fix: Switch proxy socket to directory-level bind mount for stability

Fixes LXC bind mount issue where socket-level mounts break when the
socket is recreated by systemd. Following Codex's recommendation to
bind mount the directory instead of the file.

Changes:
- Socket path: /run/pulse-temp-proxy/pulse-temp-proxy.sock
- Systemd: RuntimeDirectory=pulse-temp-proxy (auto-creates /run/pulse-temp-proxy)
- Systemd: RuntimeDirectoryMode=0770 for group access
- LXC mount: Bind entire /run/pulse-temp-proxy directory
- Install script: Upgrades old socket-level mounts to directory-level
- Install script: Detects and handles bind mount changes

This survives socket recreations and container restarts. The directory
mount persists even when systemd unlinks/recreates the socket file.

Related to #528

cmd/pulse-temp-proxy/main.go

@@ -22,7 +22,7 @@ var (
 )
 
 const (
-	defaultSocketPath = "/var/run/pulse-temp-proxy.sock"
+	defaultSocketPath = "/run/pulse-temp-proxy/pulse-temp-proxy.sock"
 	defaultSSHKeyPath = "/var/lib/pulse-temp-proxy/ssh"
 )
 

internal/tempproxy/client.go

@@ -11,7 +11,7 @@ import (
 )
 
 const (
-	defaultSocketPath = "/var/run/pulse-temp-proxy.sock"
+	defaultSocketPath = "/run/pulse-temp-proxy/pulse-temp-proxy.sock"
 	defaultTimeout    = 10 * time.Second
 )
 

scripts/install-temp-proxy.sh

@@ -71,7 +71,8 @@ print_info "Installing pulse-temp-proxy for container $CTID"
 
 BINARY_PATH="/usr/local/bin/pulse-temp-proxy"
 SERVICE_PATH="/etc/systemd/system/pulse-temp-proxy.service"
-SOCKET_PATH="/var/run/pulse-temp-proxy.sock"
+RUNTIME_DIR="/run/pulse-temp-proxy"
+SOCKET_PATH="/run/pulse-temp-proxy/pulse-temp-proxy.sock"
 SSH_DIR="/var/lib/pulse-temp-proxy/ssh"
 
 # Install binary - either from local file or download from GitHub
@@ -152,12 +153,16 @@ ExecStart=/usr/local/bin/pulse-temp-proxy
 Restart=on-failure
 RestartSec=5s
 
+# Runtime directory for socket
+RuntimeDirectory=pulse-temp-proxy
+RuntimeDirectoryMode=0770
+
 # Security hardening
 NoNewPrivileges=true
 PrivateTmp=true
 ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/var/lib/pulse-temp-proxy /var/run
+ReadWritePaths=/var/lib/pulse-temp-proxy
 
 # Logging
 StandardOutput=journal
@@ -191,28 +196,38 @@ fi
 
 print_info "Socket ready at $SOCKET_PATH"
 
-# Configure LXC bind mount
+# Configure LXC bind mount - mount entire directory for socket stability
 LXC_CONFIG="/etc/pve/lxc/${CTID}.conf"
-BIND_ENTRY="lxc.mount.entry: /var/run/pulse-temp-proxy.sock var/run/pulse-temp-proxy.sock none bind,create=file 0 0"
+BIND_ENTRY="lxc.mount.entry: /run/pulse-temp-proxy run/pulse-temp-proxy none bind,create=dir 0 0"
 
 # Check if bind mount already exists
-if grep -q "pulse-temp-proxy.sock" "$LXC_CONFIG"; then
+if grep -q "pulse-temp-proxy" "$LXC_CONFIG"; then
     print_info "Bind mount already configured in LXC config"
+    # Remove old socket-level bind if it exists
+    if grep -q "pulse-temp-proxy.sock" "$LXC_CONFIG"; then
+        print_info "Upgrading from socket-level to directory-level bind mount..."
+        sed -i '/pulse-temp-proxy\.sock/d' "$LXC_CONFIG"
+        echo "$BIND_ENTRY" >> "$LXC_CONFIG"
+        NEEDS_RESTART=true
+    fi
 else
     print_info "Adding bind mount to LXC config..."
     echo "$BIND_ENTRY" >> "$LXC_CONFIG"
+    NEEDS_RESTART=true
+fi
 
-    # Restart container to apply bind mount
+# Restart container to apply bind mount if needed
+if [[ "${NEEDS_RESTART:-false}" == "true" ]]; then
     print_info "Restarting container to apply bind mount..."
     pct stop "$CTID" || true
     sleep 2
     pct start "$CTID"
-    sleep 3
+    sleep 5
 fi
 
 # Verify socket is accessible in container
 print_info "Verifying socket accessibility..."
-if pct exec "$CTID" -- test -S /var/run/pulse-temp-proxy.sock; then
+if pct exec "$CTID" -- test -S /run/pulse-temp-proxy/pulse-temp-proxy.sock; then
     print_info "Socket is accessible in container"
 else
     print_warn "Socket is not yet accessible in container"