cistech-tunnel: Auto-fetch server cert, add VPN password field

- entrypoint.sh: Auto-fetch pin-sha256 from VPN URL if not provided
- config.json: Remove OC_SERVERCERT (auto-fetched), add OC_PASSWORD
- docker-compose.json: Add OC_PASSWORD env var

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/cistech-tunnel/source/entrypoint.sh

@@ -2,13 +2,42 @@
 set -euo pipefail
 
 : "${OC_URL:?OC_URL required}"
-: "${OC_SERVERCERT:?OC_SERVERCERT required}"
+
+# Auto-fetch server certificate pin if not provided
+get_server_cert_pin() {
+  local url="$1"
+  local host=$(echo "$url" | sed -E 's|https?://([^/:]+).*|\1|')
+  local port=443
+
+  echo "Fetching certificate pin from $host:$port..." >&2
+
+  # Get certificate and compute pin-sha256
+  local pin=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | \
+    openssl x509 -pubkey -noout 2>/dev/null | \
+    openssl pkey -pubin -outform DER 2>/dev/null | \
+    openssl dgst -sha256 -binary | \
+    base64)
+
+  if [[ -n "$pin" ]]; then
+    echo "pin-sha256:$pin"
+  else
+    echo "ERROR: Failed to fetch certificate from $host" >&2
+    return 1
+  fi
+}
+
+# Get or fetch OC_SERVERCERT
+if [[ -z "${OC_SERVERCERT:-}" ]]; then
+  OC_SERVERCERT=$(get_server_cert_pin "$OC_URL")
+  echo "Auto-detected server cert: $OC_SERVERCERT"
+fi
 
 NOVNC_PORT="${NOVNC_PORT:-6901}"
 VNC_PASSWORD="${VNC_PASSWORD:-changeme}"
 DISPLAY_ADDR="${DISPLAY:-:1}"
 OC_INTERFACE="${OC_INTERFACE:-tun0}"
 OC_USER="${OC_USER:-}"
+OC_PASSWORD="${OC_PASSWORD:-}"
 OC_TOTP_SECRET="${OC_TOTP_SECRET:-}"
 
 # Default to hidden browser if OC_USER is set
@@ -45,6 +74,7 @@ export OC_URL="$OC_URL"
 export OC_SERVERCERT="$OC_SERVERCERT"
 export OC_INTERFACE="$OC_INTERFACE"
 export OC_USER="$OC_USER"
+export OC_PASSWORD="$OC_PASSWORD"
 export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT"
 export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}"
 export OC_AUTHGROUP="${OC_AUTHGROUP:-}"