authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:39 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:39 +0100
commit6ab4b0faef22b4fda4b6a3b45dca4c3858eb8802 (patch)
treef32207b47b76bf63a9139151b87a2546b3d2bfe7
parentbbbefc46533e6645fb0688731c1ca78d5106c1d6 (diff)
feat(udev,flatpak): allow ungoogled-chromium to talk to ZSA keyboards
usevia.app uses WebHID to talk to /dev/hidraw* directly. Two layers were blocking it: 1. Host: no udev rule existed for ZSA boards, so /dev/hidraw nodes were root-only. Add etc/udev/rules.d/50-zsa.rules covering the ZSA VID 3297 (ErgoDox EZ / Moonlander / Voyager) with TAG+=uaccess so logind grants the active session user access. Also include the two bootloader VIDs used during firmware flashing for completeness. 2. Sandbox: the chromium flatpak only sees /dev/dri by default. Add a --device=all override (flatpak has no finer-grained device knob). The host udev rule still gates which hidraw nodes the user can actually open, so this isn't a meaningful escalation. Also wire `udevadm control --reload && udevadm trigger` into the etc deploy script so rule changes apply without a reboot or replug.
-rw-r--r--etc/udev/rules.d/50-zsa.rules13
-rwxr-xr-xrun_onchange_after_deploy-etc.sh.tmpl5
-rw-r--r--run_onchange_after_deploy-flatpak-overrides.sh.tmpl6
3 files changed, 24 insertions, 0 deletions
diff --git a/etc/udev/rules.d/50-zsa.rules b/etc/udev/rules.d/50-zsa.rules
new file mode 100644
index 0000000..86e443a
--- /dev/null
+++ b/etc/udev/rules.d/50-zsa.rules
@@ -0,0 +1,13 @@
+# ZSA keyboards (ErgoDox EZ, Moonlander, Voyager) raw-HID access.
+# Required for Wally flashing and VIA / usevia.app key-remapping over WebHID.
+# `uaccess` tag delegates permission to the active logind session user,
+# so no plugdev/input group membership is needed.
+KERNEL=="hidraw*", ATTRS{idVendor}=="3297", MODE="0660", TAG+="uaccess"
+
+# STM32 DFU bootloader for Moonlander / Voyager (only fires while flashing).
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="df11", \
+ MODE="0660", TAG+="uaccess"
+
+# Halfkay bootloader (ErgoDox EZ) — used by Wally / Teensy loader.
+SUBSYSTEMS=="usb", ATTRS{idVendor}=="16c0", ATTRS{idProduct}=="0478", \
+ MODE="0660", TAG+="uaccess"
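Review bot: The two bootloader rules match IDs that are not specific to ZSA boards: `0483:df11` is the stock ST DFU bootloader ID that STM32 parts in general present, and `16c0:0478` is the Teensy Halfkay loader. `TAG+="uaccess"` therefore lets the active session user write firmware to any such device that is plugged in, not only a Moonlander, Voyager or ErgoDox EZ. The comments should say so, e.g. `# NOTE: 0483:df11 is the generic STM32 DFU ID; this grants flash access to any STM32 device in DFU mode.` Separately, the first rule tags every hidraw node under VID 3297. If the keyboard's keystroke interface is among them (likely, but not visible here), any process in the session can read raw key reports from it, which deserves a one-line comment next to that rule.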
diff --git a/run_onchange_after_deploy-etc.sh.tmpl b/run_onchange_after_deploy-etc.sh.tmpl
index d08f989..ec53c99 100755
--- a/run_onchange_after_deploy-etc.sh.tmpl
+++ b/run_onchange_after_deploy-etc.sh.tmpl
@@ -31,6 +31,11 @@ sudo ln -sfT sudo /etc/pam.d/sudo-i
# (e.g. HandlePowerKey overrides) take effect without dropping sessions.
sudo systemctl kill -s HUP systemd-logind
+# Reload udev rules and re-trigger so changes in etc/udev/rules.d/ apply
+# to already-plugged devices without a reboot or replug.
+sudo udevadm control --reload
+sudo udevadm trigger
+
# Make sudo-rs the system-wide sudo via /usr/local/bin precedence.
# Targets may not exist yet on first bootstrap (sudo-rs is installed by
# the subsequent pkg-apply step); the symlinks resolve once it lands.
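Review bot: `sudo udevadm trigger` with no match options replays a change event for every device on the host, which is much wider than the rules this script deploys. Narrowing it, for example `sudo udevadm trigger --subsystem-match=hidraw --subsystem-match=usb`, keeps the re-evaluation to the device classes the new rule file matches; the list would need widening if other files under etc/udev/rules.d/ target other subsystems. Whether a failure of either command aborts the script depends on shell options set outside this hunk.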
diff --git a/run_onchange_after_deploy-flatpak-overrides.sh.tmpl b/run_onchange_after_deploy-flatpak-overrides.sh.tmpl
index 0456883..fb73022 100644
--- a/run_onchange_after_deploy-flatpak-overrides.sh.tmpl
+++ b/run_onchange_after_deploy-flatpak-overrides.sh.tmpl
@@ -19,3 +19,9 @@ apply io.mpv.Mpv --filesystem=xdg-config/mpv:ro
# LibreWolf needs raw /dev access for v4l2 webcams. Flatpak has no
# finer-grained device option, so this opens video/dri/snd at once.
apply io.gitlab.librewolf-community --device=all
+
+# Ungoogled Chromium needs /dev/hidraw* for WebHID (e.g. usevia.app
+# configuring ZSA keyboards). --device=all is the only knob flatpak
+# offers; the host udev rule (etc/udev/rules.d/50-zsa.rules) restricts
+# which hidraw nodes the user can actually open.
+apply io.github.ungoogled_software.ungoogled_chromium --device=all
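Review bot: The added comment overstates what the udev rule limits. `--device=all` exposes the whole host /dev to the sandbox, so the browser can open every device node the session user can open, not just the ZSA hidraw nodes: webcams, audio, and any other hidraw device that already carries a uaccess ACL. 50-zsa.rules only decides access to the ZSA nodes and does not narrow anything else. I would reword the comment to state that, e.g. `# --device=all exposes all of /dev to the sandbox; access is then bounded only by the session user's host permissions/ACLs, not by 50-zsa.rules alone.`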