From cb323223f85f46b7f9c509b4f4fed8397e5c8354 Mon Sep 17 00:00:00 2001
From: Hadi
Date: Thu, 7 May 2026 09:47:53 +0200
Subject: [PATCH] USBGuard rules for work

Signed-off-by: Hadi
---
 hosts/work/configuration.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/hosts/work/configuration.nix b/hosts/work/configuration.nix
index a12d6fc..da92ff6 100644
--- a/hosts/work/configuration.nix
+++ b/hosts/work/configuration.nix
@@ -1,4 +1,8 @@
-{config, ...}: {
+{
+ config,
+ lib,
+ ...
+}: {
 imports = [
 # Mostly system related configuration
 ../../nixos/audio.nix
@@ -8,6 +12,7 @@
 ../../nixos/nix.nix
 ../../nixos/systemd-boot.nix
 ../../nixos/sddm.nix
+ ../../nixos/usbguard.nix
 ../../nixos/users.nix
 ../../nixos/utils.nix
 ../../nixos/hyprland.nix
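Review bot: `lib` is added to the module's argument set in the first hunk, but the only reference to it visible anywhere in this patch is the commented-out `lib.mkForce "allow"` line in the later hunk, so the binding is currently unused and deadnix/statix will flag it. Either drop `lib,` from the argument set until that override is actually live, or uncomment the override so the new argument earns its place. The module attrset this signature opens continues well past the end of the hunk.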
@@ -19,6 +24,18 @@ home-manager.users."${config.var.username}" = import ./home.nix; + # USBGuard: + # Allow all USB devices until a proper policy is configured. + # Run `sudo usbguard generate-policy` with your devices plugged in, + # then set rules = "" and switch implicitPolicyTarget to "block". + # services.usbguard.implicitPolicyTarget = lib.mkForce "allow"; + services.usbguard.rules = '' + allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" + allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type "" + allow id 17ef:608d serial "" name "Lenovo USB Optical Mouse" hash "klpDZuv1jhWGNqZLOl+KXF+75Ir3PfBm6D6ncjoLRBU=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface 03:01:02 with-connect-type "hotplug" + allow id 17ef:6190 serial "" name "Lenovo Calliope USB Keyboard G2" hash "CfZ9R/aoXGm7BN/ojVEzKQwVoxCUtRWMuACrE7BL/5Y=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-10" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug" + ''; + networking.firewall.allowedTCPPorts = [9001]; # Don't touch this
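Review bot: The comment block contradicts the configuration beneath it: it says all USB devices are allowed until a policy exists and that `rules` should be emptied before switching to "block", yet the `lib.mkForce "allow"` override is commented out and `rules` already carries a generated allowlist, so the effective implicit target is whatever ../../nixos/usbguard.nix sets (not visible here; the NixOS module defaults to "block"). Either uncomment the override or replace the five comment lines with one that matches the real state, e.g. `# USBGuard allowlist from usbguard generate-policy; anything not listed falls through to implicitPolicyTarget set in ../../nixos/usbguard.nix`. Separately, the mouse and keyboard rules are pinned with `via-port "1-7"`/`"1-10"` plus `parent-hash`, so plugging the keyboard into a different port or through a hub stops the rule matching and, under an implicit block, leaves the machine with no working input device; regenerating with `usbguard generate-policy -P` omits the port clause for these serial-less devices while keeping the descriptor `hash`, which is the only identity they offer (any clone with identical descriptors will still pass, an inherent USB limit worth a one-line comment). The enclosing module attrset starts and ends outside the hunk, and the hunk's trailing context lines appear to run past what is shown here.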