths = [ "${basePath}" ];
      PrivateTmp = true;
      WorkingDirectory = "${basePath}";
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      StateDirectory = [ "${basePath}" ];
    };

    script = ''
      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn} 
    '';
  };

  systemd.timers.tailscale-renew = {
    wantedBy = [ "timers.target" ];
    description = "Renew tailscale server cert";
    timerConfig = {
      OnCalendar = "weekly";
      Unit = "tailscale-cert.service";
      Persistent = "yes";
      RandomizedDelaySec = "24h";
    };
  };
}
add influxdb over https 2023-02-26 12:05:55 +00:00			`{ config, pkgs, inputs, lib, ... }:`
			`let`
			`fqdn = "bolty.raptor-carp.ts.net";`
			`basePath = "/var/lib/tailscale-certs";`
			`keyPath = "${basePath}/key.pem";`
			`certPath = "${basePath}/cert.pem";`
			`in {`
			`imports = [ ];`

			`systemd.services.tailscale-cert-make-path = {`
			`script = ''`
			`mkdir -p ${basePath}`
			`'';`
			`serviceConfig = { Type = "oneshot"; };`
			`before = [ "tailscale-cert.service" ];`
			`wantedBy = [ "multi-user.target" ];`
			`};`

			`systemd.services.tailscale-cert = {`
			`after = [ "network.target" "network-online.target" "tailscaled.service" ];`
			`wants = [ "tailscaled.service" ];`
			`wantedBy = [ "multi-user.target" ];`

			`path = with pkgs; [ tailscale ];`

			`serviceConfig = {`
			`Type = "oneshot";`
			`UMask = 22;`
			`StateDirectoryMode = 750;`
			`ProtectSystem = "strict";`
			`ReadWritePaths = [ "${basePath}" ];`
			`PrivateTmp = true;`
			`WorkingDirectory = "${basePath}";`
			`NoNewPrivileges = true;`
			`PrivateDevices = true;`
			`ProtectClock = true;`
			`ProtectHome = true;`
			`ProtectHostname = true;`
			`StateDirectory = [ "${basePath}" ];`
			`};`

			`script = ''`
			`tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}`
			`'';`
			`};`

			`systemd.timers.tailscale-renew = {`
			`wantedBy = [ "timers.target" ];`
			`description = "Renew tailscale server cert";`
			`timerConfig = {`
			`OnCalendar = "weekly";`
			`Unit = "tailscale-cert.service";`
			`Persistent = "yes";`
			`RandomizedDelaySec = "24h";`
			`};`
			`};`
			`}`