fix vpn and add rofi toggle

Hetzner/axiomania.nix

@@ -11,6 +11,7 @@
   networking.firewall = {
     allowedTCPPorts = [ 22 80 443 2222 ];
     allowedUDPPorts = [ 51820 53 ]; # Wireguard, Adguard DNS
+    checkReversePath = "loose"; # Required for WireGuard NAT
   };
 
   # ============================================================================
@@ -259,7 +260,7 @@
   # NAT for Wireguard clients to access the internet
   networking.nat = {
     enable = true;
-    externalInterface = "ens3";
+    externalInterface = "enp1s0";
     internalInterfaces = [ "wg0" ];
   };
 

Rofi/Scripts/system.sh

@@ -35,6 +35,12 @@ get_brightness_external() {
     fi
 }
 get_power_profile() { powerprofilesctl get 2>/dev/null || echo "balanced"; }
+get_vpn_status() {
+    if systemctl is-active wg-quick-wg-vpn &>/dev/null; then echo "vpn"
+    elif systemctl is-active wg-quick-wg-services &>/dev/null; then echo "services"
+    else echo "off"
+    fi
+}
 
 get_default_sink_id() {
     wpctl inspect @DEFAULT_AUDIO_SINK@ 2>/dev/null | head -1 | awk '{print $2}' | tr -d ','
@@ -85,6 +91,12 @@ show_main() {
     echo "󰃟  Brightness"
     echo "󰤨  WiFi"
     echo "󰂯  Bluetooth"
+    local vpn_status=$(get_vpn_status)
+    case "$vpn_status" in
+        services) echo "󰒄  VPN: Services" ;;
+        vpn) echo "󰛳  VPN: Full + AdBlock" ;;
+        *) echo "󰲛  VPN: Off" ;;
+    esac
     echo "󱐋  Power Profile"
     echo "󰐥  Power"
 }
@@ -177,6 +189,19 @@ handle_main() {
     case "$SELECTION" in
         *"Sound"*) show_sound ;;
         *"Brightness"*) show_brightness ;;
+        *"VPN:"*)
+            local vpn_status=$(get_vpn_status)
+            case "$vpn_status" in
+                off) busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager StartUnit ss wg-quick-wg-services.service replace &>/dev/null ;;
+                services)
+                    busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager StopUnit ss wg-quick-wg-services.service replace &>/dev/null
+                    busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager StartUnit ss wg-quick-wg-vpn.service replace &>/dev/null ;;
+                vpn)
+                    busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager StopUnit ss wg-quick-wg-vpn.service replace &>/dev/null
+                    busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager StartUnit ss wg-quick-wg-services.service replace &>/dev/null ;;
+            esac
+            sleep 1
+            show_main ;;
         *"WiFi"*) coproc (rofi-network-manager &); exit 0 ;;
         *"Bluetooth"*) coproc (rofi-bluetooth &); exit 0 ;;
         *"Power Profile"*) show_power_profile ;;

configuration.nix

@@ -85,6 +85,18 @@
 
   programs.nix-ld.enable = true;
 
+  # Allow lebowski to toggle WireGuard without password
+  security.polkit.extraConfig = ''
+    polkit.addRule(function(action, subject) {
+      if (action.id == "org.freedesktop.systemd1.manage-units" &&
+          subject.user == "lebowski" &&
+          (action.lookup("unit") == "wg-quick-wg-services.service" ||
+           action.lookup("unit") == "wg-quick-wg-vpn.service")) {
+        return polkit.Result.YES;
+      }
+    });
+  '';
+
   services.pulseaudio.enable = false;
   security.rtkit.enable = true;