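#!/bin/sh
# Bounce the user-scope snx-rs (Check Point) tunnel around suspend/hibernate.
#
# Problem: during suspend the IKE SA keepalive is interrupted and the SAML
# session cookie may expire. snx-rs doesn't detect this — the daemon
# happily sits on dead sockets after resume, so `snxctl status` reports
# "Connected" while no traffic actually goes through. The user has to
# manually disconnect+reconnect (which re-triggers the SAML browser flow).
#
# Fix: stop the daemon before suspend, start it after resume. The tunnel
# is left disconnected on resume — user clicks the waybar toggle (or any
# `snxctl connect`) to re-establish, which goes through SAML if and only
# if the cached cookie has actually expired. Net result:
#   - waybar correctly shows "disconnected" immediately on resume
#   - one click reconnects (often without re-doing SAML)
#   - no stale "Connected"-but-dead state
#
# Invoked by systemd-suspend(8) / -hibernate / -hybrid-sleep with
#   $1 = pre|post
#   $2 = suspend|hibernate|hybrid-sleep|suspend-then-hibernate
#
# Privilege note: runuser(1) is used to drop to each session owner before
# talking to that user's systemd instance, so this hook is expected to run
# as root. Every value that reaches runuser or a path is therefore
# validated or quoted below.

set -eu

readonly UNIT=snx-rs.service

#######################################
# Run `systemctl --user ...` as another user against that user's manager.
# Arguments: $1 - login name to run as
#            $2 - that user's runtime directory (/run/user/UID)
#            $@ - remaining words are passed to `systemctl --user`
# Returns:   exit status of systemctl (or of runuser if it cannot start)
#######################################
user_systemctl() {
    us_user=$1
    us_runtime=$2
    shift 2
    # stdin is detached so nothing started here can consume the remaining
    # loginctl lines that the enclosing `while read` loop is iterating over.
    runuser -u "$us_user" -- env \
        "XDG_RUNTIME_DIR=$us_runtime" \
        "DBUS_SESSION_BUS_ADDRESS=unix:path=$us_runtime/bus" \
        systemctl --user "$@" </dev/null
}

# ${1:-} rather than $1: under `set -u` a missing argument would otherwise
# abort with an "unset variable" error instead of taking the no-op branch.
case "${1:-}" in
    pre)  action=stop ;;
    post) action=start ;;
    *)    exit 0 ;;
esac

# Iterate over every logged-in user that has the snx-rs.service enabled.
# loginctl list-users gives us "UID USER" pairs (extra columns are dropped
# by awk).
loginctl list-users --no-legend 2>/dev/null |
    awk '{print $1, $2}' |
    while read -r uid user; do
        # $uid is interpolated into a path; accept only an all-digit value
        # so a malformed line cannot steer $runtime somewhere unexpected.
        case "$uid" in
            '' | *[!0-9]*) continue ;;
        esac
        [ -n "$user" ] || continue

        runtime="/run/user/$uid"
        [ -d "$runtime" ] || continue

        # Skip users without snx-rs enabled to avoid spurious "Unit not found".
        user_systemctl "$user" "$runtime" is-enabled "$UNIT" >/dev/null 2>&1 ||
            continue

        # Best effort: one user's failure must not block suspend/resume or
        # the remaining users, but it is reported rather than swallowed.
        user_systemctl "$user" "$runtime" "$action" "$UNIT" ||
            printf '%s: systemctl --user %s %s failed for user %s\n' \
                "${0##*/}" "$action" "$UNIT" "$user" >&2
    done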