| -rw-r--r-- | deployment/services/dns.scm | 7 | ||||
| -rw-r--r-- | deployment/services/vpn.scm | 79 | ||||
| -rw-r--r-- | deployment/system.scm | 3 | ||||
| -rw-r--r-- | deployment/system/cokolwiek.scm | 3 | ||||
| -rw-r--r-- | deployment/system/rakan.scm | 3 |
5 files changed, 94 insertions, 1 deletions
diff --git a/deployment/services/dns.scm b/deployment/services/dns.scm index fb77804..3b423b0 100644 --- a/deployment/services/dns.scm +++ b/deployment/services/dns.scm @@ -19,7 +19,8 @@ ;;; If not, see <https://www.gnu.org/licenses/>. (define-module (deployment services dns) - #:export (knot-service-aisaka) + #:export (knot-service-aisaka + wireguard-endpoint) #:use-module (gnu services) #:use-module (gnu services dns)) @@ -34,6 +35,10 @@ ip-otvarta " -all\"")) +(define wireguard-endpoint + (string-append ip-multimedia + ":51820")) + (define-zone-entries marekpasnikowski.pl-entries ("@" ttl "IN" "A" ip-otvarta) ("1" ttl "IN" "A" ip-otvarta) diff --git a/deployment/services/vpn.scm b/deployment/services/vpn.scm new file mode 100644 index 0000000..5cf58d8 --- /dev/null +++ b/deployment/services/vpn.scm 
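Review bot: In the second hunk of deployment/services/dns.scm the endpoint port is a bare `":51820"` string, while `wireguard-configuration-aisaka` in deployment/services/vpn.scm sets no listening port, so the client and the server agree only through whatever `%wireguard-configuration` or the service default supplies, which this commit does not show. A named constant used on both sides would keep them from drifting, e.g. `(define wireguard-port 51820)` with `(string-append ip-multimedia ":" (number->string wireguard-port))` here and `(port wireguard-port)` in the aisaka configuration. A one-line comment such as `;; Public address and UDP port on which aisaka accepts WireGuard handshakes` would also explain why a VPN value is defined in the DNS module. No firewall change is visible in this commit, so it is worth confirming that this UDP port, and only this port, is opened on that address.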
@@ -0,0 +1,79 @@
+;;; SPDX-License-Identifier: GPL-3.0-or-later
+;;; SPDX-FileCopyrightText: 2026 Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+;;; COPYRIGHT NOTICE
+;;;
+;;; Copyright 2026, Marek Paśnikowski <marek@marekpasnikowski.pl>
+
+;;; LICENSE NOTICE
+;;;
+;;; This library is free software: you can redistribute it and/or modify it under the terms of
+;;; the GNU General Public License as published by the Free Software Foundation,
+;;; either version 3 of the License, or (at your option) any later version.
+;;;
+;;; This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+;;; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+;;; See the GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License along with this library.
+;;; If not, see <https://www.gnu.org/licenses/>.
+
+(define-module (deployment services vpn)
+ #:export (wireguard-service-aisaka
+ wireguard-service-giewont
+ wireguard-service-rakan)
+ #:use-module (gnu services)
+ #:use-module (gnu services vpn)
+ #:use-module (sovereign services vpn)
+ #:use-module ((deployment services dns)
+ #:prefix deployment:services:dns:))
+
+(define wireguard-peer-aisaka
+ (wireguard-peer
+ (inherit %wireguard-peer)
+ (name "aisaka")
+ (endpoint deployment:services:dns:wireguard-endpoint)
+ (public-key "7B6fgIKVZs6DWN3hdDGlYI8XpvHWGCjZKh6kbY/KKg8=")))
+
+(define wireguard-peer-giewont
+ (wireguard-peer
+ (inherit %wireguard-peer)
+ (name "giewont")
+ (public-key "/XsuEpAHX1iEc5abcmY9sYTx8qETAuSLjEmx5ekqfwM=")
+ (allowed-ips (list "10.0.0.2/32"))))
+
+(define wireguard-peer-rakan
+ (wireguard-peer
+ (inherit %wireguard-peer)
+ (name "rakan")
+ (public-key "vOEJivgw9C7wZwYX3Kiqw3Ycl6wErr8N9z3BmkhF0Us=")
+ (allowed-ips (list "10.0.0.3/32"))))
+
+(define wireguard-configuration-aisaka
+ (wireguard-configuration
+ (inherit %wireguard-configuration)
+ (peers (list 
wireguard-peer-giewont + wireguard-peer-rakan)))) + +(define wireguard-configuration-giewont + (wireguard-configuration + (inherit %wireguard-configuration) + (addresses (list "10.0.0.2/24")) + (peers (list wireguard-peer-aisaka)))) + +(define wireguard-configuration-rakan + (wireguard-configuration + (inherit %wireguard-configuration) + (addresses (list "10.0.0.3/24")) + (peers (list wireguard-peer-aisaka)))) + +(define wireguard-service-aisaka + (wireguard-service wireguard-configuration-aisaka)) + +(define wireguard-service-giewont + (wireguard-service wireguard-configuration-giewont)) + +(define wireguard-service-rakan + (wireguard-service wireguard-configuration-rakan)) + +;;; EOF diff --git a/deployment/system.scm b/deployment/system.scm index 1eaeb49..7c17a83 100644 --- a/deployment/system.scm +++ b/deployment/system.scm @@ -33,6 +33,8 @@ #:prefix deployment:services:matrix:) #:use-module ((deployment services networking) #:prefix deployment:services:networking:) + #:use-module ((deployment services vpn) + #:prefix deployment:services:vpn:) #:use-module ((deployment services web) #:prefix deployment:services:web:) #:use-module ((deployment system aisaka) @@ -136,6 +138,7 @@ deployment:system:aisaka:radicale deployment:services:mail:smtp-service-aisaka deployment:system:aisaka:static-networking + deployment:services:vpn:wireguard-service-aisaka deployment:system:aisaka:%sovereign-services*)) (pam-services (gnu:system:pam:base-pam-services)) (privileged-programs gnu:system:%default-privileged-programs) diff --git a/deployment/system/cokolwiek.scm b/deployment/system/cokolwiek.scm index f6fc542..873e559 100644 --- a/deployment/system/cokolwiek.scm +++ b/deployment/system/cokolwiek.scm 
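Review bot: `wireguard-peer-aisaka` in deployment/services/vpn.scm sets no `allowed-ips`, unlike the giewont and rakan peers, so what the two clients route to and accept from aisaka is decided entirely by `%wireguard-peer` from `(sovereign services vpn)`, which is not visible here. Because allowed-ips is both the routing table and the inbound source filter, an inherited wide range would send all client traffic through aisaka and accept any source address from it; stating it explicitly, for example `(allowed-ips (list "10.0.0.0/24"))` if only the tunnel subnet is intended, makes the scope reviewable. The same applies to `wireguard-configuration-aisaka`, which overrides `peers` but not `addresses`, so the hub's tunnel address is also inherited. A short comment above the three peer definitions noting that each pinned public key must match the private key held on that host would help whoever rotates a key.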
@@ -20,6 +20,8 @@ (define-module (deployment system cokolwiek) #:use-module (sovereign bootloader) + #:use-module ( (deployment services vpn) + #:prefix deployment:services:vpn:) #:use-module ( (gnu packages package-management) #:prefix gnu:packages:package-management:) #:use-module ( (gnu services) @@ -94,6 +96,7 @@ gnu:system:linux-initrd:%base-initrd-modules)) (l-services (cons* l-guix-home-service sovereign:packages:protonmail:nogui-profile + deployment:services:vpn:wireguard-service-giewont sovereign:systems:%sovereign-services)) (l-swap-devices (list swap)) (l-users (cons* users:id1000:uid1000-account diff --git a/deployment/system/rakan.scm b/deployment/system/rakan.scm index 48adec5..0f9b8d5 100644 --- a/deployment/system/rakan.scm +++ b/deployment/system/rakan.scm @@ -24,6 +24,8 @@ #:use-module (sovereign bootloader) #:use-module ( (deployment gexp) #:prefix deployment:gexp:) + #:use-module ( (deployment services vpn) + #:prefix deployment:services:vpn:) #:use-module ( (gnu home) #:prefix gnu:home:) #:use-module ( (gnu home services) @@ -272,6 +274,7 @@ sovereign:packages:protonmail:nogui-profile offload-auth samba-service + deployment:services:vpn:wireguard-service-rakan sovereign:systems:%sovereign-services)) (pam-services (gnu:system:pam:base-pam-services)) (privileged-programs gnu:system:%default-privileged-programs) |
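Review bot: In deployment/system/cokolwiek.scm the second hunk adds `deployment:services:vpn:wireguard-service-giewont` to `l-services`, but nothing in the hunk ties the system defined in this file to the name giewont. The giewont peer pins one public key and the tunnel address `10.0.0.2`, so if this module is ever reused for another machine the tunnel identity goes with it. A comment such as `;; giewont is the host name of this system; its WireGuard key and tunnel address are pinned in (deployment services vpn)` would record the link, assuming that is the intent. The surrounding definition starts and ends outside the hunk.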
