diff --git a/modules/nixos/services/wireguard/default.nix b/modules/nixos/services/wireguard/default.nix
index fc5518d..26e54e0 100644
--- a/modules/nixos/services/wireguard/default.nix
+++ b/modules/nixos/services/wireguard/default.nix
@@ -100,6 +100,8 @@ in
   options.my.services.wireguard = with lib; {
     enable = mkEnableOption "Wireguard VPN service";
 
+    simpleManagement = my.mkDisableOption "manage units without password prompts";
+
     startAtBoot = mkEnableOption ''
       Should the VPN service be started at boot. Must be true for the server to
       work reliably.
@@ -261,5 +263,36 @@ in
     (lib.mkIf (cfg.internal.enable && !cfg.internal.startAtBoot) {
       systemd.services."wg-quick-${cfg.internal.name}".wantedBy = lib.mkForce [ ];
     })
+
+    # Make systemd shut down one service when starting the other
+    (lib.mkIf (cfg.internal.enable) {
+      systemd.services."wg-quick-${cfg.iface}" = {
+        conflicts = [ "wg-quick-${cfg.internal.name}.service" ];
+        after = [ "wg-quick-${cfg.internal.name}.service" ];
+      };
+      systemd.services."wg-quick-${cfg.internal.name}" = {
+        conflicts = [ "wg-quick-${cfg.iface}.service" ];
+        after = [ "wg-quick-${cfg.iface}.service" ];
+      };
+    })
+
+    # Make it possible to manage those units without using passwords, for admins
+    (lib.mkIf cfg.simpleManagement {
+      environment.etc."polkit-1/rules.d/50-wg-quick.rules".text = ''
+        polkit.addRule(function(action, subject) {
+          if (action.id == "org.freedesktop.systemd1.manage-units") {
+            var unit = action.lookup("unit")
+            if (unit == "wg-quick-${cfg.iface}.service" || unit == "wg-quick-${cfg.internal.name}.service") {
+              var verb = action.lookup("verb");
+              if (verb == "start" || verb == "stop" || verb == "restart") {
+                if (subject.isInGroup("wheel")) {
+                  return polkit.Result.YES;
+                }
+              }
+            }
+          }
+        });
+      '';
+    })
   ]);
 }
diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix
index e7a4dd3..e6fb25b 100644
--- a/modules/nixos/system/default.nix
+++ b/modules/nixos/system/default.nix
@@ -10,6 +10,7 @@
     ./nix
     ./packages
     ./podman
+    ./polkit
     ./printing
     ./users
   ];
diff --git a/modules/nixos/system/polkit/default.nix b/modules/nixos/system/polkit/default.nix
new file mode 100644
index 0000000..1e5b573
--- /dev/null
+++ b/modules/nixos/system/polkit/default.nix
@@ -0,0 +1,16 @@
+# Polkit settings
+{ config, lib, ... }:
+let
+  cfg = config.my.system.polkit;
+in
+{
+  options.my.system.polkit = with lib; {
+    enable = my.mkDisableOption "polkit configuration";
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.polkit = {
+      enable = true;
+    };
+  };
+}