;; This is an operating system configuration file for a fairly minimal
;; "desktop" setup with i3 on a single NVMe disk.
;;
;; Storage layout as declared below: one vfat EFI System Partition and one
;; btrfs root partition; /home is a btrfs subvolume ("home") of that same
;; root partition.  No `mapped-devices' are declared here, so nothing in
;; this file sets up LUKS -- neither / nor /home is encrypted by this
;; configuration.  Keep that in mind for anything stored on disk that is
;; secret (see the secrets service and the sudoers file further down).
;;
;; https://guix.gnu.org/manual/en/html_node/operating_002dsystem-Reference.html

(define-module (tw system frm)
  #:use-module (gnu)
  #:use-module (gnu bootloader grub)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages shells)
  #:use-module (gnu services admin)
  #:use-module (gnu services desktop)
  #:use-module (gnu services pm)
  #:use-module (gnu services syncthing)
  #:use-module (gnu system locale)
  #:use-module (gnu system nss)
  #:use-module (guix gexp)
  #:use-module (guix packages)
  #:use-module ((guix utils) #:select (substitute-keyword-arguments))
  #:use-module ((nongnu packages linux) #:prefix nongnu:) ; don't interfere with (gnu packages linux)
  #:use-module ((nongnu system linux-initrd) #:prefix nongnu:)
  #:use-module ((nonguix licenses) #:prefix nongnu:)
  #:use-module (tw channels)
  #:use-module (tw services secrets)
  #:use-module (tw system))

;; Partitions are addressed by UUID rather than by device node so that the
;; configuration does not depend on enumeration order.
(define efi-system-partition ; /dev/nvme0n1p1
  (uuid "D8C7-2624" 'fat))
(define root-partition ; /dev/nvme0n1p2
  (uuid "62fb4710-33d1-4eaf-aaaa-43d16ab26a58" 'btrfs))

;; `@@' reaches into a binding that (nongnu packages linux) does not export.
;; This is fragile: a nonguix update that renames or re-signatures
;; `select-firmware' breaks this module at load time rather than at build
;; time, and the unattended-upgrade service below would then fail to
;; reconfigure.
(define select-firmware (@@ (nongnu packages linux) select-firmware))

;; Subset of linux-firmware containing only the Mediatek MT7922 blobs.
;; Built from the same (nonfree, unauditable) source tarball as
;; nongnu:linux-firmware; only the license file and the set of installed
;; files differ.
(define-public mt7922-firmware
  (package
    (inherit nongnu:linux-firmware)
    (name "mt7922-firmware")
    (arguments
     `(#:license-file-regexp "LICENSE.mediatek"
       ,@(substitute-keyword-arguments (package-arguments nongnu:linux-firmware)
           ((#:phases phases)
            `(modify-phases ,phases
               ;; Keep only mediatek/*7922* so the system closure does not
               ;; carry every vendor's firmware.
               (add-after 'unpack 'select-firmware
                 ,(select-firmware "^mediatek/.*7922.*")))))))
    (home-page "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/mediatek")
    (synopsis "Nonfree firmware for Mediatek MT7922 (AMD RZ616) wireless chips")
    (description "Nonfree firmware for AMD RZ616 Wi-Fi and Bluetooth chips.
These are actually Mediatek MT7922 chips.")
    (license (nongnu:nonfree (string-append "https://git.kernel.org/pub/scm/linux/kernel/git/firmware"
                                            "/linux-firmware.git/plain/LICENSE.mediatek")))))

;; The operating-system declaration for host "frm".  Exported so that the
;; unattended-upgrade service can re-evaluate it by name (see
;; `operating-system-expression' below).
(define-public %frm-system
  (operating-system
    (host-name "frm.twilken.net")
    (timezone "Europe/Paris")
    (locale "en_GB.utf8")
    (locale-definitions
     (list (locale-definition (name "en_GB.utf8") (source "en_GB"))
           (locale-definition (name "en_US.utf8") (source "en_US"))
           (locale-definition (name "fr_FR.utf8") (source "fr_FR"))))

    ;; Allow resolution of '.local' host names with mDNS.
    ;; NOTE(review): mDNS answers are unauthenticated -- any host on the
    ;; same link can claim a '.local' name.  Do not rely on such names for
    ;; anything security-sensitive (SSH host pinning, sync peers, etc.).
    (name-service-switch %mdns-host-lookup-nss)

    ;; Choose UK English X11 keyboard layout.
    (keyboard-layout %british-keyboard)

    ;; Use the UEFI variant of GRUB with the EFI System
    ;; Partition mounted on /boot/efi.
    (bootloader (bootloader-configuration
                 (bootloader grub-efi-bootloader)
                 (targets '("/boot/efi"))
                 ;; Note: keyboard-layout is ignored by non-grub bootloaders.
                 (keyboard-layout keyboard-layout)))

    ;; Use non-free kernel to load non-free firmware (e.g. for wifi).
    ;; Enable MT7921 module for Mediatek MT7922 (AMD RZ616) WiFi card.
    ;; The MT7921E module is for the card connected via PCIe, which it is
    ;; (it's in an M.2 slot). Alternatives are S (SDIO) and U (USB).
    (kernel (nongnu:corrupt-linux linux-libre #:configs '("CONFIG_MT7921E=m")))
    ;; Out-of-tree module; it runs in kernel space with the same trust as
    ;; the kernel itself, so it is part of the TCB.
    (kernel-loadable-modules (list ddcci-driver-linux))
    ;; Presumably loads CPU microcode from the nonfree blobs early in boot
    ;; (needed for vendor mitigations of speculative-execution issues);
    ;; the initrd contents are defined in nonguix, not here.
    (initrd nongnu:microcode-initrd)
    (firmware (cons* nongnu:amdgpu-firmware mt7922-firmware %base-firmware))

    (file-systems
     (cons* (file-system
              (device root-partition)
              (mount-point "/")
              (flags '(no-atime))
              (options (alist->file-system-options '("ssd" ("compress" . "zstd"))))
              (type "btrfs"))
            (file-system
              (device efi-system-partition)
              (mount-point "/boot/efi")
              (flags '(no-atime))
              (type "vfat"))
            ;; Put /home in a subvolume for better accounting/snapshotting potential.
            ;; This is the same (unencrypted) block device as /, only a
            ;; different btrfs subvolume; it gives no isolation from /.
            (file-system
              (device root-partition)
              (mount-point "/home")
              (flags '(no-atime))
              (options (alist->file-system-options '("ssd" ("compress" . "zstd") ("subvol" . "home"))))
              (type "btrfs"))
            %base-file-systems))

    ;; Members of the wheel group are allowed to use sudo.
    ;; NOTE(review): "docker" group membership is root-equivalent whenever a
    ;; Docker daemon is running (the socket lets a member mount / into a
    ;; container), with no password prompt at all -- so the sudo password
    ;; below is not what stands between this account and root.  Treat any
    ;; code running as "timo" as running as root.  "adbusers" grants raw
    ;; access to attached Android devices via udev rules.
    (users (cons* (user-account
                   (name "timo")
                   (comment "Timo Wilken")
                   (group "users")
                   (supplementary-groups '("wheel" "audio" "video" "docker" "adbusers"))
                   (shell (file-append zsh "/bin/zsh")))
                  %base-user-accounts))

    ;; sudoers is assembled by string concatenation; every fragment must
    ;; end in "\n" and the whole thing should be checked with `visudo -c'
    ;; after changes, since a syntax error here locks everyone out of sudo.
    (sudoers-file
     (plain-file "sudoers"
                 (string-append
                  ;; We need to preserve $TERMINFO so that programs under sudo can
                  ;; find kitty's terminfo files. This is possibly unsafe; sudo
                  ;; explicitly deletes this variable by default.
                  ;;
                  ;; Why it is stripped by default: $TERMINFO names a directory the
                  ;; invoking user controls, so every ncurses-based program run via
                  ;; sudo parses a terminfo database from a user-writable path while
                  ;; running as root.  That widens the parsing attack surface of
                  ;; privileged programs.  The exposure is limited here because wheel
                  ;; members already get full root, but note this `Defaults' line is
                  ;; global -- it applies to every rule in the file, including the
                  ;; NOPASSWD rule appended below.  A cleaner fix is to install
                  ;; kitty's terminfo in the system profile so the variable is not
                  ;; needed at all.
                  "Defaults env_keep += \"TERMINFO\"\n"
                  (plain-file-content %sudoers-specification)
                  ;; In addition to the default rules, allow admins to power off
                  ;; the computer. They'll have to use the system binaries, not
                  ;; those from their user profile, as /etc/sudoers requires
                  ;; absolute paths to commands.
                  ;;
                  ;; sudo applies the LAST matching entry, so this rule must come
                  ;; after the default `%wheel ... ALL' rule for NOPASSWD to take
                  ;; effect.  /run/current-system is a root-owned symlink managed
                  ;; by `guix system', so the targets cannot be swapped by a user.
                  ;; No argument restriction is given: any process running as a
                  ;; wheel user can halt/reboot the machine without a password
                  ;; (denial of service / destruction of volatile evidence).  If
                  ;; these commands take options, append "" (e.g. `shutdown ""')
                  ;; to each to forbid arguments -- confirm against the binaries
                  ;; shipped in the system profile first.
                  "%wheel ALL=(ALL) NOPASSWD: "
                  "/run/current-system/profile/sbin/halt, "
                  "/run/current-system/profile/sbin/reboot, "
                  "/run/current-system/profile/sbin/shutdown\n")))

    ;; This is where we specify system-wide packages.
    (packages %enduser-system-packages)

    ;; Use the "desktop" services, which include the X11
    ;; log-in service, networking with NetworkManager, and more.
    ;; See info '(guix)Services' for useful services.
    (services
     (cons* ;; Syncthing runs as the unprivileged user, not as root.
            (service syncthing-service-type
                     (syncthing-configuration (user "timo")))
            (service bluetooth-service-type)
            (service tlp-service-type) ; TODO: configure properly
            ;; fprintd complains about missing firmware, but fwupd doesn't find any.
            ;; (service fprintd-service-type)
            ;; Nightly `guix pull' + `guix system reconfigure' as root.
            ;; NOTE(review): this re-evaluates THIS module from the freshly
            ;; pulled channels, so whoever can push to the "tw" channel (and
            ;; to the others in %system-channels) controls this machine
            ;; unattended.  The channel list lives in (tw channels); make
            ;; sure every channel there carries an `introduction' so that
            ;; `guix pull' authenticates commits -- cannot be verified from
            ;; here.
            (service unattended-upgrade-service-type
                     (unattended-upgrade-configuration
                      (schedule "0 21 * * *") ; every night at 21:00, when the laptop is turned on
                      (maximum-duration (* 40 60)) ; 40 minutes to allow for slow downloads
                      (channels %system-channels)
                      (operating-system-expression #~(@ (tw system frm) %frm-system))
                      (services-to-restart
                       ;; Anything that won't cause disruption when restarting.
                       '(syncthing-timo earlyoom thermald tlp wireguard-wg0 mcron))))
            ;; Set up a secrets config for WireGuard to extend.
            ;; NOTE(review): this key file sits on the unencrypted root
            ;; filesystem (no LUKS is configured in this file), so it is
            ;; only as protected as physical access to the disk.  Keep it
            ;; root-owned and mode 0600, and never reference it from a
            ;; gexp -- anything copied into /gnu/store is world-readable.
            ;; The expected key format is defined by (tw services secrets),
            ;; not visible here.
            (service secrets-service-type
                     (secrets-configuration
                      ;; TODO: reencrypt with SSH host key
                      (host-key "/etc/secrets.key"))) ; we have no SSH host keys, so use a custom key
            ;; Remaining services (networking, desktop, wireguard, ...) are
            ;; defined in (tw system); "wlp1s0" and "amdgpu_bl0" are
            ;; hardware-specific names for this laptop.
            (enduser-system-services #:host-name host-name
                                     #:cores 12
                                     #:wireless-interface "wlp1s0"
                                     #:backlight-device "amdgpu_bl0")))))

;; Evaluate to the system so `guix system reconfigure <this file>' works.
%frm-system