services: wireguard: allow disabling service
Only the server *needs* to have wireguard up at all times. However, a laptop or desktop probably doesn't need it up at all times.
parent
f79fcd020b
commit
84b61b25b3
|
@ -103,6 +103,7 @@ in
|
||||||
# Simple, in-kernel VPN
|
# Simple, in-kernel VPN
|
||||||
wireguard = {
|
wireguard = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
startAtBoot = true; # Server must be started to ensure clients can connect
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -24,6 +24,11 @@ in
|
||||||
options.my.services.wireguard = with lib; {
|
options.my.services.wireguard = with lib; {
|
||||||
enable = mkEnableOption "Wireguard VPN service";
|
enable = mkEnableOption "Wireguard VPN service";
|
||||||
|
|
||||||
|
startAtBoot = mkEnableOption ''
|
||||||
|
Should the VPN service be started at boot. Must be true for the server to
|
||||||
|
work reliably.
|
||||||
|
'';
|
||||||
|
|
||||||
iface = mkOption {
|
iface = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "wg";
|
default = "wg";
|
||||||
|
@ -162,4 +167,9 @@ in
|
||||||
|
|
||||||
firewall.allowedUDPPorts = [ cfg.port ];
|
firewall.allowedUDPPorts = [ cfg.port ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Do not start the service by making it not wanted by any unit
|
||||||
|
config.systemd.services.wg-quick-wg = lib.mkIf (!cfg.startAtBoot) {
|
||||||
|
wantedBy = lib.mkForce [ ];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
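Review bot: The override at the end of the module names the unit `wg-quick-wg` literally, although the interface name is configurable through `iface` (default `"wg"`). Assuming the tunnel is declared from `cfg.iface`, a host that sets another name would have the `wantedBy` override land on a unit that is not the tunnel, and the tunnel would still start at boot. Deriving the name keeps the two in step: `config.systemd.services."wg-quick-${cfg.iface}" = lib.mkIf (cfg.enable && !cfg.startAtBoot) {`. The added `cfg.enable` is there because `startAtBoot` defaults to false through `mkEnableOption`, so the condition is also true on hosts where wireguard is disabled; whether the rest of the config is gated on `cfg.enable` is not visible in these hunks. The same default means existing clients stop bringing the tunnel up at boot after this commit, which the option description could state, for example `Clients left at the default come up without the tunnel until it is started manually.`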