diff --git a/hosts/laptop/configuration.nix b/hosts/laptop/configuration.nix index 0d5702e..509b0ba 100644 --- a/hosts/laptop/configuration.nix +++ b/hosts/laptop/configuration.nix @@ -12,6 +12,7 @@ ../../nixos/users.nix ../../nixos/utils.nix ../../nixos/hyprland.nix + ../../nixos/usbguard.nix ../../nixos/omen.nix # CHANGEME: For my laptop only, remove this (OMEN 16) @@ -20,6 +21,29 @@ ./variables.nix ]; + # USBGuard: + # Allow all USB devices until a proper policy is configured. + # Run `sudo usbguard generate-policy` with your devices plugged in, + # then set rules = "" and switch implicitPolicyTarget to "block". + # services.usbguard.implicitPolicyTarget = lib.mkForce "allow"; + + services.usbguard.rules = '' + allow id 1532:02a1 serial "" name "Razer Ornata V3" hash "wfuIjBhhGuge8gflyA526SKqKoy8rHJZQZ+2o6usMiE=" parent-hash "MSXcPAlZqkpTyZQylOhSIB8eMfST2AzVHV9EbrBGTWc=" with-interface { 03:01:01 03:00:01 03:00:02 } with-connect-type "unknown" + allow id 1d6b:0002 serial "0000:05:00.3" name "xHCI Host Controller" hash "4a4NgfdUaJO43rkCzmWRSeHHR/uUh5+SNsXnhosm9qs=" parent-hash "ldMchY4Tt4GPUYo30eNGvai+Fs/EdnVY3vMyxJUq4Nk=" with-interface 09:00:00 with-connect-type "" + allow id 1d6b:0003 serial "0000:05:00.3" name "xHCI Host Controller" hash "d+DNGWARDtv9nEK2ZvnNOCtFernuMu5/e/oZ7kCppqQ=" parent-hash "ldMchY4Tt4GPUYo30eNGvai+Fs/EdnVY3vMyxJUq4Nk=" with-interface 09:00:00 with-connect-type "" + allow id 0bda:c85c serial "00e04c000001" name "Bluetooth Radio" hash "Q/wlToV8WQgEYHBW/UIhnSwCCusCGqAR2D5gspSCImQ=" parent-hash "4a4NgfdUaJO43rkCzmWRSeHHR/uUh5+SNsXnhosm9qs=" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "hardwired" + allow id 30c9:009f serial "01.00.00" name "HP True Vision FHD Camera" hash "eYW5fqReJd29tfHXkEktKC63dGfDpmlRMo5uMGUWwME=" parent-hash "icotY3rI59mWiKsGxc59BGZZeBjfbuH0b4NUByj3cbQ=" with-interface { 0e:01:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 fe:01:01 } with-connect-type "hardwired" + allow id 03f0:036b serial "" name "HP USB-C Dock G5" hash "iPFGrgGz0sWgKQjWD/F8eNOhkeR728dTG8JJtkUSvuM=" parent-hash "Hp8B0Enf+ACRT2tyy0EqXj7eNsFDAnTRZadzuh/Iqd4=" with-interface { 09:00:01 09:00:02 } with-connect-type "hotplug" + allow id 03f0:066b serial "" name "HP USB-C Dock G5" hash "JHDjLFApQNqijjmuKdJSWH5+1oLL7S6LQ9QHTAk5fTk=" parent-hash "rJ3LKdvkCK3SUrCU3lV8qVbmPjA+r9Fe5106x2HlgK4=" with-interface 09:00:00 with-connect-type "hotplug" + allow id 03f0:056b serial "201604140001" name "USB Audio" hash "OxQ8HQenW3/4HSGEBOSYFS15rXDTOaNDnjMbICweHgw=" parent-hash "iPFGrgGz0sWgKQjWD/F8eNOhkeR728dTG8JJtkUSvuM=" with-interface { 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 03:00:00 } with-connect-type "unknown" + allow id 03f0:086b serial "" name "USB2734" hash "MSXcPAlZqkpTyZQylOhSIB8eMfST2AzVHV9EbrBGTWc=" parent-hash "iPFGrgGz0sWgKQjWD/F8eNOhkeR728dTG8JJtkUSvuM=" with-interface { 09:00:01 09:00:02 } with-connect-type "unknown" + allow id 03f0:046b serial "11AD1D0A89EA2D08310E0B00" name "HP USB-C Dock G5" hash "DEGeuj1u4lwqrzp0UksFX7mSEY9JnGLxg7yxGbglAKE=" parent-hash "iPFGrgGz0sWgKQjWD/F8eNOhkeR728dTG8JJtkUSvuM=" with-interface { 11:00:00 ff:03:00 03:00:00 } with-connect-type "unknown" + allow id 03f0:076b serial "" name "USB5734" hash "BshoqybYo0IKgoDORYPRtbhhlmQrYAxPQb2EAm1JsWA=" parent-hash "JHDjLFApQNqijjmuKdJSWH5+1oLL7S6LQ9QHTAk5fTk=" with-interface 09:00:00 with-connect-type "unknown" + allow id 0bda:8153 serial "000001000000" name "USB 10/100/1000 LAN" hash "utEnXKJ57kRUbPcGUaNWhEyoOEbLOYAFxvlsyC0PZkk=" parent-hash "JHDjLFApQNqijjmuKdJSWH5+1oLL7S6LQ9QHTAk5fTk=" with-interface { ff:ff:00 02:06:00 0a:00:00 0a:00:00 } with-connect-type "unknown" + allow id 046d:0ab7 serial "2046BAB04T68" name "Blue Microphones" hash "cC6AQ2e1Q/BeFeostpbf1mH2WpoUmt6bhau4NlA3niU=" parent-hash "MSXcPAlZqkpTyZQylOhSIB8eMfST2AzVHV9EbrBGTWc=" with-interface { 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 01:02:00 01:02:00 03:00:00 } with-connect-type "unknown" + allow id 13fd:5900 serial "50026B76861EE752 " name "External" hash "Xebp3uQRrhCKBHdGRVKXH0I5Vdawi4mSpuu0ttKgDyE=" parent-hash "BshoqybYo0IKgoDORYPRtbhhlmQrYAxPQb2EAm1JsWA=" with-interface { 08:06:50 08:06:62 } with-connect-type "unknown" + ''; + home-manager.users."${config.var.username}" = import ./home.nix; # Don't touch this diff --git a/nixos/usbguard.nix b/nixos/usbguard.nix new file mode 100644 index 0000000..8fa4399 --- /dev/null +++ b/nixos/usbguard.nix @@ -0,0 +1,7 @@ +{config, ...}: { + services.usbguard = { + enable = true; + implicitPolicyTarget = "block"; + IPCAllowedUsers = ["root" config.var.username]; + }; +}