diff --git a/desktop/ftl.host.nix b/desktop/ftl.host.nix
index 6dc35b9..582a2ab 100644
--- a/desktop/ftl.host.nix
+++ b/desktop/ftl.host.nix
@@ -35,10 +35,19 @@ in {
 serviceConfig = {
 ExecStart = "${pkgs.cloudflared}/bin/cloudflared access tcp --hostname ${tunnel.remoteHost} --url ${tunnel.remoteTarget} --port ${toString tunnel.localBindPort} --logfile ${tunnel.logPath}";
+ # The key setting to ensure the service stays running
+ Type = "simple";
 Restart = "always";
 RestartSec = "5s";
- User = "root";
- Group = "root";
+ # Configure service to wait for network
+ After = [ "network-online.target" ];
+ Wants = [ "network-online.target" ];
+ # Run as dedicated user for better security
+ DynamicUser = true;
+ # Configure systemd runtime directory
+ RuntimeDirectory = "cloudflared";
+ RuntimeDirectoryMode = "0700";
+ # Standard outputs
 StandardOutput = "journal";
 StandardError = "journal";
 };
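Review bot: `After` and `Wants` are [Unit] directives, so placing them inside `serviceConfig` (which NixOS renders into the [Service] section) means systemd will ignore them and the ordering on network-online.target never takes effect. Set `after = [ "network-online.target" ];` and `wants = [ "network-online.target" ];` on the enclosing service attribute set instead, which starts outside this hunk. With `DynamicUser = true` the unit also sees most of the filesystem read-only, so `--logfile ${tunnel.logPath}` may fail unless that path sits under a directory systemd manages. The value of `tunnel.logPath` is not visible here, but if it points under /var/log, adding `LogsDirectory = "cloudflared";` and logging beneath it would keep the move away from root workable. The comment on `Type = "simple"` is also misleading, since `Restart = "always"` is what keeps the service running.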