nixos: services: wireguard: add 'simpleManagement'

This makes it easier to manage the VPN services, as they don't require a
password prompt to be brought up/down.
Bruno BELANYI 2023-12-14 11:10:14 +00:00
parent 9ddd59eac8
commit 1faa8d9acf


@ -100,6 +100,8 @@ in
options.my.services.wireguard = with lib; {
enable = mkEnableOption "Wireguard VPN service";
simpleManagement = my.mkDisableOption "manage units without password prompts";
startAtBoot = mkEnableOption ''
Should the VPN service be started at boot. Must be true for the server to
work reliably.
@ -273,5 +275,24 @@ in
after = [ "wg-quick-${cfg.iface}.service" ];
};
})
# Make it possible to manage those units without using passwords, for admins
(lib.mkIf cfg.simpleManagement {
environment.etc."polkit-1/rules.d/50-wg-quick.rules".text = ''
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
var unit = action.lookup("unit")
if (unit == "wg-quick-${cfg.iface}.service" || unit == "wg-quick-${cfg.internal.name}.service") {
var verb = action.lookup("verb");
if (verb == "start" || verb == "stop" || verb == "restart") {
if (subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
}
}
}
});
'';
})
]);
}
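Review bot: The polkit rule in the second hunk returns `polkit.Result.YES` for any subject in `wheel` without looking at the session, so every process running as an admin user, including ones in remote or inactive sessions, can start, stop or restart the two wg-quick units with no authentication. Since `simpleManagement` is declared with `my.mkDisableOption`, this is presumably on by default for every host that enables the module, so the tunnel can be taken down without a prompt wherever the VPN is relied on for confidentiality. On machines that are only managed from the local seat, consider narrowing the condition to `if (subject.isInGroup("wheel") && subject.local && subject.active) {`, and state the trade-off in the option description. Separately, `var unit = action.lookup("unit")` lacks the trailing semicolon that the neighbouring `verb` line has. The rule's `lib.mkIf` block is fully visible, but the list it is appended to starts outside the hunk.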