{
  pkgs,
  config,
  ...
}: {
  users.users.cloudflared = {
    group = "cloudflared";
    isSystemUser = true;
  };
  users.groups.cloudflared = {};

  systemd.services.cloudflared = {
    wantedBy = ["multi-user.target"];
    after = ["network.target"];
    serviceConfig = {
      Description = "Cloudflared Tunnel Service";
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --cred-file /run/agenix/cloudflared-creds";
      Restart = "on-failure";
      RestartSec = "5s";
      User = "cloudflared";
      Group = "cloudflared";
      Type = "notify";
      TimeoutStartSec = 0;
      ReadWriteDirectories = "/run/agenix";
      EnvironmentFile = "/run/agenix/cloudflared-vars";
    };
  };
}