Merge branch 'main' of github.com:anotherhadi/usbguard-tui

Signed-off-by: Hadi <hadi@example.com>

.github/assets/demo.tape

@@ -0,0 +1,27 @@
+Output ./assets/demo.gif
+Require usbguard-tui
+
+Set Shell "zsh"
+Set FontSize 32
+Set Width 1500
+Set Height 1000
+
+Type "usbguard-tui"
+Sleep 500ms
+Enter
+Sleep 1s
+
+Down
+Sleep 200ms
+Down
+Sleep 200ms
+Enter
+Sleep 1s
+
+Down Sleep 200ms
+Down Sleep 200ms
+Sleep 1s
+Enter
+Sleep 1s
+
+Type "Q"

README.md

@@ -15,7 +15,18 @@ A terminal UI for managing USB devices via [usbguard](https://usbguard.github.io
 
 USBGuard is a software framework for implementing a USB device authorization policy (allowlisting/blocklisting). It protects your system against rogue USB devices by scanning them and checking their parameters against a set of rules.
 
-Built with [bubbletea](https://github.com/charmbracelet/bubbletea) & Goland!
+<img alt="USBGuard-tui demo" src="./.github/assets/demo.gif" width="600" />
+
+Built with [bubbletea](https://github.com/charmbracelet/bubbletea) & Golang!
+
+## Features
+
+- List all connected USB devices with their current status (allowed, blocked, rejected)
+- Allow, block, or reject devices: temporarily or permanently
+- Action popup with mouse support for quick device management
+- Filter devices by name with `/`
+- Auto-refresh
+- Keyboard shortcuts for all actions (`a`/`A`, `b`/`B`, `e`/`E`)
 
 ## Requirements
 

flake.nix

@@ -14,12 +14,12 @@
       (system: f system (import nixpkgs {inherit system;}));
 
     pname = "usbguard-tui";
-    version = "1.0.0";
+    version = "1.0.1";
 
     ldflags = ["-s" "-w" "-X main.version=${version}"];
   in {
-    packages = forAllSystems (system: pkgs: {
-      "${pname}" = pkgs.buildGoModule {
+    packages = forAllSystems (system: pkgs: let
+      pkg = pkgs.buildGoModule {
         inherit pname version ldflags;
 
         src = ./.;
@@ -33,9 +33,9 @@
           platforms = platforms.unix;
         };
       };
+    in {
+      "${pname}" = pkg;
+      default = pkg;
     });
-
-    defaultPackage =
-      forAllSystems (system: pkgs: self.packages.${system}.${pname});
   };
 }

internal/guard/client.go

@@ -2,6 +2,7 @@ package guard
 
 import (
 	"errors"
+	"os"
 	"os/exec"
 	"strconv"
 	"strings"
@@ -28,7 +29,7 @@ func ListDevices() ([]Device, error) {
 		}
 		d, err := parseLine(line)
 		if err == nil {
-			d.Permanent = rules[d.VidPid] == d.Status
+			d.Permanent = rules[d.Hash] == d.Status
 			devices = append(devices, d)
 		}
 	}
@@ -46,8 +47,8 @@ func listRules() map[string]Status {
 			continue
 		}
 		d, err := parseLine(line)
-		if err == nil {
-			rules[d.VidPid] = d.Status
+		if err == nil && d.Hash != "" {
+			rules[d.Hash] = d.Status
 		}
 	}
 	return rules
@@ -86,6 +87,42 @@ func wrapExecError(err error) error {
 	return err
 }
 
+func IsRulesManaged() bool {
+	out, err := exec.Command("systemctl", "cat", "usbguard").Output()
+	if err != nil {
+		return false
+	}
+	configPath := extractConfigPath(string(out))
+	if configPath == "" {
+		return false
+	}
+	ruleFile := parseRuleFilePath(configPath)
+	return strings.HasPrefix(ruleFile, "/nix/store/")
+}
+
+func extractConfigPath(s string) string {
+	fields := strings.Fields(s)
+	for i, f := range fields {
+		if f == "-c" && i+1 < len(fields) {
+			return fields[i+1]
+		}
+	}
+	return ""
+}
+
+func parseRuleFilePath(configPath string) string {
+	data, err := os.ReadFile(configPath)
+	if err != nil {
+		return ""
+	}
+	for _, line := range strings.Split(string(data), "\n") {
+		if after, ok := strings.CutPrefix(line, "RuleFile="); ok {
+			return strings.TrimSpace(after)
+		}
+	}
+	return ""
+}
+
 func classifyError(output string) error {
 	lower := strings.ToLower(output)
 	switch {

internal/guard/device.go

@@ -20,6 +20,7 @@ type Device struct {
 	Name      string
 	Status    Status
 	VidPid    string
+	Hash      string
 	Permanent bool
 }
 
@@ -57,6 +58,7 @@ func parseLine(line string) (Device, error) {
 		Name:   name,
 		Status: status,
 		VidPid: extractUnquoted(rest, "id"),
+		Hash:   extractField(rest, "hash"),
 	}, nil
 }
 
@@ -74,6 +76,10 @@ func extractField(rule, field string) string {
 	return rest[:end]
 }
 
+func NixOSRule(dev Device, status Status) string {
+	return fmt.Sprintf("%s id %s name \"%s\"", status, dev.VidPid, dev.Name)
+}
+
 func extractUnquoted(rule, field string) string {
 	prefix := field + " "
 	idx := strings.Index(rule, prefix)

internal/guard/errors.go

@@ -5,5 +5,5 @@ import "errors"
 var (
 	ErrNotFound   = errors.New("usbguard not found in PATH")
 	ErrPermission = errors.New("insufficient permissions to manage devices")
-	ErrReadOnly   = errors.New("rules file is read-only")
+	ErrReadOnly   = errors.New("rules file is not writable")
 )

internal/ui/delegate.go

@@ -2,7 +2,6 @@ package ui
 
 import (
 	"fmt"
-	"image/color"
 	"io"
 
 	"charm.land/bubbles/v2/list"
@@ -11,11 +10,10 @@ import (
 	"github.com/anotherhadi/usbguard-tui/internal/guard"
 )
 
-// deviceDelegate renders device list items with status colors.
 type deviceDelegate struct{}
 
-func (d deviceDelegate) Height() int                              { return 2 }
-func (d deviceDelegate) Spacing() int                             { return 0 }
+func (d deviceDelegate) Height() int                             { return 2 }
+func (d deviceDelegate) Spacing() int                            { return 0 }
 func (d deviceDelegate) Update(_ tea.Msg, _ *list.Model) tea.Cmd { return nil }
 
 func (d deviceDelegate) Render(w io.Writer, m list.Model, index int, item list.Item) {
@@ -26,19 +24,13 @@ func (d deviceDelegate) Render(w io.Writer, m list.Model, index int, item list.I
 
 	selected := index == m.Index()
 
-	var clr color.Color
+	colorMap := statusColors
 	if selected {
-		var ok bool
-		clr, ok = statusColorsSelected[dev.Status]
-		if !ok {
-			clr = colorMuted
-		}
-	} else {
-		var ok bool
-		clr, ok = statusColors[dev.Status]
-		if !ok {
-			clr = colorMuted
-		}
+		colorMap = statusColorsSelected
+	}
+	clr, ok := colorMap[dev.Status]
+	if !ok {
+		clr = colorMuted
 	}
 
 	var nameStyle, descStyle lipgloss.Style
@@ -69,23 +61,22 @@ func (d deviceDelegate) Render(w io.Writer, m list.Model, index int, item list.I
 	)
 }
 
-// actionItem represents a device policy action in the select popup.
 type actionItem struct {
 	label     string
 	fn        func(int, bool) error
 	permanent bool
 	status    guard.Status
+	nixos     bool
 }
 
 func (a actionItem) Title() string       { return a.label }
 func (a actionItem) Description() string { return "" }
 func (a actionItem) FilterValue() string { return a.label }
 
-// actionDelegate renders single-line action items.
 type actionDelegate struct{}
 
-func (d actionDelegate) Height() int                              { return 1 }
-func (d actionDelegate) Spacing() int                             { return 0 }
+func (d actionDelegate) Height() int                             { return 1 }
+func (d actionDelegate) Spacing() int                            { return 0 }
 func (d actionDelegate) Update(_ tea.Msg, _ *list.Model) tea.Cmd { return nil }
 
 func (d actionDelegate) Render(w io.Writer, m list.Model, index int, item list.Item) {

internal/ui/model.go

@@ -1,6 +1,7 @@
 package ui
 
 import (
+	"fmt"
 	"strings"
 	"time"
 
@@ -25,6 +26,7 @@ type (
 	devicesMsg      []guard.Device
 	daemonStatusMsg string
 	actionMsg       struct{ err error }
+	nixRuleMsg      struct{ rule string }
 )
 
 type Model struct {
@@ -37,8 +39,12 @@ type Model struct {
 	height       int
 	notice       string
 	selectedDev  *guard.Device
+	rulesManaged bool
+	pendingRules []string
 }
 
+func (m Model) PendingRules() []string { return m.pendingRules }
+
 func New() Model {
 	l := list.New(nil, deviceDelegate{}, 0, 0)
 	l.SetShowHelp(false)
@@ -58,24 +64,47 @@ func New() Model {
 	h := help.New()
 	h.Styles = help.DefaultStyles(true)
 
+	rulesManaged := guard.IsRulesManaged()
+	notice := ""
+	if rulesManaged {
+		notice = "Rules managed by NixOS config: permanent actions will print NixOS rules on exit."
+		listKeys.AllowPerm.SetEnabled(false)
+		listKeys.BlockPerm.SetEnabled(false)
+		listKeys.RejectPerm.SetEnabled(false)
+	}
+
 	return Model{
-		state:      stateList,
-		list:       l,
-		actionList: makeActionList(),
-		help:       h,
+		state:        stateList,
+		list:         l,
+		actionList:   makeActionList(rulesManaged),
+		help:         h,
+		rulesManaged: rulesManaged,
+		notice:       notice,
 	}
 }
 
-func makeActionList() list.Model {
-	items := []list.Item{
-		actionItem{"allow", guard.AllowDevice, false, guard.Allowed},
-		actionItem{"allow (permanent)", guard.AllowDevice, true, guard.Allowed},
-		actionItem{"block", guard.BlockDevice, false, guard.Blocked},
-		actionItem{"block (permanent)", guard.BlockDevice, true, guard.Blocked},
-		actionItem{"reject", guard.RejectDevice, false, guard.Rejected},
-		actionItem{"reject (permanent)", guard.RejectDevice, true, guard.Rejected},
+func makeActionList(rulesManaged bool) list.Model {
+	var items []list.Item
+	if rulesManaged {
+		items = []list.Item{
+			actionItem{"allow", guard.AllowDevice, false, guard.Allowed, false},
+			actionItem{"allow (perm)", nil, true, guard.Allowed, true},
+			actionItem{"block", guard.BlockDevice, false, guard.Blocked, false},
+			actionItem{"block (perm)", nil, true, guard.Blocked, true},
+			actionItem{"reject", guard.RejectDevice, false, guard.Rejected, false},
+			actionItem{"reject (perm)", nil, true, guard.Rejected, true},
+		}
+	} else {
+		items = []list.Item{
+			actionItem{"allow", guard.AllowDevice, false, guard.Allowed, false},
+			actionItem{"allow (permanent)", guard.AllowDevice, true, guard.Allowed, false},
+			actionItem{"block", guard.BlockDevice, false, guard.Blocked, false},
+			actionItem{"block (permanent)", guard.BlockDevice, true, guard.Blocked, false},
+			actionItem{"reject", guard.RejectDevice, false, guard.Rejected, false},
+			actionItem{"reject (permanent)", guard.RejectDevice, true, guard.Rejected, false},
+		}
 	}
-	l := list.New(items, actionDelegate{}, 24, 6)
+	l := list.New(items, actionDelegate{}, 24, len(items))
 	l.SetShowHelp(false)
 	l.SetShowTitle(false)
 	l.SetShowStatusBar(false)
@@ -114,20 +143,32 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		m.daemonStatus = string(msg)
 		return m, nil
 
+	case nixRuleMsg:
+		m.state = stateList
+		m.selectedDev = nil
+		m.pendingRules = append(m.pendingRules, msg.rule)
+		count := len(m.pendingRules)
+		if count == 1 {
+			m.notice = "1 NixOS rule queued (printed on exit)"
+		} else {
+			m.notice = fmt.Sprintf("%d NixOS rules queued (printed on exit)", count)
+		}
+		return m, nil
+
 	case actionMsg:
 		m.state = stateList
 		m.selectedDev = nil
 		if msg.err != nil {
 			switch msg.err {
 			case guard.ErrReadOnly:
-				m.notice = "Read-only rules: applied temporarily. Add the rule to your config for persistence."
+				m.notice = "Rules file is not writable: permanent changes are not supported."
 			case guard.ErrPermission:
 				m.notice = "Permission denied. Run with appropriate privileges."
 			default:
 				m.notice = msg.err.Error()
 			}
 		} else {
-			m.notice = ""
+			m.notice = m.defaultNotice()
 		}
 		return m, fetchDevices
 
@@ -145,11 +186,7 @@ func (m Model) Update(msg tea.Msg) (tea.Model, tea.Cmd) {
 		}
 
 	case tea.MouseWheelMsg:
-		if m.state == statePopup {
-			var cmd tea.Cmd
-			m.actionList, cmd = m.actionList.Update(msg)
-			return m, cmd
-		}
+		return m.updateMouseWheel(msg)
 	}
 
 	if m.state == stateList {
@@ -171,7 +208,7 @@ func (m Model) updateList(msg tea.KeyPressMsg) (tea.Model, tea.Cmd) {
 		case key.Matches(msg, listKeys.Quit):
 			return m, tea.Quit
 		case key.Matches(msg, listKeys.Refresh):
-			m.notice = ""
+			m.notice = m.defaultNotice()
 			return m, tea.Batch(fetchDevices, fetchDaemonStatus)
 		case key.Matches(msg, listKeys.Help):
 			m.help.ShowAll = !m.help.ShowAll
@@ -186,18 +223,11 @@ func (m Model) updateList(msg tea.KeyPressMsg) (tea.Model, tea.Cmd) {
 				m.state = statePopup
 				return m, nil
 			}
-		case id >= 0 && key.Matches(msg, listKeys.Allow):
-			return m, doAction(id, guard.AllowDevice, false)
-		case id >= 0 && key.Matches(msg, listKeys.AllowPerm):
-			return m, doAction(id, guard.AllowDevice, true)
-		case id >= 0 && key.Matches(msg, listKeys.Block):
-			return m, doAction(id, guard.BlockDevice, false)
-		case id >= 0 && key.Matches(msg, listKeys.BlockPerm):
-			return m, doAction(id, guard.BlockDevice, true)
-		case id >= 0 && key.Matches(msg, listKeys.Reject):
-			return m, doAction(id, guard.RejectDevice, false)
-		case id >= 0 && key.Matches(msg, listKeys.RejectPerm):
-			return m, doAction(id, guard.RejectDevice, true)
+		}
+		if id >= 0 {
+			if cmd := m.deviceActionCmd(msg, id); cmd != nil {
+				return m, cmd
+			}
 		}
 	}
 	var cmd tea.Cmd
@@ -214,6 +244,10 @@ func (m Model) updatePopup(msg tea.KeyPressMsg) (tea.Model, tea.Cmd) {
 	case key.Matches(msg, listKeys.Open):
 		if item := m.actionList.SelectedItem(); item != nil {
 			a := item.(actionItem)
+			if a.nixos && m.selectedDev != nil {
+				rule := guard.NixOSRule(*m.selectedDev, a.status)
+				return m, func() tea.Msg { return nixRuleMsg{rule: rule} }
+			}
 			return m, doAction(m.selectedDev.ID, a.fn, a.permanent)
 		}
 	}
@@ -271,8 +305,13 @@ func (m Model) renderActionSelect() string {
 	title := popupTitleStyle.Foreground(color).Width(innerW).Render(dev.Name)
 	hint := lipgloss.NewStyle().Foreground(colorMuted).Width(innerW).Render("↑↓ navigate  enter confirm  esc cancel")
 
-	content := strings.Join([]string{title, m.actionList.View(), "", hint}, "\n")
-	return popupStyle.Width(innerW).Render(content)
+	parts := []string{title, m.actionList.View(), ""}
+	if m.rulesManaged {
+		nixosHint := lipgloss.NewStyle().Foreground(colorMuted).Width(innerW).Render("[NixOS: perm rules printed on exit]")
+		parts = append(parts, nixosHint)
+	}
+	parts = append(parts, hint)
+	return popupStyle.Width(innerW).Render(strings.Join(parts, "\n"))
 }
 
 func (m Model) popupOuterWidth() int {
@@ -290,15 +329,30 @@ func (m Model) actionListInnerWidth() int {
 	return m.popupOuterWidth() - 8 // border(2) + padding_h(6)
 }
 
+func (m Model) defaultNotice() string {
+	if m.rulesManaged {
+		return "Rules managed by NixOS config: permanent actions will print NixOS rules on exit."
+	}
+	return ""
+}
+
+func (m Model) actionItemCount() int {
+	return 6
+}
+
 // updateActionListSize sizes the action list and toggles pagination based on available space.
 // When there is enough room for all items: pagination is hidden and height is set exactly,
 // avoiding the phantom line that bubbles/list reserves when showPagination=true.
 // When space is limited: pagination is shown naturally by bubbles/list.
 func (m *Model) updateActionListSize() {
-	const items = 6
+	items := m.actionItemCount()
 	innerW := m.actionListInnerWidth()
-	// popup overhead: border(2) + padding_v(2) + title(1) + blank(1) + hint(1) = 7
-	available := m.height - 7 - 2 // 2 lines margin
+	// popup overhead: border(2) + padding_v(2) + title(1) + blank(1) + hint(1) = 7; +1 for NixOS footer
+	overhead := 7
+	if m.rulesManaged {
+		overhead = 8
+	}
+	available := m.height - overhead - 2 // 2 lines margin
 	if available >= items {
 		m.actionList.SetShowPagination(false)
 		m.actionList.SetSize(innerW, items)
@@ -347,3 +401,46 @@ func doAction(id int, fn func(int, bool) error, permanent bool) tea.Cmd {
 		return actionMsg{err: fn(id, permanent)}
 	}
 }
+
+type actionBinding struct {
+	binding       key.Binding
+	fn            func(int, bool) error
+	perm          bool
+	needsWritable bool
+}
+
+var deviceActionBindings = []actionBinding{
+	{listKeys.Allow, guard.AllowDevice, false, false},
+	{listKeys.AllowPerm, guard.AllowDevice, true, true},
+	{listKeys.Block, guard.BlockDevice, false, false},
+	{listKeys.BlockPerm, guard.BlockDevice, true, true},
+	{listKeys.Reject, guard.RejectDevice, false, false},
+	{listKeys.RejectPerm, guard.RejectDevice, true, true},
+}
+
+func (m Model) deviceActionCmd(msg tea.KeyPressMsg, id int) tea.Cmd {
+	for _, b := range deviceActionBindings {
+		if (!b.needsWritable || !m.rulesManaged) && key.Matches(msg, b.binding) {
+			return doAction(id, b.fn, b.perm)
+		}
+	}
+	return nil
+}
+
+func (m Model) updateMouseWheel(msg tea.MouseWheelMsg) (tea.Model, tea.Cmd) {
+	switch msg.Button {
+	case tea.MouseWheelUp:
+		if m.state == statePopup {
+			m.actionList.CursorUp()
+		} else {
+			m.list.CursorUp()
+		}
+	case tea.MouseWheelDown:
+		if m.state == statePopup {
+			m.actionList.CursorDown()
+		} else {
+			m.list.CursorDown()
+		}
+	}
+	return m, nil
+}

internal/ui/styles.go

@@ -48,7 +48,5 @@ var (
 
 	popupTitleStyle = lipgloss.NewStyle().Bold(true).MarginBottom(1)
 
-	keyHintStyle = lipgloss.NewStyle().Foreground(colorAccent).Bold(true)
-	warnStyle    = lipgloss.NewStyle().Foreground(colorRejected)
-	errStyle     = lipgloss.NewStyle().Foreground(colorBlocked).Bold(true)
+	warnStyle = lipgloss.NewStyle().Foreground(colorRejected)
 )

main.go

@@ -23,8 +23,19 @@ func main() {
 	}
 
 	p := tea.NewProgram(ui.New())
-	if _, err := p.Run(); err != nil {
+	m, err := p.Run()
+	if err != nil {
 		fmt.Fprintln(os.Stderr, err)
 		os.Exit(1)
 	}
+	if fm, ok := m.(ui.Model); ok {
+		if rules := fm.PendingRules(); len(rules) > 0 {
+			fmt.Println("# Add to your NixOS configuration:")
+			fmt.Println("services.usbguard.rules = lib.mkAfter ''")
+			for _, rule := range rules {
+				fmt.Println(" ", rule)
+			}
+			fmt.Println("'';")
+		}
+	}
 }