diff --git a/common/server/cloudflared.nix b/common/server/cloudflared.nix
new file mode 100644
index 0000000..a8757bb
--- /dev/null
+++ b/common/server/cloudflared.nix
@@ -0,0 +1,58 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.cloudflared;
+ settingsFormat = pkgs.formats.yaml { };
+in
+{
+ meta.maintainers = with maintainers; [ pmc ];
+
+ options = {
+ services.cloudflared = {
+ enable = mkEnableOption "cloudflared";
+ package = mkOption {
+ type = types.package;
+ default = pkgs.cloudflared;
+ description = "The cloudflared package to use";
+ example = literalExpression ''pkgs.cloudflared'';
+ };
+ config = mkOption {
+ type = settingsFormat.type;
+ description = "Contents of the config.yaml as an attrset; see https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/configuration-file for documentation on the contents";
+ example = literalExpression ''
+ {
+ url = "http://localhost:3000";
+ tunnel = "505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf";
+ credentials-file = "/var/lib/cloudflared/505c8dd1-e4fb-4ea4-b909-26b8f61ceaaf.json";
+ }
+ '';
+ };
+
+ configFile = mkOption {
+ type = types.path;
+ description = "Path to cloudflared config.yaml.";
+ example = literalExpression ''"/etc/cloudflared/config.yaml"'';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable ({
+ # Prefer the config file over settings if both are set.
+ services.cloudflared.configFile = mkDefault (settingsFormat.generate "cloudflared.yaml" cfg.config);
+
+ systemd.services.cloudflared = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ description = "Cloudflare Argo Tunnel";
+ serviceConfig = {
+ TimeoutStartSec = 0;
+ Type = "notify";
+ ExecStart = "${cfg.package}/bin/cloudflared --config ${cfg.configFile} --no-autoupdate tunnel run";
+ Restart = "on-failure";
+ RestartSec = "5s";
+ };
+ };
+ });
+}
\ No newline at end of file
diff --git a/common/server/default.nix b/common/server/default.nix
index 7101367..1a9ab4a 100644
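Review bot: The unit declared in the `systemd.services.cloudflared` block runs as root with no confinement — `serviceConfig` sets neither `User` nor `DynamicUser` and no hardening directives — although the process is long-lived, network-facing and holds the tunnel credential named by `credentials-file`. A dedicated system user plus the usual systemd sandboxing would bound what a compromised cloudflared can reach; the credential file then has to be readable by that user (with agenix, via the secret's `owner`/`group` options). Separately, `settingsFormat.generate` renders `cfg.config` into the world-readable Nix store, so the `config` option description should state that only paths, never secret values such as tokens, belong in the attrset; the `credentials-file` example already follows that pattern. Suggested changes to the module body:
```nix
  config = mkIf cfg.enable ({
    # … unchanged: configFile default …

    users.users.cloudflared = {
      isSystemUser = true;
      group = "cloudflared";
    };
    users.groups.cloudflared = { };

    systemd.services.cloudflared = {
      # … unchanged: wantedBy, after, description …
      serviceConfig = {
        User = "cloudflared";
        Group = "cloudflared";
        NoNewPrivileges = true;
        ProtectSystem = "strict";
        ProtectHome = true;
        PrivateTmp = true;
        # … unchanged: TimeoutStartSec, Type, ExecStart, Restart, RestartSec …
      };
    };
  });
```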
--- a/common/server/default.nix
+++ b/common/server/default.nix
@@ -13,5 +13,6 @@
 ./privatebin/privatebin.nix
 ./radio.nix
 ./samba.nix
+ ./cloudflared.nix
 ];
 }
\ No newline at end of file
diff --git a/machines/storage/s0/configuration.nix b/machines/storage/s0/configuration.nix
index c412acc..80b5376 100644
--- a/machines/storage/s0/configuration.nix
+++ b/machines/storage/s0/configuration.nix
@@ -143,6 +143,17 @@
 proxyWebsockets = true;
 };
 
+ # navidrome over cloudflare
+ services.cloudflared = {
+ enable = true;
+ config = {
+ url = config.services.nginx.virtualHosts."music.s0".locations."/".proxyPass;
+ tunnel = "5975c2f1-d1f4-496a-a704-6d89ccccae0d";
+ credentials-file = "/run/agenix/cloudflared-navidrome.json";
+ };
+ };
+ age.secrets."cloudflared-navidrome.json".file = ../../../secrets/cloudflared-navidrome.json.age;
+
 nixpkgs.overlays = [
 (final: prev: {
 radarr = prev.radarr.overrideAttrs (old: rec {
diff --git a/secrets/cloudflared-navidrome.json.age b/secrets/cloudflared-navidrome.json.age
new file mode 100644
index 0000000..4c157bc
Binary files /dev/null and b/secrets/cloudflared-navidrome.json.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5caeab8..fb0905b 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -16,4 +16,5 @@ in
 "iodine.age".publicKeys = all;
 "spotifyd.age".publicKeys = all;
 "wolframalpha.age".publicKeys = all;
-}
\ No newline at end of file
+ "cloudflared-navidrome.json.age".publicKeys = all;
+}
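Review bot: In the configuration.nix hunk, `url` is taken from the nginx `proxyPass` of the `music.s0` virtual host, so cloudflared reaches the navidrome upstream directly and whatever that vhost configures for ordinary clients (TLS, websocket proxying, any access restrictions it may carry) does not apply to requests arriving through the tunnel. If that is intended, say so next to the assignment, e.g. `# tunnel targets the navidrome upstream directly; the nginx music.s0 vhost is bypassed`; if the vhost enforces controls that tunnel clients should also pass through, point `url` at the nginx listener instead — which of the two holds is not visible from this hunk. The secret is declared with only `.file`, which as far as I recall leaves agenix's root-only ownership and mode; that matches the unit running as root today, but if the service is ever moved to its own user, `age.secrets."cloudflared-navidrome.json".owner` needs to be set to match. The enclosing module attrset starts and ends outside the hunk.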