# straylight host module.
# Pulls in the shared desktop/QEMU/mcpkg/MCP configs, then relaxes the MCP
# agent's sandbox on this host only so it can run unikernel VMs, and wires up
# the ports and DNS straylight needs as it takes over the core role.
{ inputs, pkgs, lib, ... }:

let
  # Listeners straylight exposes: DNS (53), mc-proxy (443/8443/9443),
  # agent (9444), master (9555).
  coreTcpPorts = [ 53 443 8443 9443 9444 9555 ];
  coreUdpPorts = [ 53 ];

  # Group that owns /dev/kvm; granted to both the service and the mcp user.
  kvmGroup = "kvm";
in
{
  imports = [
    ./hardware-configuration.nix
    ../../configs/desktop.nix
    ../../configs/qemu.nix
    ../../configs/mcpkg.nix
    # MCP agent + mcp user (straylight is becoming the core host)
    ../../configs/mcp.nix
  ];

  config = {
    systemd.services.mcp-agent.serviceConfig = {
      # The shared mcp.nix sets PrivateDevices=true, which hides /dev/kvm and
      # /dev/net/tun from the agent. straylight is the unikernel host and must
      # boot Nanos VMs under QEMU/KVM and (Phase 2) manage TAP devices, so the
      # shared value is overridden here; mkForce makes this host win.
      PrivateDevices = lib.mkForce false;

      # Device nodes the agent regains. This is the whole device surface the
      # service gets back, so keep the list to exactly what QEMU/KVM and TAP
      # need. NOTE(review): with DeviceAllow= set, systemd's default
      # DevicePolicy=auto should enforce this as an allow-list rather than
      # exposing all of /dev — confirm on the running unit.
      DeviceAllow = [
        "/dev/kvm rw"
        "/dev/net/tun rw"
      ];
      SupplementaryGroups = [ kvmGroup ];

      # Needed for TAP management, which is Phase 2 work; it is granted now,
      # so the agent holds CAP_NET_ADMIN before anything uses it.
      # NOTE(review): ambient caps only take effect if the bounding set still
      # contains them — check whether mcp.nix sets CapabilityBoundingSet.
      AmbientCapabilities = [ "CAP_NET_ADMIN" ];
    };

    # Let the mcp user reach /dev/kvm directly as well.
    users.users.mcp.extraGroups = [ kvmGroup ];

    # Allow rootless containers (podman) to bind low ports: 53 for MCNS,
    # 443/8443/9443 for mc-proxy. This sysctl is host-wide, so every
    # unprivileged process on straylight may bind 53 and above, not just
    # podman.
    boot.kernel.sysctl = {
      "net.ipv4.ip_unprivileged_port_start" = 53;
    };

    networking = {
      firewall = {
        allowedTCPPorts = coreTcpPorts;
        allowedUDPPorts = coreUdpPorts;
      };

      # DNS: MCNS for internal zones first, public resolvers as fallback.
      # The first two entries look like private/overlay addresses and the
      # last two are public; if the MCNS resolvers fail, resolved will move
      # on to the public ones, so internal-zone lookups may then leave the
      # network — TODO confirm this is acceptable.
      nameservers = [
        "192.168.88.181"
        "100.95.252.120"
        "1.1.1.1"
        "8.8.8.8"
      ];
    };

    # Routing-only search domain ("~" prefix): queries under it are steered
    # to the configured resolvers without being used for name completion.
    services.resolved.domains = [ "~mcp.metacircular.net" ];
  };
}