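# NixOS module for a single-purpose kiosk: Cage (a Wayland kiosk compositor)
# runs Firefox full-screen on the dashboard, with PipeWire for audio and
# Tailscale + OpenSSH for remote administration.
{ pkgs, lib, ... }:
let
  # Page the kiosk browser opens on start.
  dashboardUrl = "https://night.purduehackers.com";
in
{
  # Unprivileged account that owns the kiosk session.
  users.users.kiosk = {
    isNormalUser = true;
    group = "kiosk";
    # NOTE(review): the home lives under /tmp, a world-writable directory that
    # may be cleared on reboot. Presumably this is meant to keep the browser
    # profile disposable; confirm, and consider a dedicated state directory if
    # any other local account exists on the machine.
    home = "/tmp/kiosk";
  };
  users.groups.kiosk = { };

  # Caged kiosk session running Firefox as the kiosk user.
  services.cage = {
    enable = true;
    user = "kiosk";
    program = ''
      ${lib.getExe pkgs.firefox} \
        --kiosk \
        --private-window "${dashboardUrl}"
    '';
    extraArguments = [ "-d" ];
  };

  # Allow audio/video autoplay for the dashboard and disable the
  # default-browser check.
  # NOTE(review): these policies are presumably only written out when
  # programs.firefox.enable is set somewhere else in the configuration;
  # confirm they are actually applied on the device.
  programs.firefox.policies = {
    Permissions.Autoplay.Default = "allow-audio-video";
    Preferences."browser.shell.checkDefaultBrowser".Value = false;
    DontCheckDefaultBrowser = true;
  };

  # PipeWire with the PulseAudio shim for audio; rtkit for realtime scheduling.
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    pulse.enable = true;
  };

  systemd.services.cage-tty1 = {
    requires = [ "network-online.target" ];
    # `requires` only pulls the target in; it does not order the units.
    # Without `after`, the kiosk can start before the network is up and
    # Firefox would show a connection error instead of the dashboard.
    after = [ "network-online.target" ];
  };

  services.tailscale = {
    enable = true;
    extraUpFlags = [
      "--advertise-tags"
      "tag:kiosk"
    ];
    # SECURITY NOTE(review): this is a Nix path literal, so the file is copied
    # into /nix/store, which is readable by every local user (the kiosk account
    # included) and ends up in every closure copied from this machine. In a
    # flake it also has to be tracked by git. The file name suggests a
    # long-lived OAuth client secret, which would make the exposure worse.
    # Provision the secret outside the store and reference it as a string,
    # e.g. authKeyFile = "/run/secrets/<PLACEHOLDER>"; then rotate the
    # current credential.
    authKeyFile = ./tailscale-client-secret.key;
    authKeyParameters.ephemeral = false;
    openFirewall = true;
  };

  # Everything arriving on tailscale0 bypasses the host firewall, so access
  # control for this node rests entirely on the tailnet ACLs for tag:kiosk.
  networking.firewall.trustedInterfaces = [ "tailscale0" ];

  services.openssh = {
    enable = true;
    settings = {
      # Was "yes", which lets root authenticate with a password. Root login is
      # now limited to public keys; provision them through
      # users.users.root.openssh.authorizedKeys.keys before deploying.
      # NOTE(review): services.openssh opens its port on all interfaces by
      # default. If administration only ever happens over the tailnet, also
      # set services.openssh.openFirewall = false (tailscale0 stays reachable
      # because it is a trusted interface).
      PermitRootLogin = "prohibit-password";
    };
  };
}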