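{
  config,
  pkgs,
  inputs,
  lib,
  ...
}: let
  # MagicDNS name this node is known by on the tailnet; `tailscale cert` is
  # asked to issue for exactly this name.
  fqdn = "bolty.raptor-carp.ts.net";

  # systemd's StateDirectory= takes a path *relative* to /var/lib; an absolute
  # path is rejected and the directive is ignored (so the sandbox would have had
  # no managed state directory at all).  Keep the relative name and the absolute
  # path in one place and derive one from the other.
  stateDirName = "tailscale-certs";
  basePath = "/var/lib/${stateDirName}";
  keyPath = "${basePath}/key.pem";
  certPath = "${basePath}/cert.pem";
in {
  imports = [];

  # Pre-create the certificate directory with a restrictive mode.  With
  # StateDirectory= fixed on the main unit systemd creates it anyway; this unit
  # is kept so anything already ordering against tailscale-cert-make-path.service
  # keeps working.  `-m 0750` only applies to the final component; /var/lib
  # already exists.
  systemd.services.tailscale-cert-make-path = {
    description = "Create ${basePath} for tailscale-cert";
    script = ''
      mkdir -p -m 0750 ${basePath}
    '';
    serviceConfig = {Type = "oneshot";};
    before = ["tailscale-cert.service"];
    wantedBy = ["multi-user.target"];
  };

  # Obtain (or renew) the TLS certificate for ${fqdn} through the local
  # tailscaled.  Runs as root: key and cert are written root-owned inside a
  # 0750 directory, so a consumer such as a web server needs root or an
  # explicit group/ACL grant to read ${keyPath} — NOTE(review): confirm how
  # the intended consumer reads the key before relying on this mode.
  systemd.services.tailscale-cert = {
    description = "Obtain Tailscale HTTPS certificate for ${fqdn}";
    # `after` only orders; without also *wanting* network-online.target the
    # ordering against it is a no-op at boot, and the cert request needs the
    # network (via tailscaled) to succeed.
    after = ["network.target" "network-online.target" "tailscaled.service"];
    wants = ["network-online.target" "tailscaled.service"];
    wantedBy = ["multi-user.target"];

    path = with pkgs; [tailscale];

    serviceConfig = {
      Type = "oneshot";
      # systemd parses UMask=/StateDirectoryMode= as octal regardless of a
      # leading zero; the quoted, zero-prefixed form just makes that explicit.
      UMask = "0022";
      # Relative to /var/lib — resolves to ${basePath} and is the only location
      # the sandbox below allows writes to.
      StateDirectory = stateDirName;
      StateDirectoryMode = "0750";
      WorkingDirectory = basePath;

      # Sandboxing.  ProtectSystem=strict makes the whole filesystem read-only
      # except the paths listed in ReadWritePaths / the state directory.  The
      # tailscaled control socket under /run is still reachable: connect() on a
      # unix socket does not need a writable mount.
      ProtectSystem = "strict";
      ReadWritePaths = [basePath];
      PrivateTmp = true;
      PrivateDevices = true;
      NoNewPrivileges = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      LockPersonality = true;
      RestrictSUIDSGID = true;
    };

    # NixOS `script` runs under `set -e`, so a failed request fails the unit.
    script = ''
      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
    '';
  };

  # Re-run the cert unit on a weekly cadence (plus up to a day of jitter so a
  # fleet does not hit the issuer in lock-step).  `tailscale cert` is expected
  # to reuse a still-valid certificate and only reissue near expiry, so the
  # weekly run is cheap.  Persistent=yes catches up a run missed while down.
  systemd.timers.tailscale-renew = {
    wantedBy = ["timers.target"];
    description = "Renew tailscale server cert";
    timerConfig = {
      OnCalendar = "weekly";
      Unit = "tailscale-cert.service";
      Persistent = "yes";
      RandomizedDelaySec = "24h";
    };
  };
}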