feat(suspend): disable system suspend until hardened kernel resume issue is fixed

linux-hardened wedges on resume from S3 (NVMe/i915/iwlwifi driver UAF
exposed by INIT_ON_FREE + slab hardening). Until root-caused, take
suspend off the table while keeping lock + DPMS intact.

- etc/systemd/logind.conf.d/20-no-suspend.conf: lid close, suspend
  key, hibernate key all map to 'lock'; IdleAction=ignore (swayidle
  drives DPMS+swaylock independently).
- run_onchange_after_deploy-etc.sh.tmpl: mask sleep.target,
  suspend.target, hibernate.target, hybrid-sleep.target,
  suspend-then-hibernate.target via /etc/systemd/system -> /dev/null
  symlinks. Catches 'systemctl suspend' from any source.
- dot_config/sway/config: XF86Sleep and system-mode 's' now run
  loginctl lock-session instead of systemctl suspend.
- dot_config/sway/executable_power-menu.sh: drop Suspend entry.
- KEYBINDS.md: reflect new behaviour.

To re-enable later: remove the logind drop-in + symlink loop, then
sudo systemctl daemon-reload.

1 files changed, 17 insertions, 0 deletions

diff --git a/etc/systemd/logind.conf.d/20-no-suspend.conf b/etc/systemd/logind.conf.d/20-no-suspend.conf
new file mode 100644
index 0000000..1b58aa4
--- /dev/null
+++ b/etc/systemd/logind.conf.d/20-no-suspend.conf
@@ -0,0 +1,17 @@
+[Login]
+# Suspend is disabled while the linux-hardened wake-from-S3 hang is
+# unresolved (NVMe / i915 / iwlwifi driver UAF surfaced by INIT_ON_FREE
+# + slab hardening). Lid close, suspend/hibernate keys, and idle action
+# all fall back to session lock instead of suspend. The sleep/suspend/
+# hibernate targets are also masked at the unit level via the etc/
+# deploy script as belt-and-braces against `systemctl suspend` from
+# anywhere. Screen-off (DPMS) and swaylock continue to be driven by
+# swayidle and are unaffected.
+HandleLidSwitch=lock
+HandleLidSwitchExternalPower=lock
+HandleLidSwitchDocked=ignore
+HandleSuspendKey=lock
+HandleSuspendKeyLongPress=ignore
+HandleHibernateKey=lock
+HandleHibernateKeyLongPress=ignore
+IdleAction=ignore