use tailscale auth for hledger

hosts/freun-dev/services.nix

@@ -19,6 +19,7 @@ in
 {
   virtualisation.podman.enable = true;
   virtualisation.oci-containers.backend = "podman";
+  security.acme.defaults.environmentFile = secrets.hetzner.path;
 
   modules.storageBoxMounts = {
     ${immichDataDir} = {
@@ -387,12 +388,17 @@ in
       enable = true;
       subdomain = "ledger";
       stateDir = "${syncthingDataDir}/ledger";
-      basicAuthFile = secrets.hledger-basic-auth.path;
       user = config.systemd.services.syncthing.serviceConfig.User;
       group = config.systemd.services.syncthing.serviceConfig.Group;
+      extraOptions = [ "--forecast" ];
       journalFiles = [
         "main.ldg"
       ];
     };
+
+    webserver = {
+      acme.dnsChallenge = true;
+      tailscaleAuth.expectedTailnet = "tempel-vibes.ts.net";
+    };
   };
 }