nevaforget/moonarch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
moonarch/defaults/etc/systemd/system/moonarch-batsaver.service
nevaforget 8aaf7cae5b fix: audit MEDIUM fixes — merge fallback, service hardening, CI token 
- moonarch-waybar: on merge failure, remove the stale output so waybar
  falls back to the system config (previously it kept running with stale
  merged data despite the error notification claiming otherwise).
- moonarch-doctor: hoist INSTALLED assignment above both OFFICIAL and AUR
  blocks so the script survives set -u when only aur.txt is present.
- zshrc parse_git_branch: gate on git rev-parse and replace three grep
  subshells with bash pattern matching, cutting prompt latency from
  ~5 subprocesses per render to 2 (status + symbolic-ref).
- moonarch-batsaver.service: validate the threshold is an integer 1-100
  before writing to sysfs, add NoNewPrivileges and protection directives
  instead of relying on kernel validation alone.
- ci/act-runner/Dockerfile: drop the broad "pacman -Sy *" sudoers entry
  (only -S --needed is required by makepkg), and pin run.sh to
  act_runner:0.3.1 so it cannot drift ahead of the pinned binary.
- .gitea/workflows/update-pkgver.yaml: push via credential.helper=store
  with a chmod 600 temp file instead of `git -c http.extraHeader=...`,
  so the token no longer shows up in /proc/PID/cmdline.
2026-04-24 13:15:52 +02:00

28 lines
1.1 KiB
Desktop File
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# ABOUTME: Restores battery charge threshold from saved state on boot.
# ABOUTME: Only runs on laptops with threshold support and a saved state file.
[Unit]
Description=Restore battery conservation mode threshold
After=sysinit.target
ConditionPathExists=/sys/class/power_supply/BAT0/charge_control_end_threshold
ConditionPathExists=/var/lib/moonarch/batsaver-threshold
[Service]
Type=oneshot
# Validate the threshold (integer 1100) before writing. The state file is
# written by wheel-group users via moonarch-batsaver-toggle; the kernel rejects
# non-numeric values on sysfs, but validating here prevents noise on boot and
# makes the trust boundary explicit.
ExecStart=/bin/sh -c 'V=$(cat /var/lib/moonarch/batsaver-threshold); case "$V" in ""|*[!0-9]*) exit 0;; esac; [ "$V" -ge 1 ] && [ "$V" -le 100 ] && printf %s "$V" > /sys/class/power_supply/BAT0/charge_control_end_threshold'
NoNewPrivileges=true
ProtectHome=true
PrivateTmp=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
[Install]
WantedBy=multi-user.target
Reference in New Issue View Git Blame Copy Permalink