nix/modules/nixos/core/usbguard/default.nix

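{ config, lib, pkgs, ... }:
let
  cfg = config.snowflake.core.usbguard;
in
{
  options.snowflake.core.usbguard = {
    ### WARNING ###
    # NOTE: be very careful before turning on usbguard. It has the potential
    # to disable your keyboard and render your system unusable: the daemon
    # blocks every USB device that no rule explicitly allows, and with the
    # NixOS module defaults that policy is applied to devices already present
    # at boot (so the built-in keyboard too) — confirm against the
    # services.usbguard module of your nixpkgs revision. To use this module
    # follow these steps.
    #
    # 1. Enable this module while keeping the serviceEnable option set to
    #    false. This only installs usbguard onto your system without enabling
    #    the usbguard systemd service.
    # 2. Do not connect any USB devices to your laptop, or only connect
    #    trusted, frequently used devices. Everything plugged in at this point
    #    ends up in the generated allow-list, so an untrusted device connected
    #    now is trusted forever.
    # 3. Use the command `usbguard generate-policy` to generate the usbguard
    #    "rules". This prints a list of devices which are trusted and can be
    #    interfaced with the system without explicit approval. This includes
    #    your inbuilt keyboard, webcam etc. Review the output before using it.
    # 4. Set the output of this command as the value for the "rules" option,
    #    and set the "serviceEnable" option to true. Evaluation is refused when
    #    serviceEnable is true while "rules" is still empty (see the assertion
    #    in the config section), which is the configuration that locks you out.
    #
    # Ref:
    # - https://github.com/USBGuard/usbguard/blob/main/doc/man/usbguard-rules.conf.5.adoc
    ### WARNING ###
    # FAQ
    # - to connect a new USB device
    #   - run `sudo usbguard watch` in a tty
    #   - connect your device
    #   - find the device ID from the tty running `usbguard watch`
    #   - run `sudo usbguard allow-device {device_id}` to allow the device to
    #     interface with the system. NOTE(review): without `-p` this decision
    #     is presumably session-only; to keep a device allowed across reboots,
    #     add its rule to the "rules" option of this module rather than relying
    #     on `allow-device -p`, since the declarative rules file the daemon is
    #     pointed at is expected to live in the read-only Nix store — verify
    #     against your nixpkgs revision.
    enable =
      lib.mkEnableOption "the usbguard module (installs the usbguard package only)";
    serviceEnable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "explicitly enable the usbguard service; requires a non-empty `rules` value";
    };
    rules = lib.mkOption {
      type = lib.types.str;
      default = "";
      description =
        "usbguard rules for default devices which are allowed to be connected (output of `usbguard generate-policy`)";
    };
  };

  config = lib.mkMerge [
    {
      # Guard rails that must evaluate regardless of cfg.enable, so a
      # misconfiguration is reported at build time instead of at the login
      # prompt with a dead keyboard.
      assertions = [
        {
          # Starting the daemon with an empty rule set blocks every device
          # (nothing is allowed), which is exactly the lock-out the warning
          # above describes.
          assertion = (cfg.enable && cfg.serviceEnable) -> (cfg.rules != "");
          message = ''
            snowflake.core.usbguard: serviceEnable is true but `rules` is empty.
            Run `usbguard generate-policy` and set its output as
            snowflake.core.usbguard.rules before enabling the service, otherwise
            all USB devices (including the built-in keyboard) will be blocked.
          '';
        }
      ];
      # serviceEnable is silently ignored when the module itself is disabled;
      # surface that so the user is not left believing the daemon is running.
      warnings = lib.optional (cfg.serviceEnable && !cfg.enable)
        "snowflake.core.usbguard.serviceEnable is set but snowflake.core.usbguard.enable is false; the usbguard service will NOT be enabled.";
    }

    (lib.mkIf cfg.enable {
      # Always install the CLI so `generate-policy` / `watch` / `allow-device`
      # are available even while the service is still disabled.
      environment.systemPackages = [ pkgs.usbguard ];
      # The service is only started on explicit opt-in; the package alone is
      # harmless.
      services.usbguard.enable = cfg.serviceEnable;
      services.usbguard.rules = cfg.rules;
    })
  ];
}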