From f4a4edf47872498b29f2a2959ecce718634500f4 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Wed, 25 Feb 2026 23:24:23 -0800
Subject: [PATCH] fix networking online target + ntfy notifications

---
 common/network/pia-vpn/service-container.nix | 18 ++++++++++++++++++
 common/network/pia-vpn/vpn-container.nix     |  3 +++
 common/ntfy-alerts.nix                       |  7 +++++++
 3 files changed, 28 insertions(+)

diff --git a/common/network/pia-vpn/service-container.nix b/common/network/pia-vpn/service-container.nix
index 385477f..c8f7ef0 100644
--- a/common/network/pia-vpn/service-container.nix
+++ b/common/network/pia-vpn/service-container.nix
@@ -47,6 +47,24 @@ let
   # DNS through VPN container (queries go through WG tunnel = no DNS leak)
   networking.nameservers = [ cfg.vpnAddress ];
 
+  # Wait for actual VPN connectivity before network-online.target.
+  # Without this, services start before the VPN tunnel is ready and failures
+  # can't be reported to ntfy (no outbound connectivity yet).
+  systemd.services.wait-for-vpn = {
+    description = "Wait for VPN connectivity";
+    before = [ "network-online.target" ];
+    wantedBy = [ "network-online.target" ];
+    after = [ "systemd-networkd-wait-online.service" ];
+    serviceConfig.Type = "oneshot";
+    path = [ pkgs.iputils ];
+    script = ''
+      until ping -c1 -W2 1.1.1.1 >/dev/null 2>&1; do
+        echo "Waiting for VPN connectivity..."
+        sleep 1
+      done
+    '';
+  };
+
   # Trust the bridge interface (host reaches us directly for nginx)
   networking.firewall.trustedInterfaces = [ "eth0" ];
 
diff --git a/common/network/pia-vpn/vpn-container.nix b/common/network/pia-vpn/vpn-container.nix
index 091d32f..32ed038 100644
--- a/common/network/pia-vpn/vpn-container.nix
+++ b/common/network/pia-vpn/vpn-container.nix
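Review bot: The `until ping …` loop in the new `wait-for-vpn` unit has no upper bound, and a `Type = "oneshot"` service gets no start timeout by default, so if the tunnel never comes up network-online.target — and everything ordered after it, including any ntfy alert about the outage — is held indefinitely instead of failing loudly. Adding `serviceConfig.TimeoutStartSec = "5min";` lets the unit fail and boot continue; because the target only `wantedBy`s it, the failure does not block the target and becomes a reportable event itself. The probe also only proves that 1.1.1.1 answers, not that the reply travelled through the tunnel; that holds only if the service container's sole route is via the VPN container, as the nameserver line above suggests, so a comment stating that assumption and a `cfg` option for the probe address instead of the literal would help. The enclosing `let` body continues outside the hunk.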
@@ -91,6 +91,9 @@ in
   # Ignore WG interface for wait-online (it's configured manually, not by networkd)
   systemd.network.wait-online.ignoredInterfaces = [ cfg.interfaceName ];
 
+  # Route ntfy alerts through the host proxy (VPN container has no gateway on eth0)
+  ntfy-alerts.curlExtraArgs = "--proxy http://${cfg.hostAddress}:${toString cfg.proxyPort}";
+
   # Enable forwarding so bridge traffic can go through WG
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
 
diff --git a/common/ntfy-alerts.nix b/common/ntfy-alerts.nix
index aa92897..617ccc7 100644
--- a/common/ntfy-alerts.nix
+++ b/common/ntfy-alerts.nix
@@ -16,6 +16,12 @@ in
       default = "service-failures";
       description = "ntfy topic to publish alerts to.";
     };
+
+    curlExtraArgs = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+      description = "Extra arguments to pass to curl (e.g. --proxy http://host:port).";
+    };
   };
 
   config = lib.mkIf config.thisMachine.hasRole."ntfy" {
@@ -33,6 +39,7 @@ in
         ${lib.getExe pkgs.curl} \
           --fail --silent --show-error \
           --max-time 30 --retry 3 \
+          ${cfg.curlExtraArgs} \
           -H "Authorization: Bearer $NTFY_TOKEN" \
           -H "Title: Service failure on ${config.networking.hostName}" \
           -H "Priority: high" \
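Review bot: Routing the alert through a forward proxy on the host gives the VPN container an outbound path that bypasses the WireGuard tunnel, which is exactly what the missing eth0 gateway was preventing; whether that is a leak depends on what the host proxy at `${cfg.hostAddress}:${toString cfg.proxyPort}` permits, and this hunk does not show its configuration. If the proxy is not already restricted to forwarding for the ntfy server only, it should be, and the comment should record that constraint, e.g. `# Route ntfy alerts through the host proxy (VPN container has no gateway on eth0). The proxy must only allow the ntfy host, or it becomes a tunnel bypass.` The bearer token sent by the curl call stays end-to-end encrypted through the proxy only if the ntfy URL is https (curl then uses CONNECT); with a plain-http URL the proxy sees the token, which is worth confirming against the configured ntfy endpoint.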
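Review bot: `curlExtraArgs` is a free-form `lib.types.str` that the second hunk of this file (`@@ -33,6 +39,7`) splices unquoted into the alert shell script, so the value is subject to word splitting and globbing, and any curl option at all — including ones that weaken the request, such as turning off certificate verification — can reach the alert path from module configuration without being visible at the call site. A `lib.types.listOf lib.types.str` with `default = [ ];` and `${lib.escapeShellArgs cfg.curlExtraArgs} \` in the script keeps each argument intact and makes the shell interpolation explicit; the vpn-container.nix assignment would then become a one-element list. At minimum the description should say what happens to the string, e.g. `description = "Extra arguments appended verbatim and unquoted to the curl invocation, e.g. --proxy http://host:port.";`. The enclosing `options` attribute set starts outside the hunk.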