initial commit

2026-04-15 18:26:05 -04:00 · 2026-04-15 18:26:05 -04:00 · ebc1be5217
commit ebc1be5217
143 changed files with 7721 additions and 0 deletions
--- a/modules/features/security/security-usbguard.nix
+++ b/modules/features/security/security-usbguard.nix
@ -0,0 +1,50 @@
+{ ... }:
+{
+  config.dendritic.features.security-usbguard = {
+    nixosModules = [
+      (
+        {
+          config,
+          pkgs,
+          lib,
+          ...
+        }:
+        let
+          user = config.dendritic.current.primaryUser;
+        in
+        {
+          services.usbguard = {
+            enable = true;
+            IPCAllowedUsers = [
+              "root"
+              user
+            ];
+
+            # presentDevicePolicy refers to how to treat USB devices
+            # that are already connected when the daemon starts
+            presentDevicePolicy = "allow";
+
+            rules = lib.mkBefore ''
+              # allow `only` devices with mass storage interfaces (USB Mass Storage)
+              allow with-interface equals { 08:*:* }
+
+              # allow mice and keyboards
+              # allow with-interface equals { 03:*:* }
+
+              # Reject devices with suspicious combination of interfaces
+              reject with-interface all-of { 08:*:* 03:00:* }
+              reject with-interface all-of { 08:*:* 03:01:* }
+              reject with-interface all-of { 08:*:* e0:*:* }
+              reject with-interface all-of { 08:*:* 02:*:* }
+            '';
+          };
+
+          environment.systemPackages = with pkgs; [
+            usbguard
+            usbguard-notifier
+          ];
+        }
+      )
+    ];
+  };
+}