Group K: enable user systemd lingering for persistent user services

[thompsonson]

User-level systemd units (systemctl --user) die on logout unless the user has lingering enabled. Today that matters for dev-daemon.service (from thompsonson/dev); tomorrow it will matter for microvm@*.service (see Group B / thompsonson/dev#11) and potentially other user-scope daemons.

Single line to fix: sudo loginctl enable-linger "$USER". Needs to live somewhere explicit because it requires sudo and can't be done from chezmoi apply.

Proposed shape

Consolidate Linux sudo-required bootstrap into a single script, rather than scattering one-liners across per-feature setup scripts. Group B (#27) already proposes dot_local/share/dev-sandbox/setup-host.sh. Promote that to a more general dot_local/share/dotfiles-bootstrap/setup-host-linux.sh and have it handle:

1. loginctl enable-linger "$USER" (this issue).
2. vhost_vsock module load + /etc/modules-load.d/vhost-vsock.conf (from Group B: microVM sandbox host prep (Linux only, depends on A) #27 — fold in here).
3. Verify /dev/kvm perms + kvm group membership (from Group B: microVM sandbox host prep (Linux only, depends on A) #27 — fold in here).
4. (Future) nftables skeleton if/when the dev egress-proxy story wants host-level rules.

Script is idempotent, prints what it did vs what was already set, never destructive. Matches the pattern from thompsonson/dev scripts/install.sh --systemd — explicit, sudo-scoped, user-triggered.

Changes

New dot_local/share/dotfiles-bootstrap/setup-host-linux.sh

Shebang + set -euo pipefail. Header comment explains it requires sudo and is one-shot on a new machine. Each step:

step_linger() {
  if loginctl show-user "$USER" 2>/dev/null | grep -q '^Linger=yes'; then
    echo "  lingering: already enabled"
  else
    echo "  lingering: enabling"
    sudo loginctl enable-linger "$USER"
  fi
}

Same shape for vsock module, /dev/kvm group check, etc. Final report at end: "Ready / Missing" summary.

docs/sandbox.md (from #27) + README.md

Cross-link the setup script in the "new machine" onboarding path:

### New Linux machine
1. Install chezmoi and init this repo.
2. `chezmoi apply`.
3. `sudo ~/.local/share/dotfiles-bootstrap/setup-host-linux.sh` — enables user lingering, loads kernel modules, verifies kvm perms. One-shot.

macOS

No equivalent script needed today. Leave a stub setup-host-macos.sh that says "nothing required" to keep the onboarding docs symmetric, or omit entirely.

Verification checklist

• Fresh Pop!_OS VM: after chezmoi apply, running the script enables lingering; second run is a no-op.
• loginctl show-user $USER | grep Linger=yes after first run.
• systemctl --user start dev-daemon.service + logout + re-login: daemon still running.
• Script fails loudly if run without sudo (not silently partially).
• macOS apply is unaffected (script is Linux-only; opt-in path).

Scope notes

• This issue replaces the setup-host.sh scope in Group B (Group B: microVM sandbox host prep (Linux only, depends on A) #27) — rather than having two overlapping scripts (dev-sandbox/setup-host.sh + this), Group B should reference this one and add its microVM-specific steps into it.
• Consider whether to file a rename PR against Group B: microVM sandbox host prep (Linux only, depends on A) #27 or fold this issue into Group B: microVM sandbox host prep (Linux only, depends on A) #27. My read: keep them separate, because lingering matters independently of whether the user wants microVM support, and this makes the boundary explicit.

Related

• Touches Group B: microVM sandbox host prep (Linux only, depends on A) #27 (Group B) — overlaps on setup-host.sh. Resolve by making this the canonical script and Group B: microVM sandbox host prep (Linux only, depends on A) #27 adding microVM steps to it.
• thompsonson/dev — contrib/systemd/dev-daemon.service is the original motivator; users installing with scripts/install.sh --systemd today hit this silently when they logout.