authorTimo Wilken2022-10-20 20:21:41 +0200
committerTimo Wilken2022-10-20 20:21:41 +0200
commit2c05fb998bed67ca8630f304aca35483fbfc8158 (patch)
tree6534a4d372f865643b35448e69a55d9afcafad22
parent095cd78a532b7eadf5a98d14ff4dff8ae741b6c6 (diff)
Major home configuration overhaul
- load Catppuccin themes for some things - add various useful packages - declare more useful user services - manage SSH config through home-configuration.scm - manage extra Guix channels through home-configuration.scm
-rw-r--r--home-configuration.scm429
1 files changed, 338 insertions, 91 deletions
diff --git a/home-configuration.scm b/home-configuration.scm
index bd82d32b..e8692ef3 100644
--- a/home-configuration.scm
+++ b/home-configuration.scm
@@ -7,72 +7,149 @@
;; See also, for some tips:
;; https://github.com/alezost/shepherd-config/blob/master/init.scm
-;; TODO: Move from Xorg/i3 to Wayland/sway.
-;; TODO: Theme stuff using https://github.com/catppuccin -- needs
-;; integration into config files. Can I do something fancy using
-;; `computed-file' to combine catppuccin-provided configs with my own,
-;; e.g. for kitty and rofi?
-;; Integrate upstream (ctp) configs into ~/guix-home using git submodules?
-;; https://github.com/catppuccin/rofi
+;; TODO: Integrate upstream (ctp) configs into ~/guix-home using git submodules:
+;; https://github.com/catppuccin/grub ; TODO: make this system-wide
+;; https://github.com/catppuccin/tty ; system-wide
+;; https://github.com/catppuccin/papirus-folders
+;; https://github.com/catppuccin/Kvantum
+;; https://github.com/catppuccin/fzf
;; https://github.com/catppuccin/obs
-;; https://github.com/catppuccin/waybar
;; https://github.com/catppuccin/insomnia
-;; https://github.com/catppuccin/kitty
+;; https://github.com/catppuccin/neomutt
+;; https://github.com/catppuccin/zathura
+;; https://github.com/catppuccin/firefox ; for icecat
+
+;; Manual installation needed?
+;; https://github.com/catppuccin/dark-reader
+;; https://github.com/catppuccin/github
(use-modules (gnu home)
(gnu home services)
(gnu home services desktop)
+ (gnu home services guix)
+ (gnu home services pm)
(gnu home services shells)
(gnu home services shepherd)
+ (gnu home services ssh)
(gnu packages)
(gnu services)
(gnu services shepherd)
+ (guix channels)
(guix gexp))
+(fluid-set! read-eval? #t) ; allow #. read expansions in this file
+
+;; One of "latte" (light theme), "frappe", "macchiato", "mocha" (dark
+;; themes); ordered brightest to darkest.
+;; Set and use this at read time so that `local-file' gets a literal
+;; argument. Anything else confuses it and causes it to search
+;; relative to the working directory, not this file's directory.
+#.(define catppuccin-theme-variant "mocha")
+
(define* (package-binary specification #:optional (binary specification))
"Get the path of BINARY inside the package referred to by SPECIFICATION."
- (file-append (specification->package specification) "/bin/" binary))
+ (file-append (specification->package specification)
+ (string-append "/bin/" binary)))
+
+;; See also: `file-join' in (gnu home services ssh).
+(define (combined-text-file name . files)
+ "A file which is the concatenation of the contents of other files."
+ ;; We need to use #$output for `computed-file' to work.
+ ;; Of course this isn't documented anywhere!
+ (computed-file name
+ (with-imported-modules '((guix build utils)) ; for `dump-port'
+ #~(begin
+ (use-modules (guix build utils))
+ (call-with-output-file #$output
+ (lambda (oport)
+ (for-each (lambda (in-file)
+ (call-with-input-file in-file
+ (lambda (iport)
+ (dump-port iport oport))))
+ '#$files)))))))
+
+(define (text-file/substitutions name input-file . substitutions)
+ "A file containing another file's content with regexp substitutions.
+Each item in SUBSTITUTIONS is a `cons' of a regular expression and a
+replacement spec (to which `regexp-substitute/global' is applied)."
+ (computed-file name
+ (with-imported-modules '((ice-9 regex)
+ (ice-9 textual-ports))
+ #~(begin
+ (use-modules (ice-9 regex)
+ (ice-9 textual-ports))
+ (call-with-output-file #$output
+ (lambda (oport)
+ (call-with-input-file #$input-file
+ (lambda (iport)
+ (let loop ((output (get-string-all iport))
+ (substitutions '#$substitutions))
+ (if (null? substitutions)
+ (put-string oport output)
+ (loop (call-with-output-string
+ (lambda (sport)
+ (apply regexp-substitute/global
+ sport
+ (caar substitutions)
+ output
+ (cdar substitutions))))
+ (cdr substitutions))))))))))))
(home-environment
- ;; Below is the list of packages that will show up in your
- ;; Home profile, under ~/.guix-home/profile.
(packages
+ ;; These packages will show up in the home profile, under ~/.guix-home/profile.
(cons*
;; Install only bind-utils like dig, not the full suite.
(list (specification->package "bind") "utils")
(specifications->packages
'(;; CLI tools
- "dos2unix" "dropbear" "emacs" "emacs-use-package" "file" "git"
- "imagemagick" "lesspipe" "nvme-cli" "openssh" "powertop"
- "python" "rsync" "sbcl" "smartmontools" "source-highlight" "tk"
- "tlp" "tmux" "tree" "unzip" "zip"
+ "adb" "dos2unix" "file" "fzf" "git" "imagemagick" "jq"
+ "lesspipe" "nvme-cli" "openssh" "powertop" "pv" "python" "rsync"
+ "sbcl" "smartmontools" "source-highlight" "tk" "tlp" "tmux"
+ "tree" "xxd" "zip" "unzip"
+ ;; Emacs
+ "emacs" "emacs-use-package" "emacs-editorconfig" ; TODO: set up EditorConfig
;; Shell
"zsh" "zsh-autosuggestions" "zsh-syntax-highlighting" "zsh-autopair"
;; i3 and Xorg. i3 itself must be installed system-wide for gdm to pick it up.
;; acpilight is a drop-in xbacklight replacement, as xbacklight doesn't work on my system.
- "acpilight" "i3status" "dunst" "rofi" "rofi-pass" "hsetroot"
+ "acpilight" "i3status" "dunst" "rofi" "hsetroot"
"xdot" "xclip" "xdotool" "xdpyinfo" "xev" "xfd" "xfontsel"
- "xinput" "xkill" "xprop" "xrandr" "xrdb" "xsel" "xwininfo"
+ "xinput" "xkill" "xprop" "xrandr" "xrdb" "xsel" "xset"
+ "xwininfo"
;; GUI programs
- "arandr" "gnupg" "pinentry-rofi" "icecat" "kitty" "nheko"
- "neomutt" "password-store"
- "gnome-keyring" ; nheko needs gnome-keyring to store secrets over dbus (kwallet doesn't do dbus).
- "geoclue" ; for redshift
+ "arandr" "gnupg" "pinentry-rofi" "gimp" "inkscape" "icecat"
+ "kitty" "mpv" "nheko" "neomutt" "password-store"
+ "signal-desktop" "simple-scan" "zathura" "zoom"
+ ;; kitty uses this, but does not pull it in by default.
+ ;; TODO: kitty still doesn't find libstartup-notification-1.so,
+ ;; even though it's installed by this package. Maybe kitty needs
+ ;; its rpath adjusted?
+ "startup-notification"
+ ;; Ranger can do code highlighting using python-pygments and
+ ;; image previews in kitty using python-pillow.
+ "ranger" "python-pygments" "python-pillow"
+ ; "gnome-keyring" ; installed system-wide; see system-configuration.scm
+ ; "geoclue" ; for redshift -- installed system-wide
;; Fonts
- "font-libertinus"
- "font-inconsolata" "font-fira-sans" "font-fira-code"
- ;; Monospace fonts to try out!
- "font-mononoki" ; https://madmalik.github.io/mononoki/
- "font-victor-mono" ; https://rubjo.github.io/victor-mono/
+ "font-inconsolata" "font-fira-code" "font-fira-sans"
+ "font-libertinus" "font-openmoji"
;; Theming
- "orchis-theme" "hicolor-icon-theme"))))
+ "papirus-icon-theme"
+ ;; My own packages -- needs GUIX_PACKAGE_PATH to be set; see below.
+ "catppuccin-gtk-theme"
+ "catppuccin-mocha-dark-cursors"
+ "simutrans"))))
- ;; Below is the list of Home services. To search for available
- ;; services, run 'guix home search KEYWORD' in a terminal.
+ ;; To search for available home services, run 'guix home search KEYWORD'.
(services
(list
- ;; TODO: xrdb -merge ~/.Xdefaults && xrdb -merge ~/.Xresources
+ ;; Batsignal: battery level notifications.
+ (service home-batsignal-service-type
+ (home-batsignal-configuration
+ (batteries '("BAT0"))))
+ ;; Redshift: make the screen turn redder at night.
(service home-redshift-service-type
(home-redshift-configuration
;; See info '(guix)Desktop Home Services'.
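Review bot: `(fluid-set! read-eval? #t)` near the top of the file turns on `#.` read-time evaluation for the rest of the process, not just for this file. After it runs, any later `read` of other data in the same `guix home` process would presumably also evaluate `#.` forms, since nothing restores the fluid. I would add a comment beside it such as `;; NOTE: stays enabled after this file is loaded; only data from trusted files may be read afterwards`. Alternatively, the theme-dependent `local-file` calls could be spelled out literally so that the fluid need not be changed at all. The `home-environment` form that opens in this hunk continues past its end.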
@@ -87,56 +164,114 @@
(nighttime-brightness 0.7)
(extra-content "fade=0"))) ; with fade=1, restarting redshift causes flickering for a few secs
+ ;; The dbus service doesn't seem to be added automatically.
+ (service home-dbus-service-type (home-dbus-configuration))
+
+ ;; User shepherd services.
(simple-service
'user-services home-shepherd-service-type
(list
(shepherd-service
- (documentation "User Emacs daemon; connect using emacsclient.")
+ (documentation "Emacs server; connect using emacsclient.")
(provision '(emacs))
(start #~(make-forkexec-constructor
(list #$(package-binary "emacs") "--fg-daemon")))
(stop #~(make-kill-destructor)))
(shepherd-service
- (documentation "User GPG agent daemon.")
+ (documentation "GPG agent; caches key passwords.")
(provision '(gpg-agent))
(start #~(lambda _
(invoke #$(package-binary "gnupg" "gpg-agent")
"--daemon" "--no-detach")))
(stop #~(lambda _
- (invoke "gpg-connect-agent" "killagent" "/bye"))))))
-
- (service home-xdg-configuration-files-service-type
- `(;; All alibuild needs is an empty file.
- ("alibuild/disable-analytics" ,(plain-file "alibuild-disable-analytics" ""))
- ("git/config" ,(local-file "gitconfig"))
- ("gtk-3.0/settings.ini" ,(local-file "gtk3.ini"))
- ("htop/htoprc" ,(local-file "htoprc"))
- ("i3/config" ,(local-file "i3.conf"))
- ("i3status/config" ,(local-file "i3status.conf"))
- ("kitty/kitty.conf"
- ,(text-file* "kitty.conf"
+ (invoke "gpg-connect-agent" "killagent" "/bye"))))
+ (shepherd-service
+ (documentation "Dunst notification daemon; displays desktop notifications.")
+ (provision '(dunst))
+ (start #~(make-forkexec-constructor
+ (list #$(package-binary "dunst"))))
+ (stop #~(make-kill-destructor)))
+ (shepherd-service
+ (documentation "Source Xresources on login.")
+ (provision '(xrdb))
+ (one-shot? #t)
+ (start #~(lambda _
+ ;; TODO: put these files in ~/.config.
+ (invoke #$(package-binary "xrdb") "-merge"
+ (string-append (getenv "HOME") ".Xdefaults")
+ (string-append (getenv "HOME") ".Xresources")))))
+ (shepherd-service
+ (documentation "Set up X displays on login.")
+ (provision '(xorg-setup))
+ (one-shot? #t)
+ (start #~(lambda _
+ ;; Turn off the monitors if there is no input for 10 minutes.
+ (invoke #$(package-binary "xset") "dpms" "600" "600" "600")
+ (invoke #$(package-binary "xrandr")
+ "--output" "eDP-1" "--auto"
+ ;; Don't use --auto for this monitor. That
+ ;; configures it at 60 Hz, which causes
+ ;; it to briefly turn off every few minutes.
+ "--output" "HDMI-1-1" "--mode" "2560x1440" "--rate" "120.00"
+ "--right-of" "eDP-1"))))))
+
+ ;; User configuration files in $XDG_CONFIG_HOME.
+ (service
+ home-xdg-configuration-files-service-type
+ `(;; All alibuild needs is an empty file.
+ ("alibuild/disable-analytics"
+ ,(plain-file "alibuild-disable-analytics" ""))
+ ("dunst/dunstrc" ,(local-file "dunstrc"))
+ ("dunst/dunstrc.d/50-catppuccin.conf"
+ ,(local-file #.(string-append "catppuccin/dunst/src/"
+ catppuccin-theme-variant ".conf")
+ "dunst-theme.conf"))
+ ("git/config" ,(local-file "gitconfig"))
+ ("gtk-2.0/gtkrc" ,(local-file "gtk2.ini"))
+ ("gtk-3.0/settings.ini" ,(local-file "gtk3.ini"))
+ ("htop/htoprc" ,(local-file "htoprc"))
+ ("i3/config" ,(local-file "i3.conf"))
+ ("i3status/config" ,(local-file "i3status.conf"))
+ ("kitty/diff.conf"
+ ,(local-file #.(string-append "catppuccin/kitty/diff-"
+ catppuccin-theme-variant ".conf")
+ "kitty-diff-theme.conf"))
+ ("kitty/kitty.conf"
+ ,(combined-text-file "kitty.conf"
(local-file "kitty.conf")
- (local-file "catppuccin/kitty/mocha.conf")))
- ("lesskey" ,(local-file "lesskey"))))
-
- (service home-files-service-type
- `(;; https://sw.kovidgoyal.net/kitty/kittens/diff/
- (".local/bin/kdiff"
- ,(program-file "kdiff" #~(apply execl #$(package-binary "kitty")
- "+kitten" "diff" (cdr (command-line)))))
- ;; GnuPG config files must be in ~/.local/share/gnupg, not ~/.config,
- ;; so we can't use `home-xdg-configuration-files-service-type'.
- (".local/share/gnupg/gpg.conf" ,(local-file "gpg.conf"))
- (".local/share/gnupg/gpg-agent.conf"
- ;; We need to use #$output for `computed-file' to work.
- ;; Of course this isn't documented anywhere!
- ,(computed-file "gpg-agent.conf" #~(call-with-output-file #$output
- (lambda (port)
- (format port "\
-pinentry-program ~a
+ (local-file #.(string-append "catppuccin/kitty/"
+ catppuccin-theme-variant ".conf")
+ "kitty-theme.conf")))
+ ("lesskey" ,(local-file "lesskey"))
+ ("ranger/rc.conf" ,(local-file "ranger.conf"))
+ ("rofi/config.rasi"
+ ,(text-file/substitutions "rofi-config.rasi"
+ (local-file "catppuccin/rofi/basic/.config/rofi/config.rasi")
+ '("Oranchelo" pre "Papirus" post) ; icon theme
+ '("alacritty" pre "rofi-sensible-terminal" post) ; default terminal
+ '("catppuccin-mocha" pre "catppuccin" post))) ; @theme name
+ ("rofi/themes/catppuccin.rasi"
+ ,(text-file/substitutions "catppuccin.rasi"
+ (local-file #.(string-append "catppuccin/rofi/basic/.local/share/rofi/themes/catppuccin-"
+ catppuccin-theme-variant ".rasi"))
+ '("JetBrainsMono Nerd Font 14" pre "Fira Sans 12" post))))) ; default font
+
+ (service
+ home-files-service-type
+ `((".icons/default/index.theme" ,(local-file "cursors.ini"))
+ ;; https://sw.kovidgoyal.net/kitty/kittens/diff/
+ (".local/bin/kdiff"
+ ,(program-file "kdiff" #~(apply execl #$(package-binary "kitty") "kitty"
+ "+kitten" "diff" (cdr (command-line)))))
+ ;; GnuPG config files must be in ~/.local/share/gnupg, not ~/.config,
+ ;; so we can't use `home-xdg-configuration-files-service-type'.
+ (".local/share/gnupg/gpg.conf" ,(local-file "gpg.conf"))
+ (".local/share/gnupg/gpg-agent.conf"
+ ,(mixed-text-file "gpg-agent.conf" "\
+pinentry-program " (package-binary "pinentry-rofi") "
# Needed if spawning lots of parallel gpg --decrypt processes. https://dev.gnupg.org/T3530
auto-expand-secmem
-" #$(package-binary "pinentry-rofi"))))))))
+"))))
(service home-zsh-service-type
(home-zsh-configuration
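Review bot: The `xrdb` one-shot service builds its file names with `(string-append (getenv "HOME") ".Xdefaults")`, which has no path separator and so yields something like `/home/user.Xdefaults`. The files are never found, and `invoke` will raise on the failing command. Both arguments need the slash, e.g. `(string-append (getenv "HOME") "/.Xdefaults")` and `(string-append (getenv "HOME") "/.Xresources")`. As far as I know `xrdb` accepts a single file argument, so two separate `invoke` calls are probably needed; this should be confirmed against the xrdb manual. The `services` list this belongs to starts before the hunk and continues after it.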
@@ -144,30 +279,31 @@ auto-expand-secmem
(local-file "prompt.zsh")))))
(simple-service
- 'env-vars home-environment-variables-service-type
- ;; The `home-xdg-base-directories' service (enabled by default) sets $XDG_* variables for us.
- `(("GUIX_PACKAGE_PATH" . "$HOME/packages/guix")
- ;; ("GUILE_LOAD_PATH" .
- ;; "$XDG_CONFIG_HOME/guix/current/share/guile/site/3.0${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH")
- ;; ("GUILE_LOAD_COMPILED_PATH" .
- ;; ,(string-append
- ;; "$XDG_CONFIG_HOME/guix/current/lib/guile/3.0/site-ccache:"
- ;; "$XDG_CONFIG_HOME/guix/current/share/guile/site/3.0"
- ;; "${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"))
+ 'custom-environment-variables home-environment-variables-service-type
+ `(;; Path to my own package definitions. If invoking `guix home'
+ ;; afresh, this needs to be set manually to find these packages.
+ ("GUIX_PACKAGE_PATH" . "$HOME/src/packages/guix")
- ;; Auto-compilation is annoying and creates a bunch of files that are never cleaned up.
- ("GUILE_AUTO_COMPILE" . "0")
+ ;; Prepend my own binaries to $PATH. These should probably all
+ ;; be managed through `home-files-service-type'.
+ ("PATH" . "$HOME/.local/bin${PATH:+:}$PATH")
+ ;; Default terminal-related applications
("EDITOR" . "emacsclient -qc")
+ ;; Tell emacsclient to return immediately after opening the
+ ;; file. I can't put this in $EDITOR as many programs expect
+ ;; $EDITOR to exit only when the user is done editing.
+ ("ASYNC_EDITOR" . "emacsclient -qcn")
("TERMINAL" . "kitty")
("PAGER" . "less")
;; Guix force-overrides $LESS by default, so force-force it to do what I want instead.
- ("GUIX_PAGER" . "env -u LESS less --ignore-case --quit-if-one-screen --RAW-CONTROL-CHARS --LONG-PROMPT --chop-long-lines")
+ ;; `less' reads the `lesskey' file configured above.
+ ("GUIX_PAGER" . "env -u LESS less")
;; Shell history -- primarily for zsh, but Emacs' eshell uses this too
("HISTSIZE" . "10000000")
- ("NVIM_TUI_ENABLE_CURSOR_SHAPE" . "1")
+ ;; ("NVIM_TUI_ENABLE_CURSOR_SHAPE" . "1")
("LEDGER_FILE" . "$HOME/sync/ledger/ledger.journal")
("GTAGSLABEL" . "pygments")
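Review bot: The new `PATH` entry puts `$HOME/.local/bin` in front of the inherited path, so any file written into that user-writable directory shadows commands that are run by bare name. One such call visible in this commit is `(invoke "gpg-connect-agent" ...)` in the gpg-agent stop procedure, if it resolves through this `PATH`. Appending keeps the convenience without the shadowing: `("PATH" . "$PATH${PATH:+:}$HOME/.local/bin")`. If the prepend is kept on purpose, a comment saying so would help, and helpers such as `gpg-connect-agent` could be called through `package-binary` like the other services. The alist continues outside this hunk.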
@@ -178,27 +314,44 @@ auto-expand-secmem
;; For appmenu/global menu in Java applications.
;; https://gitlab.com/vala-panel-project/vala-panel-appmenu#experimental-features
- ("JAYATANA_FORCE" . "1")
- ;; Appmenu; GTK look-and-feel; XDG compliance in Java
+ ;; ("JAYATANA_FORCE" . "1")
+ ;; Appmenu and GTK look-and-feel in Java
;; https://wiki.manjaro.org/index.php?title=Set_all_Java_apps_to_use_GTK%2B_font_%26_theme_settings
;; TODO: install jayatana and add "-javaagent:/usr/share/java/jayatanaag.jar" option
("_JAVA_OPTIONS" .
,(string-append
"$_JAVA_OPTIONS${_JAVA_OPTIONS:+ }-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true "
"-Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel "
- "-Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel "
- "-Djava.util.prefs.userRoot=$XDG_CONFIG_HOME/java"))
+ "-Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel"))
;; For programs from kde-servicemenus-pdf.
- ("LANGUAGE" . "en")
+ ;; ("LANGUAGE" . "en")
- ;; Smooth trackpad scrolling in Firefox.
+ ;; Smooth trackpad scrolling in Firefox/Icecat.
;; https://wiki.archlinux.org/index.php/Firefox/Tweaks#Pixel-perfect_trackpad_scrolling
("MOZ_USE_XINPUT2" . "1")
- ;; XDG basedir spec compliance for various programs
- ;; See: https://wiki.archlinux.org/index.php/XDG_Base_Directory for a list of programs
- ("ANDROID_EMULATOR_HOME" . "$XDG_DATA_HOME/android-emulator")
+ ;; Auto-compilation is annoying and creates a bunch of files that are never cleaned up.
+ ("GUILE_AUTO_COMPILE" . "0")
+
+ ;; For some reason, Guix doesn't seem to add these paths automatically.
+ ("GUILE_LOAD_PATH" .
+ ,(string-append
+ "$GUIX_PACKAGE_PATH:"
+ "$XDG_CONFIG_HOME/guix/current/share/guile/site/3.0"
+ "${GUILE_LOAD_PATH:+:}$GUILE_LOAD_PATH"))
+ ("GUILE_LOAD_COMPILED_PATH" .
+ ,(string-append
+ "$XDG_CONFIG_HOME/guix/current/lib/guile/3.0/site-ccache:"
+ "$XDG_CONFIG_HOME/guix/current/share/guile/site/3.0"
+ "${GUILE_LOAD_COMPILED_PATH:+:}$GUILE_LOAD_COMPILED_PATH"))))
+
+ ;; XDG basedir spec compliance for various programs
+ ;; See: https://wiki.archlinux.org/index.php/XDG_Base_Directory for a list of programs.
+ ;; The `home-xdg-base-directories' service (enabled by default) sets $XDG_* variables for us.
+ (simple-service
+ 'xdg-spec-compliance home-environment-variables-service-type
+ `(("ANDROID_EMULATOR_HOME" . "$XDG_DATA_HOME/android-emulator")
("ASPELL_CONF" . "per-conf $XDG_CONFIG_HOME/aspell/aspell.conf; home-dir $XDG_DATA_HOME/aspell")
("BUP_DIR" . "$XDG_DATA_HOME/bup")
("CARGO_HOME" . "$XDG_DATA_HOME/cargo")
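Review bot: `GUILE_LOAD_PATH` is built with an unconditional `"$GUIX_PACKAGE_PATH:"` prefix, so if that variable is empty or not yet set when the line is expanded, the value starts with a bare `:`. That leaves an empty load-path element, which Guile may resolve relative to the current working directory; this should be verified. The order in which the generated profile sets the two variables is not visible here. The idiom already used for the tail of the same value avoids this: `"${GUIX_PACKAGE_PATH:+$GUIX_PACKAGE_PATH:}"`. The alist for `xdg-spec-compliance` that begins at the end of this hunk continues beyond it.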
@@ -212,6 +365,9 @@ auto-expand-secmem
("INPUTRC" . "$XDG_CONFIG_HOME/readline/inputrc")
("IPYTHONDIR" . "$XDG_CONFIG_HOME/ipython")
("JUPYTER_CONFIG_DIR" . "$XDG_CONFIG_HOME/jupyter")
+ ;; KONAN_DATA_DIR=~/.konan by default; grows to multiple GiB.
+ ;; https://discuss.kotlinlang.org/t/change-konan-folder-location/18309
+ ("KONAN_DATA_DIR" . "$XDG_CACHE_HOME/konan")
("NPM_CONFIG_USERCONFIG" . "$XDG_CONFIG_HOME/npm/npmrc")
("PASSWORD_STORE_DIR" . "$XDG_DATA_HOME/password-store")
("PLTUSERHOME" . "$XDG_DATA_HOME/racket")
@@ -225,7 +381,98 @@ auto-expand-secmem
("XCOMPOSECACHE" . "$XDG_CACHE_HOME/X11/XCompose")
("XCOMPOSEFILE" . "$XDG_CONFIG_HOME/X11/XCompose")
("ZDOTDIR" . "$XDG_CONFIG_HOME/zsh")
- ;; ("ZPLUG_HOME" . "$XDG_DATA_HOME/zplug")
- ;; KONAN_DATA_DIR=~/.konan by default; grows to multiple GiB.
- ;; https://discuss.kotlinlang.org/t/change-konan-folder-location/18309
- ("KONAN_DATA_DIR" . "$XDG_CACHE_HOME/konan"))))))
+ ("_JAVA_OPTIONS" .
+ "$_JAVA_OPTIONS${_JAVA_OPTIONS:+ }-Djava.util.prefs.userRoot=$XDG_CONFIG_HOME/java")))
+
+ (service
+ home-openssh-service-type
+ (home-openssh-configuration
+ (hosts
+ (let ((my-hosts/ports
+ '(("vin.twilken.net" . 50022)
+ ("vin.wg" . 50022)
+ ("pi3.twilken.net" . 51022)
+ ("pi3.wg" . 51022)
+ ("lud.twilken.net" . 22022)
+ ("lud.wg" . 22)
+ ("matrix.twilken.net" . 22022)))
+ (git-hosts
+ '("github.com" "ssh.github.com" "bitbucket.org" "gitlab.cern.ch"))
+ (cern-ci-hosts/users
+ '(("alimonitor.cern.ch" . "alibuild")
+ ("alinsure.cern.ch" . "alibuild")
+ ("alibuildmac*.cern.ch" . "alibuild")
+ ("aido*osx*.cern.ch" . "alibuild")
+ ("alibuild*.cern.ch" . "root")
+ ("alissandra*.cern.ch" . "root")
+ ("alimesos*.cern.ch" . "root")
+ ("alientest*.cern.ch" . "root")
+ ("aliflow*.cern.ch" . "root")
+ ("alijenkins*.cern.ch" . "root"))))
+
+ (define (cern-extra-content delegate-kerberos-credentials?)
+ (string-append "\
+# Kerberos authentication
+GSSAPIAuthentication yes
+GSSAPIDelegateCredentials " (if delegate-kerberos-credentials? "yes" "no") "
+PreferredAuthentications gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
+ProxyJump \"twilken@lxplus.cern.ch\"
+"))
+
+ ;; Earlier rules overwrite later ones.
+ `(,(openssh-host (name "*.srcf.net") (user "tw466"))
+ ,(openssh-host (name "*.fritz.box")
+ (extra-content "ProxyJump lud.twilken.net"))
+ ,@(map (lambda (host port)
+ (openssh-host (name host) (port port) (user "timo")))
+ (map car my-hosts/ports)
+ (map cdr my-hosts/ports))
+ ,@(map (lambda (host) (openssh-host (name host) (user "git"))) git-hosts)
+ ;; BitBucket apparently only supports ssh-rsa.
+ ,(openssh-host (name "bitbucket.org")
+ (host-key-algorithms '("+ssh-rsa"))
+ (accepted-key-types '("+ssh-rsa"))
+ (identity-file "~/.ssh/id_rsa"))
+ ,(openssh-host (name "gitlab.cern.ch")
+ (port 7999)
+ (extra-content "ProxyJump none")) ; no jump needed
+ ;; Avoid ProxyJump loops.
+ ,(openssh-host (name "lxplus.cern.ch")
+ (extra-content "ProxyJump none"))
+ ,(openssh-host (name "twilkendesktop.cern.ch")
+ (port 22022)
+ (forward-x11? #t))
+ ,@(map (lambda (host user)
+ (openssh-host (name host)
+ (user user)
+ (identity-file "~/.ssh/alicern_id_rsa")
+ (extra-content (cern-extra-content #f))))
+ (map car cern-ci-hosts/users)
+ (map cdr cern-ci-hosts/users))
+ ,(openssh-host (name "*.cern.ch")
+ (user "twilken")
+ (identity-file "~/.ssh/cern_id_rsa")
+ (extra-content (cern-extra-content #t))))))))
+
+ (service
+ home-channels-service-type
+ (list
+ ;; Nonguix is also needed system-wide for non-free drivers!
+ (channel
+ (name 'nonguix)
+ (url "https://gitlab.com/nonguix/nonguix")
+ ;; Enable signature verification:
+ (introduction
+ (make-channel-introduction
+ "897c1a470da759236cc11798f4e0a5f7d4d59fbc"
+ (openpgp-fingerprint
+ "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))
+ (channel
+ (name 'guix-gaming-games)
+ (url "https://gitlab.com/guix-gaming-channels/games")
+ ;; Enable signature verification:
+ (introduction
+ (make-channel-introduction
+ "c23d64f1b8cc086659f8781b27ab6c7314c5cca5"
+ (openpgp-fingerprint
+ "50F3 3E2E 5B0C 3D90 0424 ABE8 9BDC F497 A4BB CC7F")))))))))
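Review bot: The catch-all `*.cern.ch` host entry passes `(cern-extra-content #t)`, which writes `GSSAPIDelegateCredentials yes` for every host under that domain that no earlier rule has set to `no`. That includes `gitlab.cern.ch`, `twilkendesktop.cern.ch` and the `lxplus.cern.ch` jump host. A delegated Kerberos ticket can be reused by whoever controls the remote host, so delegation is better limited to the named hosts that need it. I would change the wildcard entry to `(extra-content (cern-extra-content #f))` and add a specific `openssh-host` above it for the machines where forwarding the ticket is required. A short comment on `(forward-x11? #t)` explaining why that host is trusted with X11 forwarding would also help.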