Qubes packages (Its alive!)

nixos/modules/misc/ids.nix

@@ -689,6 +689,8 @@ in
       # References:
       # https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes
 
+      qubes = 999; # Qubes dom0 expects gid 999
+
       onepassword = 31001; # 1Password requires that its GID be larger than 1000
       onepassword-cli = 31002; # 1Password requires that its GID be larger than 1000
 

nixos/modules/module-list.nix

@@ -1716,6 +1716,7 @@
   ./virtualisation/parallels-guest.nix
   ./virtualisation/podman/default.nix
   ./virtualisation/qemu-guest-agent.nix
+  ./virtualisation/qubes-dom0.nix
   ./virtualisation/rosetta.nix
   ./virtualisation/spice-usb-redirection.nix
   ./virtualisation/virtualbox-guest.nix

nixos/modules/services/desktop-managers/plasma6.nix

@@ -58,6 +58,7 @@ in {
     ];
 
     qt.enable = true;
+    programs.xwayland.enable = true;
     environment.systemPackages = with kdePackages; let
       requiredPackages = [
         qtwayland # Hack? To make everything run on Wayland
@@ -87,7 +88,6 @@ in {
 
         # Core Plasma parts
         kwin
-        pkgs.xwayland
         kscreen
         libkscreen
         kscreenlocker

nixos/modules/services/security/usbguard.nix

@@ -13,6 +13,8 @@ let
   daemonConf = ''
     # generated by nixos/modules/services/security/usbguard.nix
     RuleFile=${ruleFile}
+    # usual configuration
+    RuleFolder=/etc/usbguard/rules.d
     ImplicitPolicyTarget=${cfg.implicitPolicyTarget}
     PresentDevicePolicy=${cfg.presentDevicePolicy}
     PresentControllerPolicy=${cfg.presentControllerPolicy}
@@ -24,6 +26,7 @@ let
     IPCAllowedGroups=${concatStringsSep " " cfg.IPCAllowedGroups}
     IPCAccessControlFiles=/var/lib/usbguard/IPCAccessControl.d/
     DeviceRulesWithPort=${boolToString cfg.deviceRulesWithPort}
+    AuditBackend=${cfg.AuditBackend}
     # HACK: that way audit logs still land in the journal
     AuditFilePath=/dev/null
   '';
@@ -149,6 +152,15 @@ in
         '';
       };
 
+      AuditBackend = mkOption {
+        type = types.enum ["FileAudit" "LinuxAudit"];
+        default = "FileAudit";
+        example = "LinuxAudit";
+        description = ''
+          USBGuard audit events log backend.
+        '';
+      };
+
       deviceRulesWithPort = mkOption {
         type = types.bool;
         default = false;
@@ -157,6 +169,14 @@ in
         '';
       };
 
+      packages = mkOption {
+        type = types.listOf types.package;
+        default = [ ];
+        description = ''
+          Packages containing USBGuard rules in `/etc/usbguard/rules.d`
+        '';
+      };
+
       dbus.enable = mkEnableOption "USBGuard dbus daemon";
     };
   };
@@ -252,6 +272,12 @@ in
             }
         });
       '';
+
+    environment.etc."usbguard/rules.d".source = pkgs.symlinkJoin {
+      name = "rules.d";
+      paths = cfg.packages;
+      stripPrefix = "/etc/usbguard/rules.d";
+    };
   };
   imports = [
     (mkRemovedOptionModule [ "services" "usbguard" "IPCAccessControlFiles" ] "The usbguard module now hardcodes IPCAccessControlFiles to /var/lib/usbguard/IPCAccessControl.d.")