Update cistech-tunnel: proper image tag, clean Dockerfile, add TOTP field

- docker-compose.json: Use git.alexzaw.dev/alexz/cistech-vpn:latest
- config.json: Add OC_TOTP_SECRET field, keep server cert as default
- Dockerfile: Remove hardcoded credentials (come from env at runtime)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/cistech-tunnel/docker-compose.json

@@ -1,20 +1,22 @@
 {
+  "schemaVersion": 2,
   "services": [
     {
       "name": "cistech-tunnel",
-      "image": "cistech-vpn:latest",
+      "image": "git.alexzaw.dev/alexz/cistech-vpn:latest",
       "isMain": true,
       "internalPort": 6902,
       "privileged": true,
       "capAdd": ["NET_ADMIN"],
-      "devices": ["/dev/net/tun:/dev/net/tun"],
-      "environment": {
-        "OC_URL": "${OC_URL}",
-        "OC_SERVERCERT": "${OC_SERVERCERT}",
-        "OC_USER": "${OC_USER}",
-        "VNC_PASSWORD": "${VNC_PASSWORD}",
-        "NOVNC_PORT": "6902"
-      },
+      "devices": ["/dev/net/tun"],
+      "environment": [
+        { "key": "OC_URL", "value": "${OC_URL}" },
+        { "key": "OC_SERVERCERT", "value": "${OC_SERVERCERT}" },
+        { "key": "OC_USER", "value": "${OC_USER}" },
+        { "key": "OC_TOTP_SECRET", "value": "${OC_TOTP_SECRET}" },
+        { "key": "VNC_PASSWORD", "value": "${VNC_PASSWORD}" },
+        { "key": "NOVNC_PORT", "value": "6902" }
+      ],
       "volumes": [
         { "hostPath": "${APP_DATA_DIR}/data", "containerPath": "/root" },
         { "hostPath": "${APP_DATA_DIR}", "containerPath": "/runtime" }