moonlock/README.md

# Moonlock

A secure Wayland lockscreen with GTK4, PAM authentication and fingerprint support.
Part of the Moonarch ecosystem.

## Features

- **ext-session-lock-v1** — Protocol-guaranteed screen locking (compositor keeps screen locked on crash, `exit(1)` in release if unsupported)
- **PAM authentication** — Uses system PAM stack (`/etc/pam.d/moonlock`) with 30s timeout and generation counter
- **Fingerprint unlock** — fprintd D-Bus integration with sender validation, async init (window appears instantly), `pam_acct_mgmt` check after verify, auto-resume on transient errors
- **Multi-monitor + hotplug** — Lockscreen on every monitor with shared blur and avatar caches; monitors added after suspend/resume get windows automatically via `connect_monitor` signal
- **GPU blur** — Background blur via GskBlurNode (downscale to max 1920px, configurable 0–200)
- **i18n** — German and English (auto-detected)
- **Faillock warning** — Progressive UI warning after failed attempts, PAM decides lockout
- **Panic safety** — Panic hook logs but never unlocks (installed before logging)
- **Password wiping** — `Zeroize` on drop from GTK entry through PAM FFI layer
- **Journal logging** — `journalctl -t moonlock`, debug level via `MOONLOCK_DEBUG` env var

## Requirements

- GTK 4
- gtk4-session-lock (ext-session-lock-v1 support)
- PAM (`/etc/pam.d/moonlock`)
- Optional: fprintd for fingerprint support

## Building

```bash
cargo build --release
```

## Installation

```bash
# Install binary
sudo install -Dm755 target/release/moonlock /usr/bin/moonlock

# Install PAM config
sudo install -Dm644 config/moonlock-pam /etc/pam.d/moonlock

# Optional: Install example config
sudo install -Dm644 config/moonlock.toml.example /etc/moonlock/moonlock.toml.example
```

## Configuration

Create `/etc/moonlock/moonlock.toml` or `~/.config/moonlock/moonlock.toml`:

```toml
background_path = "/usr/share/wallpapers/moon.jpg"
background_blur = 40.0    # 0.0–200.0, optional
fingerprint_enabled = true
```

## Usage

Typically launched via keybind in your Wayland compositor:

```
# Niri keybind example
binds {
    Mod+L { spawn "moonlock"; }
}
```

## Development

```bash
cargo test
cargo build --release
LD_PRELOAD=/usr/lib/libgtk4-layer-shell.so ./target/release/moonlock
```

## License

MIT