diff options
| -rwxr-xr-x | etc/systemd/system-sleep/50-snx-rs | 45 | ||||
| -rwxr-xr-x | run_onchange_after_deploy-etc.sh.tmpl | 3 |
2 files changed, 48 insertions, 0 deletions
diff --git a/etc/systemd/system-sleep/50-snx-rs b/etc/systemd/system-sleep/50-snx-rs new file mode 100755 index 0000000..5241126 --- /dev/null +++ b/etc/systemd/system-sleep/50-snx-rs @@ -0,0 +1,45 @@ +#!/bin/sh +# Bounce the user-scope snx-rs (Check Point) tunnel around suspend/hibernate. +# +# Problem: during suspend the IKE SA keepalive is interrupted and the SAML +# session cookie may expire. snx-rs doesn't detect this — the daemon +# happily sits on dead sockets after resume, so `snxctl status` reports +# "Connected" while no traffic actually goes through. The user has to +# manually disconnect+reconnect (which re-triggers the SAML browser flow). +# +# Fix: stop the daemon before suspend, start it after resume. The tunnel +# is left disconnected on resume — user clicks the waybar toggle (or any +# `snxctl connect`) to re-establish, which goes through SAML if and only +# if the cached cookie has actually expired. Net result: +# - waybar correctly shows "disconnected" immediately on resume +# - one click reconnects (often without re-doing SAML) +# - no stale "Connected"-but-dead state +# +# Invoked by systemd-suspend(8) / -hibernate / -hybrid-sleep with +# $1 = pre|post $2 = suspend|hibernate|hybrid-sleep|suspend-then-hibernate +set -eu + +case "$1" in + pre) action=stop ;; + post) action=start ;; + *) exit 0 ;; +esac + +# Iterate over every logged-in user that has the snx-rs.service enabled. +# loginctl list-users gives us "UID USER" pairs. +loginctl list-users --no-legend 2>/dev/null | + awk '{print $1, $2}' | + while read -r uid user; do + [ -n "$uid" ] && [ -n "$user" ] || continue + runtime="/run/user/$uid" + [ -d "$runtime" ] || continue + # Skip users without snx-rs enabled to avoid spurious "Unit not found". + runuser -u "$user" -- env \ + "XDG_RUNTIME_DIR=$runtime" \ + "DBUS_SESSION_BUS_ADDRESS=unix:path=$runtime/bus" \ + systemctl --user is-enabled snx-rs.service >/dev/null 2>&1 || continue + runuser -u "$user" -- env \ + "XDG_RUNTIME_DIR=$runtime" \ + "DBUS_SESSION_BUS_ADDRESS=unix:path=$runtime/bus" \ + systemctl --user "$action" snx-rs.service || true + done diff --git a/run_onchange_after_deploy-etc.sh.tmpl b/run_onchange_after_deploy-etc.sh.tmpl index d08f989..743675a 100755 --- a/run_onchange_after_deploy-etc.sh.tmpl +++ b/run_onchange_after_deploy-etc.sh.tmpl @@ -18,6 +18,9 @@ find etc -type f ! -name .ignore | while IFS= read -r src; do etc/sudoers-rs) sudo install -D -m 0440 -o root -g root "$src" "/${src}" ;; + etc/systemd/system-sleep/*) + sudo install -D -m 0755 -o root -g root "$src" "/${src}" + ;; *) sudo install -D -m 0644 -o root -g root "$src" "/${src}" ;; |