feat: systemd-notify improve notification on disconnect and errors

Dockerfile

@@ -5,12 +5,11 @@ FROM base
 
 # hadolint ignore=DL3008,DL3009
 RUN --mount=type=tmpfs,target=/var/lib/apt/lists \
- --mount=type=cache,sharing=private,target=/var/cache/apt \
+ --mount=type=tmpfs,target=/var/cache/apt \
  apt-get update && \
  DEBIAN_FRONTEND=noninteractive apt-get install \
  --yes \
  --no-install-recommends \
- --option 'Binary::apt::APT::Keep-Downloaded-Packages=true' \
  ca-certificates \
  netcat-openbsd \
  curl \
@@ -33,4 +32,6 @@ COPY --chown=root:root --chmod=0755 protonwire /usr/bin/protonwire
 
 RUN ln -s /usr/bin/protonwire /usr/bin/protonvpn
 
-CMD [ "/usr/bin/protonwire", "connect", "--container" ]
+ENTRYPOINT [ "/usr/bin/protonwire" ]
+
+CMD [ "connect", "--container" ]

Makefile

@@ -55,47 +55,6 @@ release: ## Build release
 release-prod: ## Build release and publish
  goreleaser release --clean
 
-.PHONY: install
-install: ## Install protonwire
- @if [[ ! -e /etc/polkit-1/localauthority/10-vendor.d ]]; then install -g root -o root -m 755 -d /etc/polkit-1/localauthority/10-vendor.d; fi
- install -g root -o root -m 644 systemd/polkit/protonwire.pkla /etc/polkit-1/localauthority/10-vendor.d/protonwire.pkla
-
- @if [[ ! -e /etc/sysctl.d ]]; then install -g root -o root -m 755 -d /etc/sysctl.d; fi
- install -g root -o root -m 644 systemd/sysctl.d/protonwire.conf /etc/sysctl.d/protonwire.conf
-
- @if [[ ! -e /etc/systemd/system ]]; then install -g root -o root -m 755 -d /etc/systemd/system; fi
- install -g root -o root -m 644 systemd/system/protonwire.service /etc/systemd/system/protonwire.service
-
- @if [[ ! -e /etc/sysusers.d ]]; then install -g root -o root -m 755 -d /etc/sysusers.d; fi
- install -g root -o root -m 644 systemd/sysusers.d/protonwire.conf /etc/sysusers.d/protonwire.conf
-
- @if [[ ! -e /etc/tmpfiles.d ]]; then install -g root -o root -m 755 -d /etc/tmpfiles.d; fi
- install -g root -o root -m 644 systemd/tmpfiles.d/protonwire.conf /etc/tmpfiles.d/protonwire.conf
-
- @if [[ ! -e /usr/local/bin ]]; then install -g root -o root -m 755 -d /usr/local/bin; fi
- install -g root -o root -m 755 protonwire /usr/local/bin/protonwire
-
- @if [[ ! -e /usr/local/man/man1 ]]; then install -g root -o root -m 755 -d /usr/local/man/man1; fi
- help2man --no-info --manual="ProtonWire - ProtonVPN Wireguard Client" ./protonwire | install -g root -o root -m 644 /dev/stdin /usr/local/man/man1/protonwire.1
-
- systemd-sysusers protonwire.conf
- /usr/lib/systemd/systemd-sysctl protonwire.conf
- systemd-tmpfiles --create protonwire.conf
- systemctl daemon-reload
-
-.PHONY: uninstall
-uninstall: ## Uninstall protonwire
- protonwire disable-killswitch || true
- systemctl disable --now protonwire || true
- rm -f /etc/polkit-1/localauthority/10-vendor.d/protonwire.pkla
- rm -f /etc/sysctl.d/protonwire.conf
- rm -f /etc/systemd/system/protonwire.service
- rm -f /etc/sysusers.d/protonwire.conf
- rm -f /etc/tmpfiles.d/protonwire.conf
- rm -f /usr/local/man/man1/protonwire.1
- rm -f /usr/local/bin/protonwire
- systemctl daemon-reload
-
 .PHONY: clean
 clean: ## clean
  rm -rf $(REPO_ROOT)/dist/
@@ -104,4 +63,4 @@ clean: ## clean
 .PHONY: update-readme
 update-readme: ## Update README
  sed -i '/<!--diana::dynamic:protonwire-help:begin-->/,/<!--diana::dynamic:protonwire-help:end-->/!b;//!d;/<!--diana::dynamic:protonwire-help:end-->/e echo "<pre>" && ./protonwire --help && echo "</pre>"' README.md
- sed -i '/<!--diana::dynamic:protonwire-sample-compose-file:begin-->/,/<!--diana::dynamic:protonwire-sample-compose-file:end-->/!b;//!d;/<!--diana::dynamic:protonwire-sample-compose-file:end-->/e echo "\\\`\\\`\\\`yaml" && cat docs/examples/docker-compose-demo.yml && echo "\\\`\\\`\\\`"' README.md
+ sed -i '/<!--diana::dynamic:protonwire-sample-compose-file:begin-->/,/<!--diana::dynamic:protonwire-sample-compose-file:end-->/!b;//!d;/<!--diana::dynamic:protonwire-sample-compose-file:end-->/e echo "\\\`\\\`\\\`yaml" && cat docs/examples/docker/docker-compose.yml && echo "\\\`\\\`\\\`"' README.md

README.md

@@ -260,19 +260,20 @@ This section covers running containers via podman. But for deployments use
 - Create a podman secret for private key
 
  ```console
- sudo podman secret create protonwire-private-key <PRIVATE_KEY|PATH_TO_PRIVATE_KEY>
+ podman secret create protonwire-private-key <PRIVATE_KEY|PATH_TO_PRIVATE_KEY>
  ```
 
 - Run _protonwire_ container.
 
  ```console
- sudo podman run \
+ podman run \
  -it \
+ --rm \
  --init \
  --replace \
  --tz=local \
  --tmpfs=/tmp \
- --name=protonwire-demo \
+ --name=protonwire \
  --secret="protonwire-private-key,mode=600" \
  --env=PROTONVPN_SERVER="nl-free-127.protonvpn.net" \
  --env=DEBUG=0 \
@@ -293,12 +294,12 @@ we are using caddy to proxy website which shows IP info. Replace these with your
 container(s) like [pyload](https://github.com/pyload/pyload#docker-images), [firefox](https://docs.linuxserver.io/images/docker-firefox) etc.
 
  ```console
- sudo podman run \
+ podman run \
  -it \
  --rm \
  --tz=local \
  --name=protonwire-demo-app \
- --network=container:protonwire-demo \
+ --network=container:protonwire \
  docker.io/library/caddy:latest \
  caddy reverse-proxy --change-host-header --from :8000 --to https://ip.me:443
  ```
@@ -355,7 +356,6 @@ For example, we can run caddy to proxy `https://ip.me/` via VPN. Visiting http:/
  -it \
  --rm \
  --net=container:protonwire \
- --name=protonwire-demo \
  caddy:latest \
  caddy reverse-proxy \
  --change-host-header \

docs/examples/podman/README.md

@@ -0,0 +1 @@
+# Podman Systemd Examples

docs/examples/protonwire-example-app.container → docs/examples/podman/protonwire-example-app.container

@@ -2,14 +2,19 @@
 Description=Example application using protonwire VPN container
 Documentation=https://github.com/tprasadtp/protonvpn-docker
 
+# Ensure protonwire container is started and healthy.
+Requires=protonwire.service
 After=protonwire.service
+
+# If protonwire container is stopped, this will be stopped as well.
 BindsTo=protonwire.service
+PartOf=protonwire.service
 
 [Container]
-Pod=protonwire.pod
 Image=docker.io/library/caddy:latest
 Timezone=local
 RunInit=true
+Network=container:protonwire
 Exec=caddy reverse-proxy --change-host-header --from :8000 --to https://ip.me:443
 
 [Install]

docs/examples/podman/protonwire.container

@@ -0,0 +1,63 @@
+[Unit]
+Description=ProtonVPN Container
+Documentation=https://github.com/tprasadtp/protonvpn-docker
+
+[Container]
+# Enable protonwire itself to handle systemd readiness protocol.
+# For podman 5.0 or later it might be tempting to use Notify=healthy
+# but container also posts status information like connected server and
+# exit IP which might be important.
+Notify=true
+
+# Container Name.
+#
+# Alternatively, pod can be used. But pod files are only supported on
+# podman 5.0 or later and require using PodmanArgs as Sysctl is not
+# recognized by the generator.
+ContainerName=protonwire
+
+# Runtime configuration
+Image=ghcr.io/tprasadtp/protonwire:7
+Timezone=local
+RunInit=true
+
+# Server Configuration.
+Environment=PROTONVPN_SERVER=node-nl-03.protonvpn.net
+Environment=KILL_SWITCH=1
+Environment=DEBUG=1
+
+# Private Key
+#
+# This MUST be created before enabling the service.
+Secret=protonwire-private-key,mode=600
+
+# Image specific extra permissions.
+AddCapability=NET_ADMIN
+Sysctl=net.ipv4.conf.all.rp_filter=2
+Sysctl=net.ipv6.conf.all.disable_ipv6=1
+
+# Mounts
+Tmpfs=/tmp
+
+# Healthcheck
+HealthCmd=protonwire check --container --quiet
+HealthInterval=2m
+HealthRetries=3
+HealthStartPeriod=30s
+HealthTimeout=20s
+
+# Ports
+#
+# This example only publishes a single port. port 8000 both on host and container.
+# Add as many ports as your applications require.
+#
+# Try to setup a reverse proxy which understands podman/docker and only expose ports
+# 443 and 80 (should redirect to 443). This ensures that you can reach hosted applications
+# using reverse proxy without re-configuring protonwire container every time a new service
+# is added. This is only a recommendation and not a requirement.
+# Do note that binding to ports < 1024 may require additional work if running in rootless mode.
+# See https://github.com/containers/podman/blob/master/rootless.md
+PublishPort=8000
+
+[Install]
+WantedBy=default.target