{tree, ...}: let
  internal_wireguard = import ../../../data/chaos_wireguard_internal.nix {};
in {
  imports = with tree; [
    profiles.cockroachdb-bin-fix
  ];

  systemd.tmpfiles.rules = [
    "d /var/lib/cockroachdb-certs - root root"
  ];

  services.cockroachdb = {
    enable = true;
    certsDir = "/var/lib/cockroachdb-certs";
    join = "localhost:26257,${internal_wireguard.hosts.hetzner-vm.ip}:26257";
    #  ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
    http = {
      address = "0.0.0.0";
      port = 8080;
    };
  };
}