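{ config, pkgs, ... }:
{
  # Hardened OpenSSH
  services.openssh = {
    enable = true;
    ports = [ 22 ];

    settings = {
      # Authentication: public-key only, no root logins.
      PermitRootLogin = "no";
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitEmptyPasswords = false;

      # Security hardening: disable every forwarding feature.
      X11Forwarding = false;
      AllowTcpForwarding = false;
      AllowAgentForwarding = false;
      AllowStreamLocalForwarding = false;

      # Session settings: an unresponsive client is dropped after
      # ClientAliveInterval * ClientAliveCountMax seconds (10 min).
      ClientAliveInterval = 300;
      ClientAliveCountMax = 2;
      MaxAuthTries = 3;
      MaxSessions = 2;
      LoginGraceTime = 30;

      # Use only strong key exchange algos, ciphers and MACs.
      # These are set through `settings`, not `extraConfig`, on purpose:
      # NixOS already emits default KexAlgorithms/Ciphers/Macs lines from
      # `settings`, sshd honours only the first occurrence of a keyword,
      # and `extraConfig` is rendered after `settings` — so the same lines
      # placed in `extraConfig` would be silently ignored.
      KexAlgorithms = [ "curve25519-sha256@libssh.org" "curve25519-sha256" ];
      Ciphers = [ "chacha20-poly1305@openssh.com" "aes256-gcm@openssh.com" ];
      Macs = [ "hmac-sha2-512-etm@openssh.com" "hmac-sha2-256-etm@openssh.com" ];
    };
  };

  # Tailscale
  services.tailscale.enable = true;

  # Fwupd (firmware updates)
  services.fwupd.enable = true;

  # udev: give members of `plugdev` read/write access to the USB and hidraw
  # device nodes of two vendor IDs (presumably Keychron 3434 and ASUS 0b05
  # peripherals — verify) so they can be driven without root.
  # NOTE(review): NixOS does not create a `plugdev` group by default; confirm
  # `users.groups.plugdev` is defined elsewhere in this configuration,
  # otherwise the GROUP= assignment below has no effect.
  services.udev.extraRules = ''
    ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="3434", MODE="0660", GROUP="plugdev"
    ACTION=="add", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="3434", MODE="0660", GROUP="plugdev"
    ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0b05", MODE="0660", GROUP="plugdev"
    ACTION=="add", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0b05", MODE="0660", GROUP="plugdev"
  '';

  # Sunshine (game-streaming host)
  services.sunshine = {
    enable = true;
    autoStart = true;
    # Opens Sunshine's ports in the host firewall; this is not restricted to
    # the Tailscale interface, so the service is reachable from any network
    # the host is on.
    openFirewall = true;
    # Grants the Sunshine binary CAP_SYS_ADMIN (used for KMS screen capture).
    # This is a broad capability on a network-facing service; keep it only
    # while capture actually needs it.
    capSysAdmin = true;
  };

  # Advertise the host over mDNS so streaming clients can discover it.
  services.avahi.publish.enable = true;
  services.avahi.publish.userServices = true;
}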