{
  config,
  pkgs,
  lib,
  ...
}: {
  # For nautilius and iOS
  services.gvfs.enable = true;
  # iOS
  services.usbmuxd.enable = true;
  environment.systemPackages = with pkgs; [libimobiledevice idevicerestore];

  # https://unix.stackexchange.com/questions/592775/how-can-i-enable-apple-ios-fast-charge-support
  services.udev.extraRules = ''
    SUBSYSTEM=="usb", ACTION=="add", DRIVER=="apple-mfi-fastcharge", RUN+="/bin/sh -c 'echo Fast > /sys/class/power_supply/apple_mfi_fastcharge/charge_type'"
  '';

  users.users.root.openssh.authorizedKeys.keys = let
    ids = import ../../../identities.nix;
  in
    builtins.concatMap builtins.attrValues (builtins.attrValues ids);

  networking = {
    networkmanager.enable = lib.mkForce false;

    firewall.allowedTCPPorts = [
      8080

      # For 'localsend'
      # https://github.com/localsend/localsend?tab=readme-ov-file#setup
      53317
    ];

    # To enable roaming https://wiki.archlinux.org/title/Wpa_supplicant#Roaming
    wireless = {
      enable = true;
      userControlled.enable = true;
      secretsFile = config.age.secrets.wpa_password.path;
      scanOnLowSignal = false;
      networks = let
        # The higher the more preferred
        prio = i: lib.mapAttrs (_: conf: conf // {priority = i;});

        privatePrio = prio 10;
        limitedDataPrio = prio (-10);

        openNetworks = lib.flip lib.genAttrs (_: {});
        pskNetworks = let
          # wpa_supplicant uses `strchr` to seek to the first `=`, so the only forbidden character is `=`.
          escapePwdKey = lib.replaceStrings ["="] ["_"];
        in
          lib.flip lib.genAttrs (name: {pskRaw = "ext:${escapePwdKey name}";});
      in
        lib.mkMerge [
          (privatePrio (pskNetworks [
            "HiddenParadize@Earth2077"
            "Pei’s Wifi"
            "girlypop-net"
            "annapurna"
            "5526-1"

            "A-WAY"
            "CAT.jpgcafe"
            # TODO: Figure out how to configure networks of "same password, different ssid".
            #
            # In the following documentation, bssid can be used to match
            # Besides, is it possible to have duplicated SSID?
            # https://man.freebsd.org/cgi/man.cgi?wpa_supplicant.conf%285%29
            "LOUISA" # 區公所
            "LouisaCoffee" # 七張
            "MetroTaipei x Louisa" # 大安
          ]))

          (limitedDataPrio (pskNetworks [
            "iPhone de Léana 江"
          ]))

          (openNetworks [
            "_SNCF_WIFI_INOUI"
            "_WIFI_LYRIA"
            "EurostarTrainsWiFi"
            "SBB-FREE"
            "AOT Airport Free Wi-Fi by NT"
          ])

          # TODO: Delete this when my account is deactivated
          {
            eduroam = {
              authProtocols = ["WPA-EAP"];
              auth = ''
                pairwise=CCMP
                group=CCMP TKIP
                eap=PEAP
                ca_cert="${./certs/universite_de_rennes.pem}"
                identity="ychiang@etudiant.univ-rennes.fr"
                altsubject_match="DNS:radius.univ-rennes1.fr;DNS:radius1.univ-rennes1.fr;DNS:radius2.univ-rennes1.fr;DNS:vmradius-psf1.univ-rennes1.fr;DNS:vmradius-psf2.univ-rennes1.fr"
                phase2="auth=MSCHAPV2"
                password=ext:EDUROAM
                anonymous_identity="anonymous@univ-rennes.fr"
              '';
            };
          }

          # Other per-network configuration
          # bgscan has performance penalty so we don't enable it globally
          {
            "5526-1".extraConfig = ''
              bgscan="simple:30:-70:3600"
            '';
          }
        ];
    };
  };

  services.mullvad-vpn.enable = true;

  hardware.bluetooth.enable = true;
}