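# Cloudflare Tunnel aspect: exposes selected local services as
# <subdomain>.<domain> through a single named cloudflared tunnel.
let
  # Tunnel ID; also used as the credentials file name.
  uuid = "4118935e-359b-4dd2-95bd-eb27f7b0c5bb";
  domain = "bug.tools";

  # The credentials JSON holds the tunnel secret. Keep this a string, not a
  # path literal: a path literal would be copied into the world-readable
  # /nix/store, whereas a string is only referenced by the /etc entry below.
  # NOTE(review): the file lives in a user's home directory, so that account
  # decides which credentials the service loads. Confirm its owner and mode,
  # or move it to a root-owned location or a secrets manager (e.g. sops-nix,
  # agenix).
  creds = "/home/bug/.cloudflared/${uuid}.json";
in
{
  den.aspects.cloudflared = {
    nixos = { config, pkgs, lib, ... }: {
      options.den.tunnels = lib.mkOption {
        default = [];
        description = "Cloudflared tunnel subdomains, matched directly against portmap keys.";
        type = lib.types.listOf lib.types.str;
      };

      config = {
        # Every tunnelled subdomain must have a port in den.portmap. Without
        # this check a typo surfaces as an opaque "attribute missing"
        # evaluation error from the ingress mapping below.
        assertions = map (subdomain: {
          assertion = builtins.hasAttr subdomain config.den.portmap;
          message = "den.tunnels: \"${subdomain}\" has no entry in den.portmap";
        }) config.den.tunnels;

        environment.systemPackages = [ pkgs.cloudflared ];

        # /etc/cloudflared/<uuid>.json points at the credentials file above.
        # NOTE(review): whether the cloudflared service account can read the
        # target depends on the home directory's permissions and on how the
        # NixOS module loads credentialsFile; verify on the deployed system.
        environment.etc."cloudflared/${uuid}.json".source = creds;

        services.cloudflared = {
          enable = true;
          tunnels.${uuid} = {
            credentialsFile = "/etc/cloudflared/${uuid}.json";

            # Catch-all: hostnames not listed in `ingress` get a 404 instead
            # of being forwarded to a local service.
            default = "http_status:404";

            # One rule per entry in den.tunnels. Origins are plain HTTP on
            # loopback, so each port in den.portmap becomes reachable from
            # the public hostname; list only services meant to be public,
            # or that enforce their own authentication.
            ingress = lib.listToAttrs (map (subdomain: {
              name = "${subdomain}.${domain}";
              value = "http://127.0.0.1:${toString config.den.portmap.${subdomain}}";
            }) config.den.tunnels);
          };
        };
      };
    };
  };
}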