From b52ba03be4102e1ad01d4d013a63cfc8965e1b8e Mon Sep 17 00:00:00 2001
From: alexz <me@alexzaw.dev>
Date: Fri, 16 Jan 2026 20:49:39 +0000
Subject: [PATCH] fix(rego-tunnel): Make app work out of the box from repo

- Add init-rego.sh and xstartup to repo's shared folder
- Update docker-compose.json with all volume mounts
- Update docker-compose.yml with cgroup: host
- Mount scripts directly from repo (not user-config)

Now works on fresh install without any user-config overrides.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 apps/rego-tunnel/docker-compose.json | 34 ++++++++---------
 apps/rego-tunnel/docker-compose.yml  |  6 ++-
 apps/rego-tunnel/shared/init-rego.sh | 56 ++++++++++++++++++++++++++++
 apps/rego-tunnel/shared/xstartup     | 32 ++++++++++++++++
 4 files changed, 107 insertions(+), 21 deletions(-)
 create mode 100644 apps/rego-tunnel/shared/init-rego.sh
 create mode 100644 apps/rego-tunnel/shared/xstartup

diff --git a/apps/rego-tunnel/docker-compose.json b/apps/rego-tunnel/docker-compose.json
index 5447f86..f9b565f 100755
--- a/apps/rego-tunnel/docker-compose.json
+++ b/apps/rego-tunnel/docker-compose.json
@@ -21,10 +21,6 @@
           "key": "VPN_HOST",
           "value": "${VPN_HOST}"
         },
-        {
-          "key": "VPN_AUTO_CONNECT",
-          "value": "${VPN_AUTO_CONNECT}"
-        },
         {
           "key": "VNC_PASSWORD",
           "value": "${VNC_PASSWORD}"
@@ -32,6 +28,10 @@
         {
           "key": "TZ",
           "value": "${TZ}"
+        },
+        {
+          "key": "TARGET_IP",
+          "value": "${TARGET_IP}"
         }
       ],
       "internalPort": 6080,
@@ -39,34 +39,30 @@
         {
           "hostPath": "${APP_DATA_DIR}/config",
           "containerPath": "/config",
-          "readOnly": false,
-          "shared": false,
-          "private": false
+          "readOnly": false
         },
         {
-          "hostPath": "/etc/runtipi/user-config/runtipi/rego-tunnel/shared",
+          "hostPath": "/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared",
           "containerPath": "/shared",
-          "readOnly": false,
-          "shared": false,
-          "private": false
+          "readOnly": false
         },
         {
           "hostPath": "/sys/fs/cgroup",
           "containerPath": "/sys/fs/cgroup",
-          "readOnly": false,
-          "shared": false,
-          "private": false
+          "readOnly": false
         },
         {
-          "hostPath": "/etc/runtipi/user-config/runtipi/rego-tunnel/shared/xstartup",
+          "hostPath": "/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/init-rego.sh",
+          "containerPath": "/opt/scripts/init-vpn.sh",
+          "readOnly": true
+        },
+        {
+          "hostPath": "/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/xstartup",
           "containerPath": "/root/.vnc/xstartup",
-          "readOnly": false,
-          "shared": false,
-          "private": false
+          "readOnly": true
         }
       ],
       "stopGracePeriod": "30s",
-      "sysctls": {},
       "devices": [
         "/dev/net/tun"
       ],
diff --git a/apps/rego-tunnel/docker-compose.yml b/apps/rego-tunnel/docker-compose.yml
index 96bcc7d..c0a7c7e 100755
--- a/apps/rego-tunnel/docker-compose.yml
+++ b/apps/rego-tunnel/docker-compose.yml
@@ -12,15 +12,17 @@ services:
       VPN_PASSWORD: ${VPN_PASSWORD}
       VPN_TOTP_SECRET: ${VPN_TOTP_SECRET}
       VPN_HOST: ${VPN_HOST}
-      VPN_AUTO_CONNECT: ${VPN_AUTO_CONNECT}
       VNC_PASSWORD: ${VNC_PASSWORD}
       TZ: ${TZ}
+      TARGET_IP: ${TARGET_IP}
     ports:
       - ${APP_PORT}:6080
     volumes:
       - ${APP_DATA_DIR}/config:/config
-      - /etc/runtipi/user-config/runtipi/rego-tunnel/shared:/shared
+      - /etc/runtipi/repos/runtipi/apps/rego-tunnel/shared:/shared
       - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/init-rego.sh:/opt/scripts/init-vpn.sh:ro
+      - /etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/xstartup:/root/.vnc/xstartup:ro
     labels:
       generated: true
       traefik.enable: true
diff --git a/apps/rego-tunnel/shared/init-rego.sh b/apps/rego-tunnel/shared/init-rego.sh
new file mode 100644
index 0000000..6662c28
--- /dev/null
+++ b/apps/rego-tunnel/shared/init-rego.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+# Rego Tunnel Init Script
+# Combines:
+# 1. DNS unmount fix (from cisco-vpn) - allows VPN to modify /etc/resolv.conf and /etc/hosts
+# 2. Basic network setup (IP forwarding)
+# 3. Starts systemd
+
+set -e
+
+echo "[init-rego] Starting Rego Tunnel initialization..."
+
+# ============================================
+# 1. Fix Docker's read-only bind mounts
+# ============================================
+echo "[init-rego] Fixing DNS bind mounts..."
+
+# Backup current DNS config
+cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
+cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
+
+# Unmount Docker's bind mounts (required for VPN to modify DNS)
+umount /etc/resolv.conf 2>/dev/null || true
+umount /etc/hosts 2>/dev/null || true
+
+# Restore DNS config as regular writable files
+cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
+cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
+
+echo "[init-rego] DNS files are now writable"
+
+# ============================================
+# 2. Network Setup
+# ============================================
+echo "[init-rego] Setting up network..."
+
+# Enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "[init-rego] IP forwarding enabled"
+
+# Note: NAT/forwarding rules for VPN traffic are set up by the cisco-vpn script
+# AFTER the VPN connects (it needs to know the VPN interface name)
+
+# ============================================
+# 3. Make shared scripts executable
+# ============================================
+if [ -d /shared ]; then
+    chmod +x /shared/*.sh 2>/dev/null || true
+    chmod +x /shared/cisco-vpn 2>/dev/null || true
+    echo "[init-rego] Shared scripts made executable"
+fi
+
+# ============================================
+# 4. Start systemd
+# ============================================
+echo "[init-rego] Starting systemd..."
+exec /sbin/init
diff --git a/apps/rego-tunnel/shared/xstartup b/apps/rego-tunnel/shared/xstartup
new file mode 100644
index 0000000..d72d626
--- /dev/null
+++ b/apps/rego-tunnel/shared/xstartup
@@ -0,0 +1,32 @@
+#!/bin/bash
+# VNC xstartup - launches terminal with cisco-vpn script
+# This runs inside the VNC session
+
+unset SESSION_MANAGER
+unset DBUS_SESSION_BUS_ADDRESS
+
+export XDG_RUNTIME_DIR=/tmp/runtime-root
+mkdir -p $XDG_RUNTIME_DIR
+chmod 700 $XDG_RUNTIME_DIR
+
+# GPU/WebKit workarounds for Cisco UI
+export GDK_BACKEND=x11
+export WEBKIT_DISABLE_DMABUF_RENDERER=1
+
+# Start dbus session
+[ -x /usr/bin/dbus-launch ] && eval $(dbus-launch --sh-syntax --exit-with-session)
+
+# Start window manager
+openbox &
+sleep 2
+
+# Make sure the script is executable
+chmod +x /shared/cisco-vpn 2>/dev/null || true
+
+# Start xterm with the cisco-vpn script
+# The script handles everything: vpnagentd, vpnui, auto-login, forwarding
+xterm -fa 'Monospace' -fs 11 -bg black -fg white -geometry 130x45+10+10 \
+    -title "Rego VPN Terminal" \
+    -e "bash -c '/shared/cisco-vpn; exec bash'" &
+
+wait