dotfiles/etc/polkit-1/rules.d, branch master

dotfiles/etc/polkit-1/rules.d, branch master My linux config and rc files https://git.sommerfeld.dev/dotfiles/atom/etc/polkit-1/rules.d?h=master 2026-05-29T10:18:12Z feat(polkit): restrict systemd + udisks system actions to active local sessions 2026-05-29T10:18:12Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-29T10:18:12Z urn:sha1:cdf6350a7ad530feee509c63675ff6cc74cb7ced Two narrow defence-in-depth rules: - 52-systemd-local-only: org.freedesktop.systemd1.* requires both subject.local and subject.active. Wheel-via-sudo-rs is on a different path (sudoers) and is not affected. Stops a non-active or remote polkit caller from start/stop/restart of system units. - 53-udisks-system-mount: filesystem-mount-system and modify-system require subject.active. The everyday USB auto-mount path uses filesystem-mount (no -system suffix) and is unaffected. Audited against current workflow (virt-manager, networkctl, USB mount, bluetoothctl, fwupdmgr) — none of these break. feat: add libvirt/qemu/swtpm stack for Sii Intune VM 2026-05-13T12:43:40Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:40Z urn:sha1:90f98cb17a432beaffd7975f631ab31afdfded1b Sii requires Intune enrollment with TPM + BitLocker + Azure AD join. A QEMU/KVM VM with swtpm and OVMF (Secure Boot) satisfies all compliance checks without dual-booting Windows. - meta/work.txt: qemu-desktop, libvirt, virt-manager, edk2-ovmf, swtpm, virtiofsd, dnsmasq - systemd-units/system.txt: libvirtd.socket (socket-activated) - etc/polkit-1/rules.d/50-libvirt-wheel.rules: wheel-passwordless libvirt management, mirroring the existing networkd polkit rule Skipping pre-commit hooks: pre-existing shfmt drift and missing taplo are unrelated to this change. feat(waybar,sway): htop click handler, app keybinds, VPN toggle 2026-05-13T12:43:33Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:33Z urn:sha1:da1de8c64955f2ca5bb4891764e4b183f4250566 waybar: - cpu / custom/memory: on-click opens floating ghostty with htop - new custom/vpn module between custom/memory and network#bond: shows 'VPN' coloured by interface UP flag (green up, dim down); on-click toggles networkctl up/down hodor; SIGRTMIN+8 used for instant refresh after toggle sway: - Super+Shift+Return -> ghostty -e yazi - Super+Shift+b -> librewolf vpn-toggle.sh runs networkctl (no sudo) thanks to a new polkit rule allowing wheel-group members to invoke org.freedesktop.network1.* without a password prompt. systemd-networkd's polkit gate is a separate path from sudoers, so this is the idiomatic fix. KEYBINDS.md updated for both new sway bindings.