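{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # Tailscale MagicDNS name the certificate is issued for.
  fqdn = "bolty.raptor-carp.ts.net";
  # systemd's StateDirectory= takes a name relative to /var/lib; an absolute
  # path is ignored with a warning (and StateDirectoryMode= with it), so the
  # bare name is the source of truth and the full path is derived from it.
  stateDirName = "tailscale-certs";
  basePath = "/var/lib/${stateDirName}";
  keyPath = "${basePath}/key.pem";
  certPath = "${basePath}/cert.pem";
in {
  imports = [];

  # Obtains (or renews) the TLS certificate for `fqdn` from the local
  # tailscaled. The state directory is created by systemd through
  # StateDirectory= below, so no separate mkdir unit is required.
  systemd.services.tailscale-cert = {
    after = ["network.target" "network-online.target" "tailscaled.service"];
    wants = ["tailscaled.service"];
    wantedBy = ["multi-user.target"];

    path = with pkgs; [tailscale];

    serviceConfig = {
      Type = "oneshot";
      # Octal umask. With 0022 the final mode of key.pem is whatever
      # `tailscale cert` chooses when writing it; set this to "0077" if
      # nothing outside this unit needs to read cert.pem from the directory.
      UMask = "0022";
      # Relative name: systemd creates /var/lib/<name> with
      # StateDirectoryMode= before ExecStart runs and keeps it writable
      # under ProtectSystem=strict.
      StateDirectory = stateDirName;
      StateDirectoryMode = "0750";
      ProtectSystem = "strict";
      ReadWritePaths = [basePath];
      PrivateTmp = true;
      WorkingDirectory = basePath;
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
    };

    script = ''
      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
    '';
  };

  # Re-runs tailscale-cert.service weekly so the certificate is renewed
  # before it expires. Persistent=yes fires a missed run at the next boot;
  # RandomizedDelaySec= adds up to 24h of jitter to each run.
  systemd.timers.tailscale-renew = {
    wantedBy = ["timers.target"];
    description = "Renew tailscale server cert";
    timerConfig = {
      OnCalendar = "weekly";
      Unit = "tailscale-cert.service";
      Persistent = "yes";
      RandomizedDelaySec = "24h";
    };
  };
}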