nixos/usbguard: restore ruleFile option

Janik H. 2023-09-20 13:55:55 +02:00
parent f0b0a2fa2b
commit 3b673297e7
No known key found for this signature in database


@ -7,10 +7,8 @@ let
# valid policy options
policy = (types.enum [ "allow" "block" "reject" "keep" "apply-policy" ]);
defaultRuleFile = "/var/lib/usbguard/rules.conf";
# decide what file to use for rules
ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else defaultRuleFile;
ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else cfg.ruleFile;
daemonConf = ''
# generated by nixos/modules/services/security/usbguard.nix
@ -51,6 +49,19 @@ in
'';
};
ruleFile = mkOption {
type = types.nullOr types.path;
default = /var/lib/usbguard/rules.conf;
example = /run/secrets/usbguard-rules;
description = lib.mdDoc ''
This tells the USBGuard daemon which file to load as policy rule set.
The file can be changed manually or via the IPC interface assuming it has the right file permissions.
For more details see {manpage}`usbguard-rules.conf(5)`.
'';
};
rules = mkOption {
type = types.nullOr types.lines;
default = null;
@ -63,8 +74,7 @@ in
be changed by the IPC interface.
If you do not set this option, the USBGuard daemon will load
it's policy rule set from `${defaultRuleFile}`.
This file can be changed manually or via the IPC interface.
it's policy rule set from the option configured in `services.usbguard.ruleFile`.
Running `usbguard generate-policy` as root will
generate a config for your currently plugged in devices.
@ -248,7 +258,6 @@ in
'';
};
imports = [
(mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "The usbguard module now uses ${defaultRuleFile} as ruleFile. Alternatively, use services.usbguard.rules to configure rules.")
(mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.")
(mkRemovedOptionModule [ "services" "usbguard" "auditFilePath" ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
(mkRenamedOptionModule [ "services" "usbguard" "implictPolicyTarget" ] [ "services" "usbguard" "implicitPolicyTarget" ])
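Review bot: In the restored `ruleFile` option, `default` and `example` are written as bare Nix path literals rather than strings, at least as rendered here. If the value is later interpolated into the generated daemon config (that part of `daemonConf` is outside the hunk), Nix would copy the file into the world-readable, read-only store at evaluation time, so a rules file kept under `/run/secrets` would be exposed and the daemon would load a copy that neither manual edits nor the IPC interface can change. Quoting both values avoids this: `default = "/var/lib/usbguard/rules.conf";` and `example = "/run/secrets/usbguard-rules";`. Separately, `types.nullOr` allows `rules` and `ruleFile` to both be null, in which case the new `ruleFile` binding in the `let` block evaluates to null; either the description should state what a null value means for the daemon, or the type should drop `nullOr`.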