diff --git a/lib/default.nix b/lib/default.nix
index 450f485..a5766e7 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -11,7 +11,7 @@
   haskell = import ./haskell.nix {
     inherit lib nixpkgs;
     inherit (cabal) getTestedWithVersions;
   };
-  systemd = import ./systemd;
+  systemd = import ./systemd { inherit lib; };
   types = import ./types.nix { inherit lib; };
diff --git a/lib/systemd/default.nix b/lib/systemd/default.nix
index fece4e7..f595ed3 100644
--- a/lib/systemd/default.nix
+++ b/lib/systemd/default.nix
@@ -1,3 +1,4 @@
+{ lib }:
 {
   hardeningProfiles = import ./profiles.nix;
@@ -5,4 +6,9 @@
   hardenServices = import ./harden-services.nix;
   userLevelServices = import ./user-level-services.nix;
+
+  withHardeningProfile = profile: serviceConfig: lib.mkMerge [
+    (builtins.mapAttrs (_: lib.mkDefault) profile)
+    serviceConfig
+  ];
 }
diff --git a/lib/systemd/profiles.nix b/lib/systemd/profiles.nix
index b8cced0..cc41871 100644
--- a/lib/systemd/profiles.nix
+++ b/lib/systemd/profiles.nix
@@ -42,7 +42,6 @@ rec {
   # "~CLONE_NEWUTS"
   # ];
   RestrictNamespaces = "yes";
-  DeviceAllow = "no";
   IPAddressDeny = "any";
   KeyringMode = "private";
   NoNewPrivileges = "yes";
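Review bot: `withHardeningProfile` in lib/systemd/default.nix is undocumented and its merge semantics are easy to misread: `lib.mkDefault` lowers the priority of every profile key, so a key that the caller also sets in `serviceConfig` replaces the profile's value outright instead of combining with it, and for list-valued directives such as `SystemCallFilter` a caller adding a single entry silently drops the profile's entire list. This only takes effect where the result is consumed as a NixOS option definition, since `lib.mkMerge` has no meaning outside the module system; I assume that is the intended use. Suggest a comment above the definition, e.g. `# Apply a hardening profile as per-key defaults: any key present in serviceConfig wins outright (lists replace the profile's list rather than extending it).` The enclosing attribute set is opened in the hunk above and is not fully visible here.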
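Review bot: Removing `DeviceAllow = "no";` from lib/systemd/profiles.nix drops the only device-access setting visible in this hunk without a replacement. `DeviceAllow=` expects a device node path (or a `char-`/`block-` class name), so the old value was presumably rejected by systemd at unit load rather than enforced, which makes the removal correct but leaves the original hardening intent unaddressed. Unless the profile already sets `DevicePolicy` or `PrivateDevices` elsewhere in the file, consider `DevicePolicy = "closed";` in its place so the profile still restricts device nodes. The enclosing `rec { ... }` set starts and ends outside the hunk.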