# cloudflared/battery.nix
#
# Exposes `den.provides.cloudflared-tunnel subdomain port`, a parametric
# provider that contributes one Cloudflare tunnel ingress rule per call and
# re-declares the shared tunnel settings each time (same values, so the NixOS
# module system merges them).
{ den, ... }:
let
  # Tunnel identity and zone are pinned for this machine.
  tunnelId = "4118935e-359b-4dd2-95bd-eb27f7b0c5bb";
  baseDomain = "bug.tools";

  # Tunnel credential (a secret). This is a *string*, not a Nix path literal:
  # a path literal would be imported into the world-readable /nix/store,
  # whereas a string is passed through as-is, so /etc/<etcCredsName> ends up
  # pointing at the file in the home directory (default `environment.etc`
  # symlink mode).
  # NOTE(review): the credential therefore stays under the `bug` account's
  # control, and the cloudflared service has to be able to read through
  # /home/bug — confirm owner/mode of the file, or keep it in a root-owned
  # location outside the home directory.
  credsSource = "/home/bug/.cloudflared/${tunnelId}.json";

  # Name of the credential entry relative to /etc.
  etcCredsName = "cloudflared/${tunnelId}.json";

  # NOTE(review): the "ingress entry" example below looks like it lost its
  # subdomain/port placeholders; the actual mapping is
  # "${subdomain}.${baseDomain}" -> "http://127.0.0.1:${toString port}".
  description = ''
    Configures a Cloudflare tunnel ingress rule for a given subdomain and port.
    Assumes the tunnel UUID and credentials are fixed for this machine.

    Usage:
      den.aspects.bug.includes = [
        (den.provides.cloudflared-tunnel "search" 8888)
        (den.provides.cloudflared-tunnel "tube" 3030)
        (den.provides.cloudflared-tunnel "git" 3000)
      ];

    Each call adds one ingress entry:
      .bug.tools -> http://127.0.0.1:

    The base tunnel setup (enable, credentials, default) is included
    every time and merges safely via the NixOS module system.
  '';

  # Builds the NixOS module for one (subdomain, port) pair.
  tunnelNixos = subdomain: port:
    let
      # Public hostname served through the tunnel.
      publicHost = "${subdomain}.${baseDomain}";
      # Origin is always the loopback interface on the given port. Publishing
      # it here makes a localhost-only listener reachable under publicHost, so
      # the service behind the port has to do its own authentication (or sit
      # behind an access policy in front of the tunnel).
      localOrigin = "http://127.0.0.1:${toString port}";
    in
    { pkgs, ... }: {
      environment = {
        systemPackages = [ pkgs.cloudflared ];
        etc.${etcCredsName}.source = credsSource;
      };

      services.cloudflared = {
        enable = true;
        tunnels.${tunnelId} = {
          credentialsFile = "/etc/${etcCredsName}";
          # Catch-all: any hostname without an explicit ingress rule gets 404.
          default = "http_status:404";
          ingress.${publicHost} = localOrigin;
        };
      };
    };
in
{
  den.provides.cloudflared-tunnel = subdomain: port:
    den.lib.parametric {
      inherit description;
      includes = [ (_: { nixos = tunnelNixos subdomain port; }) ];
    };
}