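# NixOS module: mount a labelled USB stick on insertion and expose the SSH key
# pair it carries inside chaos's ~/.ssh through read-only bindfs views.
#
# Flow: udev sees a filesystem whose label is usb_label -> pulls in
# usb-automount.service -> the service runs the usb-on-insert script below.
{ lib, pkgs, ... }:
let
  # Filesystem label the udev rule matches on.
  usb_label = "my_usb";
  # Mount point for the stick; created by the tmpfiles rule below.
  usb_path = "/usb";
  # Directory on the stick that holds the key pair (chaos.priv / chaos.pub).
  key_dir = "${usb_path}/ssh-keys";
  # Where the bindfs views are presented.
  ssh_dir = "/home/chaos/.ssh";

  onInsert = pkgs.writeShellScriptBin "usb-on-insert" ''
    # writeShellScriptBin sets no shell options of its own, so fail fast here:
    # a failed findfs or mount must not fall through to the bindfs lines.
    set -eu

    # A stale mount from an earlier insertion is tolerated.
    umount ${usb_path} || true

    # Resolve the device by label explicitly. Previously an unquoted $(findfs)
    # that found nothing handed mount a command line with the device missing.
    dev=$(findfs LABEL=${usb_label}) || {
      echo "usb-on-insert: no filesystem labelled ${usb_label}" >&2
      exit 1
    }

    # NOTE(review): fmask/dmask take precedence over umask for files/dirs, so
    # umask=600 appears inert here (kept to leave the mount unchanged). With
    # 0022 masks every file on the stick, the private key included, is
    # readable by all local users under ${usb_path}; the 0700 bindfs view
    # below does not tighten the source mount. Consider 0077 masks if the
    # stick only carries key material.
    mount "$dev" -o rw,umask=600,uid=chaos,gid=root,fmask=0022,dmask=0022 ${usb_path}

    # bindfs needs existing mount targets; touch creates them if absent
    # (requires ${ssh_dir} to exist already).
    touch ${ssh_dir}/id_ed25519 ${ssh_dir}/id_ed25519.pub

    # Read-only, owner-only views so ssh accepts the key file permissions.
    bindfs -n -r -p 0700 -o nonempty ${key_dir}/chaos.priv ${ssh_dir}/id_ed25519
    bindfs -n -r -p 0700 -o nonempty ${key_dir}/chaos.pub ${ssh_dir}/id_ed25519.pub
  '';
in {
  # Mount point owned by chaos so the uid=chaos mount has a sensible parent.
  systemd.tmpfiles.rules = [ "d ${usb_path} - chaos root" ];

  # Triggered by the udev rule below; findfs/mount come from util-linux,
  # bindfs from its own package.
  systemd.services.usb-automount = {
    path = [ pkgs.util-linux pkgs.bindfs ];
    script = ''
      ${onInsert}/bin/usb-on-insert
    '';
  };

  # On hot-plug of a filesystem with the expected label, want the service and
  # keep the stick out of desktop "removable media" UIs.
  services.udev.extraRules = ''
    ACTION=="add", ENV{ID_FS_LABEL}=="${usb_label}", ENV{SYSTEMD_WANTS}="usb-automount.service", ENV{UDISKS_PRESENTATION_HIDE}="1"
  '';
}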