From d5f82d159e4fdea0b0ecc3c6f440ded811281d9d Mon Sep 17 00:00:00 2001
From: reidlab
Date: Tue, 28 Jan 2025 21:28:00 -0800
Subject: [PATCH] usbguard and drop todo
---
 README.md | 14 +-------------
 modules/desktop/dunst.nix | 1 +
 modules/desktop/hyprlock.nix | 1 +
 modules/desktop/themes/catppuccin/rofi.rasi | 1 +
 modules/security.nix | 17 ++++++++++++++++-
 5 files changed, 20 insertions(+), 14 deletions(-)
diff --git a/README.md b/README.md
index 96692ba..7fe0ab4 100755
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ nix flake config! this is just used on my personal computer
 ## users
-this flake is built upon a single user system for all hosts, enforced by [`modules/user.nix`](./modules/user.nix). this makes it alot easier to make modules that use nixos and `home-manager`
+this flake is built upon a single user system for all hosts, enforced by [`modules/user.nix`](./modules/user.nix). this makes it a lot easier to make modules that use nixos and `home-manager`
 for something more server oriented, check out [`nix-server`](https://git.reidlab.pink/reidlab/nix-server)
@@ -14,15 +14,3 @@ each host should have these files:
 - `default.nix`, contains everything relating to the basic system
 - `hardware.nix`, hardware configuration.
-
-## todo
-
- - multi architecture configuration ([nix-systems](https://github.com/nix-systems/nix-systems)?)
- - hidpi option ? mostly auto these days though
- - better theming for hyprlock, rofi, dunst (accent for hyprlock & dunst, variants for rofi)
- - some way for border radius, border, tranparency theme options
- - tags for pip and popups in hyprland config
- - make wl-clip-persist and networkmanager applet systemd services?
- - gtk cursors are MESSED UP. top priority rn
- - niri.. yum
- - international keyboard for Spanish
diff --git a/modules/desktop/dunst.nix b/modules/desktop/dunst.nix
index 9620440..ca2a80d 100644
--- a/modules/desktop/dunst.nix
+++ b/modules/desktop/dunst.nix
@@ -17,6 +17,7 @@ in {
 follow = "mouse";
 width = 300;
 height = 145;
+ # TODO: make more dynamic
 frame_color = "#f5c2e7"; # catppuccin pink
 origin = "top-right";
diff --git a/modules/desktop/hyprlock.nix b/modules/desktop/hyprlock.nix
index 31c65dc..eca6220 100644
--- a/modules/desktop/hyprlock.nix
+++ b/modules/desktop/hyprlock.nix
@@ -57,6 +57,7 @@ in {
 position = "0, 105";
 text = "cmd[update:1000] echo \"$(date +'%H')\"";
 font_size = 78;
+ # TODO: make more dynamic
 color = "rgb(f5c2e7)"; # catppuccin pink
 font_family = config.modules.desktop.fonts.fonts.sansSerif.family;
 halign = "center"; valign = "center";
diff --git a/modules/desktop/themes/catppuccin/rofi.rasi b/modules/desktop/themes/catppuccin/rofi.rasi
index e7783b2..20514d0 100644
--- a/modules/desktop/themes/catppuccin/rofi.rasi
+++ b/modules/desktop/themes/catppuccin/rofi.rasi
@@ -20,6 +20,7 @@ window {
 height: 500px;
 border: 1px;
 border-radius: 1em;
+ /* TODO: make more dynamic */
 border-color: @pink;
 background-color: @bg-col;
 }
diff --git a/modules/security.nix b/modules/security.nix
index 085f93a..8f8cee2 100755
--- a/modules/security.nix
+++ b/modules/security.nix
@@ -63,7 +63,22 @@ in {
 # personal computer? no firewall ty :3
 networking.firewall.enable = false;
- # TODO: usbguard
+
+ services.usbguard = {
+ IPCAllowedUsers = [ "root" "${env.mainUser}" ];
+ presentDevicePolicy = "allow";
+ rules = ''
+ allow with-interface equals { 08:*:* }
+
+ # reject devices with suspicious combination of interfaces (ex. mass storage + keyboard)
+ reject with-interface all-of { 08:*:* 03:00:* }
+ reject with-interface all-of { 08:*:* 03:01:* }
+ reject with-interface all-of { 08:*:* e0:*:* }
+ reject with-interface all-of { 08:*:* 02:*:* }
+ '';
+ };
+
+ services.fwupd.enable = true;
 } // (mkIf cfg.useDoas {
 security.sudo.enable = false;
 security.doas.enable = true;
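Review bot: The new `services.usbguard` attribute set in modules/security.nix never sets `enable`, and the NixOS option defaults to false, so unless it is turned on elsewhere in the flake these rules are never loaded; add `enable = true;` as the first line of the set. `presentDevicePolicy = "allow";` also authorizes whatever is attached when the daemon starts without evaluating `rules`, so the four `reject` lines only cover devices plugged in later; `presentDevicePolicy = "apply-policy";` would run already-attached devices through the same rules. If `allow` is kept deliberately so that built-in input devices survive boot, say so in a comment such as `# allow: devices present at daemon start are trusted, rules apply to hotplug only`. Listing the main user in `IPCAllowedUsers` lets any process running as that user change device authorization over IPC, which is worth a short comment as an accepted trade-off. The enclosing `in { … }` set starts outside the hunk.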