{ config, pkgs, lib, ... }:
# NixOS module that runs one Cloudflare Tunnel ("panoptes-nix") forwarding
# panoptes.john-stream.com to an HTTPS origin on the local machine.
# Reference: https://wiki.nixos.org/wiki/Cloudflared
let
  tunnelName = "panoptes-nix";
  publicHost = "panoptes.john-stream.com";
in
{
  # net.ipv4.ping_group_range is the range of group IDs allowed to open
  # unprivileged ICMP echo sockets. "0 65535" covers every GID in that span,
  # not only the cloudflared group.
  # NOTE(review): if only cloudflared needs this, pin a static GID for the
  # group and narrow the range to that single value.
  boot.kernel.sysctl."net.ipv4.ping_group_range" = "0 65535";

  # Static service account, used by the systemd override at the bottom.
  users = {
    groups.cloudflared = { };
    users.cloudflared = {
      isSystemUser = true;
      # Original note: "Match allowed range" (presumably the group's GID has
      # to fall inside ping_group_range above; confirm).
      group = "cloudflared";
    };
  };

  # Tunnel credentials come from sops-nix instead of a plaintext file on disk.
  # Declared with sops-nix defaults, so no owner/group/mode is set here.
  # NOTE(review): confirm the unit can still read the decrypted file once it
  # runs as the static cloudflared user rather than a dynamic one.
  sops.secrets.cloudflared-creds = { };

  # Makes the cloudflared CLI available system-wide.
  environment.systemPackages = [ pkgs.cloudflared ];

  services.cloudflared = {
    enable = true;
    tunnels.${tunnelName} = {
      credentialsFile = config.sops.secrets.cloudflared-creds.path;
      # credentialsFile = /root/.cloudflared/c5d343b4-c12c-4490-9d92-9a2345738dc2.json;

      # Catch-all: requests that match no ingress rule get a 404.
      default = "http_status:404";

      ingress.${publicHost} = {
        service = "https://localhost:443";
        # path = ".*";
        originRequest = {
          # Hostname cloudflared expects on the origin's certificate.
          originServerName = publicHost;
          # NOTE(review): noTLSVerify turns off validation of the origin
          # certificate, so whatever answers on localhost:443 is accepted and
          # originServerName no longer acts as an identity check. If the
          # origin serves a certificate valid for this hostname, or its CA can
          # be supplied via originRequest.caPool, drop this line.
          noTLSVerify = true;
        };
      };
    };
  };

  # Run the tunnel unit as the static cloudflared account. mkForce is needed
  # to override the DynamicUser value that is set elsewhere (presumably by the
  # services.cloudflared module; confirm against the nixpkgs version in use).
  systemd.services."cloudflared-tunnel-${tunnelName}".serviceConfig = {
    DynamicUser = lib.mkForce false;
    User = "cloudflared";
    Group = "cloudflared";
  };
}