moonlock/README.md
nevaforget 3e610bdb4b
fix: audit LOW fixes — docs, rustdoc, scope, debug gate, lto fat (v0.6.12)
- Update CLAUDE.md and README.md to reflect the blur range [0,200] that
  the code has clamped to since v0.6.8.
- Move the // SYNC: comment above the /// doc on MAX_BLUR_DIMENSION so
  rustdoc renders one coherent paragraph instead of a truncated sentence.
- Narrow check_account visibility to pub(crate) and document the caller
  precondition (username must come from users::get_current_user()).
- Gate MOONLOCK_DEBUG behind #[cfg(debug_assertions)]. Release builds
  always run at LevelFilter::Info so a session script cannot escalate
  journal verbosity to leak fprintd / D-Bus internals.
- Document why pam_setcred is deliberately not called in authenticate().
- Release profile: lto = "fat" instead of "thin" — doubles release build
  time for better cross-crate inlining on the auth + i18n hot paths.
2026-04-24 14:05:17 +02:00


Moonlock

A secure Wayland lockscreen with GTK4, PAM authentication and fingerprint support. Part of the Moonarch ecosystem.

Features

  • ext-session-lock-v1 — Protocol-guaranteed screen locking (compositor keeps screen locked on crash, exit(1) in release if unsupported)
  • PAM authentication — Uses system PAM stack (/etc/pam.d/moonlock) with 30s timeout and generation counter
  • Fingerprint unlock — fprintd D-Bus integration with sender validation, async init (window appears instantly), pam_acct_mgmt check after verify, auto-resume on transient errors
  • Multi-monitor + hotplug — Lockscreen on every monitor with shared blur and avatar caches; monitors added after suspend/resume get windows automatically via connect_monitor signal
  • GPU blur — Background blur via GskBlurNode (downscale to max 1920px, configurable 0–200)
  • i18n — German and English (auto-detected)
  • Faillock warning — Progressive UI warning after failed attempts, PAM decides lockout
  • Panic safety — Panic hook logs but never unlocks (installed before logging)
  • Password wiping — Zeroize on drop from GTK entry through PAM FFI layer
  • Journal logging — journalctl -t moonlock, debug level via MOONLOCK_DEBUG env var (debug builds only; release builds always log at Info)
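
The "30s timeout and generation counter" in the PAM bullet describes a fail-closed pattern: a result that arrives after its attempt was abandoned must never unlock. The sketch below is an added example, not moonlock's own code; `AuthGate`, `attempt` and the closure standing in for the blocking PAM call are hypothetical names, and in a GTK application the wait would be driven by the event loop rather than a blocking receive.

```rust
use std::sync::mpsc::{channel, Receiver, Sender};
use std::thread;
use std::time::{Duration, Instant};

/// Hypothetical UI-side gate: only a result tagged with the current
/// generation, received before the deadline, may unlock.
pub struct AuthGate {
    current: u64,
    timeout: Duration,
    tx: Sender<(u64, bool)>,
    rx: Receiver<(u64, bool)>,
}

impl AuthGate {
    pub fn new(timeout: Duration) -> Self {
        let (tx, rx) = channel();
        AuthGate { current: 0, timeout, tx, rx }
    }

    /// Runs one attempt. `check` stands in for the blocking PAM call and
    /// runs on a worker thread so it can be abandoned at the deadline.
    pub fn attempt<F>(&mut self, check: F) -> bool
    where
        F: FnOnce() -> bool + Send + 'static,
    {
        self.current += 1; // every older in-flight worker is now stale
        let (generation, tx) = (self.current, self.tx.clone());
        thread::spawn(move || {
            let _ = tx.send((generation, check()));
        });
        let deadline = Instant::now() + self.timeout;
        loop {
            let left = deadline.saturating_duration_since(Instant::now());
            match self.rx.recv_timeout(left) {
                Ok((g, ok)) if g == generation => return ok,
                Ok(_) => continue, // late result of an abandoned attempt
                Err(_) => return false, // deadline passed: fail closed
            }
        }
    }
}

fn main() {
    let mut gate = AuthGate::new(Duration::from_millis(500)); // page: 30s
    // Constructed scenario: a "success" that arrives after its deadline.
    let slow = gate.attempt(|| { thread::sleep(Duration::from_millis(700)); true });
    let next = gate.attempt(|| { thread::sleep(Duration::from_millis(300)); false });
    println!("slow attempt unlocks: {}, next attempt unlocks: {}", slow, next);
}
```

Without the generation comparison, the stale `true` from the first worker would be read as the answer to the second attempt.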

Requirements

  • GTK 4
  • gtk4-session-lock (ext-session-lock-v1 support)
  • PAM (/etc/pam.d/moonlock)
  • Optional: fprintd for fingerprint support

Building

cargo build --release

Installation

# Install binary
sudo install -Dm755 target/release/moonlock /usr/bin/moonlock

# Install PAM config
sudo install -Dm644 config/moonlock-pam /etc/pam.d/moonlock

# Optional: Install example config
sudo install -Dm644 config/moonlock.toml.example /etc/moonlock/moonlock.toml.example

Configuration

Create /etc/moonlock/moonlock.toml or ~/.config/moonlock/moonlock.toml:

background_path = "/usr/share/wallpapers/moon.jpg"
background_blur = 40.0    # 0.0–200.0, optional
fingerprint_enabled = true

Usage

Typically launched via keybind in your Wayland compositor:

# Niri keybind example
binds {
    Mod+L { spawn "moonlock"; }
}

Development

cargo test
cargo build --release
LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock

License

MIT