netdata: make ui available in tailnet

hosts/sid/services/netdata.nix

@@ -55,21 +55,36 @@ in
     NETDATA_USER_CONFIG_DIR = "/etc/netdata/conf.d";
   };
 
-  # TODO: move into Tailnet
-  # services.nginx.virtualHosts."${constants.services.netdata.fqdn}" = {
-  #   enableACME = true;
-  #   forceSSL = true;
-  #
-  #   locations."/" = {
-  #     root = netdata-dashboard;
-  #     tryFiles = "$uri $uri/ /index.html";
-  #   };
-  #
-  #   locations."~ ^/(api|v[0-9]+|netdata.conf|registry|stream|version.txt)(/|$)" = {
-  #     proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
-  #     recommendedProxySettings = true;
-  #   };
-  # };
+  services.nginx.virtualHosts."${constants.services.netdata.fqdn}" = {
+    useACMEHost = constants.services.netdata.fqdn;
+    forceSSL = true;
+    listen = [
+      {
+        addr = "${constants.hosts.sid.ip}:443";
+        ssl = true;
+      }
+    ];
+
+    locations."/" = {
+      root = netdata-dashboard;
+      tryFiles = "$uri $uri/ /index.html";
+    };
+
+    locations."~ ^/(api|v[0-9]+|netdata.conf|registry|stream|version.txt)(/|$)" = {
+      proxyPass = "http://127.0.0.1:${toString constants.services.netdata.port}";
+      recommendedProxySettings = true;
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    certs."${constants.services.netdata.fqdn}" = {
+      domain = constants.services.netdata.fqdn;
+      dnsProvider = "hetzner";
+      credentialFiles.HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
+      group = "nginx";
+    };
+  };
 
   services.journald.storage = "persistent";
 
@@ -83,6 +98,12 @@ in
       restartUnits = [ "netdata.service" ];
     in
     {
+      secrets.hetzner-api-key = {
+        inherit mode;
+        owner = "acme";
+        group = "acme";
+      };
+
       secrets."netdata/stream/rx4/uuid" = {
         inherit
           owner