usbguard and drop todo

2025-01-28 21:28:00 -08:00 · 2025-01-28 21:28:00 -08:00 · d5f82d159e
commit d5f82d159e
parent 3e9d8af023
5 changed files with 20 additions and 14 deletions
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@ nix flake config! this is just used on my personal computer

 ## users

-this flake is built upon a single user system for all hosts, enforced by [`modules/user.nix`](./modules/user.nix). this makes it alot easier to make modules that use nixos and `home-manager`
+this flake is built upon a single user system for all hosts, enforced by [`modules/user.nix`](./modules/user.nix). this makes it a lot easier to make modules that use nixos and `home-manager`

 for something more server oriented, check out [`nix-server`](https://git.reidlab.pink/reidlab/nix-server)

@ -14,15 +14,3 @@ each host should have these files:

  - `default.nix`, contains everything relating to the basic system
  - `hardware.nix`, hardware configuration.
-
-## todo
-
-  - multi architecture configuration ([nix-systems](https://github.com/nix-systems/nix-systems)?)
-  - hidpi option ? mostly auto these days though
-  - better theming for hyprlock, rofi, dunst (accent for hyprlock & dunst, variants for rofi)
-  - some way for border radius, border, tranparency theme options
-  - tags for pip and popups in hyprland config
-  - make wl-clip-persist and networkmanager applet systemd services?
-  - gtk cursors are MESSED UP. top priority rn
-  - niri.. yum
-  - international keyboard for Spanish
--- a/modules/desktop/dunst.nix
+++ b/modules/desktop/dunst.nix
@ -17,6 +17,7 @@ in {
          follow = "mouse";
          width = 300;
          height = 145;
+          # TODO: make more dynamic
          frame_color = "#f5c2e7"; # catppuccin pink

          origin = "top-right";
--- a/modules/desktop/hyprlock.nix
+++ b/modules/desktop/hyprlock.nix
@ -57,6 +57,7 @@ in {
            position = "0, 105";
            text = "cmd[update:1000] echo \"<span font_weight='1000'>$(date +'%H')</span>\"";
            font_size = 78;
+            # TODO: make more dynamic
            color = "rgb(f5c2e7)"; # catppuccin pink
            font_family = config.modules.desktop.fonts.fonts.sansSerif.family;
            halign = "center"; valign = "center";
--- a/modules/desktop/themes/catppuccin/rofi.rasi
+++ b/modules/desktop/themes/catppuccin/rofi.rasi
@ -20,6 +20,7 @@ window {
  height: 500px;
  border: 1px;
  border-radius: 1em;
+  /* TODO: make more dynamic */
  border-color: @pink;
  background-color: @bg-col;
 }
--- a/modules/security.nix
+++ b/modules/security.nix
@ -63,7 +63,22 @@ in {
    # personal computer? no firewall ty :3
    networking.firewall.enable = false;

-    # TODO: usbguard
+
+    services.usbguard = {
+      IPCAllowedUsers = [ "root" "${env.mainUser}" ];
+      presentDevicePolicy = "allow";
+      rules = ''
+        allow with-interface equals { 08:*:* }
+
+        # reject devices with suspicious combination of interfaces (ex. mass storage + keyboard)
+        reject with-interface all-of { 08:*:* 03:00:* }
+        reject with-interface all-of { 08:*:* 03:01:* }
+        reject with-interface all-of { 08:*:* e0:*:* }
+        reject with-interface all-of { 08:*:* 02:*:* }
+      '';
+    };
+
+    services.fwupd.enable = true;
  } // (mkIf cfg.useDoas {
    security.sudo.enable = false;
    security.doas.enable = true;