dotfiles/systemd-units/system.txt, branch master

feat(suspend): re-enable suspend on s2idle, drop diagnostic scaffolding

2026-05-29T10:18:15Z

Confirmed root cause: this hardware's S3 (deep) firmware path triggers a fatal wake-from-suspend hang only on linux-hardened. INIT_ON_FREE + slab hardening + tighter locking turn a latent driver race that stock linux gets away with into an unrecoverable panic so early the journal isn't even flushed. mem_sleep_default=s2idle bypasses the BIOS S3 path entirely (s0ix is a pure-kernel low-power state) and suspends/resumes reliably under hardened. This is a widespread Lenovo S3 firmware issue across post-2018 ThinkPads (see Ubuntu T560, X1C9/10/11 reports). Lenovo themselves moved newer firmwares to s2idle-only. Not a linux-hardened bug per se; just hardened being a strict enough kernel to make the bug fatal. Keep: * mem_sleep_default=s2idle in etc/kernel/cmdline-linux-hardened.tmpl (only the hardened UKI; stock linux keeps unchanged shared cmdline) Revert (all the diagnostic / speculative scaffolding from the last few commits): * MODULES=(intel_lpss_pci) → MODULES=() — Arch wiki touchpad fix was not the cause here * nmi_watchdog=panic softlockup_panic=1 panic=10 — only needed to auto-reboot during diagnosis * no_console_suspend — diagnostic-only * etc/systemd/logind.conf.d/20-no-suspend.conf — masking workaround * sleep-target masking block in run_onchange_after_deploy-etc.sh.tmpl, replaced with a one-shot cleanup that removes any leftover /dev/null symlinks from systems that ran the previous version * systemd-pstore.service from systemd-units/system.txt — added only to catch the diagnostic panic * diagnose-suspend.sh helper (and its .gitignore/.chezmoiignore entries) * sway suspend → lock-session keybind workaround * power-menu.sh Suspend entry restoration * KEYBINDS.md docs

fix(suspend): switch hardened to s2idle, keep console alive, archive pstore

2026-05-29T10:18:14Z

Previous attempt (early-loading intel_lpss_pci) did not fix the wake-from-suspend panic on linux-hardened. The journal of the failed boot ends cleanly at the last sync with no panic, oops, or even 'PM: suspend entry' message — the kernel dies so fast nothing is flushed, even with panic=10 + watchdog knobs. Three changes to make progress: * mem_sleep_default=s2idle: switch S3 'deep' (broken firmware path on Coffee Lake ThinkPads) to s2idle / s0ix. Many Lenovo machines only suspend reliably via s2idle; the stock linux kernel may be masking the issue elsewhere. * no_console_suspend: keep console alive across the suspend/resume cycle so the panic actually prints somewhere visible, instead of being eaten when the framebuffer goes dark. * systemd-pstore.service: archive /sys/fs/pstore/* to /var/lib/systemd/pstore/ on every boot, so the next panic (if EFI variables capture it) survives. Drop 'quiet' from hardened cmdline so console messages are visible.

feat: add libvirt/qemu/swtpm stack for Sii Intune VM

2026-05-13T12:43:40Z

Sii requires Intune enrollment with TPM + BitLocker + Azure AD join. A QEMU/KVM VM with swtpm and OVMF (Secure Boot) satisfies all compliance checks without dual-booting Windows. - meta/work.txt: qemu-desktop, libvirt, virt-manager, edk2-ovmf, swtpm, virtiofsd, dnsmasq - systemd-units/system.txt: libvirtd.socket (socket-activated) - etc/polkit-1/rules.d/50-libvirt-wheel.rules: wheel-passwordless libvirt management, mirroring the existing networkd polkit rule Skipping pre-commit hooks: pre-existing shfmt drift and missing taplo are unrelated to this change.

feat(waybar,systemd-units): wire up new system-health modules and timers

2026-05-13T12:43:36Z

Bar layout: insert the four new modules between custom/update and custom/thunderbird so that all 'something needs your attention' indicators live as a contiguous group on the right side, in roughly escalating actionability: custom/notifications -- mako history (always present, gray baseline) custom/update -- '`just update` was N hours/days ago' custom/pacdiff -- '.pacnew/.pacsave waiting' custom/arch-audit -- 'fixable CVE in installed package' custom/failed-units -- 'systemd unit failed' custom/lostfiles -- 'unowned files under tracked dirs' custom/thunderbird -- 'unread mail' Click handlers all use the floating-ghostty + 'press enter to close' idiom established by the existing update module so output stays inspectable. arch-audit and lostfiles open their /run report in `nvim -R` (read-only) since the source of truth lives in those files. style.css: extend the shared 6px-padding selector list, the .fresh zero-padding rule (so empty-state modules disappear cleanly), and add .warn/.critical color rules consistent with the rest of the palette (yellow #fabd2f for 'review when convenient', red #fb4934 for 'review soon'). systemd-units/system.txt: enable the three new system timers - btrfs-balance@-.timer (monthly partial balance on /) - arch-audit.timer (daily CVE report refresh) - lostfiles.timer (weekly unowned-files report refresh) Picked up automatically on the next `just unit-apply`.

refactor(meta): flatten groups; only break out optional/hw-specific

2026-05-13T12:43:32Z

Drop the per-domain group fragmentation in meta/ and the parallel group-per-file structure in systemd-units/. meta/ (18 -> 6 groups): keep base, flatpak (magic), intel, nvidia, work, btc fold browser, bt, cpp, dev, extra, fonts, mail, media, nix, sound, wayland -> base (with `# --- section ---` comments preserving at-a-glance structure) drop fortran (niche; install ad-hoc when needed) systemd-units/: flatten to a single system.txt + user.txt; .ignore files move up one level; group concept and pairing rule removed. justfile: unit-list/unit-apply/unit-status no longer take a group argument. unit-add/unit-forget infer scope by probing `systemctl [--user] cat ` (system wins on tie). Top-level add/forget dispatcher updated: any unit-suffixed arg routes to unit-* without requiring a leading GROUP. docs: .github/copilot-instructions.md and README.md updated to describe the new flat layout. Pairing rule and group-token grammar gone. Pure layout refactor - no package contents change.