50 lines
1.3 KiB
Nix
50 lines
1.3 KiB
Nix
{ ... }:
|
|
{
|
|
config.dendritic.features.security-usbguard = {
|
|
nixosModules = [
|
|
(
|
|
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
user = config.dendritic.current.primaryUser;
|
|
in
|
|
{
|
|
services.usbguard = {
|
|
enable = true;
|
|
IPCAllowedUsers = [
|
|
"root"
|
|
user
|
|
];
|
|
|
|
# presentDevicePolicy refers to how to treat USB devices
|
|
# that are already connected when the daemon starts
|
|
presentDevicePolicy = "allow";
|
|
|
|
rules = lib.mkBefore ''
|
|
# allow `only` devices with mass storage interfaces (USB Mass Storage)
|
|
allow with-interface equals { 08:*:* }
|
|
|
|
# allow mice and keyboards
|
|
# allow with-interface equals { 03:*:* }
|
|
|
|
# Reject devices with suspicious combination of interfaces
|
|
reject with-interface all-of { 08:*:* 03:00:* }
|
|
reject with-interface all-of { 08:*:* 03:01:* }
|
|
reject with-interface all-of { 08:*:* e0:*:* }
|
|
reject with-interface all-of { 08:*:* 02:*:* }
|
|
'';
|
|
};
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
usbguard
|
|
usbguard-notifier
|
|
];
|
|
}
|
|
)
|
|
];
|
|
};
|
|
}
|