{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # TCP port the InfluxDB HTTP(S) API listens on (8086 is InfluxDB's default).
  port = 8086;
  # Directory the TLS material is staged into for the influxdb2 user.
  path = "/data/influxdb";
  # Staged copies of the certificate and private key; the originals are read
  # from /var/lib/tailscale-certs by the influxdb2-prep unit.
  certPath = path + "/cert.pem";
  keyPath = path + "/key.pem";
in {
  # Opens the InfluxDB port in the host firewall on every interface.
  # NOTE(review): the certificate is taken from /var/lib/tailscale-certs, which
  # suggests clients are expected to arrive over the tailnet. If that is the
  # only intended path, scoping the rule with
  # networking.firewall.interfaces.<tailscale interface>.allowedTCPPorts would
  # keep the API off other networks. Confirm the intended exposure.
  networking.firewall.allowedTCPPorts = [port];

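  # One-shot unit that stages the Tailscale-issued certificate and private key
  # into the InfluxDB directory before influxdb2.service starts, so the
  # unprivileged influxdb2 user can read them.
  systemd.services.influxdb2-prep = {
    script = ''
      mkdir -p ${path}
      # install(1) sets owner and mode as part of the copy, so the private key
      # is never left readable by other users between a copy and a later
      # chown/chmod. The certificate is public; the key is owner-only.
      install -v -m 0644 -o influxdb2 -g influxdb2 /var/lib/tailscale-certs/cert.pem ${certPath}
      install -v -m 0600 -o influxdb2 -g influxdb2 /var/lib/tailscale-certs/key.pem ${keyPath}
      # Kept from the original: hands any other content of the directory to
      # the service user as well.
      chown -Rv influxdb2:influxdb2 ${path}
    '';
    serviceConfig = {
      Type = "oneshot";
    };
    # ReloadPropagatedFrom= is a [Unit] setting; under serviceConfig it is
    # written to [Service], where systemd ignores it as an unknown key.
    # NOTE(review): this unit defines no reload action, and the files are only
    # copied when the unit runs, so a renewed certificate is not picked up
    # until the unit is started again. Confirm how renewals should reach
    # InfluxDB.
    unitConfig = {
      ReloadPropagatedFrom = "tailscale-cert.service";
    };
    before = ["influxdb2.service"];
    wantedBy = ["multi-user.target"];
    after = [
      "network.target"
      "network-online.target"
      "tailscaled.service"
      "tailscale-cert.service"
    ];
    # Pulls in the certificate unit; `after` above only orders against it.
    wants = ["tailscale-cert.service"];
  };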

  # Extra start-up ordering for the InfluxDB unit. `after` only orders; it does
  # not pull these units in or make InfluxDB depend on their success.
  # NOTE(review): nothing here requires influxdb2-prep to have succeeded, so
  # InfluxDB may be started with a missing or stale certificate. Confirm.
  systemd.services.influxdb2.after = [
    "network.target"
    "network-online.target"
    "tailscaled.service"
    "tailscale-cert.service"
    "tailscale-auth.service"
  ];

  # InfluxDB 2 served over TLS with the staged certificate and private key.
  services.influxdb2.enable = true;
  services.influxdb2.settings = {
    # Listens on every interface, so reachability is bounded only by the
    # firewall rule for this port.
    # NOTE(review): if only tailnet clients are intended, binding to the
    # tailnet address would narrow this. Confirm.
    http-bind-address = "0.0.0.0:" + toString port;
    tls-cert = certPath;
    tls-key = keyPath;
  };
}