49 Commits

Author SHA1 Message Date
8aaf7cae5b fix: audit MEDIUM fixes — merge fallback, service hardening, CI token
- moonarch-waybar: on merge failure, remove the stale output so waybar
  falls back to the system config (previously it kept running with stale
  merged data despite the error notification claiming otherwise).
- moonarch-doctor: hoist INSTALLED assignment above both OFFICIAL and AUR
  blocks so the script survives set -u when only aur.txt is present.
- zshrc parse_git_branch: gate on git rev-parse and replace three grep
  subshells with bash pattern matching, cutting prompt latency from
  ~5 subprocesses per render to 2 (status + symbolic-ref).
- moonarch-batsaver.service: validate the threshold is an integer 1-100
  before writing to sysfs, add NoNewPrivileges and protection directives
  instead of relying on kernel validation alone.
- ci/act-runner/Dockerfile: drop the broad "pacman -Sy *" sudoers entry
  (only -S --needed is required by makepkg), and pin run.sh to
  act_runner:0.3.1 so it cannot drift ahead of the pinned binary.
- .gitea/workflows/update-pkgver.yaml: push via credential.helper=store
  with a chmod 600 temp file instead of `git -c http.extraHeader=...`,
  so the token no longer shows up in /proc/PID/cmdline.
2026-04-24 13:15:52 +02:00
8485a63ab7 fix(moonup): read prompts from /dev/tty, robust GUI pause
Pacman/paru can drain or close stdin, so after the first interactive step
the EXIT trap's pause was silently skipped (the `-t 0` check failed) and
every subsequent confirm() prompt hit EOF — which with `[[ -z $response ]]`
auto-accepted, letting install/remove actions run unattended.

- _pause_on_exit: drop the `-t 0` guard and read from /dev/tty
- confirm(): read from /dev/tty so EOF on stdin can't masquerade as "yes"
- Move the trap installation above the gettext i18n init so an early
  failure (e.g. missing gettext) still triggers the pause message.
2026-04-23 08:08:52 +02:00
6e14258ad9 fix(doctor): drop obsolete paru repo check, cover walker + nautilus
The `[moonarch-pkgbuilds]` paru-repo check was a false failure: that
mechanism was retired on 2026-04-20 and the install hook strips the
legacy paru.conf section on upgrade.

Audit of the rest of the doctor surfaced two related gaps — the
user-services loop skipped `walker.service` and `nautilus.service`,
even though moonarch-git ships both and enables them via
graphical-session.target.wants. Added them to the loop and filled in
the missing `wlsunset` in the CLAUDE.md listing.
2026-04-22 08:56:23 +02:00
9432bc4831 fix(post-install): seed stasis config into user home
Stasis ignores /etc/xdg/ and only reads ~/.config/stasis/stasis.rune
(primary) or /etc/stasis/stasis.rune (fallback). On first start with no
user config it writes its own hardcoded default, so Moonarch's tuned
idle plans were never active on fresh installs.

Seed the template from /etc/xdg/stasis/stasis.rune into the user home
before stasis ever starts, only if the user file is missing. See
DECISIONS.md for verification against upstream v1.1.0.
2026-04-22 08:49:04 +02:00
373bfd4a9b fix(moonup): keep terminal open on errors via EXIT trap
The previous end-of-script `read` never ran when `set -e` aborted mid-way
(pacman conflict, paru failure, Ctrl+C), so foot closed on errors —
exactly when the user most needs to see the output.

Move the pause into a trap on EXIT, gated by `MOONUP_WAIT=1` so CLI use
stays non-interactive. Waybar on-click now sets the env var.
2026-04-22 08:23:25 +02:00
971a6eb577 refactor(install): restore fresh-install flow, drop transform.sh and personas
Long-standing gaps in post-install.sh plus cleanup:

- post-install.sh:18 was `sudo pacman -S paru` on the wrong
  assumption paru had landed in [extra]. Verified: paru/paru-bin
  are AUR-only. Restored the original git-clone + makepkg
  bootstrap, added the rust build dep that archinstall does not
  pull in.
- post-install.sh never installed AUR extras — walker, elephant,
  waypaper, stasis, themes all silently skipped. Now pulls
  packages/aur.txt after moonarch-git.
- packages/official.txt: drop glab, go, npm (unused) and rustup
  (only needed for the paru build, handled imperatively now).
- packages/aur.txt: add walker-bin (was missing entirely).
- transform.sh + legacy update.sh shim removed — transform was
  never used in practice.
- Apollo persona block out of CLAUDE.md, prior DECISIONS entries
  rewritten from Apollo/Ragnar to ClaudeCode.
- README Transform section and scripts/ listing trimmed.
- lib.sh ABOUTME updated — only post-install.sh sources it now.
2026-04-21 09:04:23 +02:00
0a38347cb9 feat(install): registry-only path, drop paru --pkgbuilds from setup
post-install.sh and transform.sh no longer write paru.conf entries for
the PKGBUILD repo — the Arch registry is the single source of truth.
pacman -Sy + paru -S moonarch-git now suffices. See DECISIONS.md.
2026-04-20 14:20:02 +02:00
f4f6ede2a7 feat: i18n moonarch-update via pacman gettext + inline DE
Prompts and log lines now follow the user's LANG. Reuses pacman's
gettext catalog for strings with matching upstream msgids
(Proceed with installation?, [Y/n], Starting full system upgrade...,
Do you want to remove these packages?). Moonarch-specific strings
go through an inline _t "en" "de" helper keyed off ${LANG%%.*}.

confirm() switches to pacman-style: :: prefix, default Y, accepts
y/Y/j/J. No PKGBUILD change — gettext ships with base.
2026-04-19 15:47:28 +02:00
0433f08f08 feat: manage wlsunset via systemd user service
Move nightlight from niri spawn-at-startup to a systemd user service
with After=kanshi.service to ensure all outputs are configured before
wlsunset starts. Toggle now uses enable/disable --now for persistent
state across reboots.
2026-04-14 17:42:24 +02:00
9bc753e092 fix: use niri include instead of copying system config to user dir
transform.sh was hard-copying /etc/xdg/niri/config.kdl to ~/.config/niri/,
causing the user config to go stale after system updates. Now seeds a minimal
user config with `include "/etc/xdg/niri/config.kdl"` so system defaults
always stay current and users can add overrides below the include.
2026-04-11 21:03:42 +02:00
b8753bf84f fix: remove docker from defaults, fix cliphist-image ordering cycle
Docker is a dev dependency, not a desktop environment default. Remove
from package list, archinstall config, services and README.

Fix systemd ordering cycle that prevented cliphist-image from starting:
cliphist-text had After=graphical-session.target which combined with
PartOf= and cliphist-image's After=cliphist-text created a cycle.
2026-04-10 08:18:55 +02:00
a55c7ea9d1 feat: add moonarch-doctor system health checker
Diagnostic script that verifies services, configs, packages and paths
against the expected moonarch system state. Reports pass/fail/warn with
colored output and summary. Deployed as moonarch-doctor (alias: moondoc).
2026-04-10 08:18:45 +02:00
ab066724f0 fix: keep terminal open after moonarch-update completes
Add "press any key" prompt when running interactively (stdin is a TTY).
Remove dead wrapper in defaults/bin/ that was overwritten by PKGBUILD.
2026-04-10 07:33:46 +02:00
f6869c9cea fix: detect implicitly installed packages in moonarch-update
Use pacman -Qq (all installed) instead of -Qqe (explicit only) so
packages installed as dependencies are not falsely reported as missing.
2026-04-09 11:47:51 +02:00
ac2b210a1f fix: audit remediation — security, quality and performance fixes
- CI Dockerfile: verify act_runner SHA256, restrict sudoers to safe
  pacman arguments (S-C1, S-C2)
- cliphist: split into cliphist-text + cliphist-image services with
  Type=simple for proper PID tracking and restart (Q-C3)
- batsaver-toggle: validate sysfs input as numeric, check state file
  write (Q-C2, S-W2)
- udev battery rule: add ACTION=="add" filter to avoid firing on
  every battery event (Q-W3)
- cpugov: replace eval with direct expansion, switch waybar module
  to signal-based updates, send SIGRTMIN+10 after toggle (Q-W1,
  S-W1, P-W4)
- Remove docker group auto-assignment from install scripts (S-I1)
2026-04-08 11:45:56 +02:00
037d311607 refactor: clean up Waybar styles, remove user-defaults mechanism
- Remove defaults/user/ and the user-defaults copy loop from
  post-install.sh and transform.sh — Waybar falls back to
  /etc/xdg/waybar/ via XDG spec, no provisioning needed.
- Remove USER_DEFAULTS constant from lib.sh.
- Clean up style.css: remove dead selectors (#net, #cava,
  #custom-updates, #custom-notification), commented-out blocks,
  empty rules, duplicate properties, and hardcoded hex color.
- Restructure module styling: generic top-level box via
  > widget > *, group children reset via widget widget > *,
  explicit exceptions for workspaces/taskbar/window.
- Normalize section comments and whitespace.
- Update README to remove user/waybar/ from project structure.
2026-04-07 17:27:47 +02:00
62495d8e3d fix: prevent kanshi config from breaking wdisplays-persistent
Remove ABOUTME comments from kanshi default config — they broke
the profile parser in wdisplays-persistent store.c, preventing
config saves. Also skip kanshi in transform.sh when user profiles
already exist, since display layouts are machine-specific.
2026-04-07 12:23:06 +02:00
80c395fc14 feat: add cliphist service, move user services to /etc/systemd/user/
- Add cliphist.service that wipes clipboard history on session start
  (crash-safe: cleans up at next boot, not at shutdown)
- Move kanshi, walker, nautilus services from ~/.config/systemd/user/
  to /etc/systemd/user/ (system-level defaults, consistent with
  moonarch's config philosophy)
- Remove cliphist spawn-sh-at-startup from niri config (managed by
  systemd service now)
- Add cliphist to USER_SERVICES in post-install.sh and transform.sh

Closes #1
2026-04-07 11:27:49 +02:00
25baf88a2a fix: move paru repo config into moonarch.install to break bootstrap loop
The paru PKGBUILD repo config was only set up by post-install.sh and
transform.sh. If the config was missing on an existing system,
moonarch-git couldn't update — the fix required the package that
delivers the fix.

Now moonarch.install sets up the config on every install/upgrade.
post-install.sh keeps it for first-time bootstrap (before moonarch-git
exists). transform.sh no longer manages it.
2026-04-07 11:11:58 +02:00
29550b8a14 fix: audit remediation — 6 fixes across quality, performance, security
Q-01: Fix broken upower regex in moonarch-btnote (lookaheads never matched)
Q-02: Fix transform.sh paru repo section name ([moonarch] → [moonarch-pkgbuilds]),
      config path (~/.config → /etc), and partial sync (-Sy → -Syu)
Q-03: Add missing stasis package to aur.txt (idle management broken on fresh install)
S-01: Switch CI git clones from HTTP to HTTPS (MITM risk in Docker network)
S-02: Restrict CI builder sudo to /usr/bin/pacman only
P-01: Refactor moonarch-waybar-gpustat — remove while loop, use jq --arg style
2026-04-07 10:50:57 +02:00
0fba63571c fix: harden GPG key import with fingerprint verification and cleanup
The registry signing key was imported without verifying its fingerprint,
allowing a MITM or compromised server to inject a rogue key. Now checks
the downloaded key against a pinned fingerprint before import. Also adds
trap EXIT for tempfile cleanup and rejects empty curl responses.
2026-04-06 23:08:01 +02:00
23a14e95d5 fix: enable stasis idle manager in user services
stasis ships its own systemd user service but was missing from the
USER_SERVICES array in both post-install and transform scripts.
2026-04-06 22:55:33 +02:00
1004a0b986 Fix paru PKGBUILD repo name collision with pacman registry
Both the pacman package registry and the paru PKGBUILD repo used
[moonarch] as section name, causing paru to fail resolving PKGBUILD
upgrade targets against the wrong repo. Renamed PKGBUILD repo to
[moonarch-pkgbuilds] and moved config from ~/.config/paru/paru.conf
to system-wide /etc/paru.conf.
2026-04-02 08:52:26 +02:00
7f06c8e501 Add Moonarch package registry setup with signed packages
Import Gitea Arch registry key dynamically and configure pacman
with SigLevel = Required DatabaseOptional. Key ID is extracted
from the downloaded key file to avoid hardcoding.
2026-04-01 18:09:10 +02:00
5b37bfe525 Pin linux-zen kernel in archinstall config, add quiet boot param
- Set kernels to linux-zen in user_configuration.json to skip
  interactive kernel selection during install
- Add post-install step to append quiet to non-fallback systemd-boot
  entries for clean boot output
2026-03-31 11:17:36 +02:00
1e19f08776 fix: shell script quoting and argument injection hardening
Audit fixes for command injection risks in helper scripts:
- moonarch-cpugov: eval for quoted COMMANDS expansion (pkexec context)
- moonarch-btnote: while+read with process substitution, quoted vars
- moonarch-vpn: -- guard before connection name in nmcli calls
- post-install.sh: else-logging when USER_DEFAULTS dir missing
2026-03-31 11:06:14 +02:00
f2a28f8577 docs: fix README, remove gtklock and wlogout remnants
README: fix keybind (wlogout → moonset), remove gtklock from project
structure, correct package counts, remove nonexistent install-themes.sh,
mark update.sh as legacy wrapper.
Remove gtklock packages (5) and wlogout from package lists.
Remove defaults/xdg/gtklock/ config directory.
Remove stale foot/waybar overrides from transform.sh.
2026-03-31 09:36:20 +02:00
684d54e0c2 Deploy moonarch config overrides for walker, foot, and waybar
These configs are owned by their respective packages in /etc/xdg/ so
the XDG copy loop installs the package defaults instead of ours.
Overwrite with moonarch versions from /usr/share/moonarch/ after the
loop.
2026-03-30 23:45:52 +02:00
3acb71a210 Fix GTK4 theme comment to match Grey accent
2026-03-30 23:34:26 +02:00
c011672bc2 Install packages from package lists in transform script
The pre-flight summary already computed missing packages but never
installed them. Now installs both official and AUR packages after
moonarch-git.
2026-03-30 23:03:58 +02:00
59a0e500f2 Fix transform failing on root-owned XDG config dirs
cp -r from /etc/xdg/ preserved root ownership on directories,
causing rm -rf to fail on subsequent runs. Add --no-preserve=ownership
to cp and escalated rm fallback for existing root-owned dirs.
2026-03-30 22:49:42 +02:00
2fba1b571d Make backup optional in transform script
2026-03-30 22:32:54 +02:00
5947d9af43 fix: use paru -Syu instead of -Sy to avoid partial upgrade state
2026-03-30 16:09:06 +02:00
4d9cbe7ce2 Replace Rofi with Walker as application launcher
Walker (GTK4 + Elephant backend) replaces rofi-lbonn-wayland-git as the
central launcher and menu framework.

Native Walker providers replace 5 custom rofi scripts:
- App launcher (desktopapplications provider)
- Clipboard (clipboard provider, replaces cliphist frontend)
- Bluetooth (bluetooth provider, replaces bluetoothctl script)
- Volume/audio (wireplumber provider)
- Sink switcher (wireplumber provider)

3 scripts ported to Walker dmenu mode:
- moonarch-vpn (nmcli)
- moonarch-cpugov (auto-cpufreq)
- moonarch-sink-switcher (pactl)

Settings menu (moonarch-setmen) removed — apps are findable via Walker
app search directly.

Walker theme (gtk-inherit) inherits all colors from the active GTK4
theme instead of hardcoding Catppuccin values.

Walker and Elephant run as systemd user services for instant startup.

Also standardizes GTK theme to Colloid-Grey-Dark-Catppuccin across all
config files (was inconsistent between gsettings and file configs).

Old rofi configs preserved in legacy/rofi/ for reference.
2026-03-30 12:06:25 +02:00
07264510dd Fix audit findings, replace wlogout with moonset
Bug fixes from quality and security audits:
- moonarch-capsnote: use value[0] instead of value[2]
- moonarch-btnote: guard empty PER_INT before integer comparison
- moonarch-clipboard + niri config: use XDG_RUNTIME_DIR instead of UID 1000
- moonarch-waybar-hidpp: use charging icon when charging
- moonarch-waybar-gpustat: find gpu_busy_percent dynamically across hwmon*
- post-install/transform: use systemctl --user cat for service detection
- post-install/transform: install paru from [extra] instead of AUR clone

Replace wlogout with moonset in niri keybind and waybar on-click.
Remove moonarch-session (dead code, replaced by moonset) and wlogout
layout config.
2026-03-29 21:23:03 +02:00
7d7cbec2ca Delegate file deployment to moonarch-git package
Refactor post-install.sh and transform.sh to install moonarch-git via
paru instead of manually copying configs, scripts, and themes. Remove
install-themes.sh (replaced by sweet-cursors-git dependency). Replace
update.sh with deprecation notice that forwards to the package-provided
moonarch-update in /usr/bin/.
2026-03-29 18:53:57 +02:00
a6a5a709a0 Add moonarch-update for package-based system maintenance
Simplified updater that reads package lists from /usr/share/moonarch/
instead of syncing a git repo. Designed to be shipped by the
moonarch-git package as /usr/bin/moonarch-update.
2026-03-29 17:15:07 +02:00
1679fcfb30 Make /opt/moonarch root-owned for multi-user support
Remove chown from archinstall custom-commands so the repo stays
root:root. Use sudo for git operations in update.sh. Any user with
sudo can now run moonarch-update without owning the repo.
2026-03-29 15:23:39 +02:00
72c221897f Add --dry-run flag to transform.sh
Shows pre-flight summary with package diff, config change counts,
and detected conflicts without modifying the system.
2026-03-29 15:12:41 +02:00
9d26f04af6 Add transform script for existing Arch+Wayland systems
Extract shared helpers into lib.sh (log, err, confirm, path constants)
and refactor post-install.sh + update.sh to source it.

New transform.sh converts an existing Arch+Wayland system to Moonarch:
pre-flight summary, config backup, DM conflict resolution, PulseAudio
removal, full package install, and hard overwrite of all configs.

Also migrate kanshi from niri spawn-at-startup to systemd user service.
2026-03-29 15:03:44 +02:00
24d70db2cf fix: migrate swww to awww, add per-user GTK4 symlinks
swww was renamed to awww (codeberg.org/LGFae/awww). Update package
list, README references, and add compatibility symlinks in post-install
so waypaper keeps working until it supports awww natively.

Also add per-user ~/.config/gtk-4.0/ symlinks — libadwaita ignores the
system-wide /etc/xdg/ fallback, so apps like Nautilus need user-level
CSS links to pick up the Catppuccin theme.
2026-03-29 14:14:06 +02:00
eaf30724aa fix missing packages, remove dead code, replace ponymix with pactl
- Add wl-clipboard, libnotify, upower, bluez, bluez-utils to official.txt
- Remove stow (installed but never used)
- Remove dead moonlock.service cp block from post-install.sh
- Rewrite moonarch-sink-switcher and moonarch-volume to use pactl
  instead of ponymix (already available via libpulse)
2026-03-29 14:00:51 +02:00
0a266510e0 i18n: migrate all German text to English
Enforce the repo convention that committed text is English.
Translates ABOUTME headers, code comments, log/error messages,
shell prompts, and documentation across all files.
CLAUDE.md files remain in German per policy.
2026-03-28 14:53:23 +01:00
f5d94e8bc0 fix: replace manual moongreet/moonset installs with paru repo
The old fallbacks used git clone + makepkg and uv pip install, which
are fragile and bypass the moonarch-pkgbuilds repo. Now sets up the
paru custom repo and installs all three packages via paru -S.
2026-03-28 14:30:09 +01:00
44dee82f35 User config defaults for Waybar with include of the system-wide config
Post-install copies defaults/user/ to ~/.config/, but only if
the files do not exist yet. Waybar examples show how to extend
the system-wide config via include/import (e.g. peripheral batteries).
2026-03-27 17:03:38 +01:00
8e59f9298a Add moonset installation and moonlock service to post-install
Post-install clones and installs moonset from Gitea and
sets up the moonlock systemd user service.
2026-03-27 15:26:45 +01:00
b43720082d Unify theming on Colloid-Catppuccin and UbuntuSans Nerd Font
- Switched GTK theme from catppuccin-mocha-lavender to Colloid-Catppuccin
- System-wide GTK4 symlinks in /etc/xdg/gtk-4.0/ for libadwaita dark mode
- gsettings for theme, color scheme, icon theme and font in post-install
- All fonts (Hack, JetBrainsMono, MonarchOS) switched to UbuntuSans Nerd Font
- Package lists: Colloid packages instead of catppuccin-gtk/newaita, ttf-ubuntusans-nerd
2026-03-26 22:17:03 +01:00
f79128b1a6 feat: replace regreet with moongreet, unified default wallpaper
Greeter switched from regreet (niri wrapper) to moongreet (GTK4 + gtk4-layer-shell).
moongreet is built directly from the Gitea repo.

A single wallpaper at /usr/share/moonarch/wallpaper.jpg now serves
as the default for the desktop (waypaper), lock screen (gtklock) and greeter
(moongreet).
2026-03-26 12:17:18 +01:00
5d2ce00455 Initial commit: Moonarch reproducible Arch Linux setup
Niri-based Wayland desktop with greetd/regreet, Catppuccin Mocha
theming, Rofi menus, Waybar and complete post-install automation.

The archinstall config clones the repo automatically via custom-commands,
after which a single command is enough for the complete setup.
2026-03-23 17:42:26 +01:00