| Commit message | Author | Age | Files | Lines |
Type=ether matches ALL L2 ethernet interfaces, including libvirt-created
vnet* tap devices. Without Name= negations, when a VM starts its tap is
pulled into bond0 instead of staying with virbr0, killing DHCP/NAT for
the guest (Windows ends up with a 169.254.x APIPA address).
Add Name= negations to skip libvirt taps/bridges, generic taps, and
common container engine virtual interfaces.
Upstream lostfiles has no extension mechanism; the weekly report ends
up dominated by files this repo intentionally deploys plus host-private
files we deliberately don't track plus regenerated GTK caches.
Add etc/lostfiles.ignore.tmpl which renders /etc/lostfiles.ignore from
two sources:
1. Every file under etc/ in the repo (auto-enumerated at chezmoi-apply
time, same find-sort pattern the etc deploy script uses). This
keeps the ignore list in sync with what we actually deploy with
zero manual maintenance.
2. A static block for: the sudo-i symlink, host-private
systemd-networkd units (99-hodor*, 99-mandibles*) which contain
WireGuard secrets, the getty@tty1 autologin override which
contains the username, and known pacman-hook-generated caches
under /usr/lib/{gdk-pixbuf-2.0,gtk-4.0}/.
Wrap /usr/bin/lostfiles in lostfiles.service via grep -vFxf, with a
fallback when /etc/lostfiles.ignore doesn't yet exist (first deploy).
Wiring (mirrors arch-audit, with weekly cadence and Nice=19/idle I/O):
lostfiles.timer (weekly, Persistent=true, RandomizedDelaySec=1h)
→ lostfiles.service
→ /run/lostfiles.txt (default mode — strict produces too many
false positives for a passive reminder)
→ custom/lostfiles waybar module (interval 600s)
→ mako 'normal' once/7d while count > 0
→ on-click: `ghostty -e nvim -R /run/lostfiles.txt`
Default mode (no `strict` argument) is intentional: it already filters
the package's curated false-positive list at /etc/lostfiles.conf, which
is what we want for a low-noise weekly nudge. Switching to `strict` is
a one-line change in lostfiles.service if signal-vs-noise tilts later.
Wiring:
arch-audit.timer (daily, RandomizedDelaySec=1h, Persistent=true)
→ arch-audit.service (After=network-online.target)
→ /run/arch-audit.txt ('--upgradable' output, atomic via .tmp+mv)
→ custom/arch-audit waybar module (interval 300s)
→ mako 'critical' once/24h while count > 0
→ on-click: `ghostty -e nvim -R /run/arch-audit.txt`
The bar entry stays hidden when there are no fixable CVEs, fades in as
red 'CVE N' the moment arch-audit finds at least one, and the throttled
mako means you'll see exactly one notification per day instead of one
per waybar poll. No -Sy refresh and no auto-update — this only reports
the gap between what's installed and what's already in the repos.
Why /run and not the user's runtime dir: the producer is a system unit
(needs the system's pacman db on the network-online path), the consumer
is a user-scope waybar that just reads it; /run is the canonical 'fast,
volatile, world-readable' system-tmpfs and survives the reboot cycle in
exactly the way we want — fresh empty file on every boot, repopulated
on the next timer fire.
Template service+timer that runs `btrfs balance start -dusage=50
-musage=50 %f` once a month on the instance's mount path. Mirrors the
shape of the stock btrfs-scrub@.{service,timer} so the operational
model is identical: enable btrfs-balance@-.timer for /, btrfs-balance@\x2dhome.timer for /home, etc.
Why a partial balance and not a full one: full `btrfs balance start`
rewrites every block group, which on a multi-TB volume takes hours and
can chew through enormous amounts of CSUM/free-space-tree work.
`-dusage=50 -musage=50` only consolidates block groups that are less
than half full, which is exactly the operation that reclaims space
'lost' to fragmentation after lots of small writes — the only practical
reason a healthy single-disk btrfs needs balancing at all.
`Nice=19 IOSchedulingClass=idle` keeps it out of the way of foreground
work; `KillSignal=SIGINT` (same as btrfs-scrub) lets a graceful Ctrl-C
checkpoint the operation cleanly. Persistent=true catches the run on
next boot if the machine was off when the timer fired.
Enabled in systemd-units/system.txt as btrfs-balance@-.timer (root
volume only — /home isn't a separate subvolume on this machine).
The Shokz dongle emits KEY_POWER press without a matching release on
USB disconnect; logind classified that as a long-press after 5s and
fired HandlePowerKeyLongPress=poweroff (confirmed in journal: 'Power
key pressed long. Powering off...').
There is no policy that distinguishes 'real 5s hold of power button'
from 'misbehaving device that never sends release'. Ignore both.
Clean shutdowns now require systemctl poweroff or GUI menus; a very
long hold of the physical power button still force-offs via firmware.
The drop-in is generic policy, not tied to one device. Reword the
comment to reflect that any USB device emitting spurious KEY_POWER
(headsets, KVM switches, cheap keyboards) is covered.
The Shokz OpenMeet dongle (3511:2EF2) emits KEY_POWER on USB
enumeration and on headset power transitions, which logind handles
with HandlePowerKey=poweroff and immediately shuts the host down.
The previous attempt — an hwdb scancode remap of c0030 to reserved —
sets the udev property correctly but the kernel does not honor
EVIOCSKEYCODE for this device's HID consumer-page mapping (verified:
KEY_POWER 116 still appears in the evdev keymap after udevadm trigger
and libinput still reports it). Drop the hwdb file and the
systemd-hwdb hooks from the etc deploy script.
Replace with a logind drop-in that sets HandlePowerKey=ignore and
HandlePowerKeyLongPress=poweroff. Single-tap power events from any
source become no-ops; a 5s hold still shuts the machine down, so the
real hardware-power-button safety net is preserved. Add a HUP to
systemd-logind in the deploy script so the change takes effect
without restarting the daemon.
setterm only affects the Linux console (TERM=linux); sway's KMS/DRM
session is unaffected. Wakes on any keypress.
- New dot_config/systemd/user/swayidle.service, pulled in by
sway-session.target alongside mako/display-watcher/poweralertd. Same
lifetime as the rest of the session: starts after graphical-session,
restarts on failure, stops on logout.
- Drop the swayidle exec from sway config (was unmanaged background
process with no restart, no logging hookup).
- Revert etc/systemd/logind.conf overrides: swayidle handles idle-lock
directly via Wayland ext-idle-notifier, so the logind IdleAction
belt-and-suspenders is redundant. Run just etc-reset
/etc/systemd/logind.conf on the host to restore pristine.
- logind: IdleAction=lock, IdleActionSec=5min. systemd emits a lock
signal at 5min idle (session becomes locked from logind PoV; swayidle
listens and invokes swaylock).
- swayidle: lock at 5min, blank display at 6min, lock before sleep.
Closes the gap where lid-close or manual suspend would wake to an
unlocked session.
- swaylock: add -i (--ignore-empty-password) to ignore accidental Enter.
- meta/wayland: add swayidle.
User scopes (e.g. ghostty surface containing zellij) inherit timeouts
from the user manager, not /etc/systemd/system.conf.d. Without this,
zellij sessions stall reboot for 90s before SIGKILL.
Cap at 8 GiB, zstd compression. Tune VM for RAM-backed swap:
high swappiness, no read-ahead clustering.
All 44 lines are comments/section headers — zero active settings.
Tracking was useless: no real state to preserve, and 'just etc'
would surface any future drift anyway.
The live /etc/systemd/resolved.conf on the host is unaffected;
chezmoi's deploy-etc script only installs files, never removes.
Type=ether and Type=wlan match every interface of that class.
Add comments pointing out that future USB/Thunderbolt dongles
would get auto-enslaved into bond0, and how to narrow the match
if that becomes undesirable.
Adopted via 'just etc-add' after 'just etc-drift' surfaced them:
locale.conf, locale.gen, mkinitcpio.conf, mkinitcpio.d/linux.preset,
pacman.conf, resolved.conf, systemd/network/30-bond*, and the shokz
udev blacklist rule.