| | |
|---|---|
| author | 2026-05-13 13:43:35 +0100 |
| committer | 2026-05-13 13:43:35 +0100 |
| commit | bd50d1c05aceb1eecffcb479ab2bf8baa56fe078 (patch) |
| tree | c64eea94385ddd741882821cf2a368960099126b /etc/systemd/system |
| parent | 14a6992a4ebe826266a1ea4320c34c0ac91932ee (diff) |
feat(arch-audit): daily CVE refresh + waybar reminder
Wiring:
arch-audit.timer (daily, RandomizedDelaySec=1h, Persistent=true)
→ arch-audit.service (After=network-online.target)
→ /run/arch-audit.txt ('--upgradable' output, atomic via .tmp+mv)
→ custom/arch-audit waybar module (interval 300s)
→ mako 'critical' once/24h while count > 0
→ on-click: `ghostty -e nvim -R /run/arch-audit.txt`
The bar entry stays hidden when there are no fixable CVEs, fades in as
red 'CVE N' the moment arch-audit finds at least one, and the throttled
mako means you'll see exactly one notification per day instead of one
per waybar poll. No -Sy refresh and no auto-update — this only reports
the gap between what's installed and what's already in the repos.
Why /run and not the user's runtime dir: the producer is a system unit
(needs the system's pacman db on the network-online path), the consumer
is a user-scope waybar that just reads it; /run is the canonical 'fast,
volatile, world-readable' system-tmpfs and survives the reboot cycle in
exactly the way we want — fresh empty file on every boot, repopulated
on the next timer fire.
Diffstat (limited to 'etc/systemd/system')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | etc/systemd/system/arch-audit.service | 10 |
| -rw-r--r-- | etc/systemd/system/arch-audit.timer | 11 |

2 files changed, 21 insertions, 0 deletions
diff --git a/etc/systemd/system/arch-audit.service b/etc/systemd/system/arch-audit.service new file mode 100644 index 0000000..c011069 --- /dev/null +++ b/etc/systemd/system/arch-audit.service @@ -0,0 +1,10 @@ +[Unit] +Description=Refresh arch-audit upgradable-CVE report at /run/arch-audit.txt +Documentation=https://gitlab.archlinux.org/archlinux/arch-audit +After=network-online.target +Wants=network-online.target +ConditionPathExists=/usr/bin/arch-audit + +[Service] +Type=oneshot +ExecStart=/bin/sh -c '/usr/bin/arch-audit --upgradable >/run/arch-audit.txt.tmp && mv /run/arch-audit.txt.tmp /run/arch-audit.txt' diff --git a/etc/systemd/system/arch-audit.timer b/etc/systemd/system/arch-audit.timer new file mode 100644 index 0000000..af1e7f3 --- /dev/null +++ b/etc/systemd/system/arch-audit.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Daily arch-audit report refresh + +[Timer] +OnCalendar=daily +AccuracySec=1h +Persistent=true +RandomizedDelaySec=1h + +[Install] +WantedBy=timers.target |
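Review bot: In the arch-audit.service hunk, `ExecStart` runs arch-audit as root, which it does not need: per the commit message it only reads the system pacman database and talks to the network, so `DynamicUser=yes` with `RuntimeDirectory=arch-audit` and `RuntimeDirectoryPreserve=yes` would give the same world-readable file on tmpfs (at `/run/arch-audit/arch-audit.txt`, default directory mode 0755) without a network-facing tool holding full privileges; the waybar module and the `on-click` path would need the new location. Two smaller points: `After=network-online.target` only orders against an enabled wait-online service, so on a host without one the first run after boot can still race the link; and because the `&&` keeps the previous report on failure (the right choice), the bar cannot tell "no fixable CVEs" from "refresh failed", so consider logging or touching a marker in the failure branch, e.g. `... || echo "arch-audit refresh failed" >&2`.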
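Review bot: In the arch-audit.timer hunk, the `ConditionPathExists=/usr/bin/arch-audit` guard lives only on the service, so on a machine without the package the timer still elapses every day and the service is merely skipped with a condition-failed status; placing the same `ConditionPathExists=` in the timer's `[Unit]` section makes the timer itself refuse to start when the tool is absent. Also, with `Persistent=true` a run missed while the machine was off fires as soon as the timer is activated after boot, and the timer carries no ordering of its own, so the service's `After=network-online.target` is the only thing keeping that catch-up run from racing connectivity; a `Documentation=` line matching the service would help anyone reading `systemctl status arch-audit.timer`.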
