···
cfg = config.services.usbguard;
···
PresentDevicePolicy=${cfg.presentDevicePolicy}
PresentControllerPolicy=${cfg.presentControllerPolicy}
InsertedDevicePolicy=${cfg.insertedDevicePolicy}
+
RestoreControllerDeviceState=${lib.boolToString cfg.restoreControllerDeviceState}
# this does not seem useful for endusers to change
DeviceManagerBackend=uevent
+
IPCAllowedUsers=${lib.concatStringsSep " " cfg.IPCAllowedUsers}
+
IPCAllowedGroups=${lib.concatStringsSep " " cfg.IPCAllowedGroups}
IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/
+
DeviceRulesWithPort=${lib.boolToString cfg.deviceRulesWithPort}
# HACK: that way audit logs still land in the journal
···
+
enable = lib.mkEnableOption "USBGuard daemon";
+
package = lib.mkPackageOption pkgs "usbguard" {
If you do not need the Qt GUI, use `pkgs.usbguard-nox` to save disk space.
+
ruleFile = lib.mkOption {
+
type = lib.types.nullOr lib.types.path;
default = "/var/lib/usbguard/rules.conf";
example = "/run/secrets/usbguard-rules";
···
+
type = lib.types.nullOr lib.types.lines;
allow with-interface equals { 08:*:* }
···
+
implicitPolicyTarget = lib.mkOption {
+
type = lib.types.enum [
···
+
presentDevicePolicy = lib.mkOption {
default = "apply-policy";
···
+
presentControllerPolicy = lib.mkOption {
···
+
insertedDevicePolicy = lib.mkOption {
+
type = lib.types.enum [
···
+
restoreControllerDeviceState = lib.mkOption {
The USBGuard daemon modifies some attributes of controller
···
+
IPCAllowedUsers = lib.mkOption {
+
type = lib.types.listOf lib.types.str;
···
+
IPCAllowedGroups = lib.mkOption {
+
type = lib.types.listOf lib.types.str;
···
+
deviceRulesWithPort = lib.mkOption {
Generate device specific rules including the "via-port" attribute.
+
dbus.enable = lib.mkEnableOption "USBGuard dbus daemon";
+
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
···
+
usbguard-dbus = lib.mkIf cfg.dbus.enable {
description = "USBGuard D-Bus Service";
wantedBy = [ "multi-user.target" ];
···
(lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false";
+
lib.optionalString cfg.dbus.enable ''
polkit.addRule(function(action, subject) {
if ((action.id == "org.usbguard.Policy1.listRules" ||
action.id == "org.usbguard.Policy1.appendRule" ||
···
+
(lib.mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ]
"The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d."
+
(lib.mkRemovedOptionModule [
] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
+
(lib.mkRenamedOptionModule
[ "services" "usbguard" "implictPolicyTarget" ]
[ "services" "usbguard" "implicitPolicyTarget" ]
pyrox.dev