{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (config.meta.mainUser) username;
in {
  environment.systemPackages = [pkgs.usbguard];
  services.usbguard = {
    IPCAllowedUsers = ["root" "${username}"];
    presentDevicePolicy = "allow";
    rules = ''
      allow with-interface equals { 08:*:* }

      # Reject devices with suspicious combination of interfaces
      reject with-interface all-of { 08:*:* 03:00:* }
      reject with-interface all-of { 08:*:* 03:01:* }
      reject with-interface all-of { 08:*:* e0:*:* }
      reject with-interface all-of { 08:*:* 02:*:* }
    '';
  };
}