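# NixOS module: serves InfluxDB 2 over TLS on the host's tailnet name.
# The certificate and key are copied from /var/lib/tailscale-certs
# (presumably written by tailscale-cert.service, which is not defined here)
# into a directory owned by the influxdb2 user before InfluxDB starts.
{ config, pkgs, inputs, lib, ... }:
let
  fqdn = "bolty.raptor-carp.ts.net";
  port = 8086;
  path = "/data/influxdb";
  certPath = "${path}/cert.pem";
  keyPath = "${path}/key.pem";
in
{
  # NOTE(review): this opens the port on every interface, while InfluxDB
  # binds only to the address that ${fqdn} resolves to. If the service is
  # meant to be tailnet-only, scope the rule to the Tailscale interface with
  # networking.firewall.interfaces.<name>.allowedTCPPorts instead.
  networking.firewall.allowedTCPPorts = [ port ];

  systemd.services.influxdb2-prep = {
    # The unit sets no User=, so the script runs as root.
    # `install` replaces `cp -rv` so the modes are pinned explicitly: the
    # private key is 0600 and owned by influxdb2 from the moment it is
    # written, instead of inheriting whatever mode the source file and the
    # umask produce. The recursive chown is kept so anything else already
    # under ${path} ends up with the same ownership as before.
    script = ''
      mkdir -p ${path}
      install -v -m 0644 -o influxdb2 -g influxdb2 /var/lib/tailscale-certs/cert.pem ${certPath}
      install -v -m 0600 -o influxdb2 -g influxdb2 /var/lib/tailscale-certs/key.pem ${keyPath}
      chown -Rv influxdb2:influxdb2 ${path}
    '';

    serviceConfig = {
      Type = "oneshot";
    };

    # ReloadPropagatedFrom= is a [Unit] directive; under serviceConfig it is
    # emitted into [Service], where systemd ignores it.
    # NOTE(review): this oneshot defines no reload action, so a renewed
    # certificate is probably only re-copied when the unit is started again.
    # Confirm how certificate renewal is meant to reach InfluxDB.
    unitConfig = {
      ReloadPropagatedFrom = "tailscale-cert.service";
    };

    before = [ "influxdb2.service" ];
    wantedBy = [ "multi-user.target" ];
    after = [
      "network.target"
      "network-online.target"
      "tailscaled.service"
      "tailscale-cert.service"
    ];
    wants = [ "tailscale-cert.service" ];
  };

  # Ordering only: `after` here and `before` on the prep unit do not make
  # influxdb2 depend on the copy succeeding.
  # NOTE(review): if InfluxDB must not start without a fresh cert and key,
  # consider adding requires = [ "influxdb2-prep.service" ].
  systemd.services.influxdb2 = {
    after = [
      "network.target"
      "network-online.target"
      "tailscaled.service"
      "tailscale-cert.service"
      "tailscale-auth.service"
    ];
  };

  services.influxdb2 = {
    enable = true;
    settings = {
      # Binding to the tailnet name requires it to resolve at start-up,
      # hence the ordering after tailscaled.service above.
      http-bind-address = "${fqdn}:${toString port}";
      tls-cert = "${certPath}";
      tls-key = "${keyPath}";
    };
  };
}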