{pkgs, config, ...}: {
  users.users.cloudflared = {
    group = "cloudflared";
    isSystemUser = true;
  };
  users.groups.cloudflared = { };

  systemd.services.cloudflared = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      Description = "Cloudflared Tunnel Service";
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --cred-file /run/agenix/cloudflared-creds";
      Restart = "on-failure";
      RestartSec = "5s";
      User = "cloudflared";
      Group = "cloudflared";
      Type = "notify";
      TimeoutStartSec = 0;
      ReadWriteDirectories = "/run/agenix";
      EnvironmentFile = "/run/agenix/cloudflared-vars";
    };
  };
}