authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-29 11:18:14 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-29 11:18:14 +0100
commit3be68c032c864fa98ed85e54ea5af19976c55ed7 (patch)
treecfb707a6b1f0a68d2554045470e41a4b90dcdb2c
parent0711f1b4a4045c583c63f494a61262ed1146a944 (diff)
feat(suspend): disable system suspend until hardened kernel resume issue is fixed
linux-hardened wedges on resume from S3 (NVMe/i915/iwlwifi driver UAF exposed by INIT_ON_FREE + slab hardening). Until root-caused, take suspend off the table while keeping lock + DPMS intact. - etc/systemd/logind.conf.d/20-no-suspend.conf: lid close, suspend key, hibernate key all map to 'lock'; IdleAction=ignore (swayidle drives DPMS+swaylock independently). - run_onchange_after_deploy-etc.sh.tmpl: mask sleep.target, suspend.target, hibernate.target, hybrid-sleep.target, suspend-then-hibernate.target via /etc/systemd/system -> /dev/null symlinks. Catches 'systemctl suspend' from any source. - dot_config/sway/config: XF86Sleep and system-mode 's' now run loginctl lock-session instead of systemctl suspend. - dot_config/sway/executable_power-menu.sh: drop Suspend entry. - KEYBINDS.md: reflect new behaviour. To re-enable later: remove the logind drop-in + symlink loop, then sudo systemctl daemon-reload.
-rw-r--r--KEYBINDS.md26
-rw-r--r--dot_config/sway/config6
-rw-r--r--dot_config/sway/executable_power-menu.sh7
-rw-r--r--etc/systemd/logind.conf.d/20-no-suspend.conf17
-rwxr-xr-xrun_onchange_after_deploy-etc.sh.tmpl12
5 files changed, 47 insertions, 21 deletions
diff --git a/KEYBINDS.md b/KEYBINDS.md
index 898c78c..9040c2a 100644
--- a/KEYBINDS.md
+++ b/KEYBINDS.md
@@ -326,7 +326,7 @@ Mod key: `Super` (Mod4). Only personal additions beyond sway defaults listed.
| `XF86AudioMicMute` | Mic mute toggle |
| `XF86Bluetooth` | Bluetooth power toggle (bluetoothctl) |
| `XF86ScreenSaver` | Lock screen + pause media (same as Super+Shift+s) |
-| `XF86Sleep` | Suspend system (systemctl suspend) |
+| `XF86Sleep` | Lock session (suspend disabled — see logind drop-in) |
| `XF86WLAN` | Toggle Wi-Fi (rfkill) |
| `XF86RFKill` | Toggle all radios (rfkill) |
| `Super+Shift+Return` | Open ghostty with yazi (file manager) |
@@ -364,18 +364,18 @@ runs the action and exits the mode; `Escape` or `Return` exits without
acting. Provides non-XF86 access to the rare hardware toggles and TUI
launchers.
-| In `system` mode | XF86 equivalent | Action |
-| ----------------- | --------------- | ---------------------------- |
-| `b` | `XF86Bluetooth` | Bluetooth power toggle |
-| `w` | `XF86WLAN` | Wi-Fi toggle (rfkill wifi) |
-| `r` | `XF86RFKill` | Toggle all radios (rfkill) |
-| `s` | `XF86Sleep` | Suspend (systemctl suspend) |
-| `d` | `XF86Display` | Display mode toggle |
-| `v` | `XF86Tools` | Floating pulsemixer |
-| `k` | `XF86Keyboard` | Floating glow KEYBINDS.md |
-| `m` | `XF86Favorites` | Notification picker |
-| `n` | — | Toggle Do-Not-Disturb (mako) |
-| `Escape`/`Return` | — | exit submode |
+| In `system` mode | XF86 equivalent | Action |
+| ----------------- | --------------- | ------------------------------- |
+| `b` | `XF86Bluetooth` | Bluetooth power toggle |
+| `w` | `XF86WLAN` | Wi-Fi toggle (rfkill wifi) |
+| `r` | `XF86RFKill` | Toggle all radios (rfkill) |
+| `s` | `XF86Sleep` | Lock session (suspend disabled) |
+| `d` | `XF86Display` | Display mode toggle |
+| `v` | `XF86Tools` | Floating pulsemixer |
+| `k` | `XF86Keyboard` | Floating glow KEYBINDS.md |
+| `m` | `XF86Favorites` | Notification picker |
+| `n` | — | Toggle Do-Not-Disturb (mako) |
+| `Escape`/`Return` | — | exit submode |
## Typing / Input
diff --git a/dot_config/sway/config b/dot_config/sway/config
index 48e5993..817e7c4 100644
--- a/dot_config/sway/config
+++ b/dot_config/sway/config
@@ -173,7 +173,7 @@ bindsym $mod+Ctrl+bracketleft exec ~/.config/sway/brightness-osd.sh down
bindsym XF86AudioMicMute exec pactl set-source-mute @DEFAULT_SOURCE@ toggle
bindsym XF86Bluetooth exec ~/.config/sway/bt-toggle.sh
bindsym XF86ScreenSaver exec "playerctl -a pause; swaylock -f -e -c 000000"
-bindsym XF86Sleep exec systemctl suspend
+bindsym XF86Sleep exec loginctl lock-session
bindsym XF86WLAN exec ~/.config/waybar/wifi-toggle.sh
bindsym XF86RFKill exec rfkill toggle all
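Review bot: `loginctl lock-session` on the `XF86Sleep` line only asks logind to send a Lock signal to the session; the screen locks only if something in the session handles that signal, for example a swayidle `lock` hook that starts swaylock. No such handler is visible in this diff, so if it is missing or swayidle has exited, the key does nothing and the session stays open, whereas the `XF86ScreenSaver` binding just above calls swaylock directly. Consider making the binding self-contained, e.g. `bindsym XF86Sleep exec "playerctl -a pause; swaylock -f -e -c 000000"`, or add a comment naming the swayidle dependency. The same applies to `bindsym s` in the `system` mode hunk that follows (its block closes outside the hunk) and to the `=lock` handlers in 20-no-suspend.conf.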
@@ -225,13 +225,13 @@ bindsym $mod+z mode "qr"
# System / hardware submode — non-XF86 alternatives for the rarely used
# hardware toggles and TUI launchers above. Enter with Super+x; mnemonic
-# letters (b=bluetooth, w=wifi, r=rfkill, s=sleep, d=display,
+# letters (b=bluetooth, w=wifi, r=rfkill, s=lock-session, d=display,
# v=volume-mixer, k=keybinds, m=notification-picker).
mode "system" {
bindsym b exec ~/.config/sway/bt-toggle.sh, mode "default"
bindsym w exec ~/.config/waybar/wifi-toggle.sh, mode "default"
bindsym r exec rfkill toggle all, mode "default"
- bindsym s exec systemctl suspend, mode "default"
+ bindsym s exec loginctl lock-session, mode "default"
bindsym d exec ~/.config/sway/display-toggle.sh, mode "default"
bindsym v exec $term --class=floating -e pulsemixer, mode "default"
bindsym k exec $term --class=floating -e glow -p ~/dotfiles/KEYBINDS.md, mode "default"
diff --git a/dot_config/sway/executable_power-menu.sh b/dot_config/sway/executable_power-menu.sh
index 999259c..0a7de91 100644
--- a/dot_config/sway/executable_power-menu.sh
+++ b/dot_config/sway/executable_power-menu.sh
@@ -2,9 +2,10 @@
# Keyboard-driven power menu via wofi --dmenu (j/k navigation).
set -eu
+# Suspend entry intentionally omitted while suspend is disabled
+# system-wide. See etc/systemd/logind.conf.d/20-no-suspend.conf.
choice=$(printf '%s\n' \
" Lock" \
- " Suspend" \
" Logout" \
" Reboot" \
" Poweroff" |
@@ -17,10 +18,6 @@ case "$choice" in
playerctl -a pause
exec swaylock -f -e -c 000000
;;
- *Suspend)
- playerctl -a pause
- exec systemctl suspend
- ;;
*Logout) exec swaymsg exit ;;
*Reboot) exec systemctl reboot ;;
*Poweroff) exec systemctl poweroff ;;
diff --git a/etc/systemd/logind.conf.d/20-no-suspend.conf b/etc/systemd/logind.conf.d/20-no-suspend.conf
new file mode 100644
index 0000000..1b58aa4
--- /dev/null
+++ b/etc/systemd/logind.conf.d/20-no-suspend.conf
@@ -0,0 +1,17 @@
+[Login]
+# Suspend is disabled while the linux-hardened wake-from-S3 hang is
+# unresolved (NVMe / i915 / iwlwifi driver UAF surfaced by INIT_ON_FREE
+# + slab hardening). Lid close, suspend/hibernate keys, and idle action
+# all fall back to session lock instead of suspend. The sleep/suspend/
+# hibernate targets are also masked at the unit level via the etc/
+# deploy script as belt-and-braces against `systemctl suspend` from
+# anywhere. Screen-off (DPMS) and swaylock continue to be driven by
+# swayidle and are unaffected.
+HandleLidSwitch=lock
+HandleLidSwitchExternalPower=lock
+HandleLidSwitchDocked=ignore
+HandleSuspendKey=lock
+HandleSuspendKeyLongPress=ignore
+HandleHibernateKey=lock
+HandleHibernateKeyLongPress=ignore
+IdleAction=ignore
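Review bot: The header comment says the idle action falls back to session lock, but the drop-in sets `IdleAction=ignore`, so logind does nothing on idle and idle locking rests entirely on swayidle. I would reword that sentence to something like `# Lid close and the suspend/hibernate keys map to session lock; IdleAction is ignored and idle locking is left to swayidle.` The comment could also state that `lock` only signals the session, so a closed lid leaves the machine unlocked when no lock handler is running, and that `HandleLidSwitchDocked=ignore` means a lid close while docked does not lock at all.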
diff --git a/run_onchange_after_deploy-etc.sh.tmpl b/run_onchange_after_deploy-etc.sh.tmpl
index 743675a..a60d833 100755
--- a/run_onchange_after_deploy-etc.sh.tmpl
+++ b/run_onchange_after_deploy-etc.sh.tmpl
@@ -30,6 +30,18 @@ done
# sudo-rs: /etc/pam.d/sudo-i is a symlink to /etc/pam.d/sudo
sudo ln -sfT sudo /etc/pam.d/sudo-i
+# Mask sleep/suspend/hibernate at the unit level. See
+# etc/systemd/logind.conf.d/20-no-suspend.conf for context. This blocks
+# `systemctl suspend` from any source (manual, scripts, GUI menus) in
+# addition to the logind key/lid handler overrides. To re-enable:
+# remove these symlinks (and revert the logind drop-in) then
+# `sudo systemctl daemon-reload`.
+for target in sleep.target suspend.target hibernate.target \
+ hybrid-sleep.target suspend-then-hibernate.target; do
+ sudo ln -sfT /dev/null "/etc/systemd/system/$target"
+done
+sudo systemctl daemon-reload
+
# Reload systemd-logind so changes under /etc/systemd/logind.conf.d/
# (e.g. HandlePowerKey overrides) take effect without dropping sessions.
sudo systemctl kill -s HUP systemd-logind
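Review bot: The loop's `ln -sfT /dev/null` silently replaces whatever already sits at `/etc/systemd/system/$target`, including a real unit file or a local override, and nothing afterwards confirms that the mask took effect. `systemctl mask` creates the same /dev/null symlinks, refuses to overwrite an existing unit file there, and reloads the manager itself, so the loop plus the extra daemon-reload could become `sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target suspend-then-hibernate.target`. The top of the script is outside the hunk, so whether a failure in this step aborts the run (for example through `set -e`) cannot be judged from these lines.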