diff --git a/curacao/co2meter/default.nix b/curacao/co2meter/default.nix
new file mode 100644
index 0000000..f5181fc
--- /dev/null
+++ b/curacao/co2meter/default.nix
@@ -0,0 +1,71 @@
+{ pkgs, lib, config, ... }:
+let
+ zytemp_mqtt_src = pkgs.fetchFromGitHub {
+ owner = "patrislav1";
+ repo = "zytemp_mqtt";
+ rev = "a6be5e3082e1e10dee435cfb9643fb13e9a71c34"; # PR that adds humidity
+ sha256 = "sha256-cMWDi20isnbB6jlMzut7YyYB4te4bVFYXSgCEQWQnts=";
+ };
+ zytemp_mqtt = pkgs.python3Packages.buildPythonPackage
+ rec {
+ name = "zytemp_mqtt";
+ src = zytemp_mqtt_src;
+ propagatedBuildInputs = with pkgs.python3Packages; [ hidapi paho-mqtt pyaml ];
+ };
+ usb_zytemp_udev = pkgs.stdenv.mkDerivation {
+ pname = "usb-zytemp-udev-rules";
+ version = "unstable-2023-05-24";
+ src = zytemp_mqtt_src;
+
+ dontConfigure = true;
+ dontBuild = true;
+ dontFixup = true;
+
+ installPhase = ''
+ mkdir -p $out/lib/udev/rules.d
+ cp udev/90-usb-zytemp-permissions.rules $out/lib/udev/rules.d/90-usb-zytemp.rules
+ '';
+ };
+ mqtt_host = "192.168.7.53"; # Ludwig
+in
+{
+ config = {
+ environment.etc."zytempmqtt/config.yaml".text = lib.generators.toYAML { } {
+ decrypt = true;
+ mqtt_host = mqtt_host;
+ friendly_name = "Desk sensor";
+ };
+ services.udev.packages = [ usb_zytemp_udev ];
+ systemd = {
+ services.zytemp_mqtt = {
+ description = "Forward zyTemp CO2 sensor to MQTT";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ ExecStart = "${zytemp_mqtt}/bin/zytempmqtt";
+
+ # Hardening (hapazardeous)
+ CapabilityBoundingSet = "";
+ DynamicUser = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = false;
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ RemoveIPC = true;
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" "~@privileged" "~@resouces" ];
+ UMask = "0077";
+ };
+ };
+ };
+ };
+}
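Review bot: The last entry of `SystemCallFilter` in the `serviceConfig` hardening block is spelled `~@resouces`, which is not a systemd syscall group, so the intended `@resources` deny-list is not applied; systemd normally logs a parse warning and skips the unknown entry rather than failing the unit (worth confirming in the journal). The line should read `SystemCallFilter = [ "@system-service" "~@privileged" "~@resources" ];`. Running `systemd-analyze security zytemp_mqtt.service` after deployment will show what the sandbox actually enforces. Since the service appears to need only the HID device and an outbound MQTT connection, a `RestrictAddressFamilies` line and a why-comment on `MemoryDenyWriteExecute = false;` would also make the remaining exposure explicit.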
diff --git a/curacao/default.nix b/curacao/default.nix
index 8107c18..8cc1134 100644
--- a/curacao/default.nix
+++ b/curacao/default.nix
@@ -5,6 +5,7 @@
 };
 imports = [
 ./backup
+ ./co2meter
 ./dedup
 ./disko.nix
 ./features.nix