nixos/services.usbguard: remove with lib;

This commit is contained in:
Felix Buehler 2024-12-29 21:50:38 +01:00
parent ee9d6cd0d3
commit 4bcc603cd8


@ -4,14 +4,12 @@
pkgs,
...
}:
with lib;
let
cfg = config.services.usbguard;
# valid policy options
policy = (
types.enum [
lib.types.enum [
"allow"
"block"
"reject"
@ -30,13 +28,13 @@ let
PresentDevicePolicy=${cfg.presentDevicePolicy}
PresentControllerPolicy=${cfg.presentControllerPolicy}
InsertedDevicePolicy=${cfg.insertedDevicePolicy}
RestoreControllerDeviceState=${boolToString cfg.restoreControllerDeviceState}
RestoreControllerDeviceState=${lib.boolToString cfg.restoreControllerDeviceState}
# this does not seem useful for endusers to change
DeviceManagerBackend=uevent
IPCAllowedUsers=${concatStringsSep " " cfg.IPCAllowedUsers}
IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups}
IPCAllowedUsers=${lib.concatStringsSep " " cfg.IPCAllowedUsers}
IPCAllowedGroups=${lib.concatStringsSep " " cfg.IPCAllowedGroups}
IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=${boolToString cfg.deviceRulesWithPort}
DeviceRulesWithPort=${lib.boolToString cfg.deviceRulesWithPort}
# HACK: that way audit logs still land in the journal
AuditFilePath=/dev/null
'';
@ -50,16 +48,16 @@ in
options = {
services.usbguard = {
enable = mkEnableOption "USBGuard daemon";
enable = lib.mkEnableOption "USBGuard daemon";
package = mkPackageOption pkgs "usbguard" {
package = lib.mkPackageOption pkgs "usbguard" {
extraDescription = ''
If you do not need the Qt GUI, use `pkgs.usbguard-nox` to save disk space.
'';
};
ruleFile = mkOption {
type = types.nullOr types.path;
ruleFile = lib.mkOption {
type = lib.types.nullOr lib.types.path;
default = "/var/lib/usbguard/rules.conf";
example = "/run/secrets/usbguard-rules";
description = ''
@ -71,8 +69,8 @@ in
'';
};
rules = mkOption {
type = types.nullOr types.lines;
rules = lib.mkOption {
type = lib.types.nullOr lib.types.lines;
default = null;
example = ''
allow with-interface equals { 08:*:* }
@ -92,8 +90,8 @@ in
'';
};
implicitPolicyTarget = mkOption {
type = types.enum [
implicitPolicyTarget = lib.mkOption {
type = lib.types.enum [
"allow"
"block"
"reject"
@ -106,7 +104,7 @@ in
'';
};
presentDevicePolicy = mkOption {
presentDevicePolicy = lib.mkOption {
type = policy;
default = "apply-policy";
description = ''
@ -117,7 +115,7 @@ in
'';
};
presentControllerPolicy = mkOption {
presentControllerPolicy = lib.mkOption {
type = policy;
default = "keep";
description = ''
@ -126,8 +124,8 @@ in
'';
};
insertedDevicePolicy = mkOption {
type = types.enum [
insertedDevicePolicy = lib.mkOption {
type = lib.types.enum [
"block"
"reject"
"apply-policy"
@ -139,8 +137,8 @@ in
'';
};
restoreControllerDeviceState = mkOption {
type = types.bool;
restoreControllerDeviceState = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
The USBGuard daemon modifies some attributes of controller
@ -151,8 +149,8 @@ in
'';
};
IPCAllowedUsers = mkOption {
type = types.listOf types.str;
IPCAllowedUsers = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ "root" ];
example = [
"root"
@ -163,8 +161,8 @@ in
'';
};
IPCAllowedGroups = mkOption {
type = types.listOf types.str;
IPCAllowedGroups = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "wheel" ];
description = ''
@ -173,21 +171,21 @@ in
'';
};
deviceRulesWithPort = mkOption {
type = types.bool;
deviceRulesWithPort = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Generate device specific rules including the "via-port" attribute.
'';
};
dbus.enable = mkEnableOption "USBGuard dbus daemon";
dbus.enable = lib.mkEnableOption "USBGuard dbus daemon";
};
};
###### implementation
config = mkIf cfg.enable {
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.package ];
@ -239,7 +237,7 @@ in
};
};
usbguard-dbus = mkIf cfg.dbus.enable {
usbguard-dbus = lib.mkIf cfg.dbus.enable {
description = "USBGuard D-Bus Service";
wantedBy = [ "multi-user.target" ];
@ -261,7 +259,7 @@ in
groupCheck =
(lib.concatStrings (map (g: "subject.isInGroup(\"${g}\") || ") cfg.IPCAllowedGroups)) + "false";
in
optionalString cfg.dbus.enable ''
lib.optionalString cfg.dbus.enable ''
polkit.addRule(function(action, subject) {
if ((action.id == "org.usbguard.Policy1.listRules" ||
action.id == "org.usbguard.Policy1.appendRule" ||
@ -278,15 +276,15 @@ in
'';
};
imports = [
(mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ]
(lib.mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ]
"The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d."
)
(mkRemovedOptionModule [
(lib.mkRemovedOptionModule [
"services"
"usbguard"
"auditFilePath"
] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
(mkRenamedOptionModule
(lib.mkRenamedOptionModule
[ "services" "usbguard" "implictPolicyTarget" ]
[ "services" "usbguard" "implicitPolicyTarget" ]
)
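Review bot: In the polkit hunk (`@ -261,7 +259,7`), `groupCheck` still splices each entry of `cfg.IPCAllowedGroups` verbatim into the JavaScript string `subject.isInGroup(\"${g}\")`, so a group name containing a double quote or backslash yields a syntactically broken or altered polkit rule; switching to `lib.optionalString` on the next line leaves that untouched. Group names here come from the administrator's own configuration, so the exposure is limited, but emitting the name as a JSON string literal makes the rule correct for any name: `(lib.concatStrings (map (g: "subject.isInGroup(${builtins.toJSON g}) || ") cfg.IPCAllowedGroups)) + "false"`. The enclosing `let … in` and the polkit rule string both begin and end outside the hunk.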