feat(hardware): auto-detect audio, bluetooth, camera with declarative override

README.md

@@ -287,7 +287,7 @@ The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `
 | `desktop.*`        | dict   | see below      | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) |
 | `firmware.*`       | dict   | see below      | Vendor firmware blobs and CPU microcode (see [4.2.6](#426-systemfeaturesfirmware)) |
 | `gpu.*`            | dict   | see below      | Mesa/Vulkan and per-vendor GPU userspace (see [4.2.7](#427-systemfeaturesgpu)) |
-| `peripherals.*`    | dict   | see below      | Fingerprint readers, webcams, DisplayLink (see [4.2.8](#428-systemfeaturesperipherals)) |
+| `peripherals.*`    | dict   | see below      | Fingerprint, camera, audio, bluetooth, DisplayLink (see [4.2.8](#428-systemfeaturesperipherals)) |
 | `hardware.*`       | dict   | see below      | Hardware-detection profile override (see [4.2.9](#429-systemfeatureshardware)) |
 
 **Initramfs generator auto-detection:** RedHat -> dracut, Arch -> mkinitcpio, Debian/Ubuntu -> initramfs-tools.
@@ -359,13 +359,20 @@ automatically when needed. Debian uses `nvidia-driver` from the `non-free` compo
 managed `sources.list`). Ubuntu uses `restricted`. Arch ships both `nvidia-open-dkms` and `nvidia-dkms` in
 the `extra` repository - no third-party setup required.
 
+> **Known limitation - Nvidia on Enterprise Linux (AlmaLinux/Rocky/RHEL):** the EL `akmod-nvidia*`
+> packages live in RPMFusion non-free, and the bootstrap only enables RPMFusion automatically on
+> **Fedora**, not on EL. So Nvidia on a bare EL desktop is best-effort: enable RPMFusion (or supply the
+> driver repo) out of band, or it falls back to `nouveau`. EL desktops are not a primary target.
+
 #### 4.2.8 `system.features.peripherals`
 
 | Key           | Type            | Default | Description                                                |
 | ------------- | --------------- | ------- | ---------------------------------------------------------- |
 | `enabled`     | bool \| `auto`  | `auto`  | Master switch. `auto` follows `desktop.enabled`            |
 | `fingerprint` | bool \| `auto`  | `auto`  | `fprintd`/`libfprint`. `auto` = install when reader detected |
-| `webcam`      | bool \| `auto`  | `auto`  | `v4l-utils` and userspace tooling. `auto` follows `enabled` |
+| `camera`      | bool \| `auto`  | `auto`  | `v4l-utils` for UVC webcams. `auto` = install when a UVC/IPU6 camera is detected (IPU6 out-of-tree stack is logged, not auto-installed) |
+| `audio`       | bool \| `auto`  | `auto`  | SOF firmware + ALSA UCM. `auto` = install when an audio device is detected |
+| `bluetooth`   | bool \| `auto`  | `auto`  | `bluez`. `auto` = install when a Bluetooth controller is detected |
 | `displaylink` | bool            | `false` | DisplayLink dock support (explicit opt-in; see notes)      |
 
 Fingerprint detection scans `lsusb` for known reader vendor IDs (Synaptics, Validity, Goodix, Elan, Egis,
@@ -381,7 +388,8 @@ must still be installed manually from DisplayLink's site after first boot. Arch
 
 | Key       | Type | Default | Description                                                          |
 | --------- | ---- | ------- | -------------------------------------------------------------------- |
-| `profile` | dict | `{}`    | Hardware-detection override; empty means autodetect from live host   |
+| `profile` | dict | `{}`    | Full override: non-empty SKIPS detection (golden image); empty = autodetect |
+| group fields | mixed | --   | `cpu`/`gpus`/`wireless`/`audio`/`camera`/`fingerprint`/`bluetooth`/`packages`/`disable`/`kernel_params` MERGE over autodetect (see below) |
 
 When empty, hardware is detected at the start of the bootstrap. When set, detection is skipped and the
 supplied profile drives package selection - this is the **golden-image** flow: bake an image with a fixed
@@ -402,6 +410,38 @@ system:
         fingerprint: false            # set true to force fprintd install
 ```
 
+The same keys (minus `profile`) can also be set **directly under `hardware`** as a
+declarative **hardware group** that MERGES over auto-detection (auto-detect = base; the
+group supplements/overrides it). Unlike `profile`, which skips detection entirely, the
+group keeps detection running and layers on top - use it to pin everything a known device
+needs so nothing is ever under-set.
+
+| Key                       | Type | Merge semantics                                          |
+| ------------------------- | ---- | -------------------------------------------------------- |
+| `cpu`                     | str  | pin the CPU vendor (overrides detection when non-empty)  |
+| `gpus`/`wireless`/`audio` | list | union with the detected vendor codes                     |
+| `camera`                  | dict | `{uvc, ipu6}` booleans OR'd with detection               |
+| `fingerprint`/`bluetooth` | bool | OR'd with detection (force-on)                           |
+| `packages`                | dict | per-`os_family` extra packages, added to the install set (deduped; empty entries dropped) |
+| `disable`                 | list | feature/vendor names force-off, applied last             |
+| `kernel_params`           | list | extra kernel cmdline params, appended to the bootloader   |
+
+Example - a laptop with an Intel IPU6 camera (out-of-tree stack) and a Cirrus amp, pinned
+in a group's `group_vars`:
+
+```yaml
+system:
+  features:
+    hardware:
+      bluetooth: true                 # force-on if detection misses the combo card
+      camera:
+        ipu6: true                    # force the IPU6 path
+      packages:                       # out-of-tree/AUR bits detection must not auto-install
+        Archlinux: [intel-ipu6-dkms, v4l2-relayd, linux-firmware-cirrus]
+      disable: [displaylink]          # never pull DisplayLink on this device
+      kernel_params: ["i915.enable_psr=0"]
+```
+
 ### 4.3 `hypervisor` Dictionary
 
 | Key          | Type   | Default | Description                                          |