cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

Merge pull request #256295 from Janik-Haag/usbguard

Browse source 
nixos/usbguard: restore ruleFile option
This commit is contained in:
0x4A6F 2023-09-25 22:05:36 +02:00 committed by GitHub
commit a0db07dad5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
nixos/modules/services/security/usbguard.nix
View file

@ -7,10 +7,8 @@ let
# valid policy options # valid policy options
policy = (types.enum [ "allow" "block" "reject" "keep" "apply-policy" ]); policy = (types.enum [ "allow" "block" "reject" "keep" "apply-policy" ]);
defaultRuleFile = "/var/lib/usbguard/rules.conf";
# decide what file to use for rules # decide what file to use for rules
ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else defaultRuleFile; ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else cfg.ruleFile;
daemonConf = '' daemonConf = ''
# generated by nixos/modules/services/security/usbguard.nix # generated by nixos/modules/services/security/usbguard.nix
@ -51,6 +49,19 @@ in
''; '';
}; };
ruleFile = mkOption {
type = types.nullOr types.path;
default = /var/lib/usbguard/rules.conf;
example = /run/secrets/usbguard-rules;
description = lib.mdDoc ''
This tells the USBGuard daemon which file to load as policy rule set.
The file can be changed manually or via the IPC interface assuming it has the right file permissions.
For more details see {manpage}`usbguard-rules.conf(5)`.
'';
};
rules = mkOption { rules = mkOption {
type = types.nullOr types.lines; type = types.nullOr types.lines;
default = null; default = null;
@ -63,8 +74,7 @@ in
be changed by the IPC interface. be changed by the IPC interface.
If you do not set this option, the USBGuard daemon will load If you do not set this option, the USBGuard daemon will load
it's policy rule set from `${defaultRuleFile}`. it's policy rule set from the option configured in `services.usbguard.ruleFile`.
This file can be changed manually or via the IPC interface.
Running `usbguard generate-policy` as root will Running `usbguard generate-policy` as root will
generate a config for your currently plugged in devices. generate a config for your currently plugged in devices.
@ -248,7 +258,6 @@ in
''; '';
}; };
imports = [ imports = [
(mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "The usbguard module now uses ${defaultRuleFile} as ruleFile. Alternatively, use services.usbguard.rules to configure rules.")
(mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.") (mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.")
(mkRemovedOptionModule [ "services" "usbguard" "auditFilePath" ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.") (mkRemovedOptionModule [ "services" "usbguard" "auditFilePath" ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
(mkRenamedOptionModule [ "services" "usbguard" "implictPolicyTarget" ] [ "services" "usbguard" "implicitPolicyTarget" ]) (mkRenamedOptionModule [ "services" "usbguard" "implictPolicyTarget" ] [ "services" "usbguard" "implicitPolicyTarget" ])