{ config, pkgs, ... }:

{
  # Enable the OpenSSH daemon
  services.openssh.enable = true;

  # Sleep configuration optimized for NVIDIA
  systemd.sleep.extraConfig = ''
    AllowSuspend=yes
    AllowHibernation=no
    AllowHybridSleep=no
    AllowSuspendThenHibernate=no
  '';

  services.sunshine = {
    enable = true;
    autoStart = true;
    capSysAdmin = true;
    openFirewall = true;
    package = pkgs.sunshine.override {
      cudaSupport = true;
    };    
  };

  # Tailscale
  services.tailscale.enable = true;

  # Docker
  virtualisation.docker.enable = true;

  # Fwupd
  services.fwupd.enable = true;

  # udev
  services.udev.extraRules = ''
    # --- Rules for WebHID/WebUSB Permissions for Keychron Devices ---
    # These rules aim to make ALL Keychron devices accessible to users in the 'plugdev' group,
    # or the 'users' group, so browsers (running as that user) can potentially interact.

    # This rule targets any Keychron device by its Vendor ID.
    # It sets the group to 'plugdev' (or 'users') and grants read/write permissions.
    #
    # Considerations:
    # 1. 'SUBSYSTEMS=="usb"': Matches devices within the USB subsystem, broad enough for WebUSB/WebHID.
    # 2. 'ATTRS{idVendor}=="3434"': Specifically targets Keychron devices.
    # 3. 'MODE="0660"': Grants read/write to owner (root) and group (plugdev/users).
    # 4. 'GROUP="plugdev"': Assigns the 'plugdev' group. You might use 'users' or 'your-username-group'
    #    if 'plugdev' isn't suitable or doesn't exist on your system.
    #    The group used here must be one that your *browser's user process* is a member of.
    #
    # IMPORTANT: Do NOT use this rule for your primary system keyboard/mouse
    # if you want to prevent web pages from *potentially* messing with them.
    # For a general-purpose keyboard, the OS typically blacklists it from WebHID.
    # This rule is most useful for custom peripherals or secondary devices.
    ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="3434", MODE="0660", GROUP="plugdev"
    ACTION=="add", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", MODE="0660", GROUP="plugdev"

    # You might also include specific product IDs if you only want to grant access to certain Keychron models:
    # ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="d030", MODE="0660", GROUP="plugdev"
    # ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="0e20", MODE="0660", GROUP="plugdev"
    # ACTION=="add", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="d030", MODE="0660", GROUP="plugdev"
    # ACTION=="add", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", ATTRS{idProduct}=="0e20", MODE="0660", GROUP="plugdev"
  '';
}