From bd50d1c05aceb1eecffcb479ab2bf8baa56fe078 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Wed, 13 May 2026 13:43:35 +0100 Subject: feat(arch-audit): daily CVE refresh + waybar reminder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Wiring: arch-audit.timer (daily, RandomizedDelaySec=1h, Persistent=true) → arch-audit.service (After=network-online.target) → /run/arch-audit.txt ('--upgradable' output, atomic via .tmp+mv) → custom/arch-audit waybar module (interval 300s) → mako 'critical' once/24h while count > 0 → on-click: `ghostty -e nvim -R /run/arch-audit.txt` The bar entry stays hidden when there are no fixable CVEs, fades in as red 'CVE N' the moment arch-audit finds at least one, and the throttled mako means you'll see exactly one notification per day instead of one per waybar poll. No -Sy refresh and no auto-update — this only reports the gap between what's installed and what's already in the repos. Why /run and not the user's runtime dir: the producer is a system unit (needs the system's pacman db on the network-online path), the consumer is a user-scope waybar that just reads it; /run is the canonical 'fast, volatile, world-readable' system-tmpfs and survives the reboot cycle in exactly the way we want — fresh empty file on every boot, repopulated on the next timer fire. --- dot_config/waybar/executable_arch-audit-status.sh | 46 +++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100755 dot_config/waybar/executable_arch-audit-status.sh (limited to 'dot_config/waybar/executable_arch-audit-status.sh') diff --git a/dot_config/waybar/executable_arch-audit-status.sh b/dot_config/waybar/executable_arch-audit-status.sh new file mode 100755 index 0000000..73edf6f --- /dev/null +++ b/dot_config/waybar/executable_arch-audit-status.sh @@ -0,0 +1,46 @@ +#!/bin/sh +# Waybar custom/arch-audit: shows count of installed packages with known +# CVEs that already have a fix available in the repos. Source of truth +# is /run/arch-audit.txt, refreshed daily by arch-audit.timer (system +# scope). Hidden when zero or report missing. +# +# Mako throttled to once per 24h via a stamp in $XDG_RUNTIME_DIR. + +set -eu + +REPORT=/run/arch-audit.txt +STATE=${XDG_RUNTIME_DIR:-/tmp}/waybar-arch-audit-notified + +emit_empty() { + printf '{"text":"","class":"fresh","tooltip":""}\n' + exit 0 +} + +[ -r "$REPORT" ] || emit_empty + +count=$(grep -c . "$REPORT" 2>/dev/null || :) +case "$count" in '' | *[!0-9]*) count=0 ;; esac + +[ "$count" -eq 0 ] && emit_empty + +text="CVE ${count}" +tooltip="${count} package(s) with fixable CVEs — click to view, then run \`just update\`" +printf '{"text":"%s","class":"critical","tooltip":"%s"}\n' "$text" "$tooltip" + +now=$(date +%s) +last_notified=0 +if [ -f "$STATE" ]; then + last_notified=$(cat "$STATE" 2>/dev/null || printf 0) + case "$last_notified" in '' | *[!0-9]*) last_notified=0 ;; esac +fi + +if [ $((now - last_notified)) -ge 86400 ] && + command -v notify-send >/dev/null 2>&1; then + notify-send \ + --app-name=arch-audit \ + --urgency=critical \ + --icon=security-medium \ + "Security updates available" \ + "${count} installed package(s) have fixable CVEs. Run \`just update\`." + printf '%s\n' "$now" >"$STATE" +fi -- cgit v1.3.1