authorTimo Wilken2023-11-20 21:02:50 +0100
committerTimo Wilken2023-11-20 22:44:59 +0100
commit04925b8eef4678ff06f408b446aba8e8098f98ce (patch)
treeec7789e9cd7200477cd3a6a55a27d4f7f3646300
parentbddc465bf484ddf78cf3576c77b10eff4e753ef8 (diff)
Manage new Framework laptop
-rwxr-xr-xregenerate-secrets.sh7
-rw-r--r--tw/services/files/wireguard/frm-fp4.psk.enc8
-rw-r--r--tw/services/files/wireguard/frm-lap.psk.enc8
-rw-r--r--tw/services/files/wireguard/frm-lud.psk.enc8
-rw-r--r--tw/services/files/wireguard/frm-pi3.psk.enc8
-rw-r--r--tw/services/files/wireguard/frm-vin.psk.enc8
-rw-r--r--tw/services/files/wireguard/frm.key.enc8
-rw-r--r--tw/services/files/wireguard/lap-frm.psk.enc8
-rw-r--r--tw/services/files/wireguard/lud-frm.psk.enc8
-rw-r--r--tw/services/files/wireguard/vin-frm.psk.enc8
-rw-r--r--tw/services/wireguard.scm8
-rw-r--r--tw/system/frm.scm320
12 files changed, 403 insertions, 4 deletions
diff --git a/regenerate-secrets.sh b/regenerate-secrets.sh
index 08d54821..1451d5b6 100755
--- a/regenerate-secrets.sh
+++ b/regenerate-secrets.sh
@@ -10,8 +10,9 @@ port () {
hostkey () {
case $1 in
- # lap has no SSH host keys, so use a special age key.
+ # Laptops have no SSH host keys, so use a special age key.
lap) echo age1r2q54q6phf47ssc2wrw6enpdlghfaj0pdhp879se4d47zlkgq4sskzlj25 ;;
+ frm) echo age1wm9cn6pwguc6a26ltlf39c00qlyka8c48dfc2fcj9w7j522ekcaq5hg2e8 ;;
*) ssh-keygen -F "[$1.twilken.net]:$(port "$1")" |
awk '$2 == "ssh-ed25519" { print $2, $3 }' ;;
esac
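Review bot: The new `frm)` branch returns a bare age recipient with nothing saying where the matching private identity lives, whereas the `*)` branch is self-describing because it derives the recipient from the host's SSH key. A one-line comment would spare the next reader a search: `# frm's private age identity is provisioned out of band (see secrets-configuration in tw/system/frm.scm).` — assuming, as that file's `(host-key "/etc/secrets.key")` suggests, that this is the matching identity. hostkey() is visible in full here, but port(), named in the hunk header, is not.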
@@ -30,9 +31,9 @@ store_restic () {
}
# Wireguard secret keys and pre-shared keys.
-for host in lap lud vin; do
+for host in lap lud vin frm; do
store "$host" "computers/wireguard/private/$host" "tw/system/files/wireguard/$host.key.enc"
- for host2 in lap lud vin pi3 fp4; do
+ for host2 in lap lud vin pi3 fp4 frm; do
[ $host = $host2 ] && continue
store "$host" "computers/wireguard/preshared/$host-$host2" "tw/system/files/wireguard/$host-$host2.psk.enc"
done
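Review bot: The loop now includes frm but both `store` calls still write to `tw/system/files/wireguard/$host.key.enc` and `tw/system/files/wireguard/$host-$host2.psk.enc`, while every encrypted file this commit adds lives under `tw/services/files/wireguard/`. Unless tw/system/files is a link to tw/services/files, re-running the script after this change will regenerate the frm secrets into a directory the wireguard service does not appear to read, silently leaving the committed copies stale. Pointing both `store` calls at `tw/services/files/wireguard/...`, or deriving the directory from one variable shared with the service definition, would keep the script and the tree in agreement. The `store` helper and store_restic() are defined outside this hunk.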
diff --git a/tw/services/files/wireguard/frm-fp4.psk.enc b/tw/services/files/wireguard/frm-fp4.psk.enc
new file mode 100644
index 00000000..9331caa0
--- /dev/null
+++ b/tw/services/files/wireguard/frm-fp4.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGdWRZamxwdTJ1ZjArZVZa
+TngzTGpualZiRDZPTlNBcW5hVGlFQTNWTVgwCndlQ2x3UEpjYkJqU25YRThMb0Uv
+d250OWJWbVZ5S3l3eHB3cGVKNWhBMFUKLS0tIEZDK1hveWk5QzI3OTBmZTRoMDZz
+c1MzRWNYbkc4MXluZ3lCK21ScndaaEkKx4a+8MdoHqDBdmkX1St7qa5zG2CQ4R+z
+3HWUtAI3woUWoC+S2FM31glN5ZFKqWCmU2oUJKrvc9H338hvMgYneY3vzDIU4hoE
+oOyau8c=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-lap.psk.enc b/tw/services/files/wireguard/frm-lap.psk.enc
new file mode 100644
index 00000000..ea83fdee
--- /dev/null
+++ b/tw/services/files/wireguard/frm-lap.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM3RJM0ZyMzZVellNb2w4
+dWpnRlhWNy9Od3FjL051WVNYMVVhc0tQMEc0CjlCamtxUE9uTHRrSkpLeDJYSE1C
+dXo3SFFaTU5ac0tMUnpIUHdnN3FiTXMKLS0tIHp5NHR4enNPR1piTHRRUjJVbEJ6
+QmlRWXhRU2VSNTFUUWUvQ011SFE0MkEKpyz/6Q7UEZhqbrtJlsx5g7irZ94BeGCj
+Xo5VWUFXv2IHpDBP8TkQzPyJo+eDXOERumLeAWt0/Vx6I//VxsJgAj4v+sgRdDDM
+mnZ7Hv4=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-lud.psk.enc b/tw/services/files/wireguard/frm-lud.psk.enc
new file mode 100644
index 00000000..025c2501
--- /dev/null
+++ b/tw/services/files/wireguard/frm-lud.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdHc3MitWWjlHcEhGR1l2
+VmhLNklqMkUvRng3aHNUMktoZlZ2ZDliV3pzCkVYTk5TOXVNcnIxalNYbHBlbm9K
+MG4vTmFuS3NVbEVyRjVzZnRVTmFWZTgKLS0tIFFWcENXdDNVU0Y1cFBJcFpGRlR5
+UFlQSW8vUWcxWmlWRWVIWVQwZlEyMjgKHpjhFm/yzFzw76a+FyV1bwQyWzQ6fQxM
+/F4G+JtFyrTla5C7MKXlyXStpXRjXV+8lHJSfgbCQbLRGCJFG84eCsv8AJIaVtDV
+8XnHZms=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-pi3.psk.enc b/tw/services/files/wireguard/frm-pi3.psk.enc
new file mode 100644
index 00000000..119a7b99
--- /dev/null
+++ b/tw/services/files/wireguard/frm-pi3.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQM1Y4NXNmVFBhOVZFaDRO
+dy9ZdU5rTHk0T2JRUFBqVnFTNjBDT25PbUNZCmdGTHYzU0RET25mWkZGa0hwUHFK
+bmlxajFoci83VjZGWndCMWo5K0RUSVkKLS0tIFdOdFlCa3lvMXhGVEV1VU91eHly
+UjRtbUNvUjBDbEo1aW14YXI5MmM1TTgKjS13mwy5dY2fx1boKstTbqb4QjIFMo8j
+eToNx9Lq6KWyOEqE84oQHHgOxzYGKCerrxwTRcaTCKKaxeUwvau5VkbzMeRdRUMj
+iWJXDj8=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm-vin.psk.enc b/tw/services/files/wireguard/frm-vin.psk.enc
new file mode 100644
index 00000000..0d08ec3e
--- /dev/null
+++ b/tw/services/files/wireguard/frm-vin.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRjlZMzlwakdIQmx0Zzk2
+TjJWelFQK1p0YUYrS1Y5djd3TEloME5SS1NBCnlLMkg1WHRVZ2k5T2VORzlpaDZI
+RlNmQWNDK0s5dVRNVjRjQnNOOVBWM0EKLS0tIFVhL1ZJT1lveVd1OW16YkVuWUtr
+OW55WHFUdGd6SGZUSll5MjcvYSsrUkUKoEYFPmE+gx2Jzsn00pceiN7mekclWPTf
+xwQiX1qkST3+KjYd1wNCvv60eU2OCKE2LpdELYGXn6FTV7EiK0QZEBQHM1xNqyKV
+kjx+AvA=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/frm.key.enc b/tw/services/files/wireguard/frm.key.enc
new file mode 100644
index 00000000..8e2a1f82
--- /dev/null
+++ b/tw/services/files/wireguard/frm.key.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNdU5HZEViSzNYYTB5NE93
+eXZ0VVRESGozSlFvd2pjL2M0Ri9CbmJ3bUNrCmgwUnQzejVaLzIzdDUxTVRtN3Jj
+aG1oUzRHb0ZBL3VvTkp1aHAwMytIdUUKLS0tIDdlREVBTnd5alBYVGJmRmNRNDky
+Vnl2eFg2VmZjcEpOd1M2eFhFUDNOTXMKn9BhStBgbP79DPvU2RXUmyZnFf8QY91J
+HcM+3r9rfFeSfGOE4Z2UEmy+k83LC1tam1KRS9ak7CEVCRCMWfRmTeI3BfS2QCl5
+9Ab7lzs=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/lap-frm.psk.enc b/tw/services/files/wireguard/lap-frm.psk.enc
new file mode 100644
index 00000000..91977395
--- /dev/null
+++ b/tw/services/files/wireguard/lap-frm.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZT21JeHlsYi9pREVPenpC
+R3dIaUpBeC9Lb2NRazRwcEEvSHQvaVJKekFrCldlNlRpWXMvSEFUWTBZT1F0L0Z1
+ZnNuY0poQ0ZQS013aFF5SHdUTjdHUkkKLS0tIE8vY2haWTdwZE9zMnBueGx5Nm1L
+WjNVbDFRcEhqNUtpaWlwNHFnNmJMd1UKhWgbbnN10725uP1Ofvav7gzYuVwsyzmN
+FFNrwMI0pVtRKUPH3i+7cKpMYdfGF5iKCIz7JOc3XdzTgAQc7lqxS5LKiMBK6lVl
+Cjxds94=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/lud-frm.psk.enc b/tw/services/files/wireguard/lud-frm.psk.enc
new file mode 100644
index 00000000..ad1ff758
--- /dev/null
+++ b/tw/services/files/wireguard/lud-frm.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA0ZXR5
+MDRuNnBOSnhwWjNBZ1FzVFliUEF4dnk4aXVXVUx0N0NSYVBMbW1BCmJBeDUwbjVY
+UGZ6ckJXeG5XdkJ0NW8xTFJEV0UwN0ZnUEt6QmIxRExDNEkKLS0tIGJuRTVqVnhz
+MXM1SXBPR1dEdDVWWlN1cGFzU0N6RFdLQi83MFBNU3NGT0EKViTwHGDX7oCwl+Fg
+ASRwy0oTXZowSGn7WO2Ko95PfCEJMILt8JoYdggGh6PvPcpOLxemt6tfn8ISXvDK
+NCo5BHemt6k1ikqM2HBRH04=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/files/wireguard/vin-frm.psk.enc b/tw/services/files/wireguard/vin-frm.psk.enc
new file mode 100644
index 00000000..3cbfee12
--- /dev/null
+++ b/tw/services/files/wireguard/vin-frm.psk.enc
@@ -0,0 +1,8 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBWMWZu
+Vkd6clRTd05lUE1IdHRGa1JxclpjRHNNelQzUkVtbG9hOWgwUkVzClJQRXZWTytL
+SGFpTmpXU2tXVUMwem5kQURPb2U5N2RVS0Z4SmZ4dk9MbDgKLS0tIEloQkpJVVU4
+MDhPaExndGo4NzFyRFNEODRJOE40T2lXYnhOS28rZGdBUlUKfrQeK72CdIFwxTaR
+T+nXLL8Ol7zPv0xyLdsbz6naLfa+kdWIo++pqowKAb5QRKkWo8cBVsMYoCIGD3cS
+3nd+DcYi1vOrOm94rGSnOYI=
+-----END AGE ENCRYPTED FILE-----
diff --git a/tw/services/wireguard.scm b/tw/services/wireguard.scm
index e975fe46..4a69be8c 100644
--- a/tw/services/wireguard.scm
+++ b/tw/services/wireguard.scm
@@ -47,7 +47,13 @@
(endpoint "pi3.twilken.net:58922")
(public-key "pi3/ThUH4qDTuyvNQIiiyy2dbziF/xLRTwO0+vcUoVY=")
(preshared-key "/etc/wireguard/pi3.psk")
- (allowed-ips '("10.0.0.5/32" "fc00::5/128"))))))
+ (allowed-ips '("10.0.0.5/32" "fc00::5/128"))))
+ ("frm.twilken.net" .
+ ,(wireguard-peer
+ (name "frm.wg")
+ (public-key "frm/YGu1BfXUl4jrN0PTFMNdTQXWPSuY1wEpz5W9C2Y=")
+ (preshared-key "/etc/wireguard/frm.psk")
+ (allowed-ips '("10.0.0.6/32" "fc00::6/128"))))))
(define (wireguard-peers-list? object)
(and (list? object)
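Review bot: The new frm peer, unlike the pi3 entry just above it, carries no `(endpoint ...)`, and nothing in the record says whether that is deliberate. If frm is a roaming laptop that always dials in, a comment on the `(name "frm.wg")` line such as `;; No endpoint: frm roams and always initiates; peers learn its address at handshake.` records that, and also reminds the reader that frm's own side may need a keep-alive to stay reachable through NAT. The allowed-ips 10.0.0.6/32 and fc00::6/128 should be checked for uniqueness against the peers earlier in this alist, which begins before the hunk; wireguard-peers-list? continues past its end.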
diff --git a/tw/system/frm.scm b/tw/system/frm.scm
new file mode 100644
index 00000000..f19d36ce
--- /dev/null
+++ b/tw/system/frm.scm
@@ -0,0 +1,320 @@
+;; This is an operating system configuration file for a fairly minimal
+;; "desktop" setup with i3 where the /home partition partition is
+;; encrypted with LUKS.
+;;
+;; https://guix.gnu.org/manual/en/html_node/operating_002dsystem-Reference.html
+
+(define-module (tw system frm)
+ #:use-module (gnu)
+ #:use-module (gnu bootloader grub)
+ #:use-module (gnu system locale)
+ #:use-module (gnu system nss)
+ #:use-module (guix gexp)
+ #:use-module (guix packages)
+ #:use-module ((nongnu packages linux)
+ #:prefix nongnu:) ; don't interfere with (gnu packages linux)
+ #:use-module ((nongnu system linux-initrd)
+ #:prefix nongnu:)
+ #:use-module (tw channels)
+ #:use-module (tw packages scanner)
+ #:use-module (tw services secrets)
+ #:use-module (tw services wireguard)
+ #:use-module (tw system))
+
+(use-package-modules android certs cups disk docker file-systems gnome guile
+ kerberos linux mtools pulseaudio search shells tls wm xorg)
+
+(use-service-modules admin authentication avahi base cups dbus desktop docker
+ kerberos linux mcron networking pm shepherd syncthing vpn xorg)
+
+(define efi-system-partition ; /dev/nvme0n1p1
+ (uuid "D8C7-2624" 'fat))
+(define root-partition ; /dev/nvme0n1p2
+ (uuid "62fb4710-33d1-4eaf-aaaa-43d16ab26a58" 'btrfs))
+
+(define touchpad-xorg-config
+ (@@ (tw system lap) touchpad-xorg-config))
+
+(define set-timezone-script
+ (@@ (tw system lap) set-timezone-script))
+
+(define custom-xorg-config
+ (xorg-configuration
+ (keyboard-layout %british-keyboard)
+ (extra-config (list touchpad-xorg-config))))
+
+(define-public %frm-system
+ (operating-system
+ (host-name "frm.twilken.net")
+ (timezone "Europe/Paris")
+ (locale "en_GB.utf8")
+ (locale-definitions
+ (list (locale-definition (name "en_GB.utf8") (source "en_GB"))
+ (locale-definition (name "en_US.utf8") (source "en_US"))
+ (locale-definition (name "fr_FR.utf8") (source "fr_FR"))))
+
+ ;; Allow resolution of '.local' host names with mDNS.
+ (name-service-switch %mdns-host-lookup-nss)
+
+ ;; Choose UK English X11 keyboard layout.
+ (keyboard-layout %british-keyboard)
+
+ ;; Use the UEFI variant of GRUB with the EFI System
+ ;; Partition mounted on /boot/efi.
+ (bootloader
+ (bootloader-configuration
+ (bootloader grub-efi-bootloader)
+ (targets '("/boot/efi"))
+ ;; Note: keyboard-layout is ignored by non-grub bootloaders.
+ (keyboard-layout keyboard-layout)))
+
+ ;; Use non-free kernel to load non-free firmware (e.g. for wifi).
+ (kernel nongnu:linux)
+ (initrd nongnu:microcode-initrd)
+ (firmware (cons* nongnu:amdgpu-firmware ; TODO: wifi firmware?
+ %base-firmware))
+
+ (file-systems
+ (cons* (file-system
+ (device root-partition)
+ (mount-point "/")
+ (flags '(no-atime))
+ (options (alist->file-system-options
+ '("ssd" ("compress" . "zstd"))))
+ (type "btrfs"))
+ (file-system
+ (device efi-system-partition)
+ (mount-point "/boot/efi")
+ (flags '(no-atime))
+ (type "vfat"))
+ ;; Put /home in a subvolume for better accounting/snapshotting potential.
+ (file-system
+ (device root-partition)
+ (mount-point "/home")
+ (flags '(no-atime))
+ (options (alist->file-system-options
+ '("ssd" ("compress" . "zstd")
+ ("subvol" . "home"))))
+ (type "btrfs"))
+ %base-file-systems))
+
+ ;; Members of the wheel group are allowed to use sudo.
+ (users (cons* (user-account
+ (name "timo")
+ (comment "Timo Wilken")
+ (group "users")
+ (supplementary-groups
+ '("wheel" "audio" "video" "docker" "adbusers"))
+ (shell (file-append zsh "/bin/zsh")))
+ %base-user-accounts))
+
+ (sudoers-file
+ (plain-file "sudoers"
+ (string-append
+ ;; We need to preserve $TERMINFO so that programs under sudo can
+ ;; find kitty's terminfo files. This is possibly unsafe; sudo
+ ;; explicitly deletes this variable by default.
+ "Defaults env_keep += \"TERMINFO\"\n"
+ (plain-file-content %sudoers-specification)
+ ;; In addition to the default rules, allow admins to power off
+ ;; the computer. They'll have to use the system binaries, not
+ ;; those from their user profile, as /etc/sudoers requires
+ ;; absolute paths to commands.
+ "%wheel ALL=(ALL) NOPASSWD: "
+ "/run/current-system/profile/sbin/halt, "
+ "/run/current-system/profile/sbin/reboot, "
+ "/run/current-system/profile/sbin/shutdown\n")))
+
+ ;; This is where we specify system-wide packages.
+ (packages
+ (cons*
+ ;; System stuff
+ cups docker mit-krb5
+ ;; File systems
+ dosfstools mtools ntfs-3g
+ ;; Desktop and drivers
+ ;; FIXME: lightdm depends on python-2, but the build throws an
+ ;; error that python2 is not supported.
+ ;; TODO: Does lightdm have a service I need to enable?
+ ;;lightdm lightdm-gtk-greeter
+ pulseaudio xf86-video-amdgpu
+ ;; Adds /sys/class/backlight entries for external monitors.
+ ;; Not needed for laptop display.
+ ;; ddcci-driver-linux
+ i3-gaps ; install i3 here so gdm can see its xsession file
+ i3lock ; we need a system service to make i3lock setuid root
+ ;; We need to install gnome-keyring here so its PAM module is
+ ;; enabled properly (by its service; see below).
+ ;; nheko needs gnome-keyring to store secrets (kwallet doesn't do dbus).
+ gnome-keyring
+ ;; It's probably easiest to install geoclue system-wide, so it
+ ;; gets added to `%desktop-services' and redshift can access the
+ ;; location.
+ geoclue
+ ;; Base packages
+ %base-system-packages))
+
+ ;; Use the "desktop" services, which include the X11
+ ;; log-in service, networking with NetworkManager, and more.
+ ;; See info '(guix)Services' for useful services.
+ (services
+ (cons*
+ (service syncthing-service-type
+ (syncthing-configuration
+ (user "timo")))
+
+ (service cups-service-type
+ (cups-configuration
+ (web-interface? #t)
+ (default-shared? #f)
+ ;; See info '(guix)Printing Services' for more extensions.
+ (extensions
+ (list cups-filters foomatic-filters brlaser))))
+
+ (service bluetooth-service-type)
+
+ (service tw-wireguard-service-type
+ (tw-wireguard-configuration
+ (this-host host-name)))
+
+ (service docker-service-type
+ (docker-configuration))
+
+ (service krb5-service-type
+ (krb5-configuration
+ (default-realm "CERN.CH")
+ (rdns? #f)
+ (realms (list (krb5-realm
+ (name "CERN.CH")
+ (default-domain "cern.ch")
+ (kdc "cerndc.cern.ch"))))))
+
+ (service tlp-service-type
+ (tlp-configuration)) ; TODO: configure properly
+
+ (service thermald-service-type
+ (thermald-configuration
+ (adaptive? #t)))
+
+ (service earlyoom-service-type
+ (earlyoom-configuration)) ; TODO: configure at least `avoid-regexp'
+
+ (service fprintd-service-type)
+
+ ;; Install i3lock as a setuid binary, so it can talk to PAM.
+ (service screen-locker-service-type
+ (screen-locker-configuration
+ (name "i3lock")
+ (program (file-append i3lock "/bin/i3lock"))))
+
+ ;; gnome-keyring is not in `%desktop-services' by default,
+ ;; but needs to be there to add itself to /etc/pam.d/.
+ ;; If using a DM other than GDM, add it to `pam-services' in
+ ;; `gnome-keyring-configuration' (see its docs).
+ (service gnome-keyring-service-type
+ (gnome-keyring-configuration))
+
+ (udev-rules-service 'android android-udev-rules #:groups '("adbusers"))
+
+ (set-xorg-configuration custom-xorg-config)
+
+ (service unattended-upgrade-service-type
+ (unattended-upgrade-configuration
+ (schedule "0 21 * * *") ; every night at 21:00, when the laptop is turned on
+ (maximum-duration (* 40 60)) ; 40 minutes to allow for slow downloads
+ (channels %system-channels)
+ (operating-system-expression
+ #~(@ (tw system frm) %frm-system))
+ (services-to-restart
+ ;; Anything that won't cause disruption when restarting.
+ '(syncthing-timo earlyoom thermald tlp wireguard-wg0 mcron))))
+
+ (simple-service 'disk-maintenance mcron-service-type
+ ;; I don't think jobs run on boot if they would have run when the
+ ;; computer was turned off, so choose a time when the computer is
+ ;; probably turned on.
+ (list #~(job "45 21 * * *" "guix gc -d 2w -F 25G") ; after unattended-upgrade
+ #~(job "0 22 * * *" ; after guix gc
+ (string-append #$(file-append util-linux "/sbin/fstrim")
+ " --fstab --verbose"))))
+
+ (extra-special-file "/etc/NetworkManager/dispatcher.d/09-set-timezone"
+ (program-file "set-timezone" set-timezone-script))
+
+ (simple-service 'scanning-services shepherd-root-service-type
+ (list
+ (shepherd-service
+ (documentation "Expose USB scanners over IPP.")
+ (provision '(ipp-usb))
+ (requirement '(networking)) ; only on localhost, though
+ (start #~(make-forkexec-constructor
+ (list #$(file-append ipp-usb "/bin/ipp-usb") "standalone")))
+ (stop #~(make-kill-destructor)))))
+
+ ;; Since Guix 953c65ffdd4, build-machines can be directly specified in
+ ;; `guix-configuration'. However, this doesn't allow the dynamic
+ ;; selection of build machines as is done here.
+ (extra-special-file "/etc/guix/machines.scm"
+ (scheme-file "machines.scm"
+ #~(let ((lud (build-machine
+ (name "lud.twilken.net")
+ (systems '("x86_64-linux"))
+ (port '#$(assoc-ref %ssh-ports "lud.twilken.net"))
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGqXbxv3a2bZyGjnEirVCMtRBeLKW/ha8ULSR9Xye4Z1")
+ (user "timo")
+ (private-key "/home/timo/.local/share/ssh-keys/id_rsa")
+ (speed 1/3))) ; 4 cores, 16 GB RAM
+ (vin (build-machine
+ (name "vin.twilken.net")
+ (systems '("x86_64-linux"))
+ (port '#$(assoc-ref %ssh-ports "vin.twilken.net"))
+ (host-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEEpdfKxzoCwg53TKPF5YxgUwhGF+bELAyBGdxagQroJ")
+ (user "timo")
+ (private-key "/home/timo/.local/share/ssh-keys/id_rsa")
+ (speed 2/3)))) ; 8 cores, 16 GB RAM
+ (use-modules (ice-9 popen)
+ (ice-9 textual-ports)
+ (ice-9 regex))
+ (let* ((regexp (make-regexp "^GENERAL\\.CONNECTION:[[:space:]]+TLAN$" regexp/newline))
+ (pipe (open-pipe* OPEN_READ #$(file-append network-manager "/bin/nmcli")
+ "device" "show" "wlp3s0"))
+ (at-home? (regexp-exec regexp (get-string-all pipe))))
+ (close-pipe pipe)
+ ;; Only offload to vin when at home, as the network connection is too bad otherwise.
+ (if at-home?
+ (list vin)
+ (list lud))))))
+
+ ;; Set up a secrets config for WireGuard to extend.
+ (service secrets-service-type
+ (secrets-configuration
+ (host-key "/etc/secrets.key"))) ; we have no SSH host keys, so use a custom key
+
+ (modify-services (append %system-channel-services %desktop-services)
+ ;; Let sane find the airscan backend. ipp-usb needs to be running separately.
+ (sane-service-type _ => sane-backends/airscan)
+
+ (gdm-service-type
+ config =>
+ (gdm-configuration
+ (inherit config)
+ (auto-login? #f)
+ (default-user "timo")
+ (xorg-configuration custom-xorg-config)))
+
+ (geoclue-service-type
+ config =>
+ (geoclue-configuration
+ (inherit config)
+ (applications
+ (cons* (geoclue-application "redshift" #:system? #f)
+ %standard-geoclue-applications))))
+
+ (login-service-type
+ config =>
+ (login-configuration
+ (inherit config)
+ (motd (plain-file "no-motd" ""))
+ (allow-empty-passwords? #f))))))))
+
+%frm-system
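Review bot: The header comment at the top of the file says /home is encrypted with LUKS, but the file-systems block mounts /home as a plain btrfs subvolume of root-partition with no mapped-devices, so the file documents a protection the machine does not have — and `/etc/secrets.key` (the age identity that decrypts the WireGuard secrets) and the `/home/timo/.local/share/ssh-keys/id_rsa` used for build offloading consequently sit on unencrypted storage on a laptop. Either the comment is stale (it reads like a carry-over from tw/system/lap, which this file already borrows from) and should be replaced with `;; Operating system configuration for the Framework laptop: i3 desktop, btrfs root with /home in a subvolume, no disk encryption yet.`, or a LUKS mapped-device for /home is missing and should be added before secrets are placed there. The phrase "partition partition" on the second line is also doubled.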