{ den, ... }: let
  tunnel_uuid = "4118935e-359b-4dd2-95bd-eb27f7b0c5bb";
  domain = "bug.tools";
  creds  = "/home/bug/.cloudflared/${tunnel_uuid}.json";

  tunnel = port: subdomain: { pkgs, ... }: {
    environment.systemPackages = [ pkgs.cloudflared ];

    environment.etc."cloudflared/${tunnel_uuid}.json".source = creds;

    services.cloudflared = {
      enable = true;

      tunnels.${tunnel_uuid} = {
        credentialsFile = "/etc/cloudflared/${tunnel_uuid}.json";
        default = "http_status:404";

        ingress = {
          "${subdomain}.${domain}" = "http://127.0.0.1:${toString port}";
        };
      };
    };
  };
in {
  den.aspects.tunnel = port: subdomain: den.lib.parametric {
    includes = [
      (_: { nixos = tunnel port subdomain; })
    ];
  };
}