nixos: services: wireguard: add 'simpleManagement'

This makes it easier to manage the VPN services, as they don't require a password prompt to be brought up/down.
nixos: system: add polkit
2023-12-14 11:23:28 +00:00 · 2023-12-14 11:23:28 +00:00 · 2023-12-14 11:23:28 +00:00
3 changed files with 50 additions and 0 deletions
--- a/modules/nixos/services/wireguard/default.nix
+++ b/modules/nixos/services/wireguard/default.nix
@ -100,6 +100,8 @@ in
  options.my.services.wireguard = with lib; {
    enable = mkEnableOption "Wireguard VPN service";

+    simpleManagement = my.mkDisableOption "manage units without password prompts";
+
    startAtBoot = mkEnableOption ''
      Should the VPN service be started at boot. Must be true for the server to
      work reliably.
@ -261,5 +263,36 @@ in
    (lib.mkIf (cfg.internal.enable && !cfg.internal.startAtBoot) {
      systemd.services."wg-quick-${cfg.internal.name}".wantedBy = lib.mkForce [ ];
    })
+
+    # Make systemd shut down one service when starting the other
+    (lib.mkIf (cfg.internal.enable) {
+      systemd.services."wg-quick-${cfg.iface}" = {
+        conflicts = [ "wg-quick-${cfg.internal.name}.service" ];
+        after = [ "wg-quick-${cfg.internal.name}.service" ];
+      };
+      systemd.services."wg-quick-${cfg.internal.name}" = {
+        conflicts = [ "wg-quick-${cfg.iface}.service" ];
+        after = [ "wg-quick-${cfg.iface}.service" ];
+      };
+    })
+
+    # Make it possible to manage those units without using passwords, for admins
+    (lib.mkIf cfg.simpleManagement {
+      environment.etc."polkit-1/rules.d/50-wg-quick.rules".text = ''
+        polkit.addRule(function(action, subject) {
+          if (action.id == "org.freedesktop.systemd1.manage-units") {
+            var unit = action.lookup("unit")
+            if (unit == "wg-quick-${cfg.iface}.service" || unit == "wg-quick-${cfg.internal.name}.service") {
+              var verb = action.lookup("verb");
+              if (verb == "start" || verb == "stop" || verb == "restart") {
+                if (subject.isInGroup("wheel")) {
+                  return polkit.Result.YES;
+                }
+              }
+            }
+          }
+        });
+      '';
+    })
  ]);
 }
--- a/modules/nixos/system/default.nix
+++ b/modules/nixos/system/default.nix
@ -10,6 +10,7 @@
    ./nix
    ./packages
    ./podman
+    ./polkit
    ./printing
    ./users
  ];
--- a/modules/nixos/system/polkit/default.nix
+++ b/modules/nixos/system/polkit/default.nix
@ -0,0 +1,16 @@
+# Polkit settings
+{ config, lib, ... }:
+let
+  cfg = config.my.system.polkit;
+in
+{
+  options.my.system.polkit = with lib; {
+    enable = my.mkDisableOption "polkit configuration";
+  };
+
+  config = lib.mkIf cfg.enable {
+    security.polkit = {
+      enable = true;
+    };
+  };
+}
Author	SHA1	Message	Date
Bruno BELANYI	1faa8d9acf	nixos: services: wireguard: add 'simpleManagement' All checks were successful ci/woodpecker/push/check Pipeline was successful Details This makes it easier to manage the VPN services, as they don't require a password prompt to be brought up/down.	2023-12-14 11:23:28 +00:00
Bruno BELANYI	9ddd59eac8	nixos: system: add polkit One nice thing is that it enables the prompts when using `systemctl`, instead of requiring `sudo`.	2023-12-14 11:23:28 +00:00
Bruno BELANYI	f23e6251ce	nixos: services: wireguard: add VPN conflicts It's now easier to do the right thing when starting a VPN service, whether the other one is running or not.	2023-12-14 11:23:28 +00:00