USBGuard rules for work

Signed-off-by: Hadi <hadi@example.com>

hosts/work/configuration.nix

@@ -1,4 +1,8 @@
-{config, ...}: {
+{
+  config,
+  lib,
+  ...
+}: {
   imports = [
     # Mostly system related configuration
     ../../nixos/audio.nix
@@ -8,6 +12,7 @@
     ../../nixos/nix.nix
     ../../nixos/systemd-boot.nix
     ../../nixos/sddm.nix
+    ../../nixos/usbguard.nix
     ../../nixos/users.nix
     ../../nixos/utils.nix
     ../../nixos/hyprland.nix
@@ -19,6 +24,18 @@
 
   home-manager.users."${config.var.username}" = import ./home.nix;
 
+  # USBGuard:
+  # Allow all USB devices until a proper policy is configured.
+  # Run `sudo usbguard generate-policy` with your devices plugged in,
+  # then set rules = "<output>" and switch implicitPolicyTarget to "block".
+  # services.usbguard.implicitPolicyTarget = lib.mkForce "allow";
+  services.usbguard.rules = ''
+    allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
+    allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
+    allow id 17ef:608d serial "" name "Lenovo USB Optical Mouse" hash "klpDZuv1jhWGNqZLOl+KXF+75Ir3PfBm6D6ncjoLRBU=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-7" with-interface 03:01:02 with-connect-type "hotplug"
+    allow id 17ef:6190 serial "" name "Lenovo Calliope USB Keyboard G2" hash "CfZ9R/aoXGm7BN/ojVEzKQwVoxCUtRWMuACrE7BL/5Y=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "1-10" with-interface { 03:01:01 03:00:00 } with-connect-type "hotplug"
+  '';
+
   networking.firewall.allowedTCPPorts = [9001];
 
   # Don't touch this