# NixOS module fragment: enables a CockroachDB node through the
# `services.cockroachdb-bin` options, joins it to a peer over the internal
# WireGuard network, and prepares the directory named by `certsDir`.
{self, ...}: let
  # Host table for the internal WireGuard network (read below as `hosts.<name>.ip`).
  wg = import "${self}/data/chaosInternalWireGuard.nix";

  # Shared values, named once so the tmpfiles rule and the service cannot drift apart.
  certsDir = "/var/lib/cockroachdb-certs";
  sqlPort = 26257;
  httpPort = 8080;
  allInterfaces = "0.0.0.0";
in {
  # tmpfiles `d`: create the directory if it is missing, owned by root:root.
  # The `-` mode field leaves the mode at the systemd-tmpfiles default.
  # NOTE(review): this directory presumably holds the node's TLS certificates
  # and private key. Confirm the account the service runs as can read it, and
  # consider an explicit restrictive mode instead of the default.
  systemd.tmpfiles.rules = ["d ${certsDir} - root root"];

  services.cockroachdb-bin = {
    enable = true;
    inherit certsDir;

    # Join list: this node itself plus the hetzner-vm peer's WireGuard address.
    join = "localhost:${toString sqlPort},${wg.hosts.hetzner-vm.ip}:${toString sqlPort}";

    # Peers are told to reach this node on raspberry's WireGuard address.
    extraArgs = ["--advertise-addr=${wg.hosts.raspberry.ip}:${toString sqlPort}"];

    # Operator access through an SSH tunnel to loopback:
    #   ssh -L 8080:127.0.0.1:8080 -L 26257:127.0.0.1:26257 raspberry
    #
    # NOTE(review): both listeners bind every interface (0.0.0.0), although the
    # advertised address is the WireGuard IP and the tunnel above only needs
    # loopback. Confirm that the host firewall limits 26257 and 8080 to the
    # WireGuard interface, or bind to the WireGuard/loopback addresses instead,
    # so neither the SQL/RPC port nor the HTTP console faces other networks.
    listen = {
      address = allInterfaces;
      port = sqlPort;
    };
    http = {
      address = allInterfaces;
      port = httpPort;
    };
  };
}