nixos: services: wireguard: add 'simpleManagement'

This makes it easier to manage the VPN services, as they don't require a
password prompt to be brought up/down.
Bruno BELANYI 2023-12-14 11:10:14 +00:00
parent 9ddd59eac8
commit 1faa8d9acf


@ -100,6 +100,8 @@ in
options.my.services.wireguard = with lib; { options.my.services.wireguard = with lib; {
enable = mkEnableOption "Wireguard VPN service"; enable = mkEnableOption "Wireguard VPN service";
simpleManagement = my.mkDisableOption "manage units without password prompts";
startAtBoot = mkEnableOption '' startAtBoot = mkEnableOption ''
Should the VPN service be started at boot. Must be true for the server to Should the VPN service be started at boot. Must be true for the server to
work reliably. work reliably.
@ -273,5 +275,24 @@ in
after = [ "wg-quick-${cfg.iface}.service" ]; after = [ "wg-quick-${cfg.iface}.service" ];
}; };
}) })
# Make it possible to manage those units without using passwords, for admins
(lib.mkIf cfg.simpleManagement {
environment.etc."polkit-1/rules.d/50-wg-quick.rules".text = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
var unit = action.lookup("unit")
if (unit == "wg-quick-${cfg.iface}.service" || unit == "wg-quick-${cfg.internal.name}.service") {
var verb = action.lookup("verb");
if (verb == "start" || verb == "stop" || verb == "restart") {
if (subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
}
}
}
});
'';
})
]); ]);
} }
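Review bot: The polkit rule added in the second hunk returns `polkit.Result.YES` for any subject in `wheel` without checking `subject.local` or `subject.active`, so every process running as a wheel user, including one in a remote session, can stop or restart the tunnel with no authentication. Because the option is declared with `my.mkDisableOption` (presumably default-on; the helper is defined outside this page), this becomes the default for every host that enables the module instead of an opt-in. I would state the trade-off in the comment above the `mkIf`, e.g. `# NOTE: lets any wheel member start/stop/restart the VPN units without authentication; disable simpleManagement where an unattended tunnel drop is unacceptable`, and, if remote management is not a goal, narrow the check to `subject.isInGroup("wheel") && subject.active`. As a style point, `var unit = action.lookup("unit")` is missing its semicolon, unlike the `verb` line below it. The enclosing list and module body start outside the hunk.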