fix nixos readonly config

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>

README.md

@@ -19,6 +19,15 @@ USBGuard is a software framework for implementing a USB device authorization pol
 
 Built with [bubbletea](https://github.com/charmbracelet/bubbletea) & Golang!
 
+## Features
+
+- List all connected USB devices with their current status (allowed, blocked, rejected)
+- Allow, block, or reject devices: temporarily or permanently
+- Action popup with mouse support for quick device management
+- Filter devices by name with `/`
+- Auto-refresh
+- Keyboard shortcuts for all actions (`a`/`A`, `b`/`B`, `e`/`E`)
+
 ## Requirements
 
 - usbguard installed and the daemon running

internal/guard/client.go

@@ -2,6 +2,7 @@ package guard
 
 import (
 	"errors"
+	"os"
 	"os/exec"
 	"strconv"
 	"strings"
@@ -86,6 +87,42 @@ func wrapExecError(err error) error {
 	return err
 }
 
+func IsRulesManaged() bool {
+	out, err := exec.Command("systemctl", "cat", "usbguard").Output()
+	if err != nil {
+		return false
+	}
+	configPath := extractConfigPath(string(out))
+	if configPath == "" {
+		return false
+	}
+	ruleFile := parseRuleFilePath(configPath)
+	return strings.HasPrefix(ruleFile, "/nix/store/")
+}
+
+func extractConfigPath(s string) string {
+	fields := strings.Fields(s)
+	for i, f := range fields {
+		if f == "-c" && i+1 < len(fields) {
+			return fields[i+1]
+		}
+	}
+	return ""
+}
+
+func parseRuleFilePath(configPath string) string {
+	data, err := os.ReadFile(configPath)
+	if err != nil {
+		return ""
+	}
+	for _, line := range strings.Split(string(data), "\n") {
+		if after, ok := strings.CutPrefix(line, "RuleFile="); ok {
+			return strings.TrimSpace(after)
+		}
+	}
+	return ""
+}
+
 func classifyError(output string) error {
 	lower := strings.ToLower(output)
 	switch {

internal/guard/errors.go

@@ -5,5 +5,5 @@ import "errors"
 var (
 	ErrNotFound   = errors.New("usbguard not found in PATH")
 	ErrPermission = errors.New("insufficient permissions to manage devices")
-	ErrReadOnly   = errors.New("rules file is read-only")
+	ErrReadOnly   = errors.New("rules file is not writable")
 )

internal/ui/model.go

@@ -37,6 +37,7 @@ type Model struct {
 	height       int
 	notice       string
 	selectedDev  *guard.Device
+	rulesManaged bool
 }
 
 func New() Model {
@@ -58,24 +59,42 @@ func New() Model {
 	h := help.New()
 	h.Styles = help.DefaultStyles(true)
 
+	rulesManaged := guard.IsRulesManaged()
+	notice := ""
+	if rulesManaged {
+		notice = "Rules managed by NixOS config: permanent actions not available."
+		listKeys.AllowPerm.SetEnabled(false)
+		listKeys.BlockPerm.SetEnabled(false)
+		listKeys.RejectPerm.SetEnabled(false)
+	}
+
 	return Model{
-		state:      stateList,
+		state:        stateList,
-		list:       l,
+		list:         l,
-		actionList: makeActionList(),
+		actionList:   makeActionList(rulesManaged),
-		help:       h,
+		help:         h,
+		rulesManaged: rulesManaged,
+		notice:       notice,
 	}
 }
 
-func makeActionList() list.Model {
+func makeActionList(rulesManaged bool) list.Model {
 	items := []list.Item{
 		actionItem{"allow", guard.AllowDevice, false, guard.Allowed},
-		actionItem{"allow (permanent)", guard.AllowDevice, true, guard.Allowed},
 		actionItem{"block", guard.BlockDevice, false, guard.Blocked},
-		actionItem{"block (permanent)", guard.BlockDevice, true, guard.Blocked},
 		actionItem{"reject", guard.RejectDevice, false, guard.Rejected},
-		actionItem{"reject (permanent)", guard.RejectDevice, true, guard.Rejected},
 	}
-	l := list.New(items, actionDelegate{}, 24, 6)
+	if !rulesManaged {
+		items = []list.Item{
+			actionItem{"allow", guard.AllowDevice, false, guard.Allowed},
+			actionItem{"allow (permanent)", guard.AllowDevice, true, guard.Allowed},
+			actionItem{"block", guard.BlockDevice, false, guard.Blocked},
+			actionItem{"block (permanent)", guard.BlockDevice, true, guard.Blocked},
+			actionItem{"reject", guard.RejectDevice, false, guard.Rejected},
+			actionItem{"reject (permanent)", guard.RejectDevice, true, guard.Rejected},
+		}
+	}
+	l := list.New(items, actionDelegate{}, 24, len(items))
 	l.SetShowHelp(false)
 	l.SetShowTitle(false)
 	l.SetShowStatusBar(false)
@@ -120,14 +139,14 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		if msg.err != nil {
 			switch msg.err {
 			case guard.ErrReadOnly:
-				m.notice = "Read-only rules: applied temporarily. Add the rule to your config for persistence."
+				m.notice = "Rules file is not writable: permanent changes are not supported."
 			case guard.ErrPermission:
 				m.notice = "Permission denied. Run with appropriate privileges."
 			default:
 				m.notice = msg.err.Error()
 			}
 		} else {
-			m.notice = ""
+			m.notice = m.defaultNotice()
 		}
 		return m, fetchDevices
 
@@ -146,10 +165,21 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 
 	case tea.MouseWheelMsg:
 		if m.state == statePopup {
-			var cmd tea.Cmd
+			switch msg.Button {
-			m.actionList, cmd = m.actionList.Update(msg)
+			case tea.MouseWheelUp:
-			return m, cmd
+				m.actionList.CursorUp()
+			case tea.MouseWheelDown:
+				m.actionList.CursorDown()
+			}
+		} else {
+			switch msg.Button {
+			case tea.MouseWheelUp:
+				m.list.CursorUp()
+			case tea.MouseWheelDown:
+				m.list.CursorDown()
+			}
 		}
+		return m, nil
 	}
 
 	if m.state == stateList {
@@ -171,7 +201,7 @@ func (m Model) updateList(msg tea.KeyPressMsg) (tea.Model, tea.Cmd) {
 		case key.Matches(msg, listKeys.Quit):
 			return m, tea.Quit
 		case key.Matches(msg, listKeys.Refresh):
-			m.notice = ""
+			m.notice = m.defaultNotice()
 			return m, tea.Batch(fetchDevices, fetchDaemonStatus)
 		case key.Matches(msg, listKeys.Help):
 			m.help.ShowAll = !m.help.ShowAll
@@ -188,15 +218,15 @@ func (m Model) updateList(msg tea.KeyPressMsg) (tea.Model, tea.Cmd) {
 			}
 		case id >= 0 && key.Matches(msg, listKeys.Allow):
 			return m, doAction(id, guard.AllowDevice, false)
-		case id >= 0 && key.Matches(msg, listKeys.AllowPerm):
+		case id >= 0 && !m.rulesManaged && key.Matches(msg, listKeys.AllowPerm):
 			return m, doAction(id, guard.AllowDevice, true)
 		case id >= 0 && key.Matches(msg, listKeys.Block):
 			return m, doAction(id, guard.BlockDevice, false)
-		case id >= 0 && key.Matches(msg, listKeys.BlockPerm):
+		case id >= 0 && !m.rulesManaged && key.Matches(msg, listKeys.BlockPerm):
 			return m, doAction(id, guard.BlockDevice, true)
 		case id >= 0 && key.Matches(msg, listKeys.Reject):
 			return m, doAction(id, guard.RejectDevice, false)
-		case id >= 0 && key.Matches(msg, listKeys.RejectPerm):
+		case id >= 0 && !m.rulesManaged && key.Matches(msg, listKeys.RejectPerm):
 			return m, doAction(id, guard.RejectDevice, true)
 		}
 	}
@@ -290,12 +320,26 @@ func (m Model) actionListInnerWidth() int {
 	return m.popupOuterWidth() - 8 // border(2) + padding_h(6)
 }
 
+func (m Model) defaultNotice() string {
+	if m.rulesManaged {
+		return "Rules managed by NixOS config: permanent actions not available."
+	}
+	return ""
+}
+
+func (m Model) actionItemCount() int {
+	if m.rulesManaged {
+		return 3
+	}
+	return 6
+}
+
 // updateActionListSize sizes the action list and toggles pagination based on available space.
 // When there is enough room for all items: pagination is hidden and height is set exactly,
 // avoiding the phantom line that bubbles/list reserves when showPagination=true.
 // When space is limited: pagination is shown naturally by bubbles/list.
 func (m *Model) updateActionListSize() {
-	const items = 6
+	items := m.actionItemCount()
 	innerW := m.actionListInnerWidth()
 	// popup overhead: border(2) + padding_v(2) + title(1) + blank(1) + hint(1) = 7
 	available := m.height - 7 - 2 // 2 lines margin