Security: Enabling USBGuard in a safe way

I have the configs to enable usbguard in my security.nix nixosModule, but still commented out.

Normally, a script reads the currently connected USB devices and allows them permanently.

From then on, one uses the CLI to allow devices. Does this work the same on NixOS? Can I export the usbguard config from my current Fedora Kinoite install, and use it to allow some devices deterministically?

Does this happen in the Nix eval phase too? Or are there other issues? It would be great if users could just enable it, and it would work.

Assuming that by current config you mean your current rules file, then it seems like that should work? Set services.usbguard.ruleFile to wherever you plonked your file from the Fedora install (this must be a string, not a path, otherwise it will be copied into the store etc etc), and don’t set services.usbguard.rules. I don’t use usbguard, but now that you have pointed it out, I have use cases!

1 Like
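
The setup suggested in the reply above, written out as a NixOS module fragment. This is an added example, not code posted in the thread; the location /var/lib/usbguard/rules.conf is an assumption and stands for wherever the rules file exported from Fedora was placed.

```nix
# security.nix (added example; the rules file location below is an assumption)
{ ... }:
{
  services.usbguard = {
    enable = true;

    # A string: the daemon reads this file at runtime, so the rules stay
    # outside the Nix store and can still be changed on the machine.
    ruleFile = "/var/lib/usbguard/rules.conf";

    # Not this: a path literal is copied into the world-readable Nix store,
    # and the daemon would load that immutable copy instead.
    # ruleFile = ./rules.conf;

    # services.usbguard.rules is left unset, as the reply says.
  };
}
```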