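# Auto-mounts a LUKS-encrypted USB partition when it is plugged in and tears the
# mount down again when it is removed. The LUKS passphrase is read from a file
# under /secrets, so that file must be readable by root only.
{ lib, pkgs, ... }:
let
  # Device path, mountpoint and GPT partition label come from the shared data file.
  usb_data = import ../data/usb_data.nix {};

  # Name of the device-mapper node that holds the unlocked (plaintext) view.
  mapper_name = "usb_unencrypted_afterboot";
  mapper_path = "/dev/mapper/${mapper_name}";

  # Root-only file holding the LUKS passphrase.
  passphrase_file = "/secrets/usb_encryption_passphrase";

  # Unlock the encrypted partition and mount it read-write.
  mount_usb = pkgs.writeShellScriptBin "mount_usb" ''
    # Abort at the first failure after the best-effort cleanup: without this a
    # failed unlock (or an unreadable passphrase file feeding an empty pipe)
    # would still be followed by a doomed, noisy mount call.
    set -euo pipefail

    # Best-effort cleanup of a stale mount/mapping left by an unclean removal
    # (e.g. the stick was yanked and usb-unmount could not close the mapper).
    umount ${usb_data.mountpoint} || true
    cryptsetup close ${mapper_name} || true

    if [ ! -r ${passphrase_file} ]; then
      echo "mount_usb: passphrase file ${passphrase_file} is missing or unreadable" >&2
      exit 1
    fi

    # Feed the passphrase over stdin rather than via argv or --key-file:
    # cryptsetup reads a newline-terminated passphrase from a non-tty stdin
    # (stripping the newline, which --key-file would keep), and the secret never
    # shows up in the process list. The former trailing "-" positional argument
    # was not needed for this and has been dropped.
    cat ${passphrase_file} | cryptsetup luksOpen ${usb_data.encrypted_path} ${mapper_name}

    # NOTE(review): the filesystem is mounted plain rw; consider adding
    # nosuid,nodev (and noexec where appropriate) unless the stick is trusted
    # to carry setuid binaries or device nodes.
    mount ${mapper_path} -o rw ${usb_data.mountpoint}
  '';

  # Unmount and re-lock. Every step is best-effort because this normally runs
  # after the backing device has already disappeared.
  unmount_usb = pkgs.writeShellScriptBin "unmount_usb" ''
    # -f/-l: force and lazy, since the device is usually gone already;
    # -R: also detach anything mounted beneath the mountpoint.
    umount -flR ${usb_data.mountpoint} || true
    # May still fail with "device busy" right after a lazy unmount; mount_usb
    # repeats this close before the next unlock, so a stale mapping self-heals.
    cryptsetup close ${mapper_name} || true
  '';
in {
  # Expose both helpers for manual use (they need root to do anything useful).
  environment.systemPackages = [ mount_usb unmount_usb ];

  # Create the mountpoint at boot, owned by user "chaos", group root.
  systemd.tmpfiles.rules = [ "d ${usb_data.mountpoint} - chaos root" ];

  # oneshot: the unit only counts as started once the unlock and mount have
  # actually completed, so a manual "systemctl start usb-mount" blocks on it
  # and a failed unlock is reported as a failed unit.
  systemd.services.usb-mount = {
    path = [ pkgs.util-linux pkgs.cryptsetup ];
    serviceConfig.Type = "oneshot";
    script = ''
      ${mount_usb}/bin/mount_usb
    '';
  };

  systemd.services.usb-unmount = {
    path = [ pkgs.util-linux pkgs.cryptsetup ];
    serviceConfig.Type = "oneshot";
    script = ''
      ${unmount_usb}/bin/unmount_usb
    '';
  };

  # Match the partition by its GPT label only. Any stick carrying that label
  # triggers an unlock attempt with the stored passphrase; a foreign stick
  # cannot be unlocked, but cryptsetup still parses its LUKS header as root.
  # UDISKS_PRESENTATION_HIDE keeps desktop automounters from racing this unit.
  # NOTE(review): systemd documents SYSTEMD_WANTS as acted on when a device
  # appears; confirm the "remove" rule really starts usb-unmount.service on
  # your systemd version, otherwise bind usb-mount to the device unit and do
  # the teardown in ExecStop instead.
  services.udev.extraRules = ''
    ACTION=="add", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-mount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
    ACTION=="remove", ENV{PARTNAME}=="${usb_data.encrypted_partlabel}", ENV{SYSTEMD_WANTS}="usb-unmount.service"
  '';
}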