feat: systemd-notify improve notification msg on disconnect and errors

Author: tprasadtp

README.md

@@ -26,7 +26,7 @@
 
 > [!WARNING]
 >
-> [gVisor](https://gvisor.dev) and cgroup v1 runtime is **NOT** supported!
+> [gVisor](https://gvisor.dev) and cgroup v1 are **NOT** supported!
 
 Images are published at [ghcr.io/tprasadtp/protonwire][ghcr].
 
@@ -65,7 +65,7 @@ Images are published at [ghcr.io/tprasadtp/protonwire][ghcr].
     AllowedIPs = 0.0.0.0/0
     Endpoint = 91.229.23.180:51820
     ```
-- Only thing needed from the above config is `PrivateKey`.
+- You will `PrivateKey` and optionally `Endpoint`(without port part) from the above config.
 - See https://protonvpn.com/support/wireguard-configurations/ for more info.
 
 ## Environment Variables & Config
@@ -78,6 +78,12 @@ in following locations.
   - `/run/secrets/protonwire-private-key`
   - `/run/secrets/protonwire/private-key`
   - `${CREDENTIALS_DIRECTORY}/private-key` (Only if `$CREDENTIALS_DIRECTORY` is set)
+  - `${CREDENTIALS_DIRECTORY}/protonwire-private-key` (Only if `$CREDENTIALS_DIRECTORY` is set)
+
+> [!IMPORTANT]
+>
+> Private key file **MUST NOT** be world-readable.
+
 
 | Name | Default/Required | Description
 |---|---|---
@@ -86,7 +92,7 @@ in following locations.
 | `IPCHECK_URL` | https://protonwire-api.vercel.app/v1/client/ip  | (String) URL to check client IP.
 | `IPCHECK_INTERVAL` | `60` | (Integer) Interval between internal health-checks in seconds. Set this to `0` to disable IP checks.
 | `SKIP_DNS_CONFIG` | false | (Boolean) Set this to `1` or `true` to skip configuring DNS.
-| `KILL_SWITCH`     | false | (Boolean) Enable KillSwitch (Experimental and can cause issues)
+| `KILL_SWITCH`     | false | (Boolean) Enable KillSwitch (Experimental)
 
 ## PROTONVPN_SERVER
 
@@ -260,19 +266,20 @@ This section covers running containers via podman. But for deployments use
 - Create a podman secret for private key
 
     ```console
-    sudo podman secret create protonwire-private-key <PRIVATE_KEY|PATH_TO_PRIVATE_KEY>
+    podman secret create protonwire-private-key <PRIVATE_KEY|PATH_TO_PRIVATE_KEY>
     ```
 
 - Run _protonwire_ container.
 
     ```console
-    sudo podman run \
+    podman run \
         -it \
+        --rm \
         --init \
         --replace \
         --tz=local \
         --tmpfs=/tmp \
-        --name=protonwire-demo \
+        --name=protonwire \
         --secret="protonwire-private-key,mode=600" \
         --env=PROTONVPN_SERVER="nl-free-127.protonvpn.net" \
         --env=DEBUG=0 \
@@ -293,12 +300,12 @@ we are using caddy to proxy website which shows IP info. Replace these with your
 container(s) like [pyload](https://github.com/pyload/pyload#docker-images), [firefox](https://docs.linuxserver.io/images/docker-firefox) etc.
 
     ```console
-    sudo podman run \
+    podman run \
         -it \
         --rm \
         --tz=local \
         --name=protonwire-demo-app \
-        --network=container:protonwire-demo \
+        --network=container:protonwire \
         docker.io/library/caddy:latest \
         caddy reverse-proxy --change-host-header --from :8000 --to https://ip.me:443
     ```
@@ -355,7 +362,6 @@ For example, we can run caddy to proxy `https://ip.me/` via VPN. Visiting http:/
         -it \
         --rm \
         --net=container:protonwire \
-        --name=protonwire-demo \
         caddy:latest \
         caddy reverse-proxy \
             --change-host-header \

Vagrantfile

@@ -156,7 +156,7 @@ Vagrant.configure("2") do |config|
 
     $libvirt_provision = <<-SCRIPT
     echo "---------------------------------"
-    echo "Installing qemu daemon"
+    echo "Installing qemu-guest-agent"
     echo "---------------------------------"
     apt-get update
     apt-get install -y qemu-guest-agent

protonwire

@@ -640,13 +640,13 @@ function protonvpn_looper_cmd() {
             log_warning "Not verifying connection, as healthchecks are disabled"
         fi
     else
-        log_error "Failed to connect to ${PROTONVPN_SERVER}"
+        log_error "Failed to connect to ${PROTONVPN_SERVER:-NA}"
         if [[ -z $(ip link show protonwire0 type wireguard 2>/dev/null) ]]; then
             log_debug "Wireguard interface for protonwire is not present."
             return 1
         fi
         if __has_notify_socket; then
-            __systemd_notify "STATUS=Failed to connect to - ${PROTONVPN_SERVER}"
+            __systemd_notify "STATUS=Failed to connect to - ${PROTONVPN_SERVER:-NA}"
         fi
         __protonvpn_disconnect
         return 1
@@ -696,17 +696,29 @@ function protonvpn_looper_cmd() {
             fi
 
             if [[ $__PROTONWIRE_HC_ERRORS -ge ${max_verify_attemps} ]]; then
-                log_error "Connection verification ($((__PROTONWIRE_HC_ERRORS))/${IPCHECK_THRESHOLD:-5}) failed"
+                log_error "Connection verification (${__PROTONWIRE_HC_ERRORS}/${max_verify_attemps}) failed"
+                if __has_notify_socket; then
+                    __systemd_notify "Connection verification failed (${__PROTONWIRE_HC_ERRORS}/${max_verify_attemps}) "
+                else
+                    log_debug "No systemd notify socket found, skiping reconnect notification"
+                fi
                 break
             fi
 
             sleep "${sleep_int:-120}" &
             wait $!
 
             if ! __protonvpn_verify_connection; then
-                log_error "Failed to verify connection ($((__PROTONWIRE_HC_ERRORS + 1))/${IPCHECK_THRESHOLD:-5})"
+                local xt=$((__PROTONWIRE_HC_ERRORS + 1))
+                log_error "Failed to verify connection (${xt}/${max_verify_attemps})"
                 ((++__PROTONWIRE_HC_ERRORS))
                 log_warning "Attempting to re-connect to ${PROTONVPN_SERVER}"
+                if __has_notify_socket; then
+                    __systemd_notify "Attempting to re-connect to ${PROTONVPN_SERVER} (${xt}/${max_verify_attemps})"
+                else
+                    log_debug "No systemd notify socket found, skiping reconnect notification"
+                fi
+
                 if __protonvpn_connect; then
                     sleep 2 & # avoid transient errors
                     wait $!
@@ -1732,32 +1744,30 @@ function __protonvpn_connect() {
     else
         log_debug "WIREGUARD_PRIVATE_KEY is not set"
         declare -a lookup_paths=(
-            "/etc/protonwire/private-key"
             "/etc/protonwire/protonwire-private-key"
             "/etc/protonwire/protonvpn-private-key"
             "/etc/protonwire/wireguard-private-key"
+            "/etc/protonwire/private-key"
 
-            "/run/secrets/private-key"
             "/run/secrets/protonwire-private-key"
             "/run/secrets/protonvpn-private-key"
             "/run/secrets/wireguard-private-key"
+            "/run/secrets/private-key"
 
-            "/run/secrets/protonwire/private-key"
             "/run/secrets/protonwire/protonwire-private-key"
             "/run/secrets/protonwire/protonvpn-private-key"
-            "/run/secrets/protonwire/protonvpn-private-key"
-
-            "/run/credentials/private-key"
-            "/run/credentials/protonwire-private-key"
-            "/run/credentials/protonvpn-private-key"
-            "/run/credentials/protonvpn-private-key"
-
-            "/run/credentials/protonwire/private-key"
-            "/run/credentials/protonwire/protonwire-private-key"
-            "/run/credentials/protonwire/protonvpn-private-key"
-            "/run/credentials/protonwire/protonvpn-private-key"
+            "/run/secrets/protonwire/wireguard-private-key"
+            "/run/secrets/protonwire/private-key"
         )
 
+        # If CREDENTIALS_DIRECTORY is defined, use it (for systemd-creds)
+        if [[ -n $CREDENTIALS_DIRECTORY ]]; then
+            lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonwire-private-key")
+            lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/protonvpn-private-key")
+            lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/wireguard-private-key")
+            lookup_paths+=("${CREDENTIALS_DIRECTORY%/}/private-key")
+        fi
+
         for lookup_path in "${lookup_paths[@]}"; do
             if [[ -f ${lookup_path} ]]; then
                 if __is_usable_keyfile "${lookup_path}"; then
@@ -2140,6 +2150,7 @@ function __protonvpn_disconnect() {
 
     if __has_notify_socket; then
         log_debug "Notify to systemd that vpn is disconnecting"
+        __systemd_notify "Disconnecting from ${PROTONVPN_SERVER:-NA}"
         __systemd_notify "STOPPING=1"
     else
         log_debug "No systemd notify socket found, skiping stopping notification"
@@ -2197,8 +2208,17 @@ function __protonvpn_disconnect() {
     fi
 
     if [[ $errs -eq 0 ]]; then
+        if __has_notify_socket; then
+            log_debug "Notify to systemd that vpn has disconnected"
+            __systemd_notify "Disconnected"
+        fi
         return 0
     fi
+
+    if __has_notify_socket; then
+        log_debug "Notify to systemd that vpn disconnection errored"
+        __systemd_notify "Failed to disconnect"
+    fi
     return 1
 }