diff --git a/Dockerfile b/Dockerfile
index fa52e88..6ec963c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,19 @@
-ARG DEBIAN_RELEASE=buster
+ARG DEBIAN_RELEASE=bullseye
 FROM docker.io/debian:$DEBIAN_RELEASE-slim
 ARG DEBIAN_RELEASE
-COPY pubkey.gpg entrypoint.sh /
+COPY entrypoint.sh /
 ENV DEBIAN_FRONTEND noninteractive
 RUN true && \
 apt update && \
- apt install -y gnupg ca-certificates libcap2-bin haproxy && \
- apt-key add /pubkey.gpg && \
- echo "deb http://pkg.cloudflareclient.com/ $DEBIAN_RELEASE main" > /etc/apt/sources.list.d/cloudflare-client.list && \
+ apt install -y gnupg ca-certificates curl && \
+ curl https://pkg.cloudflareclient.com/pubkey.gpg | gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg && \
+ echo "deb [arch=amd64 signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] https://pkg.cloudflareclient.com/ $DEBIAN_RELEASE main" | tee /etc/apt/sources.list.d/cloudflare-client.list && \
 apt update && \
- apt install cloudflare-warp -y && \
+ apt install cloudflare-warp -y --no-install-recommends && \
+ apt remove -y curl ca-certificates && \
 apt clean -y && \
+ rm -rf /var/lib/apt/lists/* && \
 chmod +x /entrypoint.sh
-COPY haproxy.cfg /etc/haproxy/haproxy.cfg
 EXPOSE 40000/tcp
 ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/entrypoint.sh b/entrypoint.sh
index 7d9789e..4dbdc62 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -6,9 +6,8 @@ while ! warp-cli --accept-tos register; do
 >&2 echo "Awaiting warp-svc become online..."
 done
 warp-cli --accept-tos set-mode proxy
-warp-cli --accept-tos set-proxy-port 40001
+warp-cli --accept-tos set-proxy-port 40000
 warp-cli --accept-tos connect
-warp-cli enable haproxy -f /etc/haproxy/haproxy.cfg
 ) &
diff --git a/haproxy.cfg b/haproxy.cfg
deleted file mode 100644
index da6ec70..0000000
--- a/haproxy.cfg
+++ /dev/null
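Review bot: The added `curl https://pkg.cloudflareclient.com/pubkey.gpg | gpg --yes --dearmor …` step replaces the repository key that was pinned in this repo (`pubkey.gpg`, deleted by this commit) with whatever that URL serves at build time, so the apt trust anchor is no longer reviewable or reproducible. Keeping the vendored key and converting it locally preserves the `signed-by` improvement without the network fetch: `COPY pubkey.gpg entrypoint.sh /` and `gpg --yes --dearmor --output /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg /pubkey.gpg && \`. If the download stays, use `curl -fsSL` and compare the key fingerprint against a value committed in the repo before dearmoring; the default `/bin/sh` has no pipefail, so a failed curl is only caught if gpg happens to reject its input. Separately, `apt remove -y curl ca-certificates` leaves `gnupg` installed while removing the CA bundle, so it is worth confirming that warp-svc does not need that bundle at runtime.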
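Review bot: With haproxy gone, `set-proxy-port 40000` makes warp-svc's own listener the exposed port, and nothing in the hunk says which address it binds; the deleted haproxy.cfg was what accepted on `:40000` and relayed to `127.0.0.1:40001`. If the WARP proxy listens on loopback only (which the old relay suggests), a published port 40000 will not be reachable from outside the container; if it listens on all interfaces, the proxy is reachable without authentication wherever the port is published. A comment above the line would settle it, e.g. `# warp-svc now serves the proxy on 40000 itself; publish as 127.0.0.1:40000:40000 unless remote clients are intended`. The `while` loop and the enclosing subshell begin outside this hunk.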
@@ -1,40 +0,0 @@
-global
- stats timeout 30s
- daemon
-
- # Default SSL material locations
- ca-base /etc/ssl/certs
- crt-base /etc/ssl/private
-
- # Default ciphers to use on SSL-enabled listening sockets.
- # For more information, see ciphers(1SSL). This list is from:
- # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- # An alternative list with additional directives can be obtained from
- # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
- ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
- ssl-default-bind-options no-sslv3
-
-defaults
- log global
- #option httplog
- option dontlognull
- timeout connect 5000
- timeout client 0
- timeout server 0
- timeout tunnel 0
- errorfile 400 /etc/haproxy/errors/400.http
- errorfile 403 /etc/haproxy/errors/403.http
- errorfile 408 /etc/haproxy/errors/408.http
- errorfile 500 /etc/haproxy/errors/500.http
- errorfile 502 /etc/haproxy/errors/502.http
- errorfile 503 /etc/haproxy/errors/503.http
- errorfile 504 /etc/haproxy/errors/504.http
-
-frontend warp
- mode tcp
- bind :40000
- use_backend warp
-
-backend warp
- server warp 127.0.0.1:40001
-
diff --git a/pubkey.gpg b/pubkey.gpg
deleted file mode 100644
index 0ca77c5..0000000
--- a/pubkey.gpg
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGC6fSgBEADcsLdt3UbcPFzge7+ukvBtvHpgMZ8y36LxNCfjClbZjioRGwg2
-78mQdDSj1YBoQNVUtKV/6A1aFe9XJp5Hn40TM/CbI8RneKH9kUUyMqHWwjClAV8S
-dVa7FxgTTapN23bYAnxb0Z0yGfZTdDhTBjLG5OcH/59SNhzY9r2ToR5VjHhMGPV0
-qsQMfuknhSwbNCJLyQSEgh0vZKy4qdQOLCWEhZ0wccNQONXPcgIKw4nPCZubMI5P
-SJEaEL4RPJiacOFdkkWq7NOeU81L5YdwTKghIiC0LAw37/5PTkbu8tCAt3gnkbag
-UZQZW9FrKDuRQEJuBduFuMZBEtWTGqsAcOfrOT2pRahu953frHHhnv2/HohTGfM4
-PA9agFZlFXYMyxZvZr5VVQF8DSiq8h9iVJsrpdDaXeFniR6S8UkDFEVMEIzu5Zbu
-gTCe9ByZMnCz6L/KQrBf+v+FtEGxm82EBfxP1MWmh6hfRBhG4MsideUFfdxoazcl
-erItXSsufMuzetItT+AL4KQKpo1wygOk2cqBeqk16imUp8LFH27NiYDi80AvmGw+
-08k/UWAGuuZE+MqZhRGP4Xhc+IDJjiUj1qzj05Zg5kmbCZHwNujHMgTDIc41BkFU
-vcPDtadMEVNtU+O5WSoulJhVa+lcxiwqYBf4gbefUXyWRaEpY41aFQ2ITQARAQAB
-tDZDbG91ZGZsYXJlIFBhY2thZ2UgUmVwb3NpdG9yeSA8c3VwcG9ydEBjbG91ZGZs
-YXJlLmNvbT6JAlgEEwEIAEIWIQRnWaAqqcyol4MXMWBECPYng1uKywUCYLp9KAIb
-AwUJA8JnAAULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQRAj2J4NbissH
-YRAAy50sq5fFhyzregc+FPz9NPbagr/IlKheaJqninrDORHMgm+4zKtZaKegjpJR
-qh+jpvh2Lcfkgb/oXeg9SASvopt0jUfs+y6kfnYviFSySZrJGPFGCi5qliZOrFGm
-0B4dP4hiYa1cdt3pyscTu9O+yZIMxpIgx06L9SGrn3sg6uEuCjoQHFYjPFSSdomm
-iYGzPQQoI75gnkorctWy0E49DqipzAtpk7S9kS+pS/O9C+/YBcxs3iMVCbuB9mId
-xB24LAvcBF1lZUWrtd6Y3xxNdgLx1JqSRREyqh0safgtko736HUBTjCjve3cJryO
-3WGNmT+9+2YS3MbZMJw/HLaUaadByfZbe8ERRWGZBK85Iu4SDEJXtqyoAIgbaIrS
-QiWKggmQvJ/JkO3gZbpJV7zG4wYYVZ+qDPV8N+PXsDbNQAXsQ2FLMKCJcDSHVWdV
-xYc9aatqrei2kB+3u/1N4vzX02wL20yg5OQ2oPdceXOYqVG6BQlb/u6ivunhbxM+
-Y5bRWb2aT/2Ry52djxqsj+08KaL/ybjshjWITyLCVJA19Cg2JtSqOpZ8z1ED5h8A
-BS7vkeayWQ8osLCrVJaveAOvm94xf+ZptRCDrYbmzeyXWGS8qB33DRHEPGNzoGMJ
-wtEpBPfxh46uL2knvuFefJtxdoTttBko+S1wYQ5LHdaFFmI=
-=OiPd
------END PGP PUBLIC KEY BLOCK-----