{ config, pkgs, lib, ... }:

with lib;

{
  options.services.aiWorkerAccess = mkOption {
    type = types.bool;
    default = false;
    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
  };

  config = mkIf config.services.aiWorkerAccess {
    # ai-worker is member of docker group - can run docker commands via SSH
    # No bind mounts, no sudo access - docker-only for ollama benchmarking
    users.groups.docker.members = [ "ai-worker" ];
  };
}