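#!/bin/sh
# Bounce the system-scope snx-rs (Check Point) tunnel around suspend/hibernate.
#
# Problem: during suspend the IKE SA keepalive is interrupted and the SAML
# session cookie may expire. snx-rs doesn't detect this — the daemon
# happily sits on dead sockets after resume, so `snxctl status` reports
# "Connected" while no traffic actually goes through. The user has to
# manually disconnect+reconnect (which re-triggers the SAML browser flow).
#
# Fix: stop the daemon before suspend, start it after resume. The tunnel
# is left disconnected on resume — user clicks the waybar toggle (or any
# `snxctl connect`) to re-establish, which goes through SAML if and only
# if the cached cookie has actually expired. Net result:
#   - waybar correctly shows "disconnected" immediately on resume
#   - one click reconnects (often without re-doing SAML)
#   - no stale "Connected"-but-dead state
#
# Invoked by systemd-suspend(8) / -hibernate / -hybrid-sleep with
#   $1 = pre|post
#   $2 = suspend|hibernate|hybrid-sleep|suspend-then-hibernate
#
# Operational caveats:
#   - Between resume and the user's reconnect there is no tunnel. This hook
#     only stops/starts the service; it does not touch firewall rules or
#     routes itself, so whether traffic is held back or leaves via the
#     default route in that window depends on the host's own configuration.
#   - The hook drives a system service and therefore runs with system
#     privileges; the installed file should be writable by root only.
#
# Exit status: always 0 once argument parsing succeeds, so the hook itself
# does not report a failure to the sleep machinery.
set -eu

# ${1:-} rather than $1: a manual run without arguments then falls through to
# the no-op arm instead of aborting with "parameter not set" under `set -u`.
case "${1:-}" in
  pre)  action=stop ;;
  post) action=start ;;
  *)    exit 0 ;;
esac

# The command-mode daemon runs as a system service because it configures
# routes, DNS, and tunnel interfaces. Ignore missing/disabled states so this
# hook remains harmless on non-work profiles.
systemctl is-enabled snx-rs.service >/dev/null 2>&1 || exit 0

# Best effort: a failed stop/start must not turn into a hook failure, but it
# is worth a trace. A failed `stop` in particular means the stale
# "Connected"-but-dead state described above can still occur after resume.
if ! systemctl "$action" snx-rs.service; then
  # Diagnostics go to stderr; `|| :` keeps a closed stderr from tripping set -e.
  printf 'snx-rs sleep hook: systemctl %s snx-rs.service failed\n' "$action" >&2 || :
fi

exit 0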