From f23e6251cef53dd00d512f36fb61ce0a92991ca7 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Tue, 12 Dec 2023 14:09:10 +0000 Subject: [PATCH 1/3] nixos: services: wireguard: add VPN conflicts It's now easier to do the right thing when starting a VPN service, whether the other one is running or not. --- modules/nixos/services/wireguard/default.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/modules/nixos/services/wireguard/default.nix b/modules/nixos/services/wireguard/default.nix index fc5518d..a213e71 100644 --- a/modules/nixos/services/wireguard/default.nix +++ b/modules/nixos/services/wireguard/default.nix @@ -261,5 +261,17 @@ in (lib.mkIf (cfg.internal.enable && !cfg.internal.startAtBoot) { systemd.services."wg-quick-${cfg.internal.name}".wantedBy = lib.mkForce [ ]; }) + + # Make systemd shut down one service when starting the other + (lib.mkIf (cfg.internal.enable) { + systemd.services."wg-quick-${cfg.iface}" = { + conflicts = [ "wg-quick-${cfg.internal.name}.service" ]; + after = [ "wg-quick-${cfg.internal.name}.service" ]; + }; + systemd.services."wg-quick-${cfg.internal.name}" = { + conflicts = [ "wg-quick-${cfg.iface}.service" ]; + after = [ "wg-quick-${cfg.iface}.service" ]; + }; + }) ]); } From 9ddd59eac8eab6b233372117cb36c7d2618b905a Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 11:08:15 +0000 Subject: [PATCH 2/3] nixos: system: add polkit One nice thing is that it enables the prompts when using `systemctl`, instead of requiring `sudo`. --- modules/nixos/system/default.nix | 1 + modules/nixos/system/polkit/default.nix | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 modules/nixos/system/polkit/default.nix diff --git a/modules/nixos/system/default.nix b/modules/nixos/system/default.nix index e7a4dd3..e6fb25b 100644 --- a/modules/nixos/system/default.nix +++ b/modules/nixos/system/default.nix @@ -10,6 +10,7 @@ ./nix ./packages ./podman + ./polkit ./printing ./users ]; diff --git a/modules/nixos/system/polkit/default.nix b/modules/nixos/system/polkit/default.nix new file mode 100644 index 0000000..1e5b573 --- /dev/null +++ b/modules/nixos/system/polkit/default.nix @@ -0,0 +1,16 @@ +# Polkit settings +{ config, lib, ... }: +let + cfg = config.my.system.polkit; +in +{ + options.my.system.polkit = with lib; { + enable = my.mkDisableOption "polkit configuration"; + }; + + config = lib.mkIf cfg.enable { + security.polkit = { + enable = true; + }; + }; +} From 1faa8d9acff1857537d3fb35768de2ede64e6b36 Mon Sep 17 00:00:00 2001 From: Bruno BELANYI Date: Thu, 14 Dec 2023 11:10:14 +0000 Subject: [PATCH 3/3] nixos: services: wireguard: add 'simpleManagement' This makes it easier to manage the VPN services, as they don't require a password prompt to be brought up/down. --- modules/nixos/services/wireguard/default.nix | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/modules/nixos/services/wireguard/default.nix b/modules/nixos/services/wireguard/default.nix index a213e71..26e54e0 100644 --- a/modules/nixos/services/wireguard/default.nix +++ b/modules/nixos/services/wireguard/default.nix @@ -100,6 +100,8 @@ in options.my.services.wireguard = with lib; { enable = mkEnableOption "Wireguard VPN service"; + simpleManagement = my.mkDisableOption "manage units without password prompts"; + startAtBoot = mkEnableOption '' Should the VPN service be started at boot. Must be true for the server to work reliably. @@ -273,5 +275,24 @@ in after = [ "wg-quick-${cfg.iface}.service" ]; }; }) + + # Make it possible to manage those units without using passwords, for admins + (lib.mkIf cfg.simpleManagement { + environment.etc."polkit-1/rules.d/50-wg-quick.rules".text = '' + polkit.addRule(function(action, subject) { + if (action.id == "org.freedesktop.systemd1.manage-units") { + var unit = action.lookup("unit") + if (unit == "wg-quick-${cfg.iface}.service" || unit == "wg-quick-${cfg.internal.name}.service") { + var verb = action.lookup("verb"); + if (verb == "start" || verb == "stop" || verb == "restart") { + if (subject.isInGroup("wheel")) { + return polkit.Result.YES; + } + } + } + } + }); + ''; + }) ]); }