{ config, pkgs, ... }:

{
  environment.systemPackages = [ pkgs.cloudflared ];

  systemd.services.cloudflared-warp-ssh = {
    description = "Cloudflared SSH tunnel to warp.ftl.host → localhost:22";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared access tcp --hostname warp.ftl.host --url localhost:22 --port 4401 --logfile /var/log/cloudflared-warp.log";
      Restart = "always";
      User = "root";
    };
  };

  systemd.tmpfiles.rules = [
    "d /var/log 0755 root root -"
  ];
}