From 596d699abc6751e6d6c2d69838ede7d9448b4aa9 Mon Sep 17 00:00:00 2001
From: Charlie Root
Date: Sun, 6 Apr 2025 22:08:59 +0200
Subject: [PATCH] usbguard/module.nix: init
---
modules/services/usbguard/module.nix | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 modules/services/usbguard/module.nix
diff --git a/modules/services/usbguard/module.nix b/modules/services/usbguard/module.nix
new file mode 100644
index 0000000..bf4cd0a
--- /dev/null
+++ b/modules/services/usbguard/module.nix
@@ -0,0 +1,23 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (config.meta.mainUser) username;
+in {
+ environment.systemPackages = [pkgs.usbguard];
+ services.usbguard = {
+ IPCAllowedUsers = ["root" "${username}"];
+ presentDevicePolicy = "allow";
+ rules = ''
+ allow with-interface equals { 08:*:* }
+
+ # Reject devices with suspicious combination of interfaces
+ reject with-interface all-of { 08:*:* 03:00:* }
+ reject with-interface all-of { 08:*:* 03:01:* }
+ reject with-interface all-of { 08:*:* e0:*:* }
+ reject with-interface all-of { 08:*:* 02:*:* }
+ '';
+ };
+}
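Review bot: `presentDevicePolicy = "allow";` authorizes every device already attached when the daemon starts without evaluating `rules`, so the storage-plus-HID composites that the `reject` lines target are accepted if they are plugged in before boot or before a daemon restart. Consider `presentDevicePolicy = "apply-policy";` together with explicit `allow` rules for the machine's built-in devices (for example seeded from `usbguard generate-policy`), otherwise the internal keyboard and hubs would be blocked at boot. The file also never sets `services.usbguard.enable = true;`, so unless another module enables the service these options have no effect and only the CLI package is installed. Listing the main user in `IPCAllowedUsers` lets any process in that user's session authorize devices over IPC; a comment stating that this is intended would help, and `"${username}"` can be written as plain `username`.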