My linux config and rc files https://git.sommerfeld.dev/dotfiles/atom/dot_config/sway?h=master 2026-06-05T10:06:02Z 2026-06-05T10:06:02Z sommerfeld sommerfeld@sommerfeld.dev 2026-06-05T10:06:02Z urn:sha1:b0e83e2ee3fc328e55119ee7c1f09ad7ed20a635 2026-05-29T10:18:16Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:16Z urn:sha1:cd1c92b746a51a6994281f34a5f773c37d1d2dfe Both org.mozilla.thunderbird and io.mpv.Mpv are already installed via flatpak, but several places still launched the system binaries (because they were in PATH). Worse, `mpv` was kept on the host *only* for the streamlink-launches-mpv path, and `thunderbird` was being pulled in as a hard dep of external-editor-revived even though it was never the mailer actually used. Untangle both. Thunderbird ----------- * dot_config/sway/executable_tb-toggle.sh, dot_config/sway/executable_tb-autostart.sh: swap `thunderbird` → `flatpak run org.mozilla.thunderbird`. The `app_id` matcher in sway config already targets the flatpak id, so the scratchpad-stash and Super+t toggle keep working unchanged. * etc/pacman.conf: add `AssumeInstalled = thunderbird=999.0-1`. external-editor-revived (AUR) hard-depends on `thunderbird`; this satisfies the dep without installing the package. Run `sudo pacman -Rns thunderbird` after deploy to remove the now-unneeded system binary. * meta/base.txt: document the AssumeInstalled trick next to the external-editor-revived entry. mpv --- * dot_config/streamlink/config: `player=mpv` → `player=flatpak run io.mpv.Mpv`. The flatpak already pulls in our ~/.config/mpv via the read-only filesystem override (see run_onchange_after_deploy-flatpak-overrides.sh.tmpl), so behavior is unchanged. * dot_local/bin/executable_linkhandler: same swap for inline video URLs. * dot_local/bin/executable_mpv: deleted. The wrapper only existed to bwrap /usr/bin/mpv into _sandbox-net-parser; flatpak's own sandbox supersedes that. * dot_local/bin/executable__sandbox-net-parser, dot_local/bin/executable_streamlink: comment refresh — mpv is no longer one of the tools this wraps, and the streamlink wrapper now forwards to the flatpak player rather than nested-bwrap caveats. * meta/base.txt: drop `mpv` from the host package list and update the surrounding comment. README.md: refresh the media row of the stack table to match. On-host steps: chezmoi apply -v sudo pacman -Syu # picks up AssumeInstalled sudo pacman -Rns thunderbird mpv # safe now flatpak install -y flathub org.mozilla.thunderbird io.mpv.Mpv swaymsg reload # pick up new tb scripts 2026-05-29T10:18:15Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:15Z urn:sha1:d1536ec455abc28a2bde34281d4b33cdad398436 Upstream marked org.mozilla.Thunderbird end-of-life. Flathub split it into two replacement IDs: org.mozilla.thunderbird monthly release channel (new default) org.mozilla.thunderbird_esr ESR / long-term-support channel Move to the lowercase monthly-release flatpak, which is what Mozilla now recommends for regular desktop users and gets features at the same cadence as Firefox. Renamed references in: * meta/flatpak.txt - the package list the user installs from * meta/base.txt - comment in the mail-bits section * dot_config/sway/config - window-match app_id rule for marking * dot_config/mimeapps.list - mailto/ics/webcal handler .desktop names * run_onchange_after_deploy-thunderbird.sh.tmpl - profile path under ~/.var/app/<id>/.thunderbird/ * run_onchange_after_deploy-tb-eer.sh.tmpl - flatpak override target and sandbox path for External Editor Revived bridge * run_onchange_after_deploy-pteid-pkcs11.sh.tmpl - Mozilla-family flatpak NSS DB registration list * README.md - doc snippets and xdg-mime example On-host migration: flatpak install -y flathub org.mozilla.thunderbird # Preserve accounts, OpenPGP keys, calendars, EER bridge wrapper: mv ~/.var/app/org.mozilla.Thunderbird ~/.var/app/org.mozilla.thunderbird flatpak uninstall -y org.mozilla.Thunderbird chezmoi apply -v update-desktop-database ~/.local/share/applications 2>/dev/null || true Verify mail handler: xdg-mime query default x-scheme-handler/mailto # -> org.mozilla.thunderbird.desktop 2026-05-29T10:18:15Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:15Z urn:sha1:6e0c5c33438e5e898bd075c33a45b3abf9d1b26b Confirmed root cause: this hardware's S3 (deep) firmware path triggers a fatal wake-from-suspend hang only on linux-hardened. INIT_ON_FREE + slab hardening + tighter locking turn a latent driver race that stock linux gets away with into an unrecoverable panic so early the journal isn't even flushed. mem_sleep_default=s2idle bypasses the BIOS S3 path entirely (s0ix is a pure-kernel low-power state) and suspends/resumes reliably under hardened. This is a widespread Lenovo S3 firmware issue across post-2018 ThinkPads (see Ubuntu T560, X1C9/10/11 reports). Lenovo themselves moved newer firmwares to s2idle-only. Not a linux-hardened bug per se; just hardened being a strict enough kernel to make the bug fatal. Keep: * mem_sleep_default=s2idle in etc/kernel/cmdline-linux-hardened.tmpl (only the hardened UKI; stock linux keeps unchanged shared cmdline) Revert (all the diagnostic / speculative scaffolding from the last few commits): * MODULES=(intel_lpss_pci) → MODULES=() — Arch wiki touchpad fix was not the cause here * nmi_watchdog=panic softlockup_panic=1 panic=10 — only needed to auto-reboot during diagnosis * no_console_suspend — diagnostic-only * etc/systemd/logind.conf.d/20-no-suspend.conf — masking workaround * sleep-target masking block in run_onchange_after_deploy-etc.sh.tmpl, replaced with a one-shot cleanup that removes any leftover /dev/null symlinks from systems that ran the previous version * systemd-pstore.service from systemd-units/system.txt — added only to catch the diagnostic panic * diagnose-suspend.sh helper (and its .gitignore/.chezmoiignore entries) * sway suspend → lock-session keybind workaround * power-menu.sh Suspend entry restoration * KEYBINDS.md docs 2026-05-29T10:18:14Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:14Z urn:sha1:3be68c032c864fa98ed85e54ea5af19976c55ed7 linux-hardened wedges on resume from S3 (NVMe/i915/iwlwifi driver UAF exposed by INIT_ON_FREE + slab hardening). Until root-caused, take suspend off the table while keeping lock + DPMS intact. - etc/systemd/logind.conf.d/20-no-suspend.conf: lid close, suspend key, hibernate key all map to 'lock'; IdleAction=ignore (swayidle drives DPMS+swaylock independently). - run_onchange_after_deploy-etc.sh.tmpl: mask sleep.target, suspend.target, hibernate.target, hybrid-sleep.target, suspend-then-hibernate.target via /etc/systemd/system -> /dev/null symlinks. Catches 'systemctl suspend' from any source. - dot_config/sway/config: XF86Sleep and system-mode 's' now run loginctl lock-session instead of systemctl suspend. - dot_config/sway/executable_power-menu.sh: drop Suspend entry. - KEYBINDS.md: reflect new behaviour. To re-enable later: remove the logind drop-in + symlink loop, then sudo systemctl daemon-reload. 2026-05-22T13:28:18Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-22T13:28:18Z urn:sha1:d674ce8b2050ba472b81d6258b7fc7628d52799e 2026-05-22T09:41:23Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-22T09:41:23Z urn:sha1:844ef0c37a6f10a1c912707c35dd843c44ea92ba Waybar (and other user services) was inheriting the bare pre-login PATH from systemd --user, missing ~/.nix-profile/bin and ~/.local/bin. Modules that call nix-provisioned binaries (pass, python3, ncat from common.nix) silently picked up system copies instead — symptom was waybar showing different output from the same script when invoked manually (thunderbird tb-unread.sh, wifi-status.sh). Also propagate GNUPGHOME and GPG_TTY so pinentry / pass-otp inside user services behave the same as in the interactive shell. 2026-05-20T12:56:08Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-20T12:56:08Z urn:sha1:52e53ad7956f637af3bb87de79934bfda4b74a2e No longer needed. 2026-05-14T09:58:38Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-14T09:58:38Z urn:sha1:13547308fba1eacb8996ebfb9db56f2127a2e70f workspace_auto_back_and_forth yes makes `workspace number N` jump back to the previously focused workspace when N is already current. Applies to both $mod+N keybinds and waybar workspace clicks. 2026-05-14T09:58:38Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-14T09:58:38Z urn:sha1:eb807c911f2c364c1c8a8bd67026b997f2b0d2f0 Drop --hide-search and enable --matching=fuzzy --insensitive so typing 'po' jumps to Poweroff, 'su' to Suspend, etc.