revert(cistech-tunnel): restore to original working state at a7691b1

- Removed shared/ folder (host routing scripts)
- Restored original config.json, docker-compose.json
- Restored original Dockerfile and entrypoint.sh

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/cistech-tunnel/source/Dockerfile

@@ -4,9 +4,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
     VIRTUAL_ENV=/opt/venv \
     PATH=/opt/venv/bin:$PATH \
     QTWEBENGINE_DISABLE_SANDBOX=1 \
-    QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu"
-# Credentials come from environment variables at runtime:
-# OC_URL, OC_SERVERCERT, OC_USER, OC_TOTP_SECRET, VNC_PASSWORD
+    QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu" \
+    OC_URL="https://vpn.cistech.net/Employees" \
+    OC_SERVERCERT="pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0=" \
+    OC_USER="alex.zaw@cistech.net" \
+    OC_TOTP_SECRET="t6ypnjqvyx2yvw2l" \
+    VNC_PASSWORD="Az@83278327\$\$@@"
 
 RUN apt-get update && apt-get install -y \
     openconnect iproute2 iptables ca-certificates \

apps/cistech-tunnel/source/entrypoint.sh

@@ -2,42 +2,13 @@
 set -euo pipefail
 
 : "${OC_URL:?OC_URL required}"
-
-# Auto-fetch server certificate pin if not provided
-get_server_cert_pin() {
-  local url="$1"
-  local host=$(echo "$url" | sed -E 's|https?://([^/:]+).*|\1|')
-  local port=443
-
-  echo "Fetching certificate pin from $host:$port..." >&2
-
-  # Get certificate and compute pin-sha256
-  local pin=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | \
-    openssl x509 -pubkey -noout 2>/dev/null | \
-    openssl pkey -pubin -outform DER 2>/dev/null | \
-    openssl dgst -sha256 -binary | \
-    base64)
-
-  if [[ -n "$pin" ]]; then
-    echo "pin-sha256:$pin"
-  else
-    echo "ERROR: Failed to fetch certificate from $host" >&2
-    return 1
-  fi
-}
-
-# Get or fetch OC_SERVERCERT
-if [[ -z "${OC_SERVERCERT:-}" ]]; then
-  OC_SERVERCERT=$(get_server_cert_pin "$OC_URL")
-  echo "Auto-detected server cert: $OC_SERVERCERT"
-fi
+: "${OC_SERVERCERT:?OC_SERVERCERT required}"
 
 NOVNC_PORT="${NOVNC_PORT:-6901}"
 VNC_PASSWORD="${VNC_PASSWORD:-changeme}"
 DISPLAY_ADDR="${DISPLAY:-:1}"
 OC_INTERFACE="${OC_INTERFACE:-tun0}"
 OC_USER="${OC_USER:-}"
-OC_PASSWORD="${OC_PASSWORD:-}"
 OC_TOTP_SECRET="${OC_TOTP_SECRET:-}"
 
 # Default to hidden browser if OC_USER is set
@@ -74,7 +45,6 @@ export OC_URL="$OC_URL"
 export OC_SERVERCERT="$OC_SERVERCERT"
 export OC_INTERFACE="$OC_INTERFACE"
 export OC_USER="$OC_USER"
-export OC_PASSWORD="$OC_PASSWORD"
 export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT"
 export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}"
 export OC_AUTHGROUP="${OC_AUTHGROUP:-}"
@@ -96,14 +66,8 @@ ENVFILE
 source /etc/vpn.env
 echo "[$(date)] Starting VPN connection..."
 
-# Set password for openconnect
-export OPENCONNECT_PASSWORD="$OC_PASSWORD"
-
 # openconnect-sso reads TOTP from keyring automatically
-# Pass password via stdin for SSO form if needed
-if [[ -n "$OC_USER" && -n "$OC_PASSWORD" ]]; then
-  echo "$OC_PASSWORD" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
-elif [[ -n "$OC_USER" ]]; then
+if [[ -n "$OC_USER" ]]; then
   echo "" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
 else
   openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
@@ -196,12 +160,6 @@ setup_nat() {
         iptables -t nat -C POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE 2>/dev/null || \
           iptables -t nat -A POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE
         echo "NAT enabled on $OC_INTERFACE"
-
-        # Trigger host routing service
-        if [ -d /runtime ]; then
-          touch /runtime/restart-routing
-          echo "Host routing trigger sent"
-        fi
         break
       fi
       sleep 2