My linux config and rc files https://git.sommerfeld.dev/dotfiles/atom/.chezmoiignore?h=master 2026-05-29T10:18:15Z 2026-05-29T10:18:15Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:15Z urn:sha1:6e0c5c33438e5e898bd075c33a45b3abf9d1b26b Confirmed root cause: this hardware's S3 (deep) firmware path triggers a fatal wake-from-suspend hang only on linux-hardened. INIT_ON_FREE + slab hardening + tighter locking turn a latent driver race that stock linux gets away with into an unrecoverable panic so early the journal isn't even flushed. mem_sleep_default=s2idle bypasses the BIOS S3 path entirely (s0ix is a pure-kernel low-power state) and suspends/resumes reliably under hardened. This is a widespread Lenovo S3 firmware issue across post-2018 ThinkPads (see Ubuntu T560, X1C9/10/11 reports). Lenovo themselves moved newer firmwares to s2idle-only. Not a linux-hardened bug per se; just hardened being a strict enough kernel to make the bug fatal. Keep: * mem_sleep_default=s2idle in etc/kernel/cmdline-linux-hardened.tmpl (only the hardened UKI; stock linux keeps unchanged shared cmdline) Revert (all the diagnostic / speculative scaffolding from the last few commits): * MODULES=(intel_lpss_pci) → MODULES=() — Arch wiki touchpad fix was not the cause here * nmi_watchdog=panic softlockup_panic=1 panic=10 — only needed to auto-reboot during diagnosis * no_console_suspend — diagnostic-only * etc/systemd/logind.conf.d/20-no-suspend.conf — masking workaround * sleep-target masking block in run_onchange_after_deploy-etc.sh.tmpl, replaced with a one-shot cleanup that removes any leftover /dev/null symlinks from systems that ran the previous version * systemd-pstore.service from systemd-units/system.txt — added only to catch the diagnostic panic * diagnose-suspend.sh helper (and its .gitignore/.chezmoiignore entries) * sway suspend → lock-session keybind workaround * power-menu.sh Suspend entry restoration * KEYBINDS.md docs 2026-05-29T10:18:14Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:14Z urn:sha1:e2a7a2fdb9ba66e777ec1a8c0d3c9301cc21bdab Split the hardened UKI cmdline off the shared etc/kernel/cmdline.tmpl so we can carry workarounds without poking the stock linux build. Daily-driving linux-hardened on this hardware has reliably hung on resume from S3: black screen, blinking caps-lock + power LED, only the power button helps. The kernel journal stops at 'PM: suspend entry (deep)' with nothing after, so the freeze is below the level where logs can flush — characteristic of a hard hang inside a device driver's suspend/resume callback rather than a userspace bug. linux-hardened defaults init_on_free=1, which zeroes pages on free. On Intel + iwlwifi/i915/nvme stacks this routinely surfaces latent UAFs as suspend hangs that are invisible on stock linux. Drop that knob to 0 for the hardened cmdline as the working hypothesis. Add nmi_watchdog=panic, softlockup_panic=1, panic=10 so if the next attempt still wedges, a stuck CPU self-panics and auto-reboots within ~10s, giving us a 'journalctl -b -1 -k' trace to look at instead of having to force-power-off blindly. Stock linux is untouched. 2026-05-29T10:18:13Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:13Z urn:sha1:aabcdc206246aa935790908f2ab7e7edcc88b3b9 fuse-overlayfs is dog-slow on `podman commit` (and noticeably slower than native overlay/btrfs for layer extraction in general) because every read/write round-trips through a FUSE daemon. The kernel overlay driver does not support btrfs as a lowerdir, so on a btrfs root fs the choices were: - fuse-overlayfs (slow, but works) - btrfs (native subvolume + CoW snapshot per layer; fast) Switching graph drivers is destructive — the on-disk layout is incompatible, so a one-time `podman system reset --force` is required. A migration helper script lives at the repo root (gitignored, chezmoiignored) that snapshots stateful containers, exports images and volumes, runs the reset, and restores everything on the new driver. Drops fuse-overlayfs from meta/base.txt — no longer needed and pulls in libfuse3 transitively for nothing. (Flatpak still depends on it for its own sandbox; pacman won't actually uninstall the binary while flatpak is around — that's fine.) VM (nix/vm.nix) is unaffected: it sets its own storage.conf inline with driver=overlay since its rootfs is ext4. 2026-05-20T12:56:09Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-20T12:56:09Z urn:sha1:de5146c7976e1fb38e8d1f82c30544462d881100 Restructures the Home-Manager profile to support both the Arch host and the Ubuntu remote-dev VM from the same flake. - remote-dev/ → nix/ (hard rename; .chezmoiignore updated) - home.nix split into common.nix (shared), vm.nix (Mason runtime carve-outs + podman stack), host.nix (gpg scdaemon delegation to system pcscd) - flake.nix exposes homeConfigurations.{vm,host} via a mkProfile helper - rj alias in dot_zshrc updated to ~/.local/share/dotfiles/nix - bootstrap.sh / justfile updated to use #vm against the new path The split is behaviour-preserving for the VM: vm.nix + common.nix together carry the same package set as the previous home.nix. host.nix is provisioned but not yet wired into bootstrap (phase p8). Phase 1 of the nix-on-host migration plan. 2026-05-13T12:43:42Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:42Z urn:sha1:60cd24cecc400d4381f5e6243940b5d0e760e4f9 New remote-dev/ subdir with a Home-Manager flake that provisions a headless dev environment on a remote Ubuntu 22.04 VM accessed via SSH. Shares nvim, zellij, zsh, direnv, and ghostty configs from the same dotfiles repo via mkOutOfStoreSymlink (no rebuilds on config edits). CLI tool set mirrors the dev-tool subset of meta/base.txt; sysadmin tools (procs, gdu, duf), lazygit, and node/yarn (only needed for markdown-preview on GUI hosts) are excluded. bootstrap.sh is one-shot: installs Nix via Determinate Systems installer, clones the repo to ~/.local/share/dotfiles, runs home-manager switch, and chshes to the nix-store zsh. dot_config/zsh/dot_zshrc loses its hardcoded Arch plugin/git-prompt paths in favour of a fallback search: Arch path first, then $HOME/.nix-profile/share/. Same file works on host and VM. .chezmoiignore: exclude remote-dev/ from chezmoi deploy on the host. 2026-05-13T12:43:15Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:15Z urn:sha1:d1637e55b2bbc564a56fdbbaa22f45c14d8fc0c4 Mirror the firefox/ pattern for Thunderbird: - thunderbird/user.js: telemetry off, safe-browsing off, remote images blocked, read receipts disabled, plain-text compose with flowed wrap at 72, vertical pane, calendar on Monday start - run_onchange_after_deploy-thunderbird.sh.tmpl: detects default profile and copies tracked files in on any change - meta/mail.txt: add thunderbird package (official repo) - .chezmoiignore: exclude thunderbird/ from $HOME deployment - README: mention Thunderbird + Bridge + Radicale stack Accounts/credentials/mailbox data stay local per profile. 2026-05-13T12:43:09Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:09Z urn:sha1:2f8796ea38d9b463eededd0bbce9af291c086e7b The seeded lockfile offered little value for a single-user setup: fresh bootstraps will resolve version specs at install time, and any meaningful pinning is already expressed in init.lua's vim.pack.add() specs. Added an explicit .chezmoiignore entry so the runtime file doesn't show up as drift. 2026-04-21T00:25:02Z sommerfeld sommerfeld@sommerfeld.dev 2026-04-21T00:25:02Z urn:sha1:201932ce77d8e7ca6fc66e3feb41cebdf68eb573 .chezmoiignore: - remove create-efi.sh (deleted in UKI migration) - remove dot-prefixed entries (.editorconfig, .github/, .worktrees/, .githooks/, .stylua.toml, .prettierrc.json, .ruff_cache); chezmoi already ignores source paths beginning with '.' by default (reserved chezmoi names aside) .chezmoi.toml.tmpl: - drop unused data.hostname (not referenced by any template) 2026-04-21T00:25:02Z sommerfeld sommerfeld@sommerfeld.dev 2026-04-21T00:25:02Z urn:sha1:932deff228dd3d0a33527b2256c3a675b45696a1 bootstrap.sh is host-only bootstrapping and should not deploy into $HOME. The xdg-user-dirs-update.service user unit (shipped enabled by the xdg-user-dirs package) rewrites ~/.config/user-dirs.dirs on login, clobbering the tracked short-path variant (docs/dl/pics/vids). Mask it by symlinking to /dev/null. 2026-04-21T00:24:38Z sommerfeld sommerfeld@sommerfeld.dev 2026-04-21T00:24:38Z urn:sha1:f8024b5097eb42119c9aa55ade98630df041f4f2