Unverified Commit a0db07da authored by 0x4A6F's avatar 0x4A6F Committed by GitHub

Merge pull request #256295 from Janik-Haag/usbguard

nixos/usbguard: restore ruleFile option
parents af044ad3 3b673297
+15 −6
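--- a/nixos/modules/services/security/usbguard.nix
+++ b/nixos/modules/services/security/usbguard.nix
@@ -7,10 +7,8 @@ let
   # valid policy options
   policy = (types.enum [ "allow" "block" "reject" "keep" "apply-policy" ]);
 
-  defaultRuleFile = "/var/lib/usbguard/rules.conf";
-
   # decide what file to use for rules
-  ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else defaultRuleFile;
+  ruleFile = if cfg.rules != null then pkgs.writeText "usbguard-rules" cfg.rules else cfg.ruleFile;
 
   daemonConf = ''
     # generated by nixos/modules/services/security/usbguard.nix
@@ -51,6 +49,19 @@ in
         '';
       };
 
+      ruleFile = mkOption {
+        type = types.nullOr types.path;
+        default = /var/lib/usbguard/rules.conf;
+        example = /run/secrets/usbguard-rules;
+        description = lib.mdDoc ''
+          This tells the USBGuard daemon which file to load as policy rule set.
+
+          The file can be changed manually or via the IPC interface assuming it has the right file permissions.
+
+          For more details see {manpage}`usbguard-rules.conf(5)`.
+        '';
+
+      };
       rules = mkOption {
         type = types.nullOr types.lines;
         default = null;
@@ -63,8 +74,7 @@ in
           be changed by the IPC interface.
 
           If you do not set this option, the USBGuard daemon will load
-          it's policy rule set from `${defaultRuleFile}`.
-          This file can be changed manually or via the IPC interface.
+          it's policy rule set from the option configured in `services.usbguard.ruleFile`.
 
           Running `usbguard generate-policy` as root will
           generate a config for your currently plugged in devices.
@@ -248,7 +258,6 @@ in
       '';
   };
   imports = [
-    (mkRemovedOptionModule [ "services" "usbguard" "ruleFile" ] "The usbguard module now uses ${defaultRuleFile} as ruleFile. Alternatively, use services.usbguard.rules to configure rules.")
     (mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.")
     (mkRemovedOptionModule [ "services" "usbguard" "auditFilePath" ] "Removed usbguard module audit log files. Audit logs can be found in the systemd journal.")
     (mkRenamedOptionModule [ "services" "usbguard" "implictPolicyTarget" ] [ "services" "usbguard" "implicitPolicyTarget" ])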
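Review bot: The restored `ruleFile` option gives its `default` and `example` as unquoted Nix path literals (`/var/lib/usbguard/rules.conf`, `/run/secrets/usbguard-rules`), and a path value interpolated into a string is copied into the Nix store. If `ruleFile` reaches the generated daemon config by interpolation (the `daemonConf` body lies outside the hunks shown), the daemon would load a world-readable, immutable store copy, so a rule set kept under `/run/secrets` would be exposed and edits made by hand or over IPC would never take effect. Writing both as strings avoids this: `default = "/var/lib/usbguard/rules.conf";` and `example = "/run/secrets/usbguard-rules";`. The type is also `types.nullOr`, so with `rules` unset a `null` value flows into the `ruleFile` binding in the first hunk; either handle that case where the config is rendered or drop `nullOr` so evaluation cannot produce a config without a rule file.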