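{ config, lib, pkgs, ... }:

let
  # Short alias for this module's own option set, used in both the option
  # declarations' consumer (config) and the assertion below.
  cfg = config.snowflake.core.usbguard;
in
{
  options.snowflake.core.usbguard = {
    ### WARNING ###
    # NOTE: be very careful before turning on usbguard. It has the potential
    # to disable your keyboard and render your system useless. To use this
    # module follow these steps.
    #
    # 1. Enable this module while keeping the serviceEnable option set to false.
    #    This will only install usbguard onto your system without enabling the
    #    usbguard systemd service.
    # 2. Do not connect any USB devices to your laptop, or only connect
    #    trusted, frequently used devices.
    # 3. Use the command `usbguard generate-policy` to generate the usbguard
    #    "rules". This will generate a list of devices which are trusted and can
    #    be interfaced with the system without explicit approval. This includes
    #    your inbuilt keyboard, webcam etc.
    # 4. Set the output of this command as the value for the "rules" option,
    #    and set the "serviceEnable" option to true. Read the generated rules
    #    before committing them: generate-policy trusts whatever is attached
    #    at the moment it runs, so anything plugged in during step 2 is
    #    allowed as well.
    #
    # Ref:
    # - https://github.com/USBGuard/usbguard/blob/main/doc/man/usbguard-rules.conf.5.adoc
    ### WARNING ###

    # FAQ
    # - to connect a new USB device
    #   - run `sudo usbguard watch` in a tty
    #   - connect your device
    #   - find the device ID from the tty running `usbguard watch`
    #   - run `sudo usbguard allow-device {device_id}` to allow the device to
    #     interface with the system

    # Installs the usbguard package only; the daemon is controlled separately
    # by serviceEnable so the rule set can be generated before enforcement.
    enable = lib.mkEnableOption "enable usbguard module and only install usbguard";

    # Starts the usbguard systemd service. Must be combined with a non-empty
    # `rules` value (enforced by the assertion in the config section).
    serviceEnable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "explicitly enable the usbguard service";
    };

    # Verbatim usbguard rules file contents (typically the output of
    # `usbguard generate-policy`).
    rules = lib.mkOption {
      type = lib.types.str;
      default = "";
      description = "usbguard rules for default devices which are allowed to be connected";
    };
  };

  config = lib.mkIf cfg.enable {
    # Refuse to evaluate a configuration that would start the daemon with an
    # empty rule set: nothing would be explicitly allowed, so the daemon's
    # implicit policy would decide the fate of every device, including the
    # inbuilt keyboard the warning above is about.
    assertions = [
      {
        assertion = cfg.serviceEnable -> cfg.rules != "";
        message = "snowflake.core.usbguard: serviceEnable is true but rules is empty; run `usbguard generate-policy` and set snowflake.core.usbguard.rules first (see the module comments).";
      }
    ];

    environment.systemPackages = [ pkgs.usbguard ];

    services.usbguard = {
      enable = cfg.serviceEnable;
      rules = cfg.rules;
    };
  };
}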