services: wireguard: allow disabling service

Only the server *needs* to have wireguard up at all times. However a
laptop or desktop probably doesn't need it up at all times.
Bruno BELANYI 2021-04-23 18:29:06 +00:00
parent f79fcd020b
commit 84b61b25b3
2 changed files with 11 additions and 0 deletions


@ -103,6 +103,7 @@ in
# Simple, in-kernel VPN # Simple, in-kernel VPN
wireguard = { wireguard = {
enable = true; enable = true;
startAtBoot = true; # Server must be started to ensure clients can connect
}; };
}; };


@ -24,6 +24,11 @@ in
options.my.services.wireguard = with lib; { options.my.services.wireguard = with lib; {
enable = mkEnableOption "Wireguard VPN service"; enable = mkEnableOption "Wireguard VPN service";
startAtBoot = mkEnableOption ''
Should the VPN service be started at boot. Must be true for the server to
work reliably.
'';
iface = mkOption { iface = mkOption {
type = types.str; type = types.str;
default = "wg"; default = "wg";
@ -162,4 +167,9 @@ in
firewall.allowedUDPPorts = [ cfg.port ]; firewall.allowedUDPPorts = [ cfg.port ];
}; };
# Do not start the service by making it not wanted by any unit
config.systemd.services.wg-quick-wg = lib.mkIf (!cfg.startAtBoot) {
wantedBy = lib.mkForce [ ];
};
} }
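Review bot: The override on `config.systemd.services.wg-quick-wg` hard-codes the unit name, while the same module exposes `iface` as an option (default `"wg"`); if a host sets a different `iface`, and the tunnel unit is presumably named after it, the `wantedBy = lib.mkForce [ ]` lands on a unit that is not the tunnel's and the VPN still comes up at boot despite `startAtBoot = false`. Deriving the name from the option keeps the two in step: `config.systemd.services."wg-quick-${cfg.iface}" = lib.mkIf (cfg.enable && !cfg.startAtBoot) {`. The `cfg.enable` term is suggested because the new attribute appears to sit outside the block guarded by the enable flag (that block starts outside the hunk, so this is inferred), and `startAtBoot` defaults to false, which would define a stub unit on hosts that never enable wireguard. Separately, `mkEnableOption` prepends "Whether to enable" to its argument, so the description renders oddly; a `mkOption` with `type = types.bool` and `default = false` would let the text read as written.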