add influxdb over https

nixos/boxes/bolty/default.nix

@@ -3,11 +3,13 @@
     ../cli.nix
     ./bolty-boot.nix
     ./home-assistant.nix
+    ./influxdb.nix
     ./matrix-server.nix
     ./nix-store-server.nix
     ./print-server.nix
     ./real-hardware.nix
     ./restic-server.nix
+    ./tailscale-cert.nix
     ./woodpecker-agent.nix
   ];
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

nixos/boxes/bolty/influxdb.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, inputs, lib, ... }:
+let
+  fqdn = "bolty.raptor-carp.ts.net";
+  port = 8086;
+  path = "/data/influxdb";
+  certPath = "${path}/cert.pem";
+  keyPath = "${path}/key.pem";
+in {
+  networking.firewall.allowedTCPPorts = [ port ];
+
+  systemd.services.influxdb2-prep = {
+    script = ''
+      mkdir -p ${path}
+      cp -rv /var/lib/tailscale-certs/cert.pem ${certPath}
+      cp -rv /var/lib/tailscale-certs/key.pem ${keyPath}
+      chown -Rv influxdb2:influxdb2 ${path}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      ReloadPropagatedFrom = "tailscale-cert.service";
+    };
+    before = [ "influxdb2.service" ];
+    wantedBy = [ "multi-user.target" ];
+    after = [
+      "network.target"
+      "network-online.target"
+      "tailscaled.service"
+      "tailscale-cert.service"
+    ];
+    wants = [ "tailscale-cert.service" ];
+  };
+
+  services.influxdb2 = {
+    enable = true;
+    settings = {
+      http-bind-address = "${fqdn}:${toString port}";
+      tls-cert = "${certPath}";
+      tls-key = "${keyPath}";
+    };
+  };
+
+}

nixos/boxes/bolty/tailscale-cert.nix

@@ -0,0 +1,61 @@
+{ config, pkgs, inputs, lib, ... }:
+let
+  fqdn = "bolty.raptor-carp.ts.net";
+  basePath = "/var/lib/tailscale-certs";
+  keyPath = "${basePath}/key.pem";
+  certPath = "${basePath}/cert.pem";
+in {
+  imports = [ ];
+  services.nginx.virtualHosts."${fqdn}" = {
+    sslCertificateKey = keyPath;
+    sslCertificate = certPath;
+  };
+
+  systemd.services.tailscale-cert-make-path = {
+    script = ''
+      mkdir -p ${basePath}
+    '';
+    serviceConfig = { Type = "oneshot"; };
+    before = [ "tailscale-cert.service" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  systemd.services.tailscale-cert = {
+    after = [ "network.target" "network-online.target" "tailscaled.service" ];
+    wants = [ "tailscaled.service" ];
+    wantedBy = [ "multi-user.target" ];
+
+    path = with pkgs; [ tailscale ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      UMask = 22;
+      StateDirectoryMode = 750;
+      ProtectSystem = "strict";
+      ReadWritePaths = [ "${basePath}" ];
+      PrivateTmp = true;
+      WorkingDirectory = "${basePath}";
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      StateDirectory = [ "${basePath}" ];
+    };
+
+    script = ''
+      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn} 
+    '';
+  };
+
+  systemd.timers.tailscale-renew = {
+    wantedBy = [ "timers.target" ];
+    description = "Renew tailscale server cert";
+    timerConfig = {
+      OnCalendar = "weekly";
+      Unit = "tailscale-cert.service";
+      Persistent = "yes";
+      RandomizedDelaySec = "24h";
+    };
+  };
+}

nixos/boxes/vpsfree1/mastodon.nix

@@ -78,11 +78,7 @@ in {
       chmod -R g+r ${publicPath}
       chmod -R u+rwX ${publicPath}
     '';
-    serviceConfig = {
+    serviceConfig = { Type = "oneshot"; };
-      Type = "oneshot";
-      ProtectSystem = "strict";
-      ReadWritePaths = path;
-    };
     before = [ "container@mastodon.service" ];
   };