dotfiles/nixos/boxes/bolty/tailscale-cert.nix


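{ config, pkgs, inputs, lib, ... }:
# Obtain and periodically renew the Tailscale-issued TLS certificate for this
# host's tailnet FQDN, and point nginx's virtual host at the resulting files.
let
  fqdn = "bolty.raptor-carp.ts.net";
  # Directory name relative to /var/lib: systemd's StateDirectory= only accepts
  # relative names (an absolute path is rejected and the directory is never
  # created), so the absolute path is derived from it rather than the reverse.
  stateDir = "tailscale-certs";
  basePath = "/var/lib/${stateDir}";
  keyPath = "${basePath}/key.pem";
  certPath = "${basePath}/cert.pem";
in {
  imports = [ ];

  services.nginx.virtualHosts."${fqdn}" = {
    sslCertificateKey = keyPath;
    sslCertificate = certPath;
  };

  systemd.services.tailscale-cert = {
    description = "Fetch or renew the Tailscale TLS certificate for ${fqdn}";
    after = [ "network.target" "network-online.target" "tailscaled.service" ];
    wants = [ "tailscaled.service" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ tailscale ];
    serviceConfig = {
      Type = "oneshot";
      # StateDirectory= creates /var/lib/<stateDir> with the given mode before
      # the unit starts, so no separate mkdir helper unit is needed.
      # NOTE(review): the directory is created root:root; nginx runs as its own
      # user and must still be able to read key.pem — confirm the effective
      # ownership/mode on the host grants that without making the key
      # world-readable.
      StateDirectory = [ stateDir ];
      StateDirectoryMode = "0750";
      # systemd reads these as octal; written as strings so the value that
      # reaches the unit file is unambiguous. The key file's own mode is chosen
      # by `tailscale cert` when it writes the file — verify it is not
      # broader than intended.
      UMask = "0022";
      ProtectSystem = "strict";
      ReadWritePaths = [ basePath ];
      PrivateTmp = true;
      WorkingDirectory = basePath;
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      # nginx loads certificate files at start/reload only, so a renewed cert
      # would otherwise go unused until the next nginx restart. The leading "-"
      # makes a reload failure (e.g. nginx not running yet) non-fatal for the
      # renewal itself; try-reload-or-restart is a no-op when nginx is inactive.
      ExecStartPost =
        "-${pkgs.systemd}/bin/systemctl try-reload-or-restart nginx.service";
    };
    script = ''
      tailscale cert --cert-file ${certPath} --key-file ${keyPath} ${fqdn}
    '';
  };

  systemd.timers.tailscale-renew = {
    description = "Renew tailscale server cert";
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnCalendar = "weekly";
      Unit = "tailscale-cert.service";
      # Catch up on a renewal missed while the machine was off instead of
      # waiting for the next weekly slot.
      Persistent = true;
      RandomizedDelaySec = "24h";
    };
  };
}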