refactor(rego-tunnel): Replace QEMU VM with native Docker Cisco VPN

- Switch from linux-vm QEMU image to cisco-vpn native Docker image
- Change port from 8006 to 6080 (noVNC)
- Remove VM-specific config (RAM, CPU, bridges, taps, QEMU)
- Add VPN credential fields (email, password, TOTP, VPN host)
- Add auto-connect and VNC password options
- Update description.md with new documentation
- Simplify Docker requirements (no /dev/kvm needed)

Benefits:
- No QEMU/VM overhead - runs natively in Docker
- Full Cisco Secure Client 5.1.14.145 with GUI
- Auto-login with TOTP support
- Auto-reconnect on disconnect

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/rego-tunnel/config.json

@@ -1,179 +1,79 @@
 {
   "name": "Rego Tunnel",
   "available": true,
-  "port": 8006,
+  "port": 6080,
   "exposable": true,
   "dynamic_config": true,
   "id": "rego-tunnel",
-  "description": "Linux VM with Cisco AnyConnect VPN for accessing Rego environments securely.",
-  "tipi_version": 3,
-  "version": "latest",
+  "description": "Cisco Secure Client VPN in Docker with noVNC web UI for accessing Rego environments. No VM overhead.",
+  "tipi_version": 4,
+  "version": "5.1.14.145",
   "categories": ["utilities"],
-  "short_desc": "Linux VM VPN tunnel to Rego environments.",
+  "short_desc": "Cisco VPN tunnel to Rego environments (native Docker, no VM)",
   "author": "alexz",
   "source": "https://git.alexzaw.dev/alexz/runtipi",
   "form_fields": [
     {
-      "type": "number",
-      "label": "RAM (GB)",
-      "hint": "RAM to assign to the VM (in gigabytes)",
-      "placeholder": "8",
-      "required": true,
-      "env_variable": "WINDOWS_RAM_GB",
-      "default": "8"
-    },
-    {
-      "type": "number",
-      "label": "CPU Cores",
-      "hint": "CPU cores to assign to the VM",
-      "placeholder": "4",
-      "required": true,
-      "env_variable": "WINDOWS_CPU_CORES",
-      "default": "4"
-    },
-    {
-      "type": "text",
-      "label": "VM IP (internal)",
-      "hint": "Internal VM IP on the tap/bridge network",
-      "placeholder": "100.100.0.2",
-      "required": true,
-      "env_variable": "VM_NET_IP",
-      "default": "100.100.0.2"
-    },
-    {
-      "type": "text",
-      "label": "VM MAC",
-      "hint": "Used for DHCP reservation (VM must use DHCP)",
-      "placeholder": "52:54:00:12:34:56",
-      "required": true,
-      "env_variable": "VM_MAC",
-      "default": "52:54:00:12:34:56"
-    },
-    {
-      "type": "text",
-      "label": "Bridge name",
-      "hint": "Linux bridge created inside the container for VM networking",
-      "placeholder": "br-rego-vpn",
-      "required": true,
-      "env_variable": "BRIDGE_NAME",
-      "default": "br-rego-vpn"
-    },
-    {
-      "type": "text",
-      "label": "TAP name",
-      "hint": "Tap interface name used by QEMU",
-      "placeholder": "tap0",
-      "required": true,
-      "env_variable": "TAP_NAME",
-      "default": "tap0"
-    },
-    {
-      "type": "ip",
-      "label": "Bridge CIDR",
-      "hint": "Bridge address/CIDR assigned inside the container",
-      "placeholder": "100.100.0.1",
-      "required": true,
-      "env_variable": "BRIDGE_CIDR",
-      "default": "100.100.0.1"
-    },
-    {
-      "type": "text",
-      "label": "QEMU binary",
-      "hint": "Override the QEMU system binary (e.g. /usr/bin/qemu-system-amd64). Leave empty for default.",
-      "placeholder": "/usr/bin/qemu-system-amd64",
+      "type": "email",
+      "label": "VPN Email",
+      "hint": "Email address for VPN SSO login",
+      "placeholder": "your-email@company.com",
       "required": false,
-      "env_variable": "QEMU_BIN",
-      "default": "/usr/bin/qemu-system-amd64"
+      "env_variable": "VPN_EMAIL",
+      "default": ""
     },
     {
-      "type": "text",
-      "label": "TAP2 name (shared network)",
-      "hint": "Optional second TAP interface for a second VM NIC. Set to enable NIC2 (e.g. tap1).",
-      "placeholder": "tap1",
+      "type": "password",
+      "label": "VPN Password",
+      "hint": "Password for VPN SSO login. Leave empty for manual login via noVNC.",
+      "placeholder": "",
       "required": false,
-      "env_variable": "TAP2_NAME",
-      "default": "tap1"
+      "env_variable": "VPN_PASSWORD",
+      "default": ""
     },
     {
       "type": "text",
-      "label": "Bridge2 name (shared network)",
-      "hint": "Optional second Linux bridge for NIC2 (e.g. br-app).",
-      "placeholder": "br-app",
+      "label": "TOTP Secret",
+      "hint": "Base32 encoded TOTP secret for 2FA (from authenticator app setup). Leave empty if not using TOTP.",
+      "placeholder": "",
       "required": false,
-      "env_variable": "BRIDGE2_NAME",
-      "default": "br-app"
+      "env_variable": "VPN_TOTP_SECRET",
+      "default": ""
     },
     {
       "type": "text",
-      "label": "Bridge2 uplink interface",
-      "hint": "If set, bridge NIC2 onto this container interface (e.g. eth0 for 10.x app network, eth1 for 172.x main network).",
-      "placeholder": "eth0",
+      "label": "VPN Host",
+      "hint": "VPN server hostname (for reference)",
+      "placeholder": "vpn.company.com",
       "required": false,
-      "env_variable": "BRIDGE2_UPLINK_IF",
-      "default": "eth0"
+      "env_variable": "VPN_HOST",
+      "default": ""
     },
     {
-      "type": "text",
-      "label": "Bridge2 CIDR (optional)",
-      "hint": "Optional IPv4/CIDR for Bridge2. If empty and uplink is set, the bridge inherits the uplink IPv4 address.",
-      "placeholder": "10.128.13.2/24",
+      "type": "boolean",
+      "label": "Auto-Connect on Start",
+      "hint": "Automatically connect to VPN when container starts (requires credentials above)",
       "required": false,
-      "env_variable": "BRIDGE2_CIDR",
-      "default": "10.128.13.2/24"
+      "env_variable": "VPN_AUTO_CONNECT",
+      "default": false
     },
     {
-      "type": "text",
-      "label": "VM MAC2 (shared network)",
-      "hint": "Optional MAC for NIC2 (e.g. 52:54:00:12:34:57).",
-      "placeholder": "52:54:00:12:34:57",
+      "type": "password",
+      "label": "VNC Password",
+      "hint": "Password for noVNC web interface",
+      "placeholder": "cisco123",
       "required": false,
-      "env_variable": "VM_MAC2",
-      "default": "52:54:00:12:34:57"
-    },
-    {
-      "type": "ip",
-      "label": "VM subnet",
-      "hint": "Subnet that should be NATed out of the container",
-      "placeholder": "100.100.0.0",
-      "required": true,
-      "env_variable": "VM_SUBNET",
-      "default": "100.100.0.0"
-    },
-    {
-      "type": "ip",
-      "label": "Target IP (routed via VM)",
-      "hint": "Traffic to this IP is routed via the VM (VPN inside the VM)",
-      "placeholder": "10.35.33.230",
-      "required": true,
-      "env_variable": "TARGET_IP",
-      "default": "10.35.33.230"
+      "env_variable": "VNC_PASSWORD",
+      "default": "cisco123"
     },
     {
       "type": "text",
-      "label": "DNS servers",
-      "hint": "DNS servers offered to the VM via DHCP",
-      "placeholder": "1.1.1.1,8.8.8.8",
-      "required": true,
-      "env_variable": "DNS_SERVERS",
-      "default": "1.1.1.1,8.8.8.8"
-    },
-    {
-      "type": "text",
-      "label": "DHCP lease time",
-      "hint": "Lease duration (dnsmasq format, e.g. 12h)",
-      "placeholder": "12h",
-      "required": true,
-      "env_variable": "LEASE_TIME",
-      "default": "12h"
-    },
-    {
-      "type": "text",
-      "label": "Host share directory",
-      "hint": "Host path mounted into the container at /hostshare and exported into the VM",
-      "placeholder": "${APP_DATA_DIR}",
-      "required": true,
-      "env_variable": "HOSTSHARE_DIR",
-      "default": "/etc/runtipi/user-config/runtipi/rego-tunnel/shared"
+      "label": "Basic Auth Users",
+      "hint": "Traefik basic auth users string (htpasswd format). Use generate-traefik-basicauth.sh to create.",
+      "placeholder": "user:$$apr1$$hash",
+      "required": false,
+      "env_variable": "BASICAUTH_USERS",
+      "default": ""
     }
   ],
   "supported_architectures": ["amd64"]