From bd50d1c05aceb1eecffcb479ab2bf8baa56fe078 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Wed, 13 May 2026 13:43:35 +0100 Subject: feat(arch-audit): daily CVE refresh + waybar reminder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wiring: arch-audit.timer (daily, RandomizedDelaySec=1h, Persistent=true) → arch-audit.service (After=network-online.target) → /run/arch-audit.txt ('--upgradable' output, atomic via .tmp+mv) → custom/arch-audit waybar module (interval 300s) → mako 'critical' once/24h while count > 0 → on-click: `ghostty -e nvim -R /run/arch-audit.txt` The bar entry stays hidden when there are no fixable CVEs, fades in as red 'CVE N' the moment arch-audit finds at least one, and the throttled mako means you'll see exactly one notification per day instead of one per waybar poll. No -Sy refresh and no auto-update — this only reports the gap between what's installed and what's already in the repos. Why /run and not the user's runtime dir: the producer is a system unit (needs the system's pacman db on the network-online path), the consumer is a user-scope waybar that just reads it; /run is the canonical 'fast, volatile, world-readable' system-tmpfs and survives the reboot cycle in exactly the way we want — fresh empty file on every boot, repopulated on the next timer fire. --- dot_config/waybar/executable_arch-audit-status.sh | 46 +++++++++++++++++++++++ etc/systemd/system/arch-audit.service | 10 +++++ etc/systemd/system/arch-audit.timer | 11 ++++++ 3 files changed, 67 insertions(+) create mode 100755 dot_config/waybar/executable_arch-audit-status.sh create mode 100644 etc/systemd/system/arch-audit.service create mode 100644 etc/systemd/system/arch-audit.timer diff --git a/dot_config/waybar/executable_arch-audit-status.sh b/dot_config/waybar/executable_arch-audit-status.sh new file mode 100755 index 0000000..73edf6f --- /dev/null +++ b/dot_config/waybar/executable_arch-audit-status.sh 
@@ -0,0 +1,46 @@
+#!/bin/sh
+# Waybar custom/arch-audit: shows count of installed packages with known
+# CVEs that already have a fix available in the repos. Source of truth
+# is /run/arch-audit.txt, refreshed daily by arch-audit.timer (system
+# scope). Hidden when zero or report missing.
+#
+# Mako throttled to once per 24h via a stamp in $XDG_RUNTIME_DIR.
+
+set -eu
+
+REPORT=/run/arch-audit.txt
+STATE=${XDG_RUNTIME_DIR:-/tmp}/waybar-arch-audit-notified
+
+emit_empty() {
+ printf '{"text":"","class":"fresh","tooltip":""}\n'
+ exit 0
+}
+
+[ -r "$REPORT" ] || emit_empty
+
+count=$(grep -c . "$REPORT" 2>/dev/null || :)
+case "$count" in '' | *[!0-9]*) count=0 ;; esac
+
+[ "$count" -eq 0 ] && emit_empty
+
+text="CVE ${count}"
+tooltip="${count} package(s) with fixable CVEs — click to view, then run \`just update\`"
+printf '{"text":"%s","class":"critical","tooltip":"%s"}\n' "$text" "$tooltip"
+
+now=$(date +%s)
+last_notified=0
+if [ -f "$STATE" ]; then
+ last_notified=$(cat "$STATE" 2>/dev/null || printf 0)
+ case "$last_notified" in '' | *[!0-9]*) last_notified=0 ;; esac
+fi
+
+if [ $((now - last_notified)) -ge 86400 ] &&
+ command -v notify-send >/dev/null 2>&1; then
+ notify-send \
+ --app-name=arch-audit \
+ --urgency=critical \
+ --icon=security-medium \
+ "Security updates available" \
+ "${count} installed package(s) have fixable CVEs. Run \`just update\`."
+ printf '%s\n' "$now" >"$STATE"
+fi
diff --git a/etc/systemd/system/arch-audit.service
new file mode 100644
index 0000000..c011069
--- /dev/null
+++ b/etc/systemd/system/arch-audit.service
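Review bot: The throttle stamp falls back to a fixed name in world-writable `/tmp` when `XDG_RUNTIME_DIR` is unset (`STATE=${XDG_RUNTIME_DIR:-/tmp}/waybar-arch-audit-notified`), and the final `printf '%s\n' "$now" >"$STATE"` follows whatever is already at that path, so another local user can pre-create the file with a far-future timestamp to silence the CVE notification indefinitely, or leave a symlink for the redirect to follow where `fs.protected_symlinks` does not intervene. In a waybar session `XDG_RUNTIME_DIR` is normally provided by pam_systemd, so the fallback buys almost nothing; drop it and skip the throttle branch instead: `STATE=${XDG_RUNTIME_DIR:+$XDG_RUNTIME_DIR/waybar-arch-audit-notified}` and `if [ -n "$STATE" ] && [ $((now - last_notified)) -ge 86400 ] &&`. The `-ge 86400` test also deserves a comment that a stamp ahead of `now` (clock step, or a tampered file) mutes notifications until it is 24h old again, e.g. `# a stamp in the future suppresses until the clock passes it + 24h; stamp is trusted only because it lives in the user's runtime dir`. The numeric validation of `count` and `last_notified` via the `case` guards is good and keeps the emitted JSON free of unescaped content.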
@@ -0,0 +1,10 @@
+[Unit]
+Description=Refresh arch-audit upgradable-CVE report at /run/arch-audit.txt
+Documentation=https://gitlab.archlinux.org/archlinux/arch-audit
+After=network-online.target
+Wants=network-online.target
+ConditionPathExists=/usr/bin/arch-audit
+
+[Service]
+Type=oneshot
+ExecStart=/bin/sh -c '/usr/bin/arch-audit --upgradable >/run/arch-audit.txt.tmp && mv /run/arch-audit.txt.tmp /run/arch-audit.txt'
diff --git a/etc/systemd/system/arch-audit.timer
new file mode 100644
index 0000000..af1e7f3
--- /dev/null
+++ b/etc/systemd/system/arch-audit.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Daily arch-audit report refresh
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1h
+Persistent=true
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
-- cgit v1.3.1
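Review bot: The `[Service]` section runs arch-audit as root with no sandboxing, although the job only needs read access to the pacman database and, given the `After=network-online.target` ordering, presumably an outbound fetch of the security-tracker feed that it then parses; a parser bug or a hostile response would execute with full privileges. Run it as a dynamic user and let systemd own the output directory: `/run/arch-audit/` created by `RuntimeDirectory=` is world-readable by default (0755), so the user-scope waybar reader keeps working once the script's `REPORT` and the on-click `nvim` path are moved to `/run/arch-audit/report.txt`, and `RuntimeDirectoryPreserve=yes` is required because a oneshot unit otherwise removes that directory when it stops, deleting the report right after writing it. If arch-audit turns out to want a writable cache, add `CacheDirectory=arch-audit` rather than loosening the sandbox. Separately, if `arch-audit --upgradable` signals findings through a non-zero exit status (worth confirming against its man page), the `&&` in `ExecStart` skips the `mv` exactly when there is something to report and leaves the `.tmp` behind; in that case test for the specific status instead of `&&`, and do not fall back to a bare `;`, which would publish a truncated report on network failure.
```ini
[Service]
Type=oneshot
# arch-audit only reads the pacman db and talks to the tracker over the
# network; it does not need root, and what it parses is remote input.
DynamicUser=yes
RuntimeDirectory=arch-audit
RuntimeDirectoryPreserve=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
# Report now lives at /run/arch-audit/report.txt; update the waybar
# script's REPORT and the on-click path to match.
ExecStart=/bin/sh -c '/usr/bin/arch-audit --upgradable >/run/arch-audit/report.txt.tmp && mv /run/arch-audit/report.txt.tmp /run/arch-audit/report.txt'
```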