install.fairie/home/.chezmoiscripts/universal/run_before_53-configure-sys-usb.sh.tmpl
2023-12-23 10:18:29 +00:00

34 lines
1.6 KiB
Cheetah

{{- if (eq .host.distro.id "qubes") -}}
#!/usr/bin/env bash
# @file Qubes `sys-usb`
# @brief Enables `sys-usb` and configures it with ideal security settings
# @description
# This script ensures that Qubes uses `sys-usb` for USB connections. It also optimizes the configuration
# by applying security configurations that the Qubes documentation recommends.
{{ includeTemplate "universal/profile-before" }}
{{ includeTemplate "universal/logg-before" }}
### Enable sys-usb
logg info 'Modifying Salt configuration to be able to enable sys-usb'
qubesctl top.enabled pillar=True || EXIT_CODE=$?
qubesctl state.highstate || EXIT_CODE=$?
logg info 'Ensuring sys-net-as-usbvm is removed'
qubesctl top.disable qvm.sys-net-as-usbvm pillar=True || EXIT_CODE=$?
logg info 'Ensuring sys-usb is setup and that it is properly configured with the keyboard'
qubesctl state.sls qvm.usb-keyboard
### Configure USB keyboard settings
if [ "{{ .qubes.promptKeyboards }}" = 'true' ]; then
logg info 'Ensure USB keyboards are only allows to connect after prompt is answered'
logg warn 'This can potentially lock you out if all you have are USB keyboards'
echo "sys-usb dom0 ask,user=root,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.InputKeyboard
else
logg info 'Ensuring USB keyboards can connect without a prompt'
echo "sys-usb dom0 allow,user=root" | sudo tee /etc/qubes-rpc/policy/qubes.InputKeyboard
fi
### Configure USB mouse settings
logg info 'Ensuring newly connected USB mouse devices are only allowed to connect after a prompt is accepted'
echo "sys-usb dom0 ask,default_target=dom0" | sudo tee /etc/qubes-rpc/policy/qubes.InputMouse
{{ end -}}