<feed xmlns='http://www.w3.org/2005/Atom'>
<title>dotfiles/etc/systemd/system, branch master</title>
<subtitle>My linux config and rc files</subtitle>
<id>https://git.sommerfeld.dev/dotfiles/atom/etc/systemd/system?h=master</id>
<link rel='self' href='https://git.sommerfeld.dev/dotfiles/atom/etc/systemd/system?h=master'/>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/'/>
<updated>2026-05-13T12:43:39Z</updated>
<entry>
<title>feat(lostfiles): filter known/private/cache paths via auto-synced ignore</title>
<updated>2026-05-13T12:43:39Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:39Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=2026f98babdcdd34c09eb59479a02a5603fc70a2'/>
<id>urn:sha1:2026f98babdcdd34c09eb59479a02a5603fc70a2</id>
<content type='text'>
Upstream lostfiles has no extension mechanism; the weekly report ends
up dominated by files this repo intentionally deploys plus host-private
files we deliberately don't track plus regenerated GTK caches.

Add etc/lostfiles.ignore.tmpl which renders /etc/lostfiles.ignore from
two sources:
  1. Every file under etc/ in the repo (auto-enumerated at chezmoi-apply
     time, same find-sort pattern the etc deploy script uses). This
     keeps the ignore list in sync with what we actually deploy with
     zero manual maintenance.
  2. A static block for: the sudo-i symlink, host-private
     systemd-networkd units (99-hodor*, 99-mandibles*) which contain
     WireGuard secrets, the getty@tty1 autologin override which
     contains the username, and known pacman-hook-generated caches
     under /usr/lib/{gdk-pixbuf-2.0,gtk-4.0}/.

Wrap /usr/bin/lostfiles in lostfiles.service via grep -vFxf, with a
fallback when /etc/lostfiles.ignore doesn't yet exist (first deploy).
</content>
</entry>
<entry>
<title>feat(lostfiles): weekly unowned-files refresh + waybar reminder</title>
<updated>2026-05-13T12:43:35Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:35Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=54eacef87b906835f9778d9c4b02128398bf88d0'/>
<id>urn:sha1:54eacef87b906835f9778d9c4b02128398bf88d0</id>
<content type='text'>
Wiring (mirrors arch-audit, with weekly cadence and Nice=19/idle I/O):
  lostfiles.timer (weekly, Persistent=true, RandomizedDelaySec=1h)
   → lostfiles.service
       → /run/lostfiles.txt   (default mode — strict produces too many
                                false positives for a passive reminder)
        → custom/lostfiles waybar module (interval 600s)
           → mako 'normal' once/7d while count &gt; 0
           → on-click: `ghostty -e nvim -R /run/lostfiles.txt`

Default mode (no `strict` argument) is intentional: it already filters
the package's curated false-positive list at /etc/lostfiles.conf, which
is what we want for a low-noise weekly nudge. Switching to `strict` is
a one-line change in lostfiles.service if signal-vs-noise tilts later.
</content>
</entry>
<entry>
<title>feat(arch-audit): daily CVE refresh + waybar reminder</title>
<updated>2026-05-13T12:43:35Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:35Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=bd50d1c05aceb1eecffcb479ab2bf8baa56fe078'/>
<id>urn:sha1:bd50d1c05aceb1eecffcb479ab2bf8baa56fe078</id>
<content type='text'>
Wiring:
  arch-audit.timer (daily, RandomizedDelaySec=1h, Persistent=true)
   → arch-audit.service (After=network-online.target)
       → /run/arch-audit.txt   ('--upgradable' output, atomic via .tmp+mv)
        → custom/arch-audit waybar module (interval 300s)
           → mako 'critical' once/24h while count &gt; 0
           → on-click: `ghostty -e nvim -R /run/arch-audit.txt`

The bar entry stays hidden when there are no fixable CVEs, fades in as
red 'CVE N' the moment arch-audit finds at least one, and the throttled
mako means you'll see exactly one notification per day instead of one
per waybar poll. No -Sy refresh and no auto-update — this only reports
the gap between what's installed and what's already in the repos.

Why /run and not the user's runtime dir: the producer is a system unit
(needs the system's pacman db on the network-online path), the consumer
is a user-scope waybar that just reads it; /run is the canonical 'fast,
volatile, world-readable' system-tmpfs and survives the reboot cycle in
exactly the way we want — fresh empty file on every boot, repopulated
on the next timer fire.
</content>
</entry>
<entry>
<title>feat(systemd): monthly btrfs balance template</title>
<updated>2026-05-13T12:43:35Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:35Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=14a6992a4ebe826266a1ea4320c34c0ac91932ee'/>
<id>urn:sha1:14a6992a4ebe826266a1ea4320c34c0ac91932ee</id>
<content type='text'>
Template service+timer that runs `btrfs balance start -dusage=50
-musage=50 %f` once a month on the instance's mount path. Mirrors the
shape of the stock btrfs-scrub@.{service,timer} so the operational
model is identical: enable btrfs-balance@-.timer for /,
btrfs-balance@\x2dhome.timer for /home, etc.

Why a partial balance and not a full one: full `btrfs balance start`
rewrites every block group, which on a multi-TB volume takes hours and
can chew through enormous amounts of CSUM/free-space-tree work.
`-dusage=50 -musage=50` only consolidates block groups that are less
than half full, which is exactly the operation that reclaims space
'lost' to fragmentation after lots of small writes — the only practical
reason a healthy single-disk btrfs needs balancing at all.

`Nice=19 IOSchedulingClass=idle` keeps it out of the way of foreground
work; `KillSignal=SIGINT` (same as btrfs-scrub) lets a graceful Ctrl-C
checkpoint the operation cleanly. Persistent=true catches the run on
next boot if the machine was off when the timer fired.

Enabled in systemd-units/system.txt as btrfs-balance@-.timer (root
volume only — /home isn't a separate subvolume on this machine).
</content>
</entry>
<entry>
<title>feat(getty): blank VT and powerdown monitor on idle</title>
<updated>2026-05-13T12:43:12Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:12Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=2fbb87210468ace88ee1749116d1763df52e8a73'/>
<id>urn:sha1:2fbb87210468ace88ee1749116d1763df52e8a73</id>
<content type='text'>
setterm only affects the Linux console (TERM=linux); sway's KMS/DRM
session is unaffected. Wakes on any keypress.
</content>
</entry>
</feed>
