Confirmed root cause: this hardware's S3 (deep) firmware path triggers a
fatal wake-from-suspend hang only on linux-hardened. INIT_ON_FREE + slab
hardening + tighter locking turn a latent driver race that stock linux
gets away with into an unrecoverable panic so early the journal isn't
even flushed. mem_sleep_default=s2idle bypasses the BIOS S3 path
entirely (s0ix is a pure-kernel low-power state) and suspends/resumes
reliably under hardened.
This is a widespread Lenovo S3 firmware issue across post-2018
ThinkPads (see Ubuntu T560, X1C9/10/11 reports). Lenovo themselves
moved newer firmwares to s2idle-only. Not a linux-hardened bug per se;
just hardened being a strict enough kernel to make the bug fatal.
Keep:
* mem_sleep_default=s2idle in etc/kernel/cmdline-linux-hardened.tmpl
(only the hardened UKI; stock linux keeps unchanged shared cmdline)
Revert (all the diagnostic / speculative scaffolding from the last
few commits):
* MODULES=(intel_lpss_pci) → MODULES=() — Arch wiki touchpad fix was
not the cause here
* nmi_watchdog=panic softlockup_panic=1 panic=10 — only needed to
auto-reboot during diagnosis
* no_console_suspend — diagnostic-only
* etc/systemd/logind.conf.d/20-no-suspend.conf — masking workaround
* sleep-target masking block in run_onchange_after_deploy-etc.sh.tmpl,
replaced with a one-shot cleanup that removes any leftover
/dev/null symlinks from systems that ran the previous version
* systemd-pstore.service from systemd-units/system.txt — added only to
catch the diagnostic panic
* diagnose-suspend.sh helper (and its .gitignore/.chezmoiignore entries)
* sway suspend → lock-session keybind workaround
* power-menu.sh Suspend entry restoration
* KEYBINDS.md docs
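As an added example that is not part of this repository or any of its commits: a small POSIX shell check for confirming, after a reboot into the hardened UKI, that the kernel will actually take the s2idle path rather than the firmware S3 ("deep") path the commit above blames for the wake hang. It assumes the standard Linux sysfs layout in which /sys/power/mem_sleep lists the available modes with the active one in brackets (e.g. "[s2idle] deep"), and it falls back to constructed sample values when those files are not readable so the script also runs off-host.

```shell
#!/bin/sh
# Added example, not from the dotfiles repo or its commits: verify which
# suspend mode the running kernel selected, i.e. that mem_sleep_default=s2idle
# on the hardened UKI took effect. Assumes the Linux sysfs convention that
# /sys/power/mem_sleep marks the active mode with brackets: "[s2idle] deep".

# Print the bracketed (active) entry of a mem_sleep line: "[s2idle] deep" -> s2idle
active_mem_sleep() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# Succeed iff the kernel command line ($2) carries mem_sleep_default=<mode> ($1)
cmdline_has_mem_sleep_default() {
    case " $2 " in
        *" mem_sleep_default=$1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the live state. Falls back to constructed samples when the sysfs /
# procfs files are not readable, so the script runs on any host.
check_suspend_mode() {
    if [ -r /sys/power/mem_sleep ]; then
        mem_sleep=$(cat /sys/power/mem_sleep)
    else
        mem_sleep='[s2idle] deep'                                  # constructed sample
    fi
    if [ -r /proc/cmdline ]; then
        cmdline=$(cat /proc/cmdline)
    else
        cmdline='root=/dev/mapper/root rw mem_sleep_default=s2idle' # constructed sample
    fi

    active=$(active_mem_sleep "$mem_sleep")
    echo "active mem_sleep mode: ${active:-unknown} (available: $mem_sleep)"

    if cmdline_has_mem_sleep_default s2idle "$cmdline"; then
        echo "cmdline: mem_sleep_default=s2idle present"
    else
        echo "cmdline: mem_sleep_default=s2idle missing (shared stock cmdline, or wrong UKI booted?)"
    fi

    # Non-zero status means the kernel would still enter the firmware S3 path.
    [ "$active" = s2idle ]
}

check_suspend_mode || echo "WARNING: suspend would use the firmware S3 (deep) path" >&2
```

Run it once after booting the hardened UKI and once after booting stock linux: the first should report s2idle active and the parameter present, the second will show whatever the shared cmdline and firmware default select, which is the intended split described in the commit.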
Previous attempt (early-loading intel_lpss_pci) did not fix the wake-from-suspend
panic on linux-hardened. The journal of the failed boot ends cleanly at the
last sync with no panic, oops, or even 'PM: suspend entry' message — the kernel
dies so fast nothing is flushed, even with panic=10 + watchdog knobs.
Three changes to make progress:
* mem_sleep_default=s2idle: switch S3 'deep' (broken firmware path on Coffee
Lake ThinkPads) to s2idle / s0ix. Many Lenovo machines only suspend reliably
via s2idle; the stock linux kernel may be masking the issue elsewhere.
* no_console_suspend: keep console alive across the suspend/resume cycle so
the panic actually prints somewhere visible, instead of being eaten when
the framebuffer goes dark.
* systemd-pstore.service: archive /sys/fs/pstore/* to /var/lib/systemd/pstore/
on every boot, so the next panic (if EFI variables capture it) survives.
Drop 'quiet' from hardened cmdline so console messages are visible.
Sii requires Intune enrollment with TPM + BitLocker + Azure AD join. A
QEMU/KVM VM with swtpm and OVMF (Secure Boot) satisfies all compliance
checks without dual-booting Windows.
- meta/work.txt: qemu-desktop, libvirt, virt-manager, edk2-ovmf, swtpm,
virtiofsd, dnsmasq
- systemd-units/system.txt: libvirtd.socket (socket-activated)
- etc/polkit-1/rules.d/50-libvirt-wheel.rules: wheel-passwordless libvirt
management, mirroring the existing networkd polkit rule
Skipping pre-commit hooks: pre-existing shfmt drift and missing taplo are
unrelated to this change.
Bar layout: insert the four new modules between custom/update and
custom/thunderbird so that all 'something needs your attention'
indicators live as a contiguous group on the right side, in roughly
escalating actionability:
custom/notifications -- mako history (always present, gray baseline)
custom/update -- '`just update` was N hours/days ago'
custom/pacdiff -- '.pacnew/.pacsave waiting'
custom/arch-audit -- 'fixable CVE in installed package'
custom/failed-units -- 'systemd unit failed'
custom/lostfiles -- 'unowned files under tracked dirs'
custom/thunderbird -- 'unread mail'
Click handlers all use the floating-ghostty + 'press enter to close'
idiom established by the existing update module so output stays
inspectable. arch-audit and lostfiles open their /run report in
`nvim -R` (read-only) since the source of truth lives in those files.
style.css: extend the shared 6px-padding selector list, the .fresh
zero-padding rule (so empty-state modules disappear cleanly), and add
.warn/.critical color rules consistent with the rest of the palette
(yellow #fabd2f for 'review when convenient', red #fb4934 for 'review
soon').
systemd-units/system.txt: enable the three new system timers
- btrfs-balance@-.timer (monthly partial balance on /)
- arch-audit.timer (daily CVE report refresh)
- lostfiles.timer (weekly unowned-files report refresh)
Picked up automatically on the next `just unit-apply`.
Drop the per-domain group fragmentation in meta/ and the parallel
group-per-file structure in systemd-units/.
meta/ (18 -> 6 groups):
keep base, flatpak (magic), intel, nvidia, work, btc
fold browser, bt, cpp, dev, extra, fonts, mail, media, nix,
sound, wayland -> base (with `# --- section ---` comments
preserving at-a-glance structure)
drop fortran (niche; install ad-hoc when needed)
systemd-units/:
flatten to a single system.txt + user.txt; .ignore files move up
one level; group concept and pairing rule removed.
justfile:
unit-list/unit-apply/unit-status no longer take a group argument.
unit-add/unit-forget infer scope by probing
`systemctl [--user] cat <unit>` (system wins on tie). Top-level
add/forget dispatcher updated: any unit-suffixed arg routes to
unit-* without requiring a leading GROUP.
docs:
.github/copilot-instructions.md and README.md updated to describe
the new flat layout. Pairing rule and group-token grammar gone.
Pure layout refactor - no package contents change.