authorMarek Paśnikowski <marek@marekpasnikowski.pl>2026-06-05 11:36:42 +0200
committerMarek Paśnikowski <marek@marekpasnikowski.pl>2026-06-05 14:12:45 +0200
commitf0f59e6993d30ef041c106a46d8b27b75f465539 (patch)
tree67c0e1ccfc2b57068bb8f674b900c16c3d7a8fa6 /deployment/services
parent6ef001ead1cd7473ee2c9c7520696c3b0deddb51 (diff)
(services): add initial deployment of Wireguard VPN
Diffstat (limited to 'deployment/services')
-rw-r--r--deployment/services/dns.scm7
-rw-r--r--deployment/services/vpn.scm79
2 files changed, 85 insertions, 1 deletions
diff --git a/deployment/services/dns.scm b/deployment/services/dns.scm
index fb77804..3b423b0 100644
--- a/deployment/services/dns.scm
+++ b/deployment/services/dns.scm
@@ -19,7 +19,8 @@
;;; If not, see <https://www.gnu.org/licenses/>.
(define-module (deployment services dns)
- #:export (knot-service-aisaka)
+ #:export (knot-service-aisaka
+ wireguard-endpoint)
#:use-module (gnu services)
#:use-module (gnu services dns))
@@ -34,6 +35,10 @@
ip-otvarta
" -all\""))
+(define wireguard-endpoint
+ (string-append ip-multimedia
+ ":51820"))
+
(define-zone-entries marekpasnikowski.pl-entries
("@" ttl "IN" "A" ip-otvarta)
("1" ttl "IN" "A" ip-otvarta)
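Review bot: The port in `wireguard-endpoint` is the string literal `":51820"`, and nothing ties it to the port the server listens on; that value presumably comes from `%wireguard-configuration`, which this commit does not show. If the two ever diverge, clients will keep dialling a port nobody listens on, with no error at build time. I would define the port once, for example `(define wireguard-port 51820)`, and derive both the endpoint string and the server's listen port from it. A comment such as `;; Public address and UDP port of the WireGuard hub; must match the server's listen port` would also explain why a VPN value lives in the DNS module.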
diff --git a/deployment/services/vpn.scm b/deployment/services/vpn.scm
new file mode 100644
index 0000000..269305d
--- /dev/null
+++ b/deployment/services/vpn.scm
@@ -0,0 +1,79 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2026 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+;;; COPYRIGHT NOTICE
+;;;
+;;; Copyright 2026, Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+;;; LICENSE NOTICE
+;;;
+;;; This library is free software: you can redistribute it and/or modify it under the terms of
+;;; the GNU General Public License as published by the Free Software Foundation,
+;;; either version 3 of the License, or (at your option) any later version.
+;;;
+;;; This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+;;; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+;;; See the GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License along with this library.
+;;; If not, see <https://www.gnu.org/licenses/>.
+
+(define-module (deployment services vpn)
+ #:export (wireguard-service-aisaka
+ wireguard-service-giewont
+ wireguard-service-rakan)
+ #:use-module (gnu services)
+ #:use-module (gnu services vpn)
+ #:use-module (sovereign services vpn)
+ #:use-module ((deployment services dns)
+ #:prefix deployment:services:dns:))
+
+(define wireguard-peer-aisaka
+ (wireguard-peer
+ (inherit %wireguard-peer)
+ (name "aisaka")
+ (endpoint deployment:services:dns:wireguard-endpoint)
+ (public-key "7B6fgIKVZs6DWN3hdDGlYI8XpvHWGCjZKh6kbY/KKg8=")))
+
+(define wireguard-peer-giewont
+ (wireguard-peer
+ (inherit %wireguard-peer)
+ (name "giewont")
+ (endpoint deployment:services:dns:wireguard-endpoint)
+ (public-key "/XsuEpAHX1iEc5abcmY9sYTx8qETAuSLjEmx5ekqfwM=")))
+
+(define wireguard-peer-rakan
+ (wireguard-peer
+ (inherit %wireguard-peer)
+ (name "rakan")
+ (public-key "vOEJivgw9C7wZwYX3Kiqw3Ycl6wErr8N9z3BmkhF0Us=")
+ (allowed-ips (list "10.0.0.3/32"))))
+
+(define wireguard-configuration-aisaka
+ (wireguard-configuration
+ (inherit %wireguard-configuration)
+ (peers (list wireguard-peer-giewont
+ wireguard-peer-rakan))))
+
+(define wireguard-configuration-giewont
+ (wireguard-configuration
+ (inherit %wireguard-configuration)
+ (addresses (list "10.0.0.2/32"))
+ (peers (list wireguard-peer-aisaka))))
+
+(define wireguard-configuration-rakan
+ (wireguard-configuration
+ (inherit %wireguard-configuration)
+ (addresses (list "10.0.0.3/32"))
+ (peers (list wireguard-peer-aisaka))))
+
+(define wireguard-service-aisaka
+ (wireguard-service wireguard-configuration-aisaka))
+
+(define wireguard-service-giewont
+ (wireguard-service wireguard-configuration-giewont))
+
+(define wireguard-service-rakan
+ (wireguard-service wireguard-configuration-rakan))
+
+;;; EOF
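Review bot: `wireguard-peer-giewont` sets no `allowed-ips`, while `wireguard-peer-rakan` is pinned to `10.0.0.3/32`, so on aisaka giewont is limited only by what it inherits from `%wireguard-peer`, which is not visible here. WireGuard uses allowed-ips as the source-address filter for inbound packets too, so if the inherited value is wider than giewont's own `10.0.0.2/32`, that peer could send traffic from tunnel addresses it does not own. I would add `(allowed-ips (list "10.0.0.2/32"))` to the giewont peer so both clients are scoped the same way. Separately, giewont carries the same `endpoint` as `wireguard-peer-aisaka`, which looks like a copy-paste from the hub definition. If giewont is a roaming client like rakan, the field should be dropped; otherwise it needs its own address.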