diff --git a/hosts/12kingdoms-shoukei/default.nix b/hosts/12kingdoms-shoukei/default.nix
index 5f39e75c..ae1c2146 100644
--- a/hosts/12kingdoms-shoukei/default.nix
+++ b/hosts/12kingdoms-shoukei/default.nix
@@ -10,12 +10,14 @@
 #############################################################
 let
   hostName = "shoukei"; # Define your hostname.
-in {
+in
+{
   imports = [
     ./hardware-configuration.nix
     ../idols-ai/preservation.nix
   ];
 
+  # disable sunshine for securrity
   services.sunshine.enable = lib.mkForce false;
 
   networking = {
diff --git a/hosts/idols-ai/default.nix b/hosts/idols-ai/default.nix
index 0caefb5f..43f38d45 100644
--- a/hosts/idols-ai/default.nix
+++ b/hosts/idols-ai/default.nix
@@ -1,4 +1,4 @@
-{myvars, ...}:
+{ myvars, lib, ... }:
 #############################################################
 #
 #  Ai - my main computer, with NixOS + I5-13600KF + RTX 4090 GPU, for gaming & daily use.
@@ -11,7 +11,8 @@ let
   inherit (myvars.networking.hostsAddr.${hostName}) iface ipv4 ipv6;
   ipv4WithMask = "${ipv4}/24";
   ipv6WithMask = "${ipv6}/64";
-in {
+in
+{
   imports = [
     ./netdev-mount.nix
     # Include the results of the hardware scan.
@@ -23,6 +24,8 @@ in {
     ./secureboot.nix
   ];
 
+  services.sunshine.enable = lib.mkForce true;
+
   networking = {
     inherit hostName;
 
@@ -35,7 +38,7 @@ in {
   systemd.network.enable = true;
 
   systemd.network.networks."10-${iface}" = {
-    matchConfig.Name = [iface];
+    matchConfig.Name = [ iface ];
     networkConfig = {
       Address = [
         ipv4WithMask
diff --git a/hosts/idols-ai/nvidia.nix b/hosts/idols-ai/nvidia.nix
index 6199f1c4..5aff5530 100644
--- a/hosts/idols-ai/nvidia.nix
+++ b/hosts/idols-ai/nvidia.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, lib, ... }:
 {
   # ===============================================================================================
   # for Nvidia GPU
@@ -38,4 +38,11 @@
       # };
     })
   ];
+
+  services.sunshine.settings = {
+    max_bitrate = 20000; # in Kbps
+    # NVIDIA NVENC Encoder
+    nvenc_preset = 3; # 1(fastest + worst quality) - 7(slowest + best quality)
+    nvenc_twopass = "full_res"; # quarter_res / full_res.
+  };
 }
diff --git a/modules/nixos/base/networking.nix b/modules/nixos/base/networking.nix
index bdc4ce49..7321fc7f 100644
--- a/modules/nixos/base/networking.nix
+++ b/modules/nixos/base/networking.nix
@@ -1,4 +1,5 @@
 {
+  # for security reasons, only open the following ports to the network by default.
   networking.firewall.allowedTCPPorts = [
     # localsend
     53317
diff --git a/modules/nixos/desktop/clash-verge.nix b/modules/nixos/desktop/networking/clash-verge.nix
similarity index 100%
rename from modules/nixos/desktop/clash-verge.nix
rename to modules/nixos/desktop/networking/clash-verge.nix
diff --git a/modules/nixos/desktop/networking/default.nix b/modules/nixos/desktop/networking/default.nix
new file mode 100644
index 00000000..049dda93
--- /dev/null
+++ b/modules/nixos/desktop/networking/default.nix
@@ -0,0 +1,4 @@
+{ mylib, ... }:
+{
+  imports = mylib.scanPaths ./.;
+}
diff --git a/modules/nixos/desktop/networking/remote-desktop.nix b/modules/nixos/desktop/networking/remote-desktop.nix
new file mode 100644
index 00000000..8a4753a7
--- /dev/null
+++ b/modules/nixos/desktop/networking/remote-desktop.nix
@@ -0,0 +1,42 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    moonlight-qt # moonlight client, for streaming games/desktop from a PC
+  ];
+
+  # ===============================================================================
+  #
+  # Sunshine: A self-hosted game stream server for Moonlight(Client).
+  # It's designed for game streaming, but it can be used for remote desktop as well.
+  #
+  # How to use:
+  #  1. setup user via Web Console: <https://localhost:47990/>):
+  #  2. on another machine, connect to sunshine on via moonlight-qt client
+  #
+  # Docs:
+  #  https://docs.lizardbyte.dev/projects/sunshine/latest/index.html
+  #
+  # Check Service Status
+  #   systemctl --user status sunshine
+  # Check logs
+  #   journalctl --user -u sunshine --since "2 minutes ago"
+  #
+  # References:
+  #   https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/networking/sunshine.nix
+  #
+  # ===============================================================================
+  services.sunshine = {
+    enable = false; # default to false, for security reasons.
+    autoStart = true;
+    capSysAdmin = true; # only needed for Wayland -- omit this when using with Xorg
+    openFirewall = true;
+    settings = {
+      # pc  - Only localhost may access the web ui
+      # lan - Only LAN devices may access the web ui
+      origin_web_ui_allowed = "pc";
+      # 2   -	encryption is mandatory and unencrypted connections are rejected
+      lan_encryption_mode = 2;
+      wan_encryption_mode = 2;
+    };
+  };
+}
diff --git a/modules/nixos/desktop/remote-desktop/tailscale.nix b/modules/nixos/desktop/networking/tailscale.nix
similarity index 100%
rename from modules/nixos/desktop/remote-desktop/tailscale.nix
rename to modules/nixos/desktop/networking/tailscale.nix
diff --git a/modules/nixos/desktop/remote-desktop/README.md b/modules/nixos/desktop/remote-desktop/README.md
deleted file mode 100644
index e8330dd9..00000000
--- a/modules/nixos/desktop/remote-desktop/README.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Remote Desktop
-
-1. **X11**: We have `xrdp` & `ssh -x` for remote desktop access, which works well for most use
-   cases.
-2. **Wayland**: (not tested)
-3. `waypipe`: similar to `ssh -X`, transfer wayland data over a ssh connection.
-4. [rustdesk](https://github.com/rustdesk/rustdesk): a remote desktop client/server written in rust.
-5. confirmed broken currently:
-   <https://www.reddit.com/r/rustdesk/comments/1912373/rustdesk_on_hyprland/>
-6. [sunshine server](https://github.com/LizardByte/Sunshine) +
-   [moonlight client](https://github.com/moonlight-stream): It's designed for game streaming, but it
-   can be used for remote desktop as well.
-7. broken currently: <https://github.com/LizardByte/Sunshine/pull/1977>
diff --git a/modules/nixos/desktop/remote-desktop/default.nix b/modules/nixos/desktop/remote-desktop/default.nix
deleted file mode 100644
index feacd8da..00000000
--- a/modules/nixos/desktop/remote-desktop/default.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{
-  pkgs,
-  mylib,
-  ...
-}:
-{
-  imports = mylib.scanPaths ./.;
-
-  environment.systemPackages = with pkgs; [
-    waypipe
-    moonlight-qt # moonlight client, for streaming games/desktop from a PC
-  ];
-}
diff --git a/modules/nixos/desktop/remote-desktop/sunshine.nix b/modules/nixos/desktop/remote-desktop/sunshine.nix
deleted file mode 100644
index c90b15e6..00000000
--- a/modules/nixos/desktop/remote-desktop/sunshine.nix
+++ /dev/null
@@ -1,25 +0,0 @@
-# ===============================================================================
-#
-# Sunshine: A self-hosted game stream server for Moonlight(Client).
-# It's designed for game streaming, but it can be used for remote desktop as well.
-#
-# How to use(Web Console: <https://localhost:47990/>):
-#  https://docs.lizardbyte.dev/projects/sunshine/en/latest/about/usage.html
-#
-# Check Service Status
-#   systemctl --user status sunshine
-# Check logs
-#   journalctl --user -u sunshine --since "2 minutes ago"
-#
-# References:
-#   https://github.com/NixOS/nixpkgs/blob/nixos-25.05/nixos/modules/services/networking/sunshine.nix
-#
-# ===============================================================================
-{
-  services.sunshine = {
-    enable = true;
-    autoStart = true;
-    capSysAdmin = true; # only needed for Wayland -- omit this when using with Xorg
-    openFirewall = true;
-  };
-}