diff --git a/hosts/sam-4screen-desktop/configuration.nix b/hosts/sam-4screen-desktop/configuration.nix
index aec2591..6684176 100644
--- a/hosts/sam-4screen-desktop/configuration.nix
+++ b/hosts/sam-4screen-desktop/configuration.nix
@@ -30,29 +30,72 @@
   # ---
   networking.networkmanager.enable = true;
 
-  networking.networkmanager.ensureProfiles.profiles."Wired connection 1" = {
-    connection = {
-      id = "Wired connection 1";
-      type = "802-3-ethernet";
-      interface-name = "enp0s31f6";
-      autoconnect = "true";
-    };
+  # Static IP policy:
+  # - You confirmed the static IP must be on Wi-Fi SSID "Aussie Broadband 8729"
+  # - Do NOT store Wi-Fi secrets (PSK) in git-tracked Nix files
+  #
+  # Approach:
+  # - Connect to Wi-Fi normally via nmtui/nmcli/GUI (credentials stored locally by NM)
+  # - On activation, this dispatcher script enforces the static IP/DNS/gateway
+  #   only for that SSID on interface wlp4s2.
+  environment.etc."NetworkManager/dispatcher.d/10-wlp4s2-static-ip-aussie-broadband-8729".source =
+    pkgs.writeShellScript "10-wlp4s2-static-ip-aussie-broadband-8729" ''
+      set -euo pipefail
 
-    ethernet = { };
+      IFACE="$1"
+      STATUS="$2"
 
-    ipv4 = {
-      method = "manual";
-      addresses = [ "192.168.20.27/24" ];
-      gateway = "192.168.20.1";
-      dns = "192.168.20.35;192.168.20.13;";
-      ignore-auto-dns = "true";
-      never-default = "false";
-    };
+      TARGET_ID="Aussie Broadband 8729"
+      NMCLI="${pkgs.networkmanager}/bin/nmcli"
 
-    ipv6 = {
-      method = "auto";
-    };
-  };
+      # Only touch the Wi-Fi interface you specified.
+      if [[ "$IFACE" != "wlp4s2" ]]; then
+        exit 0
+      fi
+
+      # Apply on pre-up/up so settings are in place as early as possible.
+      case "$STATUS" in
+        pre-up|up) ;;
+        *) exit 0 ;;
+      esac
+
+      # NetworkManager dispatcher provides these env vars.
+      # If they are missing, we can't safely target the right connection.
+      if [[ -z "''${CONNECTION_UUID:-}" ]]; then
+        exit 0
+      fi
+
+      # Ensure it is actually a Wi-Fi connection.
+      TYPE="$("$NMCLI" -g connection.type connection show "$CONNECTION_UUID" 2>/dev/null || true)"
+      if [[ "$TYPE" != "802-11-wireless" ]]; then
+        exit 0
+      fi
+
+      # Determine the connection "id" (name). This is typically the SSID, but not always.
+      CONN_ID="$("$NMCLI" -g connection.id connection show "$CONNECTION_UUID" 2>/dev/null || true)"
+      if [[ "$CONN_ID" != "$TARGET_ID" ]]; then
+        exit 0
+      fi
+
+      # Enforce your confirmed static IPv4 configuration.
+      "$NMCLI" connection modify "$CONNECTION_UUID" \
+        ipv4.method manual \
+        ipv4.addresses "192.168.20.27/24" \
+        ipv4.gateway "192.168.20.1" \
+        ipv4.dns "192.168.20.35 192.168.20.13" \
+        ipv4.ignore-auto-dns yes \
+        ipv6.method auto
+
+      # NOTE:
+      # This modifies the connection profile. If the connection is already "up",
+      # you may need to reconnect once for all settings to apply immediately:
+      #   nmcli connection down "$CONNECTION_UUID"
+      #   nmcli connection up "$CONNECTION_UUID"
+
+      exit 0
+    '';
+
+  environment.etc."NetworkManager/dispatcher.d/10-wlp4s2-static-ip-aussie-broadband-8729".mode = "0755";
 
   # ---
   # Users
@@ -123,6 +166,11 @@
     wireplumber.enable = true;
   };
 
+  # ---
+  # Swap (zram; no hibernation)
+  # ---
+  zramSwap.enable = true;
+
   # ---
   # Docker
   # ---