usbguard: generate policy for connected devices

Also nftables: don't start the service right away (the nftables module might not be loaded immediately)
2022-03-22 00:16:49 +07:00 · 2022-03-22 00:16:49 +07:00 · 81c89d0ecb
parent a3595c7e21
commit 81c89d0ecb
3 changed files with 18 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -68,7 +68,7 @@ $ sudo ansible-playbook -v setup.yml
 - [ ] [libudev-zero](https://github.com/illiliti/libudev-zero/)
 - [x] ACPI events
 - [ ] Better way to handle libvirt's firewall rules (currently hardcoded)
- [ ] /etc/security/access.conf (maybe)
+- [ ] /etc/security/access.conf (maybe?)
 - [ ] snapper / btrbk (rootfs=btrfs)

 ## 📄 License
--- a/roles/nftables/tasks/main.yml
+++ b/roles/nftables/tasks/main.yml
@ -17,4 +17,3 @@
    name: nftables
    runlevel: default
    enabled: yes
-    state: started
--- a/roles/usbguard/tasks/main.yml
+++ b/roles/usbguard/tasks/main.yml
@ -20,3 +20,20 @@
    runlevel: default
    enabled: yes
    state: started
+
+- name: usbguard | Check whether there are defined policies
+  stat:
+    path: /etc/usbguard/rules.conf
+  register: have_policies
+
+# Or else you will be locked out from your desktop with no keyboards and mice
+- name: usbguard | Generate policies for currently connected devices
+  shell: /usr/bin/usbguard generate-policy > /etc/usbguard/rules.conf
+  when: have_policies.stat.size == 0
+
+- name: usbguard | Ensure correct permissions for /etc/usbguard/rules.conf
+  file:
+    path: /etc/usbguard/rules.conf
+    owner: root
+    group: root
+    mode: 0600