r/protonvpn: Move remote_addrs file to /var

If `/` is mounted read-only, as is usually the case, the Proton VPN
watchdog cannot update the `remote_addrs` configuration file.  It needs
to be stored in a directory that is guaranteed to be writable.

roles/protonvpn/files/protonvpn-watchdog.py

@@ -102,7 +102,7 @@ class AsyncDaemon(BaseAsyncDaemon):
     )
     CONFIG = os.environ.get(
         'PROTONVPN_CONFIG',
-        '/etc/strongswan/swanctl/conf.d/protonvpn.remote_addrs',
+        '/var/lib/protonvpn/remote_addrs',
     )
 
     def __init__(self) -> None:
@@ -215,6 +215,8 @@ class AsyncDaemon(BaseAsyncDaemon):
         if not self.serverlist:
             log.error('Cannot reconfigure: no known servers!')
             return
+        if not os.path.isdir(os.path.dirname(self.CONFIG)):
+            os.makedirs(os.path.dirname(self.CONFIG))
         fd = os.open(self.CONFIG, os.O_CREAT | os.O_RDWR, 0o644)
         with open(fd, 'r+', encoding='utf-8') as f:
             line = f.readline()

roles/protonvpn/tasks/main.yml

@@ -16,9 +16,19 @@
   tags:
   - strongswan-config
   - protonvpn-config
+- name: ensure protonvpn state directory exists
+  file:
+    path: /var/lib/protonvpn
+    mode: u=rwx,go=rx
+    owner: root
+    group: root
+    state: directory
+  tags:
+  - strongswan-config
+  - protonvpn-config
 - name: ensure protonvpn remote address is configured
   copy:
-    dest: /etc/strongswan/swanctl/conf.d/protonvpn.remote_addrs
+    dest: /var/lib/protonvpn/remote_addrs
     mode: '0640'
     content: >
       remote_addrs = {{ protonvpn_server }}

roles/protonvpn/templates/protonvpn.conf.j2

@@ -1,7 +1,7 @@
 connections {
     protonvpn {
         local_addrs = %any
-        include protonvpn.remote_addrs
+        include /var/lib/protonvpn/remote_addrs
         vips = 0.0.0.0,::
         keyingtries = 0
         dpd_delay = 10s