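{ config, pkgs, inputs, lib, ... }:
let
  # Tailscale MagicDNS name the certificate is issued for.
  fqdn = "bolty.raptor-carp.ts.net";
  # Directory name below /var/lib. systemd's StateDirectory= must be given
  # relative to /var/lib, so the relative name and the absolute path are
  # derived from one value instead of being spelled twice.
  stateDirName = "tailscale-certs";
  basePath = "/var/lib/${stateDirName}";
  # NOTE(review): key.pem is the TLS private key. Whether `tailscale cert`
  # applies an owner-only mode to it is not visible here; confirm the resulting
  # mode on the host, since the 0022 umask below only limits files that the
  # tool creates without an explicit mode.
  keyPath = "${basePath}/key.pem";
  certPath = "${basePath}/cert.pem";
in
{
  imports = [ ];

  # Creates the certificate directory ahead of tailscale-cert.service.
  # StateDirectory= on tailscale-cert already creates the same directory with
  # StateDirectoryMode, so this unit is kept only so that existing references
  # to it keep resolving.
  systemd.services.tailscale-cert-make-path = {
    description = "Create directory for tailscale server cert";
    script = ''
      mkdir -p ${basePath}
    '';
    serviceConfig = { Type = "oneshot"; };
    before = [ "tailscale-cert.service" ];
    wantedBy = [ "multi-user.target" ];
  };

  # Fetches (and on later runs renews) the certificate for fqdn via
  # `tailscale cert`, writing cert.pem and key.pem into basePath.
  systemd.services.tailscale-cert = {
    description = "Fetch tailscale server cert";
    after = [ "network.target" "network-online.target" "tailscaled.service" ];
    # An After= ordering on network-online.target has no effect unless some
    # unit pulls that target in, so it is listed under Wants= as well.
    wants = [ "tailscaled.service" "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ tailscale ];
    serviceConfig = {
      Type = "oneshot";
      # systemd parses UMask= and StateDirectoryMode= as octal. Written as
      # strings with a leading zero so the octal intent is visible; the
      # values are the same ones systemd derived from the bare integers.
      UMask = "0022";
      StateDirectoryMode = "0750";
      # Relative to /var/lib: systemd rejects absolute StateDirectory= values,
      # so the former absolute path left the unit without a state directory.
      StateDirectory = [ stateDirName ];
      # Read-only filesystem except for the cert directory (and the state
      # directory systemd grants automatically).
      ProtectSystem = "strict";
      ReadWritePaths = [ basePath ];
      PrivateTmp = true;
      WorkingDirectory = basePath;
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
    };
    script = ''
      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
    '';
  };

  # Re-runs tailscale-cert.service weekly, catching up after downtime and
  # spreading the runs over a day so hosts do not all renew at once.
  systemd.timers.tailscale-renew = {
    wantedBy = [ "timers.target" ];
    description = "Renew tailscale server cert";
    timerConfig = {
      OnCalendar = "weekly";
      Unit = "tailscale-cert.service";
      Persistent = "yes";
      RandomizedDelaySec = "24h";
    };
  };
}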