{
  pkgs,
  ...
}:
let
  desk_mqtt = pkgs.writers.writePython3 "desk_mqtt" {
    libraries = with pkgs.python3Packages; [
      pyusb
      ha-mqtt-discoverable
    ];
  } (builtins.readFile ./desk_mqtt.py);
  usb2lin06_udev = pkgs.writeTextFile {
    name = "usb2lin06-udev-rules";
    text = ''
      SUBSYSTEM=="usb", ATTR{idVendor}=="12d3", ATTR{idProduct}=="0002", MODE="0666"
    '';
    destination = "/lib/udev/rules.d/90-usb2lin06.rules";
  };
in
{
  config = {
    services.udev.packages = [ usb2lin06_udev ];
    systemd = {
      services.desk_mqtt = {
        description = "Control desk height via MQTT";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = "${desk_mqtt}";
          RestartSec = 10;
          Restart = "on-failure";

          # Hardening (hapazardeous)
          CapabilityBoundingSet = "";
          DynamicUser = true;
          LockPersonality = true;
          MemoryDenyWriteExecute = false;
          NoNewPrivileges = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          RemoveIPC = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          SystemCallArchitectures = "native";
          SystemCallFilter = [
            "@system-service"
            "~@privileged"
            "~@resources"
          ];
          UMask = "0077";
        };
      };
    };
  };
}