feat(suspend): bounce snx-rs around system sleep

snx-rs (Check Point VPN) doesn't notice that its tunnel died during
suspend: the IKE keepalive is interrupted and the SAML cookie may
expire, but the daemon happily sits on dead sockets after resume.
`snxctl status` keeps reporting "Connected" while no traffic
actually flows, so the user has to manually disconnect+reconnect.

Install an /etc/systemd/system-sleep/ hook that stops the user-scope
snx-rs.service before suspend and starts it on resume. The tunnel is
left disconnected after resume; the waybar toggle (or any
`snxctl connect`) re-establishes it, going through SAML only if the
cached cookie has actually expired.

The hook enumerates logged-in users via loginctl and skips any that
don't have snx-rs.service enabled, so it's a no-op on machines that
don't use the VPN.

Also teach run_onchange_after_deploy-etc.sh.tmpl to install files
under etc/systemd/system-sleep/ with mode 0755 (systemd ignores
sleep hooks that aren't executable).

1 files changed, 3 insertions, 0 deletions

diff --git a/run_onchange_after_deploy-etc.sh.tmpl b/run_onchange_after_deploy-etc.sh.tmpl
index d08f989..743675a 100755
--- a/run_onchange_after_deploy-etc.sh.tmpl
+++ b/run_onchange_after_deploy-etc.sh.tmpl
@@ -18,6 +18,9 @@ find etc -type f ! -name .ignore | while IFS= read -r src; do
     etc/sudoers-rs)
       sudo install -D -m 0440 -o root -g root "$src" "/${src}"
       ;;
+    etc/systemd/system-sleep/*)
+      sudo install -D -m 0755 -o root -g root "$src" "/${src}"
+      ;;
     *)
       sudo install -D -m 0644 -o root -g root "$src" "/${src}"
       ;;