My linux config and rc files https://git.sommerfeld.dev/dotfiles/atom/systemd-units/system?h=master 2026-05-13T12:43:32Z 2026-05-13T12:43:32Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:32Z urn:sha1:2970b9dddc6b89705a6836fa0864fb841925ff6f Drop the per-domain group fragmentation in meta/ and the parallel group-per-file structure in systemd-units/. meta/ (18 -> 6 groups): keep base, flatpak (magic), intel, nvidia, work, btc fold browser, bt, cpp, dev, extra, fonts, mail, media, nix, sound, wayland -> base (with `# --- section ---` comments preserving at-a-glance structure) drop fortran (niche; install ad-hoc when needed) systemd-units/: flatten to a single system.txt + user.txt; .ignore files move up one level; group concept and pairing rule removed. justfile: unit-list/unit-apply/unit-status no longer take a group argument. unit-add/unit-forget infer scope by probing `systemctl [--user] cat <unit>` (system wins on tie). Top-level add/forget dispatcher updated: any unit-suffixed arg routes to unit-* without requiring a leading GROUP. docs: .github/copilot-instructions.md and README.md updated to describe the new flat layout. Pairing rule and group-token grammar gone. Pure layout refactor - no package contents change. 2026-05-13T12:43:28Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:28Z urn:sha1:815d341df9ea5f11d121c96505a9a9e4e887056a - systemd-units/system/bt.txt: new file pairing the meta/bt.txt group; enables bluetooth.service via 'just unit-apply' - waybar: add the built-in bluetooth module; on-click runs the same bt-toggle.sh that XF86Bluetooth has always invoked. Status colors: blue when adapter is up, green when a device is connected, gray off - sway: XF86WLAN now runs wifi-toggle.sh (iwd D-Bus) instead of 'rfkill toggle wifi'. The latter required rfkill group membership (user is in wheel only), and aligning on the busctl path means the keybind and the waybar click drive the same code XF86RFKill (panic-disable all radios) keeps using 'rfkill toggle all' — that scope is genuinely rfkill-shaped. 2026-05-13T12:43:24Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:24Z urn:sha1:ebad39adab212ab4e26f9a98befa0048c7eea710 Install Nix (multi-user daemon) on Arch and wire up direnv so any project can declare its toolchain in a flake.nix and get a hermetic dev shell on cd. No NixOS, no home-manager, no migration off paru/chezmoi — just one new package manager scoped to project dev shells. - meta/nix.txt: nix from extra repo - meta/dev.txt: direnv (general-purpose, not nix-specific) - systemd-units/system/nix.txt: nix-daemon.socket (socket-activated) - etc/nix/nix.conf: enable flakes + nix-command, trusted-users=@wheel, auto-optimise-store, keep-outputs/derivations so direnv envs survive GC - dot_config/direnv/direnvrc: load nix-direnv 3.1.1 via source_url with pinned sha256 (not packaged for Arch; refusing -git AUR) - dot_config/nix/templates/{flake.nix,dev/}: flake template usable via 'nix flake init -t ~/.config/nix/templates' - dot_config/zsh/dot_zshrc: 'eval "$(direnv hook zsh)"' 2026-05-13T12:43:22Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:22Z urn:sha1:ac0654daf06a9d01fd264d96c00c8ab47b90cb73 Default-deny inbound, allow outbound. Scoped to 'inet filter' with 'destroy table' on reload so podman/netavark tables are preserved. - meta/base.txt: add nftables - systemd-units/system/base.txt: enable nftables.service - etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6 essentials, DHCPv6 client, default-drop input/forward, accept output) - etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route, log_martians - README.md: firewall section with reload caveat 2026-05-13T12:43:21Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:21Z urn:sha1:32be4dc72b09caa91430a18d15b35622f166898e Move the three existing files into systemd-units/system/ and seed systemd-units/user/ with a .ignore stub. Teach the unit-* recipes a user:/system: group-token prefix (bare names keep system semantics for back-compat). unit-apply and unit-status now walk both scopes; user units go through 'systemctl --user' (no sudo), system units via 'sudo systemctl' as before. Soft-fail per unit preserved for both scopes. Top-level add/forget dispatchers need no changes: the unit-extension sniff already routes anything ending in .service/.timer/etc to unit-*, and user:base passes through as the group token. Docs updated in README.md and .github/copilot-instructions.md.