WIP: reenable usbguard !!! Possibly broken

2023-10-17 21:51:49 +02:00 · 2023-10-17 21:51:49 +02:00 · 1715f33f53
parent f24c21b787
commit 1715f33f53
8 changed files with 22 additions and 25 deletions
--- a/modules/config/default.nix
+++ b/modules/config/default.nix
@ -10,7 +10,7 @@
    ./ssh.nix
    ./system.nix
    ./xdg.nix
-    #./usbguard
+    ./usbguard.nix

    ../../users/root

--- a/modules/config/usbguard.nix
+++ b/modules/config/usbguard.nix
@ -0,0 +1,7 @@
+{config, ...}: {
+  agenix.secrets.usbguard.rekeyFile = ../../secrets/usbguard.rules.age;
+  services.usbguard = {
+    rules = builtins.readFile config.age.secrets.usbguard.path;
+    enable = true;
+  };
+}
--- a/modules/config/usbguard/default.nix
+++ b/modules/config/usbguard/default.nix
@ -1,6 +0,0 @@
-{
-  services.usbguard = {
-    rules = builtins.readFile ./rules.rules;
-    enable = true;
-  };
-}
--- a/modules/config/usbguard/rules.rules
+++ b/modules/config/usbguard/rules.rules
@ -1,18 +0,0 @@
-allow id 046d:0893 serial "6DD0C605" name "Logitech StreamCam" hash "/aR2Emikr/GHtaHc064MiPF5wJN8l4GvBKkQjpkofz8=" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 01:02:00 ff:ff:00 03:00:00 }
-allow id 19f7:0003 serial "" name "RODE NT-USB" hash "1xrmi3l5Z/NuY33kzCFehCT+3IycT8xdHCIeDw5IFeQ=" with-interface { 01:01:00 01:02:00 01:02:00 01:02:00 01:02:00 03:00:00 }
-allow id 1050:0407 serial "" name "YubiKey OTP+FIDO+CCID" hash "Q+A8QQReKclmBSaDIYja0w4Bx6ld2IU6wF7HFKdtJ3Q=" with-interface { 03:01:01 03:00:00 0b:00:00 }
-allow id 0fd9:0060 serial "AL31H1B01852" name "Stream Deck" hash "iEklGuteHgV0NQqrqJUtjRZP+U/TjqlpZ57qiHG4jzE=" with-interface 03:00:00
-allow id 28bd:0075 serial "" name "G430S" hash "gQb86Xi+ev+qpobH93Lk9mQfXlZ6IWzYMVvwwjXMfGo=" with-interface { 03:01:02 03:01:02 03:00:00 }
-
-allow id 0b95:6801 serial "00000002" name "AX68002" hash "bu444EGndlyLkGaXB7RotBGCdpiJzLSpi5cz3g00tsY=" with-interface { 03:01:01 03:01:02 03:01:02 }
-
-allow id 0951:16b7 serial "" name "HyperX Alloy FPS Mechanical Gaming Keyboard" hash "K6ejqPmRbXIugkpv2/6Zxm4KwjftJBApzlDE+YELiqM=" with-interface { 03:01:01 03:01:02 03:01:00 }
-allow id 046d:c534 serial "" name "USB Receiver" hash "2Tmol95c6dv//0RiOpMlUD2f72+S/vuJuIfLIZ2rNXc=" with-interface { 03:01:01 03:01:02 }
-allow id 046d:c539 serial "" name "USB Receiver" hash "h5tO4bdFoMAsoal6HTa8yXCasmsW1tdRZKf1yIQFDgE=" with-interface { 03:01:01 03:01:02 03:00:00 }
-
-allow id 28de:2400 serial "00000001" name "3D Camera" hash "9/MSYNlECtJw4EAd4mI5si/gcDJ3tWHgCEvMxl9DQQw=" with-interface { 0e:01:00 0e:02:00 }
-allow id 28de:2300 serial "LHR-64CBB640" name "Index HMD" hash "E1km0vmcOdKrMZ0GttZHH9U/V1V/ynGVL7eYRXw8/Fg=" with-interface { 03:00:00 03:00:00 03:00:00 }
-allow id 28de:2102 serial "0C879D3C66-RYB" name "Valve VR Radio" hash "24Uu6UvmnVtn+VtqfZdVf916jVdl7rBn0FLbtLj4VxY=" with-interface { 03:00:00 02:02:00 0a:00:00 }
-allow id 28de:2102 serial "08829178E1-LYM" name "Valve VR Radio & HMD Mic" hash "7IhwRpCk0Y0wjSo2xdBTwkywfg2jcb94pdDwtsPgbQU=" with-interface { 03:00:00 01:01:00 01:02:00 01:02:00 }
-
-llow id *:* with-interface one-of { 09:*:* }
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -1,4 +1,5 @@
 [
+  (import ./scripts)
  (_self: super: {
    zsh-histdb-skim = super.callPackage ./zsh-histdb-skim.nix {};
    zsh-histdb = super.callPackage ./zsh-histdb.nix {};
--- a/pkgs/scripts/default.nix
+++ b/pkgs/scripts/default.nix
@ -0,0 +1,5 @@
+_final: prev: {
+  scripts = {
+    usbguardw = prev.callPackage ./usbguardw.nix {};
+  };
+}
--- a/pkgs/scripts/usbguardw.nix
+++ b/pkgs/scripts/usbguardw.nix
@ -0,0 +1,8 @@
+{writeShellApplication}:
+writeShellApplication {
+  name = "usguardw";
+  text = ''
+    set -euo pipefail
+    printenv
+  '';
+}
--- a/secrets/usbguard.rules.age
+++ b/secrets/usbguard.rules.age