···
cfg = config.services.usbguard;
···
PresentDevicePolicy=${cfg.presentDevicePolicy}
PresentControllerPolicy=${cfg.presentControllerPolicy}
InsertedDevicePolicy=${cfg.insertedDevicePolicy}
33
-
RestoreControllerDeviceState=${boolToString cfg.restoreControllerDeviceState}
31
+
RestoreControllerDeviceState=${lib.boolToString cfg.restoreControllerDeviceState}
# this does not seem useful for endusers to change
DeviceManagerBackend=uevent
36
-
IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers}
37
-
IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups}
34
+
IPCAllowedUsers=${lib.concatStringsSep " " cfg.IPCAllowedUsers}
35
+
IPCAllowedGroups=${lib.concatStringsSep " " cfg.IPCAllowedGroups}
IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/
39
-
DeviceRulesWithPort=${boolToString cfg.deviceRulesWithPort}
37
+
DeviceRulesWithPort=${lib.boolToString cfg.deviceRulesWithPort}
# HACK: that way audit logs still land in the journal
···
53
-
enable = mkEnableOption "USBGuard daemon";
51
+
enable = lib.mkEnableOption "USBGuard daemon";
55
-
package = mkPackageOption pkgs "usbguard" {
53
+
package = lib.mkPackageOption pkgs "usbguard" {
If you do not need the Qt GUI, use `pkgs.usbguard-nox` to save disk space.
61
-
ruleFile = mkOption {
62
-
type = types.nullOr types.path;
59
+
ruleFile = lib.mkOption {
60
+
type = lib.types.nullOr lib.types.path;
default = "/var/lib/usbguard/rules.conf";
example = "/run/secrets/usbguard-rules";
···
75
-
type = types.nullOr types.lines;
72
+
rules = lib.mkOption {
73
+
type = lib.types.nullOr lib.types.lines;
allow with-interface equals { 08:*:* }
···
95
-
implicitPolicyTarget = mkOption {
93
+
implicitPolicyTarget = lib.mkOption {
94
+
type = lib.types.enum [
···
109
-
presentDevicePolicy = mkOption {
107
+
presentDevicePolicy = lib.mkOption {
default = "apply-policy";
···
120
-
presentControllerPolicy = mkOption {
118
+
presentControllerPolicy = lib.mkOption {
···
129
-
insertedDevicePolicy = mkOption {
130
-
type = types.enum [
127
+
insertedDevicePolicy = lib.mkOption {
128
+
type = lib.types.enum [
···
142
-
restoreControllerDeviceState = mkOption {
140
+
restoreControllerDeviceState = lib.mkOption {
141
+
type = lib.types.bool;
The USBGuard daemon modifies some attributes of controller
···
154
-
IPCAllowedUsers = mkOption {
155
-
type = types.listOf types.str;
152
+
IPCAllowedUsers = lib.mkOption {
153
+
type = lib.types.listOf lib.types.str;
···
166
-
IPCAllowedGroups = mkOption {
167
-
type = types.listOf types.str;
164
+
IPCAllowedGroups = lib.mkOption {
165
+
type = lib.types.listOf lib.types.str;
···
176
-
deviceRulesWithPort = mkOption {
174
+
deviceRulesWithPort = lib.mkOption {
175
+
type = lib.types.bool;
Generate device specific rules including the "via-port" attribute.
184
-
dbus.enable = mkEnableOption "USBGuard dbus daemon";
182
+
dbus.enable = lib.mkEnableOption "USBGuard dbus daemon";
190
-
config = mkIf cfg.enable {
188
+
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
···
242
-
usbguard-dbus = mkIf cfg.dbus.enable {
240
+
usbguard-dbus = lib.mkIf cfg.dbus.enable {
description = "USBGuard D-Bus Service";
wantedBy = [ "multi-user.target" ];
···
(lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false";
264
-
optionalString cfg.dbus.enable ''
262
+
lib.optionalString cfg.dbus.enable ''
polkit.addRule(function(action, subject) {
if ((action.id == "org.usbguard.Policy1.listRules" ||
action.id == "org.usbguard.Policy1.appendRule" ||
···
281
-
(mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ]
279
+
(lib.mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ]
"The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d."
284
-
(mkRemovedOptionModule [
282
+
(lib.mkRemovedOptionModule [
] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
289
-
(mkRenamedOptionModule
287
+
(lib.mkRenamedOptionModule
[ "services" "usbguard" "implictPolicyTarget" ]
[ "services" "usbguard" "implicitPolicyTarget" ]
pyrox.dev