From 16b7a66c0168fbe0a950823d4230674917f518cb Mon Sep 17 00:00:00 2001 From: alexz Date: Wed, 4 Feb 2026 20:39:20 +0000 Subject: [PATCH] cistech-tunnel: move all scripts to dynamic mounts - Move entrypoint.sh from build/scripts/ to shared/ (no longer baked into image) - Add entrypoint directive to docker-compose.json pointing to /shared/entrypoint.sh - Update entrypoint.sh to reference /shared/startup-vnc.sh instead of /opt/scripts/ - Bump tipi_version to 7 All scripts are now dynamically controlled via volume mounts from the shared/ directory. The Docker image is a clean base with only packages installed. Co-Authored-By: Claude Opus 4.5 --- .../build/scripts/entrypoint.sh | 80 ------------------- apps/cistech-tunnel/config.json | 2 +- apps/cistech-tunnel/docker-compose.json | 1 + apps/cistech-tunnel/shared/entrypoint.sh | 4 +- 4 files changed, 3 insertions(+), 84 deletions(-) delete mode 100644 apps/cistech-tunnel/build/scripts/entrypoint.sh
diff --git a/apps/cistech-tunnel/build/scripts/entrypoint.sh b/apps/cistech-tunnel/build/scripts/entrypoint.sh
deleted file mode 100644
index 96bf7f4..0000000
--- a/apps/cistech-tunnel/build/scripts/entrypoint.sh
+++ /dev/null
@@ -1,80 +0,0 @@
-#!/bin/bash
-# Entrypoint: VNC password setup + DNS fix + start VNC
-
-set -euo pipefail
-
-# Force software rendering (no GPU/OpenGL)
-export QT_QUICK_BACKEND=software
-export LIBGL_ALWAYS_SOFTWARE=1
-export GALLIUM_DRIVER=llvmpipe
-export MESA_GL_VERSION_OVERRIDE=3.3
-
-# Qt/Chromium flags for running as root
-export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu --use-gl=swiftshader"
-export QTWEBENGINE_DISABLE_SANDBOX=1
-
-# Setup TigerVNC password file from env var (passed by runtipi)
-if [ -n "${VNC_PASSWORD:-}" ]; then
- mkdir -p /root/.vnc
- printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
- chmod 600 /root/.vnc/passwd
-fi
-
-# DNS fix - unmount Docker's read-only mounts
-cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
-cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
-umount /etc/resolv.conf 2>/dev/null || true
-umount /etc/hosts 2>/dev/null || true
-cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
-cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
-
-# Enable IP forwarding
-echo 1 > /proc/sys/net/ipv4/ip_forward
-echo "[entrypoint] IP forwarding enabled"
-
-# Generate openconnect-sso config from environment variables
-mkdir -p /root/.config/openconnect-sso
-cat > /root/.config/openconnect-sso/config.toml << EOF
-on_disconnect = ""
-
-[default_profile]
-address = "${VPN_HOST:-}"
-user_group = ""
-name = ""
-
-[credentials]
-username = "${VPN_EMAIL:-}"
-
-[auto_fill_rules]
-[[auto_fill_rules."https://*"]]
-selector = "div[id=passwordError]"
-action = "stop"
-
-[[auto_fill_rules."https://*"]]
-selector = "input[type=email]"
-fill = "username"
-
-[[auto_fill_rules."https://*"]]
-selector = "input[name=passwd]"
-fill = "password"
-
-[[auto_fill_rules."https://*"]]
-selector = "input[data-report-event=Signin_Submit]"
-action = "click"
-
-[[auto_fill_rules."https://*"]]
-selector = "div[data-value=PhoneAppOTP]"
-action = "click"
-
-[[auto_fill_rules."https://*"]]
-selector = "a[id=signInAnotherWay]"
-action = "click"
-
-[[auto_fill_rules."https://*"]]
-selector = "input[id=idTxtBx_SAOTCC_OTC]"
-fill = "totp"
-EOF
-echo "[entrypoint] openconnect-sso config generated"
-
-# Start VNC server
-exec /opt/scripts/startup-vnc.sh
diff --git a/apps/cistech-tunnel/config.json b/apps/cistech-tunnel/config.json
index 7bfeec8..341a0f8 100755
--- a/apps/cistech-tunnel/config.json
+++ b/apps/cistech-tunnel/config.json
@@ -6,7 +6,7 @@
 "dynamic_config": true,
 "id": "cistech-tunnel",
 "description": "openconnect-sso in Docker with noVNC web UI for accessing cistech environments. Native Docker - no VM overhead.",
- "tipi_version": 6,
+ "tipi_version": 7,
 "version": "5.1.14.145",
 "categories": [
 "utilities"
diff --git a/apps/cistech-tunnel/docker-compose.json b/apps/cistech-tunnel/docker-compose.json
index 60ae4e3..661edaf 100755
--- a/apps/cistech-tunnel/docker-compose.json
+++ b/apps/cistech-tunnel/docker-compose.json
@@ -4,6 +4,7 @@
 {
 "name": "cistech-tunnel",
 "image": "git.alexzaw.dev/alexz/openconnect-vpn:latest",
+ "entrypoint": "/shared/entrypoint.sh",
 "environment": [
 {
 "key": "VPN_EMAIL",
diff --git a/apps/cistech-tunnel/shared/entrypoint.sh b/apps/cistech-tunnel/shared/entrypoint.sh
index d119321..c560f94 100644
--- a/apps/cistech-tunnel/shared/entrypoint.sh
+++ b/apps/cistech-tunnel/shared/entrypoint.sh
@@ -10,7 +10,7 @@ export GALLIUM_DRIVER=llvmpipe
 export MESA_GL_VERSION_OVERRIDE=3.3

 # Qt/Chromium flags for running as root
-export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu"
+export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu --use-gl=swiftshader"
 export QTWEBENGINE_DISABLE_SANDBOX=1

 # Setup TigerVNC password file from env var (passed by runtipi)
@@ -77,6 +77,4 @@ EOF
 echo "[entrypoint] openconnect-sso config generated"

 # Start VNC server
-chmod +x /shared/*
-chmod +x /root/.vnc/xstartup
 exec /shared/startup-vnc.sh
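Review bot: The added `"entrypoint": "/shared/entrypoint.sh"` line makes the container run a file from the mounted shared/ directory directly, yet the index line for apps/cistech-tunnel/shared/entrypoint.sh in this same patch records mode 100644, so startup would presumably fail with a permission error unless something outside this patch sets the execute bit. The last hunk of shared/entrypoint.sh has the same dependency: it removes `chmod +x /shared/*` and still ends in `exec /shared/startup-vnc.sh`. I would commit the scripts as executable (`git update-index --chmod=+x apps/cistech-tunnel/shared/entrypoint.sh`, likewise for startup-vnc.sh) rather than bring back the blanket chmod. Because the first code run in the container now comes from a host directory instead of the image, the volume definition (not visible in this hunk) should mount /shared read-only, and the host directory should be writable only by the deploying user.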
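Review bot: The changed `QTWEBENGINE_CHROMIUM_FLAGS` line gains `--use-gl=swiftshader` with no explanation in the comment above it or in the commit message, and it still carries `--no-sandbox` for a browser that the comment says runs as root. A comment such as `# swiftshader: software GL to match GALLIUM_DRIVER=llvmpipe; sandbox is off only because the process is root` would record the intent. With the sandbox off, a renderer bug triggered by any page loaded during the SSO login runs as root inside the container, so a follow-up to start the browser under an unprivileged user and drop `--no-sandbox` and `QTWEBENGINE_DISABLE_SANDBOX=1` is worth tracking. The rest of the script lies outside this hunk.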