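# NixOS module: opt-in USBGuard configuration, gated behind
# `modules.services.usbguard.enable`.
#
# When enabled it installs the usbguard package system-wide, turns on the
# upstream `services.usbguard` module and supplies a small static rule set.
{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (config.meta.mainUser) username;
  inherit (lib.modules) mkIf;
  inherit (lib.options) mkEnableOption;

  cfg = config.modules.services.usbguard;
in {
  options.modules.services.usbguard.enable = mkEnableOption "usbguard";

  config = mkIf cfg.enable {
    # Installed system-wide in addition to enabling the service below.
    environment.systemPackages = [pkgs.usbguard];

    services.usbguard = {
      enable = true;

      # Accounts allowed to talk to the daemon's IPC interface. Any process
      # running as one of these users can query the daemon and change device
      # authorization, so a compromise of the main user's session also
      # bypasses the policy below. Keep this list as short as possible.
      IPCAllowedUsers = ["root" username];

      # Devices already connected when the daemon starts are authorized
      # without being checked against `rules`. This avoids locking out the
      # boot keyboard, but a device plugged in before boot is trusted as-is.
      # NOTE(review): "apply-policy" would evaluate the rules for present
      # devices too; it needs explicit allow rules for the machine's own
      # input devices first. Confirm which trade-off is intended.
      presentDevicePolicy = "allow";

      # USBGuard reads one rule per line and the first matching rule wins, so
      # each rule below must stay on its own line: text following `#` on a
      # line is a comment, and a rule sharing a line with the comment would
      # never be evaluated.
      #
      # Interface classes used: 08 = mass storage, 03:00 / 03:01 = HID
      # (no subclass / boot interface), e0 = wireless controller,
      # 02 = communications.
      #
      # The allow rule uses `equals`, so it only matches devices that expose
      # nothing but mass-storage interfaces. The reject rules catch storage
      # devices that also present as keyboard/HID, wireless or network
      # adapters. Devices matching no rule fall through to the implicit
      # policy target, which this module leaves at its default.
      rules = ''
        allow with-interface equals { 08:*:* }
        # Reject devices with suspicious combination of interfaces
        reject with-interface all-of { 08:*:* 03:00:* }
        reject with-interface all-of { 08:*:* 03:01:* }
        reject with-interface all-of { 08:*:* e0:*:* }
        reject with-interface all-of { 08:*:* 02:*:* }
      '';
    };
  };
}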