cistech-tunnel: Auto-fetch server cert, add VPN password field

- entrypoint.sh: Auto-fetch pin-sha256 from VPN URL if not provided
- config.json: Remove OC_SERVERCERT (auto-fetched), add OC_PASSWORD
- docker-compose.json: Add OC_PASSWORD env var

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/cistech-tunnel/config.json

@@ -22,21 +22,20 @@
             "type": "text",
             "env_variable": "OC_URL",
             "required": true,
-            "default": "https://vpn.example.com"
+            "default": "https://vpn.cistech.net/Employees"
         },
         {
-            "label": "Server Certificate",
+            "label": "Username (email)",
-            "type": "text",
-            "env_variable": "OC_SERVERCERT",
-            "required": true,
-            "default": "pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0="
-        },
-        {
-            "label": "Username",
             "type": "text",
             "env_variable": "OC_USER",
             "required": true
         },
+        {
+            "label": "VPN Password",
+            "type": "password",
+            "env_variable": "OC_PASSWORD",
+            "required": true
+        },
         {
             "label": "TOTP Secret",
             "type": "password",

apps/cistech-tunnel/docker-compose.json

@@ -11,8 +11,8 @@
       "devices": ["/dev/net/tun"],
       "environment": [
         { "key": "OC_URL", "value": "${OC_URL}" },
-        { "key": "OC_SERVERCERT", "value": "${OC_SERVERCERT}" },
         { "key": "OC_USER", "value": "${OC_USER}" },
+        { "key": "OC_PASSWORD", "value": "${OC_PASSWORD}" },
         { "key": "OC_TOTP_SECRET", "value": "${OC_TOTP_SECRET}" },
         { "key": "VNC_PASSWORD", "value": "${VNC_PASSWORD}" },
         { "key": "NOVNC_PORT", "value": "6902" }

apps/cistech-tunnel/source/entrypoint.sh

@@ -2,13 +2,42 @@
 set -euo pipefail
 
 : "${OC_URL:?OC_URL required}"
-: "${OC_SERVERCERT:?OC_SERVERCERT required}"
+
+# Auto-fetch server certificate pin if not provided
+get_server_cert_pin() {
+  local url="$1"
+  local host=$(echo "$url" | sed -E 's|https?://([^/:]+).*|\1|')
+  local port=443
+
+  echo "Fetching certificate pin from $host:$port..." >&2
+
+  # Get certificate and compute pin-sha256
+  local pin=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | \
+    openssl x509 -pubkey -noout 2>/dev/null | \
+    openssl pkey -pubin -outform DER 2>/dev/null | \
+    openssl dgst -sha256 -binary | \
+    base64)
+
+  if [[ -n "$pin" ]]; then
+    echo "pin-sha256:$pin"
+  else
+    echo "ERROR: Failed to fetch certificate from $host" >&2
+    return 1
+  fi
+}
+
+# Get or fetch OC_SERVERCERT
+if [[ -z "${OC_SERVERCERT:-}" ]]; then
+  OC_SERVERCERT=$(get_server_cert_pin "$OC_URL")
+  echo "Auto-detected server cert: $OC_SERVERCERT"
+fi
 
 NOVNC_PORT="${NOVNC_PORT:-6901}"
 VNC_PASSWORD="${VNC_PASSWORD:-changeme}"
 DISPLAY_ADDR="${DISPLAY:-:1}"
 OC_INTERFACE="${OC_INTERFACE:-tun0}"
 OC_USER="${OC_USER:-}"
+OC_PASSWORD="${OC_PASSWORD:-}"
 OC_TOTP_SECRET="${OC_TOTP_SECRET:-}"
 
 # Default to hidden browser if OC_USER is set
@@ -45,6 +74,7 @@ export OC_URL="$OC_URL"
 export OC_SERVERCERT="$OC_SERVERCERT"
 export OC_INTERFACE="$OC_INTERFACE"
 export OC_USER="$OC_USER"
+export OC_PASSWORD="$OC_PASSWORD"
 export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT"
 export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}"
 export OC_AUTHGROUP="${OC_AUTHGROUP:-}"