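# NixOS module: obtain and periodically renew a Tailscale-issued TLS certificate
# for this node's MagicDNS name, keeping the cert/key pair under /var/lib.
{ config, pkgs, inputs, lib, ... }:

let
  # Hostname the certificate is issued for; must match the node's MagicDNS name.
  fqdn = "bolty.raptor-carp.ts.net";
  # StateDirectory= takes a name relative to /var/lib, never an absolute path
  # (systemd rejects absolute values), so the directory name is the source of
  # truth and the absolute path is derived from it.
  stateDirName = "tailscale-certs";
  basePath = "/var/lib/${stateDirName}";
  keyPath = "${basePath}/key.pem";
  certPath = "${basePath}/cert.pem";
in
{
  imports = [ ];

  # Pre-creates basePath before the cert service runs. With StateDirectory=
  # set correctly below systemd creates the directory itself, so this unit is
  # redundant; it is kept so anything ordering against its name keeps working.
  systemd.services.tailscale-cert-make-path = {
    script = ''
      mkdir -p ${basePath}
    '';
    serviceConfig = {
      Type = "oneshot";
    };
    before = [ "tailscale-cert.service" ];
    wantedBy = [ "multi-user.target" ];
  };

  # Fetches, or renews when due, the certificate through the local tailscaled.
  # `tailscale cert` is a no-op unless the cert needs (re)issuing, so running
  # it at boot and from the weekly timer is safe.
  systemd.services.tailscale-cert = {
    after = [ "network.target" "network-online.target" "tailscaled.service" ];
    # network-online.target is only activated when some unit Wants= it;
    # ordering After= it alone does not pull it in.
    wants = [ "tailscaled.service" "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ tailscale ];
    serviceConfig = {
      Type = "oneshot";
      # Octal mode strings, in the form systemd documents.
      UMask = "0022";
      # Directory is root-owned and not world-accessible: any consumer of
      # key.pem (e.g. a web server) must be granted access deliberately.
      StateDirectoryMode = "0750";
      # Read-only view of the system except the cert directory.
      ProtectSystem = "strict";
      ReadWritePaths = [ basePath ];
      PrivateTmp = true;
      WorkingDirectory = basePath;
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      # Relative to /var/lib (see stateDirName above).
      StateDirectory = [ stateDirName ];
    };
    # NOTE(review): the resulting file modes are whatever `tailscale cert`
    # applies, masked by UMask above — confirm key.pem ends up not
    # group/world-readable on this host.
    script = ''
      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
    '';
  };

  # Weekly renewal check, spread over a day so a fleet does not hit the
  # control plane at the same instant; Persistent catches missed runs after
  # downtime.
  systemd.timers.tailscale-renew = {
    wantedBy = [ "timers.target" ];
    description = "Renew tailscale server cert";
    timerConfig = {
      OnCalendar = "weekly";
      Unit = "tailscale-cert.service";
      Persistent = true;
      RandomizedDelaySec = "24h";
    };
  };
}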