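# NixOS module: polkit rules, KWallet PAM hooks, rtkit, passwordless sudo
# entries for the wheel group, and agenix secret declarations.
#
# Line breaks are restored here. With the file collapsed onto one line, the
# `//` comments inside the polkit rule and the `#` comment after the kwallet
# package would swallow everything that follows them, and the first sudoers
# entry was split between `NOPASSWD:` and its command.
{ pkgs, ... }:
{
  security.polkit = {
    enable = true;

    # Rule 1: any subject in group "users" is answered YES for reboot and
    # power-off, including the *-multiple-sessions variants (other users still
    # logged in). Only group membership is tested; the rule does not look at
    # subject.local or subject.active, so a remote session of such a user gets
    # the same answer. Add those conditions if only console users should be
    # able to shut the machine down.
    #
    # Rule 2: members of group "storage" are answered YES for the listed
    # udisks/udisks2 actions. The list includes the *-other-seat actions and
    # encrypted-unlock-system, which udisks2 normally reserves for
    # administrator authentication, so "storage" membership should be handed
    # out as a privileged group. An action id that is not in the table yields
    # undefined, which leaves the decision to later rules and the defaults.
    extraConfig = ''
      polkit.addRule(function (action, subject) {
        if (
          subject.isInGroup("users") &&
          [
            "org.freedesktop.login1.reboot",
            "org.freedesktop.login1.reboot-multiple-sessions",
            "org.freedesktop.login1.power-off",
            "org.freedesktop.login1.power-off-multiple-sessions",
          ].indexOf(action.id) !== -1
        ) {
          return polkit.Result.YES;
        }
      });

      polkit.addRule(function(action, subject) {
        var YES = polkit.Result.YES;
        var permission = {
          // required for udisks1:
          "org.freedesktop.udisks.filesystem-mount": YES,
          "org.freedesktop.udisks.luks-unlock": YES,
          "org.freedesktop.udisks.drive-eject": YES,
          "org.freedesktop.udisks.drive-detach": YES,
          // required for udisks2:
          "org.freedesktop.udisks2.filesystem-mount": YES,
          "org.freedesktop.udisks2.encrypted-unlock": YES,
          "org.freedesktop.udisks2.eject-media": YES,
          "org.freedesktop.udisks2.power-off-drive": YES,
          // required for udisks2 if using udiskie from another seat (e.g. systemd):
          "org.freedesktop.udisks2.filesystem-mount-other-seat": YES,
          "org.freedesktop.udisks2.filesystem-unmount-others": YES,
          "org.freedesktop.udisks2.encrypted-unlock-other-seat": YES,
          "org.freedesktop.udisks2.encrypted-unlock-system": YES,
          "org.freedesktop.udisks2.eject-media-other-seat": YES,
          "org.freedesktop.udisks2.power-off-drive-other-seat": YES
        };
        if (subject.isInGroup("storage")) {
          return permission[action.id];
        }
      });
    '';
  };

  security.pam.services = {
    # NOTE(review): enableKwallet looks like the older spelling of
    # kwallet.enable; both are set to true here. Presumably one of them is
    # redundant -- confirm against the NixOS release in use.
    login.enableKwallet = true;
    login.kwallet = {
      enable = true;
      package = pkgs.plasma5Packages.kwallet-pam; # Comment for plasma6
    };

    sddm = {
      enableKwallet = true;
      # Both pam_kwallet5 entries are "optional", so a failure of the module
      # does not by itself fail authentication or session setup.
      # NOTE(review): this assumes `text` is combined with the PAM stack the
      # sddm module defines rather than replacing it. Inspect the generated
      # /etc/pam.d/sddm to confirm the required auth modules are still there.
      text = ''
        # Enable pam_kwallet5 for sddm
        auth optional pam_kwallet5.so
        session optional pam_kwallet5.so auto_start
      '';
    };
  };

  # NOTE(review): attributes under security.pam.services are PAM service
  # names (login, sddm, ...). "wayne" reads like a user name; confirm that
  # some program really opens a PAM service called "wayne", otherwise these
  # two lines have no effect on logins.
  security.pam.services.wayne.kwallet.enable = true;
  security.pam.services.wayne.kwallet.package = pkgs.plasma5Packages.kwallet-pam;

  security.rtkit.enable = true;

  security.sudo = {
    enable = true;
    # NOPASSWD means any process running as a member of wheel can run these
    # commands as root without a prompt. The two input-remapper entries carry
    # no argument list, so sudo accepts arbitrary arguments for them; review
    # what those binaries do with caller-supplied arguments and paths when
    # run as root. The systemctl entry is pinned to exactly
    # "restart display-manager".
    # NOTE(review): confirm systemctl really exists at /run/wrappers/bin on
    # this host; if it does not, the third rule never matches.
    extraConfig = ''
      %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-service
      %wheel ALL=(ALL) NOPASSWD: ${pkgs.input-remapper}/bin/input-remapper-control
      %wheel ALL=(ALL) NOPASSWD: /run/wrappers/bin/systemctl restart display-manager
    '';
  };

  # agenix: the .age files are decrypted with the host's SSH ed25519 private
  # key. Anyone who can read that key can decrypt every secret listed here,
  # so it must stay root-only and out of backups and images that are shared.
  # No owner or mode is set on the secrets, so the agenix defaults apply --
  # check that the consuming services can read them and nothing else can.
  age = {
    identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
      nextcloud = {
        file = ../secrets/nextcloud.age;
      };
      # NOTE(review): secret name "wayne" points at whayes.age -- confirm the
      # differing names are intentional.
      wayne = {
        file = ../secrets/whayes.age;
      };
      onlyoffice = {
        file = ../secrets/onlyoffice-jwt.age;
      };
      pia = {
        file = ../secrets/pia.age;
      };
    };
  };
}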