dotfiles/nixos/boxes/bolty/tailscale-cert.nix


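{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # Tailnet FQDN the certificate is issued for (this node's MagicDNS name).
  fqdn = "bolty.raptor-carp.ts.net";
  # StateDirectory= takes a name relative to /var/lib, never an absolute path;
  # systemd rejects an absolute value and skips directory setup entirely.
  # Deriving basePath from the name keeps the two in agreement by construction.
  stateDirName = "tailscale-certs";
  basePath = "/var/lib/${stateDirName}";
  keyPath = "${basePath}/key.pem";
  certPath = "${basePath}/cert.pem";
in {
  imports = [];

  # Pre-creates the certificate directory before the cert service runs.
  # With StateDirectory= set correctly below systemd creates the directory
  # itself, so this is only a belt-and-braces step.
  systemd.services.tailscale-cert-make-path = {
    script = ''
      mkdir -p ${basePath}
    '';
    serviceConfig = {Type = "oneshot";};
    before = ["tailscale-cert.service"];
    wantedBy = ["multi-user.target"];
  };

  # Requests (or renews) the TLS certificate for the node's tailnet name via
  # tailscaled and writes cert.pem / key.pem into basePath. The unit runs as
  # root (no User=) so it can reach the tailscaled local API socket.
  systemd.services.tailscale-cert = {
    description = "Fetch tailscale TLS certificate for ${fqdn}";
    # Ordering after network-online.target only has an effect if the target is
    # also pulled in, hence it appears in wants= as well.
    after = ["network.target" "network-online.target" "tailscaled.service"];
    wants = ["network-online.target" "tailscaled.service"];
    wantedBy = ["multi-user.target"];
    path = with pkgs; [tailscale];
    serviceConfig = {
      Type = "oneshot";
      # systemd parses UMask= and StateDirectoryMode= as octal; quoting them
      # avoids the Nix-decimal / systemd-octal ambiguity of bare integers
      # (the values are the same as before: 022 and 0750).
      UMask = "0022";
      StateDirectoryMode = "0750";
      # Relative to /var/lib; resolves to basePath.
      StateDirectory = [stateDirName];
      # Read-only root filesystem except for the explicitly writable cert dir.
      ProtectSystem = "strict";
      ReadWritePaths = ["${basePath}"];
      PrivateTmp = true;
      WorkingDirectory = "${basePath}";
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
    };
    # NOTE(review): the private key's file mode is whatever `tailscale cert`
    # applies when writing --key-file; confirm it is owner-only for the
    # tailscale version deployed here.
    script = ''
      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
    '';
  };

  # Weekly renewal trigger for tailscale-cert.service. Persistent=yes catches
  # up on a missed run after downtime; RandomizedDelaySec spreads the
  # renewal request over a day.
  systemd.timers.tailscale-renew = {
    wantedBy = ["timers.target"];
    description = "Renew tailscale server cert";
    timerConfig = {
      OnCalendar = "weekly";
      Unit = "tailscale-cert.service";
      Persistent = "yes";
      RandomizedDelaySec = "24h";
    };
  };
}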