Compare commits
No commits in common. "4716c8a07d8dfbf991bcec8ada45a4f8bb883855" and "aa8a6f5acebc6825f71d5dbac9ce9033f8b5fcde" have entirely different histories.
4716c8a07d
...
aa8a6f5ace
@ -222,7 +222,7 @@ An encrypted swap partition can optionally be set up using BTRFS later.
|
||||
All commands prefixed with `#` are expected to be run as the `root` user. Make sure to enter a strong encryption password during `luksFormat` (and then remember it!).
|
||||
|
||||
```shell
|
||||
# cryptsetup luksFormat --type=luks2 /dev/nvme0n1p2
|
||||
# cryptsetup luksFormat --type=luk2 /dev/nvme0n1p2
|
||||
# cryptsetup open /dev/nvme0n1p2 cryptroot
|
||||
```
|
||||
|
||||
|
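Review bot: The `luksFormat` line in the shell block now reads `--type=luk2` (second of the two printed variants, which on this rendered page is normally the new side), and `luk2` is not a valid cryptsetup type, so anyone following the guide gets an error instead of a LUKS2 container; the line should read `# cryptsetup luksFormat --type=luks2 /dev/nvme0n1p2`. If the compare direction is reversed and `luks2` is in fact the new text, the hunk is the fix for that typo and nothing further is needed. Either way the surrounding `cryptsetup open` step assumes the format succeeded, so the sentence above the block could add that the `open` command must only be run after `luksFormat` completes without error.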
@ -169,8 +169,8 @@
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Run firefox in wayland.
|
||||
home.sessionVariables.MOZ_ENABLE_WAYLAND = "1";
|
||||
};
|
||||
|
||||
# Run firefox in wayland.
|
||||
home.sessionVariables.MOZ_ENABLE_WAYLAND = "1";
|
||||
}
|
||||
|
@ -1,60 +0,0 @@
|
||||
{
|
||||
config,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
options.snowflake.hardware.usbguard = {
|
||||
# WARNING: be very careful before turning on usbguard. It'll has the potential
|
||||
# to disable your keyboard and render your system useless. To use this
|
||||
# module follow the following steps.
|
||||
#
|
||||
# 1. Enable this module while keeping the service.enable option set to false.
|
||||
# This will only install usbguard onto your system without enabling the
|
||||
# usbguard systemd service.
|
||||
# 2. Do not connect any USB devices to your laptop. Or only connect
|
||||
# trusted, frequently used devices
|
||||
# 3. use the command `usbguard generate-policy` to generate the usbguard
|
||||
# "rules". This will generate a list of devices which are trusted and can
|
||||
# be interfaced with the system without explicit approval. This include
|
||||
# your inbuilt keyboard, webcam etc
|
||||
# 4. set the output of this command as the value for the "rules" option,
|
||||
# and set the "service.enable" option to true
|
||||
#
|
||||
# Ref:
|
||||
# - https://github.com/USBGuard/usbguard/blob/main/doc/man/usbguard-rules.conf.5.adoc
|
||||
|
||||
# FAQ
|
||||
# - to connect a new USB device
|
||||
# - run `sudo usbguard watch` in a tty
|
||||
# - connect your device
|
||||
# - find the device ID from the tty running `usbguard watch`
|
||||
# - run `sudo usbguard allow-device {device_id}` to allow the device to
|
||||
# interface with the system
|
||||
|
||||
enable = lib.mkEnableOption "Enable usbguard module, only installs the package";
|
||||
|
||||
service.enable = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Enable the usbguard service";
|
||||
};
|
||||
|
||||
rules = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
description = "Usbguard rules for default devices which are allowed to be connected";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf config.snowflake.hardware.usbguard.enable {
|
||||
environment.systemPackages = [pkgs.usbguard];
|
||||
|
||||
services.usbguard = {
|
||||
enable = config.snowflake.hardware.usbguard.service.enable;
|
||||
rules = config.snowflake.hardware.usbguard.rules;
|
||||
dbus.enable = true;
|
||||
IPCAllowedGroups = ["wheel"];
|
||||
};
|
||||
};
|
||||
}
|
@ -54,28 +54,6 @@
|
||||
hardware.bluetooth.enable = true;
|
||||
hardware.yubico.enable = true;
|
||||
|
||||
hardware.usbguard = {
|
||||
enable = true;
|
||||
service.enable = true;
|
||||
rules = ''
|
||||
allow id 1d6b:0002 serial "0000:00:0d.0" name "xHCI Host Controller" hash "d3YN7OD60Ggqc9hClW0/al6tlFEshidDnQKzZRRk410=" parent-hash "Y1kBdG1uWQr5CjULQs7uh2F6pHgFb6VDHcWLk83v+tE=" with-interface 09:00:00 with-connect-type ""
|
||||
allow id 1d6b:0003 serial "0000:00:0d.0" name "xHCI Host Controller" hash "4Q3Ski/Lqi8RbTFr10zFlIpagY9AKVMszyzBQJVKE+c=" parent-hash "Y1kBdG1uWQr5CjULQs7uh2F6pHgFb6VDHcWLk83v+tE=" with-interface 09:00:00 with-connect-type ""
|
||||
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller" hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
|
||||
allow id 1d6b:0003 serial "0000:00:14.0" name "xHCI Host Controller" hash "prM+Jby/bFHCn2lNjQdAMbgc6tse3xVx+hZwjOPHSdQ=" parent-hash "rV9bfLq7c2eA4tYjVjwO4bxhm+y6GgZpl9J60L0fBkY=" with-interface 09:00:00 with-connect-type ""
|
||||
allow id 0bda:0411 serial "" name "USB3.2 Hub" hash "WfY2L4vTgeqoijkio8APWsywYF88RGioDTmQYgrwFWQ=" parent-hash "4Q3Ski/Lqi8RbTFr10zFlIpagY9AKVMszyzBQJVKE+c=" via-port "2-1" with-interface 09:00:00 with-connect-type "hotplug"
|
||||
allow id 0bda:5411 serial "" name "USB2.1 Hub" hash "3L4WgoHAw84HzheIfj3futScEN4fKgpTxcy8/f/7LZc=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" via-port "3-3" with-interface { 09:00:01 09:00:02 } with-connect-type "hotplug"
|
||||
allow id 06cb:0123 serial "a791cab37011" name "" hash "sw4ze+9ZwZmVtduvB8usJ46HkIEiAeSjaLpbcQF8Jvs=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface ff:00:00 with-connect-type "not used"
|
||||
allow id 04f2:b7e0 serial "0001" name "Integrated Camera" hash "ZYgg5bziBh/fUAZv1fclNEfj+8XRrFavcVHenzbXzdM=" parent-hash "jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=" with-interface { 0e:01:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:01:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 0e:02:01 fe:01:01 } with-connect-type "not used"
|
||||
allow id 8087:0036 serial "" name "" hash "XwbcZSrllifsnXXcFkmww6DJnTpumS/N2rYZllwTvH4=" parent-hash "jEP/6WzviqdJ5VSeTUY8Pat CNBKeaREvo2OqdplND/o=" via-port "3-10" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type "not used"
|
||||
allow id 0bda:8153 serial "3213000001" name "USB 10/100/1000 LAN" hash "A1AuNE+AAY9gDVu7aI2vdF3SaxGcOfkQGHi9ZXSQ2rY=" parent-hash "WfY2L4vTgeqoijkio8APWsywYF88RGioDTmQYgrwFWQ=" with-interface { ff:ff:00 02:06:00 0a:00:00 0a:00:00 } with-connect-type "unknown"
|
||||
allow id 0bda:0411 serial "" name "USB3.2 Hub" hash "WfY2L4vTgeqoijkio8APWsywYF88RGioDTmQYgrwFWQ=" parent-hash "WfY2L4vTgeqoijkio8APWsywYF88RGioDTmQYgrwFWQ=" via-port "2-1.2" with-interface 09:00:00 with-connect-type "unknown"
|
||||
allow id 0bda:5411 serial "" name "USB2.1 Hub" hash "3L4WgoHAw84HzheIfj3futScEN4fKgpTxcy8/f/7LZc=" parent-hash "3L4WgoHAw84HzheIfj3futScEN4fKgpTxcy8/f/7LZc=" via-port "3-3.2" with-interface { 09:00:01 09:00:02 } with-connect-type "unknown"
|
||||
allow id 0bda:1100 serial "" name "HID Device" hash "5qV38hE0ACWm79QYAOtGSKu9XWKXnOma2l8bhjeTCYU=" parent-hash "3L4WgoHAw84HzheIfj3futScEN4fKgpTxcy8/f/7LZc=" via-port "3-3.5" with-interface 03:00:00 with-connect-type "unknown"
|
||||
allow id 046d:c08b serial "126639653638" name "G502 HERO Gaming Mouse" hash "kDBrbfHYxgALCAE/mY1ZXOaFyPa3qL5VowXrI++l7zI=" parent-hash "3L4WgoHAw84HzheIfj3futScEN4fKgpTxcy8/f/7LZc=" with-interface { 03:01:02 03:00:00 } with-connect-type "unknown"
|
||||
allow id 05ac:024f serial "" name "Keychron K2" hash "P0EEuXdfPcoHSkHSzrh8ufjXNa6gxX5mRrLbafVqmWE=" parent-hash "3L4WgoHAw84HzheIfj3futScEN4fKgpTxcy8/f/7LZc=" via-port "3-3.2.2" with-interface { 03:01:01 03:01:02 } with-connect-type "unknown"
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.enable = true;
|
||||
networking.networkManager.enable = true;
|
||||
networking.iwd.enable = true;
|
||||
|