diff --git a/home/modules/runit/services/cloudflared.nix b/home/modules/runit/services/cloudflared.nix
new file mode 100644
index 0000000..a12f816
--- /dev/null
+++ b/home/modules/runit/services/cloudflared.nix
@@ -0,0 +1,26 @@
+{ pkgs, config, rootPath, ... }:
+
+let
+  tunnel = "cb0d9c2c-48f9-4bca-9e81-ef92423c5afa";
+in
+{
+  home.file.".cloudflared/${tunnel}.json".source = rootPath + /secrets/gitcrypt/cloudflared/${tunnel}.json;
+  home.file.".cloudflared/cert.pem".source = rootPath + /secrets/gitcrypt/cloudflared/cert.pem;
+  home.file.".cloudflared/config.yml".text = ''
+    tunnel: ${tunnel}
+    credentials-file: ${config.home.homeDirectory}/.cloudflared/${tunnel}.json
+
+    ingress:
+      - hostname: gist.toast.name
+        service: http://${config.runit.services.opengist.environment.OG_HTTP_HOST}:${config.runit.services.opengist.environment.OG_HTTP_PORT}
+
+      - service: http_status:404
+  '';
+
+  runit.services.cloudflared = {
+    script = ''
+      exec ${pkgs.cloudflared}/bin/cloudflared tunnel run
+    '';
+    log.enable = true;
+  };
+}
diff --git a/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json b/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json
new file mode 100644
index 0000000..46cd7b1
Binary files /dev/null and b/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json differ
diff --git a/secrets/gitcrypt/cloudflared/cert.pem b/secrets/gitcrypt/cloudflared/cert.pem
new file mode 100644
index 0000000..230ea54
Binary files /dev/null and b/secrets/gitcrypt/cloudflared/cert.pem differ