diff --git a/desktop/ftl.host.nix b/desktop/ftl.host.nix
index d36ae50..cbe4e3d 100644
--- a/desktop/ftl.host.nix
+++ b/desktop/ftl.host.nix
@@ -1,78 +1,20 @@
-{ config, lib, pkgs, ... }:
+{ config, pkgs, ... }:
 
-let
- # Cloudflare tunnel definitions
- tunnels = {
- warp = {
- remoteHost = "warp.ftl.host"; # Cloudflare hostname
- remoteTarget = "localhost:22"; # Where traffic routes to
- localBindPort = 4401; # Local port exposed by cloudflared
- logPath = "/var/log/cloudflared/warp.log";
+{
+ environment.systemPackages = [ pkgs.cloudflared ];
+
+ systemd.services.cloudflared-warp-ssh = {
+ description = "Cloudflared SSH tunnel to warp.ftl.host → localhost:22";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network-online.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.cloudflared}/bin/cloudflared access tcp --hostname warp.ftl.host --url localhost:22 --port 4401 --logfile /var/log/cloudflared-warp.log";
+ Restart = "always";
+ User = "root";
 };
 };
-in {
- # Install cloudflared
- environment.systemPackages = with pkgs; [ cloudflared ];
 
- # Ensure /var/log/cloudflared exists
 systemd.tmpfiles.rules = [
- "d /var/log/cloudflared 0755 root root -"
+ "d /var/log 0755 root root -"
 ];
-
- # Systemd services per tunnel
- systemd.services = lib.mapAttrs (name: tunnel: {
- description = "Cloudflared Access TCP Tunnel for ${tunnel.remoteHost}";
- after = [ "network-online.target" ];
- wants = [ "network-online.target" ];
- wantedBy = [ "multi-user.target" ];
-
- # Use StateDirectory for persistent storage of logs
- serviceConfig = {
- StateDirectory = "cloudflared";
- StateDirectoryMode = "0755";
- RuntimeDirectory = "cloudflared";
- RuntimeDirectoryMode = "0700";
-
- # The key setting to ensure the service stays running
- Type = "simple";
- ExecStart = "${pkgs.cloudflared}/bin/cloudflared access tcp --hostname ${tunnel.remoteHost} --url ${tunnel.remoteTarget} --port ${toString tunnel.localBindPort} --logfile /var/lib/cloudflared/warp.log";
- Restart = "always";
- RestartSec = "5s";
-
- # Use systemd's built-in user
- User = "cloudflared";
- Group = "cloudflared";
-
- # Standard outputs
- StandardOutput = "journal";
- StandardError = "journal";
- };
-
- # Ensure the user exists
- users.users.cloudflared = {
- isSystemUser = true;
- group = "cloudflared";
- description = "Cloudflared service user";
- };
-
- users.groups.cloudflared = {};
- }) tunnels;
-
- # Activation step to ensure log directory exists
- system.activationScripts.cloudflaredLogs = lib.stringAfter [ "users" ] ''
- mkdir -p /var/log/cloudflared
- chmod 755 /var/log/cloudflared
- '';
-
- # Optional documentation metadata
- meta.doc = ''
- This module defines persistent cloudflared TCP tunnels using access tcp.
- Add tunnels by appending to the `tunnels` attribute set.
-
- Required keys:
- - remoteHost: The public hostname exposed via Cloudflare Tunnel.
- - remoteTarget: The internal service to forward traffic to (e.g. localhost:22).
- - localBindPort: The port to expose locally (e.g. 4401).
- - logPath: File path to capture logs.
- '';
-}
+}
\ No newline at end of file
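Review bot: `User = "root"` in the new serviceConfig runs the cloudflared client as root, whereas the removed code ran it as a dedicated `cloudflared` system user; `cloudflared access tcp` only needs to bind a local port and talk outbound to Cloudflare, so `DynamicUser = true` with `LogsDirectory = "cloudflared"` keeps the log file writable without root and makes the new `d /var/log 0755 root root -` tmpfiles rule (which also re-applies a mode to an already-existing system directory) unnecessary. `after = [ "network-online.target" ]` without the `wants = [ "network-online.target" ]` the old unit had no longer pulls that target in, and dropping `RestartSec` means `Restart = "always"` now retries at systemd's default 100 ms interval rather than every 5 s. If `--url` is the local listen address, as it is for `cloudflared access tcp`, `localhost:22` is both a privileged port and sshd's, so the intended listener should be confirmed before dropping root. The `config` argument in the module header is now unused and could be removed.
```nix
  systemd.services.cloudflared-warp-ssh = {
    description = "Cloudflared SSH tunnel to warp.ftl.host → localhost:22";
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    serviceConfig = {
      # access tcp needs neither root nor a persistent identity: an unprivileged
      # dynamic user can bind the local port and reach Cloudflare outbound.
      DynamicUser = true;
      # systemd creates /var/log/cloudflared owned by that user for --logfile.
      LogsDirectory = "cloudflared";
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared access tcp --hostname warp.ftl.host --url localhost:22 --port 4401 --logfile /var/log/cloudflared/warp.log";
      Restart = "always";
      RestartSec = "5s";
    };
  };
  # … unchanged: environment.systemPackages …; the "d /var/log" tmpfiles rule is dropped
```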