diff --git a/machines/porthos/services.nix b/machines/porthos/services.nix
index ee38894..9bc99e7 100644
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@@ -103,6 +103,7 @@ in
 # Simple, in-kernel VPN
 wireguard = {
 enable = true;
+ startAtBoot = true; # Server must be started to ensure clients can connect
 };
 };
diff --git a/services/wireguard.nix b/services/wireguard.nix
index f7615a2..ef75f2e 100644
--- a/services/wireguard.nix
+++ b/services/wireguard.nix
@@ -24,6 +24,11 @@ in
 options.my.services.wireguard = with lib; {
 enable = mkEnableOption "Wireguard VPN service";
+ startAtBoot = mkEnableOption ''
+ Should the VPN service be started at boot. Must be true for the server to
+ work reliably.
+ '';
+
 iface = mkOption {
 type = types.str;
 default = "wg";
@@ -162,4 +167,9 @@ in
 firewall.allowedUDPPorts = [ cfg.port ];
 };
+
+ # Do not start the service by making it not wanted by any unit
+ config.systemd.services.wg-quick-wg = lib.mkIf (!cfg.startAtBoot) {
+ wantedBy = lib.mkForce [ ];
+ };
 }
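Review bot: `mkEnableOption` builds its description as "Whether to enable <text>.", so the multi-line string given for `startAtBoot` will render as "Whether to enable Should the VPN service be started at boot…"; a phrase such as `startAtBoot = mkEnableOption "starting the VPN service at boot (required on the server so clients can connect)";` reads correctly. The option also defaults to false, so every host that already sets `enable = true` stops bringing the tunnel up at boot unless it opts in, and only porthos does so in this commit. If that is intended for client machines it deserves a comment next to the option, because a client that used to boot with the tunnel up may now send traffic outside it until the unit is started by hand. The options block continues outside the hunk.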
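Review bot: The override at the end of `services/wireguard.nix` hard-codes the unit name `wg-quick-wg`, which matches only the default `iface = "wg"`, and its `mkIf` does not test `cfg.enable`. With a non-default `iface` the real unit presumably keeps its `wantedBy` and still starts at boot despite `startAtBoot = false`. On hosts that import the module with wireguard disabled, this defines a `wg-quick-wg` service containing nothing but an empty `wantedBy`. Deriving the name and guarding on both flags avoids both: `config.systemd.services."wg-quick-${cfg.iface}" = lib.mkIf (cfg.enable && !cfg.startAtBoot) {`. The module body starts outside the hunk, so how the rest of `config` is guarded is not visible here.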