From 41b3d3112985f196fabdea2f328033a87a69a603 Mon Sep 17 00:00:00 2001
From: Charlie Root
Date: Sun, 6 Apr 2025 23:17:40 +0200
Subject: [PATCH] usbguard: add enable option, enable on temperance
---
 hosts/temperance/configuration.nix | 1 +
 modules/services/usbguard/module.nix | 31 +++++++++++++++++-----------
 2 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/hosts/temperance/configuration.nix b/hosts/temperance/configuration.nix
index e83bf4a..17abeb0 100644
--- a/hosts/temperance/configuration.nix
+++ b/hosts/temperance/configuration.nix
@@ -80,6 +80,7 @@ in {
 services = {
 locate.enable = true;
+ usbguard.enable = true;
 media.mpd = {
 enable = true;
diff --git a/modules/services/usbguard/module.nix b/modules/services/usbguard/module.nix
index bf4cd0a..9bdaa71 100644
--- a/modules/services/usbguard/module.nix
+++ b/modules/services/usbguard/module.nix
@@ -5,19 +5,26 @@
 ...
 }: let
 inherit (config.meta.mainUser) username;
+ inherit (lib.modules) mkIf;
+ inherit (lib.options) mkEnableOption;
+ cfg = config.modules.services.usbguard;
 in {
- environment.systemPackages = [pkgs.usbguard];
- services.usbguard = {
- IPCAllowedUsers = ["root" "${username}"];
- presentDevicePolicy = "allow";
- rules = ''
- allow with-interface equals { 08:*:* }
+ options.modules.services.usbguard.enable = mkEnableOption "usbguard";
+ config = mkIf cfg.enable {
+ environment.systemPackages = [pkgs.usbguard];
+ services.usbguard = {
+ enable = true;
+ IPCAllowedUsers = ["root" "${username}"];
+ presentDevicePolicy = "allow";
+ rules = ''
+ allow with-interface equals { 08:*:* }
- # Reject devices with suspicious combination of interfaces
- reject with-interface all-of { 08:*:* 03:00:* }
- reject with-interface all-of { 08:*:* 03:01:* }
- reject with-interface all-of { 08:*:* e0:*:* }
- reject with-interface all-of { 08:*:* 02:*:* }
- '';
+ # Reject devices with suspicious combination of interfaces
+ reject with-interface all-of { 08:*:* 03:00:* }
+ reject with-interface all-of { 08:*:* 03:01:* }
+ reject with-interface all-of { 08:*:* e0:*:* }
+ reject with-interface all-of { 08:*:* 02:*:* }
+ '';
+ };
 };
 }
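Review bot: The policy enforced by the new `config = mkIf cfg.enable` block is weaker than its rule list suggests, because `presentDevicePolicy = "allow"` authorizes whatever is already attached when the daemon starts without consulting the rules, and listing `${username}` in `IPCAllowedUsers` lets any process running as that user authorize a blocked device over the IPC socket; if this option is meant as a hardening switch, `presentDevicePolicy = "apply-policy"` (which I believe is the NixOS default — confirm against the current module) plus a short comment on the IPC trade-off above `IPCAllowedUsers` would make the intent explicit. The `rules` string also deserves a one-line comment such as `# Only devices whose interface set is exactly mass-storage are allowed; everything else falls to implicitPolicyTarget`, since `with-interface equals { 08:*:* }` already fails to match the composite devices the reject lines name, so those lines only turn an implicit block into an explicit reject for them. Whether `environment.systemPackages = [pkgs.usbguard]` is still needed next to `services.usbguard.enable = true` depends on whether the upstream module already installs the package — worth checking before keeping both. The enclosing module attrset begins before the hunk.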