From 498926ae5dcff59caca9e4ffe20879249675707e Mon Sep 17 00:00:00 2001
From: alexz
Date: Sat, 17 Jan 2026 10:12:26 +0000
Subject: [PATCH] cistech-tunnel: Auto-fetch server cert, add VPN password field

- entrypoint.sh: Auto-fetch pin-sha256 from VPN URL if not provided
- config.json: Remove OC_SERVERCERT (auto-fetched), add OC_PASSWORD
- docker-compose.json: Add OC_PASSWORD env var

Co-Authored-By: Claude Opus 4.5
---
 apps/cistech-tunnel/config.json | 17 ++++++-------
 apps/cistech-tunnel/docker-compose.json | 2 +-
 apps/cistech-tunnel/source/entrypoint.sh | 32 +++++++++++++++++++++++-
 3 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/apps/cistech-tunnel/config.json b/apps/cistech-tunnel/config.json
index 70f7ad7..d95ff64 100755
--- a/apps/cistech-tunnel/config.json
+++ b/apps/cistech-tunnel/config.json
@@ -22,21 +22,20 @@
 "type": "text",
 "env_variable": "OC_URL",
 "required": true,
- "default": "https://vpn.example.com"
+ "default": "https://vpn.cistech.net/Employees"
 },
 {
- "label": "Server Certificate",
- "type": "text",
- "env_variable": "OC_SERVERCERT",
- "required": true,
- "default": "pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0="
- },
- {
- "label": "Username",
+ "label": "Username (email)",
 "type": "text",
 "env_variable": "OC_USER",
 "required": true
 },
+ {
+ "label": "VPN Password",
+ "type": "password",
+ "env_variable": "OC_PASSWORD",
+ "required": true
+ },
 {
 "label": "TOTP Secret",
 "type": "password",
diff --git a/apps/cistech-tunnel/docker-compose.json b/apps/cistech-tunnel/docker-compose.json
index ae10fac..78dd46b 100755
--- a/apps/cistech-tunnel/docker-compose.json
+++ b/apps/cistech-tunnel/docker-compose.json
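Review bot: Dropping the "Server Certificate" field entirely leaves operators no way to pin the VPN server explicitly, even though the entrypoint in this same commit still honours a preset OC_SERVERCERT and only auto-fetches when it is empty; the field should stay as an optional override rather than vanish. Replace the deleted block with the same entry marked `"required": false` and no `"default"`, and say in its label that an empty value means "derive the pin at start-up". The new OC_URL default also points at a specific production host (`https://vpn.cistech.net/Employees`); if this config template is meant to be reusable, that belongs in deployment-specific settings rather than the shipped default, though it may be intended for a single-tenant app.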
@@ -11,8 +11,8 @@
 "devices": ["/dev/net/tun"],
 "environment": [
 { "key": "OC_URL", "value": "${OC_URL}" },
- { "key": "OC_SERVERCERT", "value": "${OC_SERVERCERT}" },
 { "key": "OC_USER", "value": "${OC_USER}" },
+ { "key": "OC_PASSWORD", "value": "${OC_PASSWORD}" },
 { "key": "OC_TOTP_SECRET", "value": "${OC_TOTP_SECRET}" },
 { "key": "VNC_PASSWORD", "value": "${VNC_PASSWORD}" },
 { "key": "NOVNC_PORT", "value": "6902" }
diff --git a/apps/cistech-tunnel/source/entrypoint.sh b/apps/cistech-tunnel/source/entrypoint.sh
index 130c423..a00cfd1 100755
--- a/apps/cistech-tunnel/source/entrypoint.sh
+++ b/apps/cistech-tunnel/source/entrypoint.sh
@@ -2,13 +2,42 @@
 set -euo pipefail
 
 : "${OC_URL:?OC_URL required}"
-: "${OC_SERVERCERT:?OC_SERVERCERT required}"
+
+# Auto-fetch server certificate pin if not provided
+get_server_cert_pin() {
+ local url="$1"
+ local host=$(echo "$url" | sed -E 's|https?://([^/:]+).*|\1|')
+ local port=443
+
+ echo "Fetching certificate pin from $host:$port..." >&2
+
+ # Get certificate and compute pin-sha256
+ local pin=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | \
+ openssl x509 -pubkey -noout 2>/dev/null | \
+ openssl pkey -pubin -outform DER 2>/dev/null | \
+ openssl dgst -sha256 -binary | \
+ base64)
+
+ if [[ -n "$pin" ]]; then
+ echo "pin-sha256:$pin"
+ else
+ echo "ERROR: Failed to fetch certificate from $host" >&2
+ return 1
+ fi
+}
+
+# Get or fetch OC_SERVERCERT
+if [[ -z "${OC_SERVERCERT:-}" ]]; then
+ OC_SERVERCERT=$(get_server_cert_pin "$OC_URL")
+ echo "Auto-detected server cert: $OC_SERVERCERT"
+fi
 
 NOVNC_PORT="${NOVNC_PORT:-6901}"
 VNC_PASSWORD="${VNC_PASSWORD:-changeme}"
 DISPLAY_ADDR="${DISPLAY:-:1}"
 OC_INTERFACE="${OC_INTERFACE:-tun0}"
 OC_USER="${OC_USER:-}"
+OC_PASSWORD="${OC_PASSWORD:-}"
 OC_TOTP_SECRET="${OC_TOTP_SECRET:-}"
 
 # Default to hidden browser if OC_USER is set
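Review bot: Removing the OC_SERVERCERT passthrough from the environment list makes the override branch in entrypoint.sh unreachable via compose: the script only auto-fetches when OC_SERVERCERT is empty, but nothing can now set it inside the container. Keep the line so an explicit pin still wins, e.g. `{ "key": "OC_SERVERCERT", "value": "${OC_SERVERCERT:-}" }` if this template's interpolation accepts a default, otherwise the plain `${OC_SERVERCERT}` form that was deleted; which syntax the app framework supports is not visible here.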
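Review bot: get_server_cert_pin pins whatever key the first `openssl s_client` handshake returns, with verification failures hidden by `2>/dev/null` and no `-verify_return_error`, so an on-path attacker present at container start has their key pinned and every later openconnect session trusts them; this trades the explicit pin the commit removes for trust-on-first-use with no validation. The handshake should at least fail closed on chain validation (`-verify_return_error`, which presumes a CA bundle is installed in the image) so the derived pin is anchored to a CA-validated certificate, and the `local pin=$(...)` / `local host=$(...)` assignments should be split from their declarations so the pipeline status is not masked. The port is also hard-coded to 443 even though the sed pattern deliberately strips an explicit `:port` from the URL. The rewritten helper below keeps the same stdout and return contract used by the caller.
```shell
get_server_cert_pin() {
  local url="$1"
  local host port pin
  host=$(printf '%s\n' "$url" | sed -E 's|https?://([^/:]+).*|\1|')
  port=$(printf '%s\n' "$url" | sed -nE 's|https?://[^/:]+:([0-9]+).*|\1|p')
  port="${port:-443}"

  echo "Fetching certificate pin from $host:$port..." >&2

  # -verify_return_error aborts the handshake unless the chain validates
  # against the system CA store, so the pin is never derived from an
  # unverified (possibly on-path) certificate. Assumes ca-certificates in image.
  pin=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -verify_return_error </dev/null 2>/dev/null \
        | openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -binary \
        | base64) || pin=""

  # … unchanged: emit "pin-sha256:$pin", or the ERROR line and return 1 …
}
```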
@@ -45,6 +74,7 @@ export OC_URL="$OC_URL"
 export OC_SERVERCERT="$OC_SERVERCERT"
 export OC_INTERFACE="$OC_INTERFACE"
 export OC_USER="$OC_USER"
+export OC_PASSWORD="$OC_PASSWORD"
 export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT"
 export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}"
 export OC_AUTHGROUP="${OC_AUTHGROUP:-}"
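Review bot: Exporting OC_PASSWORD puts the VPN password into the environment of every process the entrypoint subsequently launches (the noVNC and browser stack configured by the surrounding variables, started outside this hunk), where any same-uid process in the container can read it from `/proc/<pid>/environ`, alongside the already-exported TOTP secret. If the consumer is an openconnect invocation, feed the password on stdin from the script (`--passwd-on-stdin`) and drop the export, or at least `unset OC_PASSWORD` once the VPN client has been started; what actually reads OC_PASSWORD is not visible here, so confirm against the consumer before changing it. The export run this line joins begins before the hunk.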