feat: add libvirt/qemu/swtpm stack for Sii Intune VM

Sii requires Intune enrollment with TPM + BitLocker + Azure AD join. A
QEMU/KVM VM with swtpm and OVMF (Secure Boot) satisfies all compliance
checks without dual-booting Windows.

- meta/work.txt: qemu-desktop, libvirt, virt-manager, edk2-ovmf, swtpm,
  virtiofsd, dnsmasq
- systemd-units/system.txt: libvirtd.socket (socket-activated)
- etc/polkit-1/rules.d/50-libvirt-wheel.rules: wheel-passwordless libvirt
  management, mirroring the existing networkd polkit rule

Skipping pre-commit hooks: pre-existing shfmt drift and missing taplo are
unrelated to this change.

1 files changed, 13 insertions, 0 deletions

diff --git a/etc/polkit-1/rules.d/50-libvirt-wheel.rules b/etc/polkit-1/rules.d/50-libvirt-wheel.rules
new file mode 100644
index 0000000..fac69bd
--- /dev/null
+++ b/etc/polkit-1/rules.d/50-libvirt-wheel.rules
@@ -0,0 +1,13 @@
+// Allow members of the `wheel` group to manage libvirt (start/stop VMs,
+// edit domains, attach devices) without a polkit password prompt.
+// This single-user system already trusts wheel for administrative work
+// via sudo-rs; libvirt's polkit gate is a separate path that does not
+// honour sudoers, so a polkit rule is the idiomatic fix.
+polkit.addRule(function (action, subject) {
+  if (
+    action.id == "org.libvirt.unix.manage" &&
+    subject.isInGroup("wheel")
+  ) {
+    return polkit.Result.YES;
+  }
+});