{ config, pkgs, ... }:

{
  users.users.cloudflared = {
    group = "cloudflared";
    isSystemUser = true;
  };
  users.groups.cloudflared = { };

  environment.systemPackages = [
    pkgs.cloudflared
  ];

  systemd.services.cloudflared_tunnel = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token=TODO_FIXSECRETS";
      Restart = "always";
      User = "cloudflared";
      Group = "cloudflared";
    };
  };
}