diff options
| author |  sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:35 +0100 |
|---|---|---|
| committer | sommerfeld <sommerfeld@sommerfeld.dev> | 2026-05-13 13:43:35 +0100 |
| commit | bd50d1c05aceb1eecffcb479ab2bf8baa56fe078 (patch) | |
| tree | c64eea94385ddd741882821cf2a368960099126b /dot_config/waybar | |
| parent | 14a6992a4ebe826266a1ea4320c34c0ac91932ee (diff) | |
| download | dotfiles-bd50d1c05aceb1eecffcb479ab2bf8baa56fe078.tar.gz dotfiles-bd50d1c05aceb1eecffcb479ab2bf8baa56fe078.tar.bz2 dotfiles-bd50d1c05aceb1eecffcb479ab2bf8baa56fe078.zip | |
feat(arch-audit): daily CVE refresh + waybar reminder
Wiring:
arch-audit.timer (daily, RandomizedDelaySec=1h, Persistent=true)
→ arch-audit.service (After=network-online.target)
→ /run/arch-audit.txt ('--upgradable' output, atomic via .tmp+mv)
→ custom/arch-audit waybar module (interval 300s)
→ mako 'critical' once/24h while count > 0
→ on-click: `ghostty -e nvim -R /run/arch-audit.txt`
The bar entry stays hidden when there are no fixable CVEs, fades in as
red 'CVE N' the moment arch-audit finds at least one, and the throttled
mako means you'll see exactly one notification per day instead of one
per waybar poll. No -Sy refresh and no auto-update — this only reports
the gap between what's installed and what's already in the repos.
Why /run and not the user's runtime dir: the producer is a system unit
(needs the system's pacman db on the network-online path), the consumer
is a user-scope waybar that just reads it; /run is the canonical 'fast,
volatile, world-readable' system-tmpfs and survives the reboot cycle in
exactly the way we want — fresh empty file on every boot, repopulated
on the next timer fire.
Diffstat (limited to 'dot_config/waybar')
| -rwxr-xr-x | dot_config/waybar/executable_arch-audit-status.sh | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/dot_config/waybar/executable_arch-audit-status.sh b/dot_config/waybar/executable_arch-audit-status.sh new file mode 100755 index 0000000..73edf6f --- /dev/null +++ b/dot_config/waybar/executable_arch-audit-status.sh @@ -0,0 +1,46 @@ +#!/bin/sh +# Waybar custom/arch-audit: shows count of installed packages with known +# CVEs that already have a fix available in the repos. Source of truth +# is /run/arch-audit.txt, refreshed daily by arch-audit.timer (system +# scope). Hidden when zero or report missing. +# +# Mako throttled to once per 24h via a stamp in $XDG_RUNTIME_DIR. + +set -eu + +REPORT=/run/arch-audit.txt +STATE=${XDG_RUNTIME_DIR:-/tmp}/waybar-arch-audit-notified + +emit_empty() { + printf '{"text":"","class":"fresh","tooltip":""}\n' + exit 0 +} + +[ -r "$REPORT" ] || emit_empty + +count=$(grep -c . "$REPORT" 2>/dev/null || :) +case "$count" in '' | *[!0-9]*) count=0 ;; esac + +[ "$count" -eq 0 ] && emit_empty + +text="CVE ${count}" +tooltip="${count} package(s) with fixable CVEs — click to view, then run \`just update\`" +printf '{"text":"%s","class":"critical","tooltip":"%s"}\n' "$text" "$tooltip" + +now=$(date +%s) +last_notified=0 +if [ -f "$STATE" ]; then + last_notified=$(cat "$STATE" 2>/dev/null || printf 0) + case "$last_notified" in '' | *[!0-9]*) last_notified=0 ;; esac +fi + +if [ $((now - last_notified)) -ge 86400 ] && + command -v notify-send >/dev/null 2>&1; then + notify-send \ + --app-name=arch-audit \ + --urgency=critical \ + --icon=security-medium \ + "Security updates available" \ + "${count} installed package(s) have fixable CVEs. Run \`just update\`." + printf '%s\n' "$now" >"$STATE" +fi |