diff --git a/apps/rego-tunnel/build/Dockerfile b/apps/rego-tunnel/build/Dockerfile
new file mode 100644
index 0000000..5b6574e
--- /dev/null
+++ b/apps/rego-tunnel/build/Dockerfile
@@ -0,0 +1,25 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y \
+ qemu-system-x86 \
+ qemu-utils \
+ novnc \
+ websockify \
+ openssh-server \
+ supervisor \
+ && rm -rf /var/lib/apt/lists/*
+
+# Setup SSH
+RUN mkdir /var/run/sshd && \
+ echo 'root:vmpassword' | chpasswd && \
+ sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+
+WORKDIR /vm
+
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+COPY start-vm.sh /usr/local/bin/start-vm.sh
+RUN chmod +x /usr/local/bin/start-vm.sh
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
diff --git a/apps/rego-tunnel/build/docker-compose.yml b/apps/rego-tunnel/build/docker-compose.yml
new file mode 100644
index 0000000..b856e49
--- /dev/null
+++ b/apps/rego-tunnel/build/docker-compose.yml
@@ -0,0 +1,16 @@
+services:
+ linux-vm:
+ build: .
+ container_name: linux-vm
+ privileged: true
+ devices:
+ - /dev/kvm:/dev/kvm
+ ports:
+ - "16800:6080" # noVNC web access
+ - "15900:5900" # VM raw VNC
+ volumes:
+ - /home/alexz/linux-vm.qcow2:/vm/linux-vm.qcow2
+ environment:
+ - VM_RAM=8G
+ - VM_CPUS=4
+ restart: unless-stopped
diff --git a/apps/rego-tunnel/build/start-vm.sh b/apps/rego-tunnel/build/start-vm.sh
new file mode 100755
index 0000000..24d2922
--- /dev/null
+++ b/apps/rego-tunnel/build/start-vm.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+exec qemu-system-x86_64 \
+ -enable-kvm \
+ -cpu host \
+ -m ${VM_RAM:-8G} \
+ -smp ${VM_CPUS:-4} \
+ -hda /vm/linux-vm.qcow2 \
+ -netdev user,id=net0,hostfwd=tcp::2222-:22 \
+ -device virtio-net-pci,netdev=net0 \
+ -vnc :0 \
+ -vga virtio \
+ -usb \
+ -device usb-tablet
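Review bot: The `# Setup SSH` step bakes a fixed root password into an image layer (`echo 'root:vmpassword' | chpasswd`) and rewrites sshd_config to `PermitRootLogin yes`, so every container built from this image accepts the same root credential, and that credential is readable from the image history. Because the compose file in this commit runs the container with `privileged: true`, a root login here carries far more than container-local impact for anything that can reach the container's port 22. I would drop the `chpasswd` and `sed` lines, keep the default `PermitRootLogin prohibit-password`, and mount an `authorized_keys` file at runtime, or remove `openssh-server` and the `[program:sshd]` entry altogether if the container-side sshd is not needed (the guest's own SSH is already forwarded on 2222 by start-vm.sh). Separately, `ENV DEBIAN_FRONTEND=noninteractive` persists into the runtime environment; `ARG DEBIAN_FRONTEND=noninteractive` keeps it build-only, and `--no-install-recommends` on the `apt-get install` would trim the installed package set.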
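Review bot: `privileged: true` grants the container every capability and access to all host devices, while the `devices:` entry directly below it already passes `/dev/kvm`, which is the only device QEMU appears to need in this commit. Removing `privileged: true` and keeping the `/dev/kvm:/dev/kvm` mapping would limit what a compromise of sshd, noVNC or QEMU inside the container can reach. The two `ports:` entries also publish on all host interfaces; if access is meant to be local or through a reverse proxy, bind them to loopback, e.g. `- "127.0.0.1:16800:6080"`. The volume source `/home/alexz/linux-vm.qcow2` is a user-specific absolute path and would be better taken from a variable.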
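Review bot: `-vnc :0` starts QEMU's VNC server with no authentication and listening on every container interface, and the compose file publishes both 5900 and the noVNC proxy on 6080, so whoever can reach those host ports gets the VM console. If the raw VNC port is not needed from outside, `-vnc 127.0.0.1:0` is sufficient for novnc_proxy (it connects to `localhost:5900`), and QEMU's `password=on` VNC option can protect the remaining path, with the password itself set through the monitor at start-up. The `${VM_RAM:-8G}` and `${VM_CPUS:-4}` expansions are unquoted; `-m "${VM_RAM:-8G}"` and `-smp "${VM_CPUS:-4}"` keep an environment value containing spaces from being split into extra QEMU arguments.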
diff --git a/apps/rego-tunnel/build/supervisord.conf b/apps/rego-tunnel/build/supervisord.conf
new file mode 100644
index 0000000..a76b77a
--- /dev/null
+++ b/apps/rego-tunnel/build/supervisord.conf
@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord.log
+
+[program:sshd]
+command=/usr/sbin/sshd -D
+autostart=true
+autorestart=true
+
+[program:qemu]
+command=/usr/local/bin/start-vm.sh
+autostart=true
+autorestart=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:novnc]
+command=/usr/share/novnc/utils/novnc_proxy --vnc localhost:5900 --listen 6080
+autostart=true
+autorestart=true
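Review bot: Only `[program:qemu]` forwards its output to the container's stdout/stderr; `[program:sshd]` and `[program:novnc]` set no `stdout_logfile`/`stderr_logfile`, and `sshd -D` logs to syslog, which this image does not appear to run, so SSH login attempts and noVNC connections would likely leave no record in `docker logs`. I would use `command=/usr/sbin/sshd -D -e` so sshd writes to stderr, and repeat the four `stdout_logfile=/dev/stdout` through `stderr_logfile_maxbytes=0` lines in both sections. All three programs also run as root because no `user=` is set; novnc_proxy looks like a candidate for an unprivileged `user=`, to be confirmed against what the proxy needs to read and write.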