usbguard and drop todo

modules/security.nix

@@ -63,7 +63,22 @@ in {
     # personal computer? no firewall ty :3
     networking.firewall.enable = false;
 
-    # TODO: usbguard
+
+    services.usbguard = {
+      IPCAllowedUsers = [ "root" "${env.mainUser}" ];
+      presentDevicePolicy = "allow";
+      rules = ''
+        allow with-interface equals { 08:*:* }
+
+        # reject devices with suspicious combination of interfaces (ex. mass storage + keyboard)
+        reject with-interface all-of { 08:*:* 03:00:* }
+        reject with-interface all-of { 08:*:* 03:01:* }
+        reject with-interface all-of { 08:*:* e0:*:* }
+        reject with-interface all-of { 08:*:* 02:*:* }
+      '';
+    };
+
+    services.fwupd.enable = true;
   } // (mkIf cfg.useDoas {
     security.sudo.enable = false;
     security.doas.enable = true;