<feed xmlns='http://www.w3.org/2005/Atom'>
<title>dotfiles/dot_config/waybar, branch master</title>
<subtitle>My Linux config and rc files</subtitle>
<id>https://git.sommerfeld.dev/dotfiles/atom/dot_config/waybar?h=master</id>
<link rel='self' href='https://git.sommerfeld.dev/dotfiles/atom/dot_config/waybar?h=master'/>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/'/>
<updated>2026-06-05T10:06:02Z</updated>
<entry>
<title>Move more host tooling to Nix</title>
<updated>2026-06-05T10:06:02Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-06-05T10:06:02Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=b0e83e2ee3fc328e55119ee7c1f09ad7ed20a635'/>
<id>urn:sha1:b0e83e2ee3fc328e55119ee7c1f09ad7ed20a635</id>
<content type='text'>
</content>
</entry>
<entry>
<title>fix(waybar): refactor A &amp;&amp; B || C patterns to avoid shellcheck SC2015</title>
<updated>2026-05-20T13:01:04Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-20T13:01:04Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=d90f59f78b7312da3ed55738a1d2fa11baa78843'/>
<id>urn:sha1:d90f59f78b7312da3ed55738a1d2fa11baa78843</id>
<content type='text'>
Older shellcheck (Ubuntu's in CI) flags '[ test ] &amp;&amp; cmd || true'
as SC2015 because, despite the intent, A &amp;&amp; B || C is not
equivalent to if-then-else (C runs when A is true but B fails).
Replace with explicit 'if … fi' or split into two 'A || continue'
guards. Functionally identical, lint-clean across versions.
</content>
</entry>
<entry>
<title>revert: drop snxctl-chromium wrapper, snx-rs works with default browser now</title>
<updated>2026-05-19T14:16:09Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-19T14:16:09Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=027fa12fc3fbc138dc8bbbb50b066735943d8b27'/>
<id>urn:sha1:027fa12fc3fbc138dc8bbbb50b066735943d8b27</id>
<content type='text'>
User confirms snx-rs's SAML loopback no longer needs chromium routing.
Remove:

- dot_local/bin/snxctl-chromium             (PATH-override wrapper)
- dot_local/share/snx-rs/bin/xdg-open       (chromium shim)
- snx-rs LibreWolf SAML note in user-overrides.js

The waybar snx-vpn toggle now just runs `snxctl connect` detached,
no wrapper indirection.
</content>
</entry>
<entry>
<title>feat(waybar): snx-rs VPN status indicator + click toggle</title>
<updated>2026-05-14T09:58:38Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-14T09:58:38Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=ec3fa96850ff534a241f7ebf2e4cdc13efdf3891'/>
<id>urn:sha1:ec3fa96850ff534a241f7ebf2e4cdc13efdf3891</id>
<content type='text'>
New custom/snx-vpn module sits next to custom/vpn (the wireguard one):

- snx-vpn-status.sh shells out to `snxctl status` (timeout 2s) and maps
  the output to three states: down (grey strikethrough), connecting/MFA
  (amber), up (green). Tooltip shows the full status block when up.
- snx-vpn-toggle.sh disconnects when up, runs snxctl-chromium detached
  when down (so SAML lands in the flatpak ungoogled-chromium without
  blocking waybar). Both paths refresh the module via SIGRTMIN+9.
</content>
</entry>
<entry>
<title>style: apply shfmt/prettier/just fmt drift</title>
<updated>2026-05-14T09:58:37Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-14T09:58:37Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=726005786ab398e89673bf8c141e50645f676c57'/>
<id>urn:sha1:726005786ab398e89673bf8c141e50645f676c57</id>
<content type='text'>
Pure formatter output from shfmt (2-space indent, '|' line breaks),
prettier (KEYBINDS.md), and 'just fmt' (justfile blank line).
No behavior change.
</content>
</entry>
<entry>
<title>refactor(notifications): drop dismissed-state machinery; pending = visible</title>
<updated>2026-05-13T12:43:42Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:42Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=26ceab690dff09d5162443b14adccfbe0e9bcd5d'/>
<id>urn:sha1:26ceab690dff09d5162443b14adccfbe0e9bcd5d</id>
<content type='text'>
Set mako default-timeout=0 so notifications stay until acted upon. With
auto-timeout off, mako's list IS the pending set, so the
$XDG_RUNTIME_DIR/mako-dismissed bridge becomes dead weight.

- mako/config: default-timeout=0; drop redundant [urgency=critical]
  default-timeout=0 override.
- Delete dismiss-visible.sh and restore-pending.sh; sway calls makoctl
  directly (Mod+n=dismiss, Mod+Shift+n=dismiss --all,
  Mod+Ctrl+n=restore as undo).
- Shrink mako-status.sh to a 20-line counter of makoctl list.
- Rename mako-history.py -&gt; notification-picker.py; lists only
  visible, dismisses via makoctl dismiss -n &lt;id&gt;.
- Update waybar config.jsonc on-click path.
- Update KEYBINDS.md wording (no more 'marks seen' / 'pending set').
</content>
</entry>
<entry>
<title>fix(mako): Super+Shift+n also clears history from pending count</title>
<updated>2026-05-13T12:43:37Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:37Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=f726a9afa6ba815ac8b5f4ce94a6295e74ff3980'/>
<id>urn:sha1:f726a9afa6ba815ac8b5f4ce94a6295e74ff3980</id>
<content type='text'>
dismiss-visible.sh's 'all' mode previously only recorded visible
notification ids and ran 'makoctl dismiss --all'. Notifications already
in mako's history (auto-expired) still counted as pending in waybar's
mako-status. Now also append history ids to the dismissed state file so
the pending counter actually drops to zero.
</content>
</entry>
<entry>
<title>fix(sudoers-rs,waybar): pass DIFFPROG (and friends) through sudo-rs</title>
<updated>2026-05-13T12:43:36Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:36Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=767a54e48163ea0db701c926e6bf69f2237fce33'/>
<id>urn:sha1:767a54e48163ea0db701c926e6bf69f2237fce33</id>
<content type='text'>
The previous fix sidestepped sudo-rs's env scrubbing by setting
DIFFPROG inside a nested root shell. That works but it's the wrong
shape — every command that wants to honour a user UX env var would
have to do the same dance. Configure the policy once instead.

etc/sudoers-rs:
  Defaults env_keep += "DIFFPROG"
  Defaults env_keep += "EDITOR VISUAL SUDO_EDITOR GIT_EDITOR"
  Defaults env_keep += "PAGER MANPAGER GIT_PAGER SYSTEMD_PAGER"
  Defaults env_keep += "LESS LESSOPEN SYSTEMD_LESS"

env_keep is the unconditional pass-through list, so no '-E' is needed
on the call site — `DIFFPROG='nvim -d' sudo pacdiff` Just Works, same
as it does for `EDITOR=nvim sudo systemctl edit foo`,
`PAGER=less sudo journalctl …`, etc. None of these vars influence
privilege boundaries; they only configure user-facing program
behaviour, so widening env_keep to cover them carries no security
trade-off worth accounting for. The existing per-visudo env_keep
lines are kept for documentation value (they're now subsumed by the
global rule but make the intent explicit at the visudo call sites).

The waybar pacdiff click handler reverts to the canonical form
`DIFFPROG='nvim -d' sudo pacdiff`, matching the recipe pacman.git
ships in /usr/share/doc/pacman/.

Will take effect after the next `chezmoi apply` redeploys
/etc/sudoers-rs (the run_onchange_after_deploy-etc.sh.tmpl script
re-installs it with mode 0440 whenever its hash changes).
</content>
</entry>
<entry>
<title>fix(waybar): pacdiff click — set DIFFPROG inside the root shell</title>
<updated>2026-05-13T12:43:36Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:36Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=1238e4dfc33bc4347564350bbfadac50aa8da0cd'/>
<id>urn:sha1:1238e4dfc33bc4347564350bbfadac50aa8da0cd</id>
<content type='text'>
sudo-rs scrubs the env by default, so neither `DIFFPROG=… sudo pacdiff`
nor `sudo DIFFPROG=… pacdiff` reaches pacdiff with the variable set.
Sidestep the env-policy question entirely by running

  sudo sh -c 'DIFFPROG="nvim -d" pacdiff'

so the assignment happens inside the privileged shell, after the
env-scrubbing boundary. No sudoers-rs change required, and the same
form works identically under stock sudo if the user ever switches
back.
</content>
</entry>
<entry>
<title>feat(waybar,systemd-units): wire up new system-health modules and timers</title>
<updated>2026-05-13T12:43:36Z</updated>
<author>
<name>sommerfeld</name>
<email>sommerfeld@sommerfeld.dev</email>
</author>
<published>2026-05-13T12:43:36Z</published>
<link rel='alternate' type='text/html' href='https://git.sommerfeld.dev/dotfiles/commit/?id=f685f20f7a41e6b5c4d56e46a9c8fba7c3287a68'/>
<id>urn:sha1:f685f20f7a41e6b5c4d56e46a9c8fba7c3287a68</id>
<content type='text'>
Bar layout: insert the four new modules between custom/update and
custom/thunderbird so that all 'something needs your attention'
indicators live as a contiguous group on the right side, in roughly
escalating actionability:

  custom/notifications  -- mako history (always present, gray baseline)
  custom/update         -- '`just update` was N hours/days ago'
  custom/pacdiff        -- '.pacnew/.pacsave waiting'
  custom/arch-audit     -- 'fixable CVE in installed package'
  custom/failed-units   -- 'systemd unit failed'
  custom/lostfiles      -- 'unowned files under tracked dirs'
  custom/thunderbird    -- 'unread mail'

Click handlers all use the floating-ghostty + 'press enter to close'
idiom established by the existing update module so output stays
inspectable. arch-audit and lostfiles open their /run report in
`nvim -R` (read-only) since the source of truth lives in those files.

style.css: extend the shared 6px-padding selector list, the .fresh
zero-padding rule (so empty-state modules disappear cleanly), and add
.warn/.critical color rules consistent with the rest of the palette
(yellow #fabd2f for 'review when convenient', red #fb4934 for 'review
soon').

systemd-units/system.txt: enable the three new system timers
  - btrfs-balance@-.timer  (monthly partial balance on /)
  - arch-audit.timer       (daily CVE report refresh)
  - lostfiles.timer        (weekly unowned-files report refresh)

Picked up automatically on the next `just unit-apply`.
</content>
</entry>
</feed>
