My linux config and rc files https://git.sommerfeld.dev/dotfiles/atom/dot_config/sway/config?h=master 2026-05-29T10:18:15Z 2026-05-29T10:18:15Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:15Z urn:sha1:d1536ec455abc28a2bde34281d4b33cdad398436 Upstream marked org.mozilla.Thunderbird end-of-life. Flathub split it into two replacement IDs: org.mozilla.thunderbird monthly release channel (new default) org.mozilla.thunderbird_esr ESR / long-term-support channel Move to the lowercase monthly-release flatpak, which is what Mozilla now recommends for regular desktop users and gets features at the same cadence as Firefox. Renamed references in: * meta/flatpak.txt - the package list the user installs from * meta/base.txt - comment in the mail-bits section * dot_config/sway/config - window-match app_id rule for marking * dot_config/mimeapps.list - mailto/ics/webcal handler .desktop names * run_onchange_after_deploy-thunderbird.sh.tmpl - profile path under ~/.var/app/<id>/.thunderbird/ * run_onchange_after_deploy-tb-eer.sh.tmpl - flatpak override target and sandbox path for External Editor Revived bridge * run_onchange_after_deploy-pteid-pkcs11.sh.tmpl - Mozilla-family flatpak NSS DB registration list * README.md - doc snippets and xdg-mime example On-host migration: flatpak install -y flathub org.mozilla.thunderbird # Preserve accounts, OpenPGP keys, calendars, EER bridge wrapper: mv ~/.var/app/org.mozilla.Thunderbird ~/.var/app/org.mozilla.thunderbird flatpak uninstall -y org.mozilla.Thunderbird chezmoi apply -v update-desktop-database ~/.local/share/applications 2>/dev/null || true Verify mail handler: xdg-mime query default x-scheme-handler/mailto # -> org.mozilla.thunderbird.desktop 2026-05-29T10:18:15Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:15Z urn:sha1:6e0c5c33438e5e898bd075c33a45b3abf9d1b26b Confirmed root cause: this hardware's S3 (deep) firmware path triggers a fatal wake-from-suspend hang only on linux-hardened. INIT_ON_FREE + slab hardening + tighter locking turn a latent driver race that stock linux gets away with into an unrecoverable panic so early the journal isn't even flushed. mem_sleep_default=s2idle bypasses the BIOS S3 path entirely (s0ix is a pure-kernel low-power state) and suspends/resumes reliably under hardened. This is a widespread Lenovo S3 firmware issue across post-2018 ThinkPads (see Ubuntu T560, X1C9/10/11 reports). Lenovo themselves moved newer firmwares to s2idle-only. Not a linux-hardened bug per se; just hardened being a strict enough kernel to make the bug fatal. Keep: * mem_sleep_default=s2idle in etc/kernel/cmdline-linux-hardened.tmpl (only the hardened UKI; stock linux keeps unchanged shared cmdline) Revert (all the diagnostic / speculative scaffolding from the last few commits): * MODULES=(intel_lpss_pci) → MODULES=() — Arch wiki touchpad fix was not the cause here * nmi_watchdog=panic softlockup_panic=1 panic=10 — only needed to auto-reboot during diagnosis * no_console_suspend — diagnostic-only * etc/systemd/logind.conf.d/20-no-suspend.conf — masking workaround * sleep-target masking block in run_onchange_after_deploy-etc.sh.tmpl, replaced with a one-shot cleanup that removes any leftover /dev/null symlinks from systems that ran the previous version * systemd-pstore.service from systemd-units/system.txt — added only to catch the diagnostic panic * diagnose-suspend.sh helper (and its .gitignore/.chezmoiignore entries) * sway suspend → lock-session keybind workaround * power-menu.sh Suspend entry restoration * KEYBINDS.md docs 2026-05-29T10:18:14Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:14Z urn:sha1:3be68c032c864fa98ed85e54ea5af19976c55ed7 linux-hardened wedges on resume from S3 (NVMe/i915/iwlwifi driver UAF exposed by INIT_ON_FREE + slab hardening). Until root-caused, take suspend off the table while keeping lock + DPMS intact. - etc/systemd/logind.conf.d/20-no-suspend.conf: lid close, suspend key, hibernate key all map to 'lock'; IdleAction=ignore (swayidle drives DPMS+swaylock independently). - run_onchange_after_deploy-etc.sh.tmpl: mask sleep.target, suspend.target, hibernate.target, hybrid-sleep.target, suspend-then-hibernate.target via /etc/systemd/system -> /dev/null symlinks. Catches 'systemctl suspend' from any source. - dot_config/sway/config: XF86Sleep and system-mode 's' now run loginctl lock-session instead of systemctl suspend. - dot_config/sway/executable_power-menu.sh: drop Suspend entry. - KEYBINDS.md: reflect new behaviour. To re-enable later: remove the logind drop-in + symlink loop, then sudo systemctl daemon-reload. 2026-05-22T13:28:18Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-22T13:28:18Z urn:sha1:d674ce8b2050ba472b81d6258b7fc7628d52799e 2026-05-22T09:41:23Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-22T09:41:23Z urn:sha1:844ef0c37a6f10a1c912707c35dd843c44ea92ba Waybar (and other user services) was inheriting the bare pre-login PATH from systemd --user, missing ~/.nix-profile/bin and ~/.local/bin. Modules that call nix-provisioned binaries (pass, python3, ncat from common.nix) silently picked up system copies instead — symptom was waybar showing different output from the same script when invoked manually (thunderbird tb-unread.sh, wifi-status.sh). Also propagate GNUPGHOME and GPG_TTY so pinentry / pass-otp inside user services behave the same as in the interactive shell. 2026-05-20T12:56:08Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-20T12:56:08Z urn:sha1:52e53ad7956f637af3bb87de79934bfda4b74a2e No longer needed. 2026-05-14T09:58:38Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-14T09:58:38Z urn:sha1:13547308fba1eacb8996ebfb9db56f2127a2e70f workspace_auto_back_and_forth yes makes `workspace number N` jump back to the previously focused workspace when N is already current. Applies to both $mod+N keybinds and waybar workspace clicks. 2026-05-14T09:58:38Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-14T09:58:38Z urn:sha1:2b63a5f594b172c8aa75c0d00067db346152022a Fetches the current code from pass-otp's vpn/totp entry and types it into the focused surface with wtype. Falls back to wl-copy + a notification when wtype isn't available or the focused surface lacks virtual-keyboard support (e.g. an Xwayland window). 2026-05-13T12:43:42Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:42Z urn:sha1:26ceab690dff09d5162443b14adccfbe0e9bcd5d Set mako default-timeout=0 so notifications stay until acted upon. With auto-timeout off, mako's list IS the pending set, so the $XDG_RUNTIME_DIR/mako-dismissed bridge becomes dead weight. - mako/config: default-timeout=0; drop redundant [urgency=critical] default-timeout=0 override. - Delete dismiss-visible.sh and restore-pending.sh; sway calls makoctl directly (Mod+n=dismiss, Mod+Shift+n=dismiss --all, Mod+Ctrl+n=restore as undo). - Shrink mako-status.sh to a 20-line counter of makoctl list. - Rename mako-history.py -> notification-picker.py; lists only visible, dismisses via makoctl dismiss -n <id>. - Update waybar config.jsonc on-click path. - Update KEYBINDS.md wording (no more 'marks seen' / 'pending set'). 2026-05-13T12:43:41Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:41Z urn:sha1:506b6f25697e4dd4e3b61c97dceaa5450f2be049 librewolf was migrated from a native package to the flatpak io.gitlab.librewolf-community in commit f5796c7; the $mod+Shift+b binding still called the native binary, so the keybind silently did nothing. Use 'flatpak run' instead.