[Unit]
Description=Cloudflare Tunnel — chat.saiden.dev
After=network-online.target ttyd-chat.service
Wants=network-online.target
# Don't start tunnel if ttyd isn't there — origin would 502
Requires=ttyd-chat.service

[Service]
Type=simple
User=chi
Group=chi
WorkingDirectory=/home/chi
ExecStart=/usr/bin/cloudflared --no-autoupdate tunnel --config /etc/cloudflared/chat-saiden/chat-saiden.yml run
Restart=on-failure
RestartSec=5
StandardOutput=journal
StandardError=journal

NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=read-only
ReadOnlyPaths=/etc/cloudflared/chat-saiden
PrivateTmp=true

[Install]
WantedBy=multi-user.target