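# NixOS module: runs prometheus-statsd-exporter as a hardened, DynamicUser
# systemd service that receives StatsD datagrams on localhost and serves
# Prometheus metrics on TCP 9102.
{pkgs, ...}: {
  systemd.services."prometheus-statsd-exporter" = {
    enable = true;
    # Started together with the Mastodon units so the exporter is up whenever
    # they emit StatsD traffic.
    wantedBy = [
      "multi-user.target"
      "mastodon-web.service"
      "mastodon-sidekiq.service"
      "mastodon-streaming.service"
    ];
    after = ["network.target"];
    serviceConfig = {
      Restart = "always";
      PrivateTmp = true;
      WorkingDirectory = "/tmp";
      DynamicUser = true;
      # Sandboxing: empty capability set, no device access, read-only view of
      # the system, no new privileges.
      CapabilityBoundingSet = [""];
      DeviceAllow = [""];
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectSystem = "strict";
      RemoveIPC = true;
      # Only the IP families needed for the two listeners configured below.
      RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      UMask = "0077";
      # Fixed from `ExeStart`: systemd does not know that key, so the unit had
      # no start command at all. The flag names are also corrected to the
      # exporter's real options (`--web.listen-address`, `--statsd.listen-udp`);
      # the misspelled ones would have been rejected at startup.
      ExecStart = ''
        ${pkgs.prometheus-statsd-exporter}/bin/prometheus-statsd-exporter \
          --web.listen-address="[::]:9102" \
          --statsd.listen-udp="127.0.0.1:9125"
      '';
    };
  };
  # The metrics endpoint binds to all interfaces; the firewall only opens it
  # on the WireGuard link so scrapes must come over the tunnel.
  networking.firewall.interfaces."wg0".allowedTCPPorts = [9102];
}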