.

2026-01-17 10:53:29 +00:00
parent 48d0407c79
commit e462edd99b
11 changed files with 268 additions and 599 deletions
--- a/apps/cistech-tunnel/build/.gitignore
+++ b/apps/cistech-tunnel/build/.gitignore
@@ -0,0 +1,2 @@
+# Large binary files - track tar.gz but not 7z
+*.7z
--- a/apps/cistech-tunnel/build/Dockerfile
+++ b/apps/cistech-tunnel/build/Dockerfile
@@ -16,22 +16,23 @@ ENV NOVNC_PORT=6080
 ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright
 ENV VIRTUAL_ENV=/opt/venv
 ENV PATH=/opt/venv/bin:$PATH
-ENV QTWEBENGINE_DISABLE_SANDBOX=1
-ENV QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu"

-# Install system dependencies
+# Install systemd and dependencies
 RUN apt-get update && apt-get install -y \
-    openconnect \
-    iproute2 \
+    systemd \
+    systemd-sysv \
+    dbus \
+    dbus-x11 \
+    libgtk-3-0 \
+    libglib2.0-0 \
+    libstdc++6 \
    iptables \
-    ca-certificates \
-    python3 \
-    python3-pip \
-    python3-venv \
-    vpnc-scripts \
-    curl \
-    wget \
-    openssh-client \
+    libxml2 \
+    network-manager \
+    zlib1g \
+    policykit-1 \
+    xdg-utils \
+    libwebkit2gtk-4.0-37 \
    tigervnc-standalone-server \
    tigervnc-common \
    novnc \
@@ -40,66 +41,65 @@ RUN apt-get update && apt-get install -y \
    xterm \
    procps \
    net-tools \
+    curl \
+    iproute2 \
+    iputils-ping \
    nano \
    x11vnc \
    xvfb \
    fluxbox \
+    xdotool \
    oathtool \
-    xauth \
+    openconnect \
+    python3 \
+    python3-pip \
+    python3-venv \
+    vpnc-scripts \
+    libasound2 \
    libnss3 \
    libatk1.0-0 \
    libatk-bridge2.0-0 \
-    libx11-6 \
-    libx11-xcb1 \
    libxcomposite1 \
    libxrandr2 \
    libgbm1 \
    libxdamage1 \
    libpango-1.0-0 \
    fonts-liberation \
-    libegl1 \
-    libgl1 \
-    libopengl0 \
-    libdbus-1-3 \
-    libglib2.0-0 \
-    libxkbcommon0 \
-    libxkbcommon-x11-0 \
-    libxcb1 \
-    libxcb-cursor0 \
-    libxcb-icccm4 \
-    libxcb-image0 \
-    libxcb-keysyms1 \
-    libxcb-render0 \
-    libxcb-render-util0 \
-    libxcb-shm0 \
-    libxcb-xfixes0 \
-    libxcb-xinerama0 \
-    libxcb-randr0 \
-    libxcb-glx0 \
-    sudo \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

-# Install libasound (different package name on different Ubuntu versions)
-RUN apt-get update && (apt-get install -y libasound2t64 || apt-get install -y libasound2) && rm -rf /var/lib/apt/lists/*
+# Remove unnecessary systemd services that cause issues in containers
+RUN rm -f /lib/systemd/system/multi-user.target.wants/* \
+    /etc/systemd/system/*.wants/* \
+    /lib/systemd/system/local-fs.target.wants/* \
+    /lib/systemd/system/sockets.target.wants/*udev* \
+    /lib/systemd/system/sockets.target.wants/*initctl* \
+    /lib/systemd/system/sysinit.target.wants/systemd-tmpfiles-setup* \
+    /lib/systemd/system/systemd-update-utmp*

-# Python venv + openconnect-sso + playwright
-RUN python3 -m venv "$VIRTUAL_ENV"
-RUN pip install --no-cache-dir openconnect-sso[full] playwright keyring keyrings.alt && \
+# Install openconnect-sso with playwright
+RUN python3 -m venv "$VIRTUAL_ENV" && \
+    pip install --no-cache-dir openconnect-sso[full] playwright keyring keyrings.alt && \
    python -m playwright install --with-deps chromium

-# Create directories
-RUN mkdir -p /opt/scripts /shared /root/.vnc
+RUN mkdir -p /opt/scripts /shared
+RUN echo 'IyEvYmluL2Jhc2gKc2V0IC1lCmV4cG9ydCBIT01FPScvcm9vdCcKZXhwb3J0IFVTRVI9J3Jvb3QnCnJtIC1mIC90bXAvLlAxLWxvY2sgL3RtcC8uWDExLXVuaXgvWDEgMj4vZGV2L251bGwgfHwgdHJ1ZQpybSAtcmYgL3RtcC8uWCotbG9jayAvdG1wLy5YMTQtdW5peC8qIDI+L2Rldi9udWxsIHx8IHRydWUKZWNobyAiU3RhcnRpbmcgVGlnZXJWTkMgc2VydmVyIG9uIGRpc3BsYXkgOjEuLi4iCnZuY3NlcnZlciA6MSAtZ2VvbWV0cnkgMTI4MHg4MDAgLWRlcHRoIDI0IC1TZWN1cml0eVR5cGVzIFZuY0F1dGggLWxvY2FsaG9zdCBubwpzbGVlcCAyCmVjaG8gIlN0YXJ0aW5nIG5vVk5DIG9uIHBvcnQgJHtOT1ZOQ19QT1JUOi02MDgwfS4uLiIKd2Vic29ja2lmeSAtLXdlYj0vdXNyL3NoYXJlL25vdm5jLyAke05PVk5DX1BPUlQ6LTYwODB9IGxvY2FsaG9zdDo1OTAxICYKdGFpbCAtZiAvcm9vdC8udm5jLyoubG9nCg==' \
+| base64 -d > /opt/scripts/startup-vnc.sh && \
+chmod +x /opt/scripts/startup-vnc.sh

-# Create VNC startup script (embedded)
-RUN echo 'IyEvYmluL2Jhc2gKc2V0IC1lCmV4cG9ydCBIT01FPScvcm9vdCcKZXhwb3J0IFVTRVI9J3Jvb3QnCnJtIC1mIC90bXAvLlgxLWxvY2sgL3RtcC8uWDExLXVuaXgvWDEgMj4vZGV2L251bGwgfHwgdHJ1ZQpybSAtcmYgL3RtcC8uWCotbG9jayAvdG1wLy5YMTEtdW5peC8qIDI+L2Rldi9udWxsIHx8IHRydWUKZWNobyAiU3RhcnRpbmcgVGlnZXJWTkMgc2VydmVyIG9uIGRpc3BsYXkgOjEuLi4iCnZuY3NlcnZlciA6MSAtZ2VvbWV0cnkgMTI4MHg4MDAgLWRlcHRoIDI0IC1TZWN1cml0eVR5cGVzIFZuY0F1dGggLWxvY2FsaG9zdCBubwpzbGVlcCAyCmVjaG8gIlN0YXJ0aW5nIG5vVk5DIG9uIHBvcnQgJHtOT1ZOQ19QT1JUOi02MDgwfS4uLiIKd2Vic29ja2lmeSAtLXdlYj0vdXNyL3NoYXJlL25vdm5jLyAke05PVk5DX1BPUlQ6LTYwODB9IGxvY2FsaG9zdDo1OTAxICYKdGFpbCAtZiAvcm9vdC8udm5jLyoubG9nCg==' \
-    | base64 -d > /opt/scripts/startup-vnc.sh && \
-    chmod +x /opt/scripts/startup-vnc.sh
+RUN echo 'W1VuaXRdCkRlc2NyaXB0aW9uPVZOQyBhbmQgbm9WTkMgU2VydmVyCkFmdGVyPW5ldHdvcmsudGFyZ2V0CgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9vcHQvc2NyaXB0cy9zdGFydHVwLXZuYy5zaApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKRW52aXJvbm1lbnQ9SE9NRT0vcm9vdApFbnZpcm9ubWVudD1VU0VSPXJvb3QKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=' \
+| base64 -d > /lib/systemd/system/vnc.service
+RUN chmod 644 /lib/systemd/system/vnc.service && \
+    systemctl enable vnc.service

 # Copy entrypoint script
 COPY scripts/entrypoint.sh /opt/scripts/
 RUN chmod +x /opt/scripts/entrypoint.sh

+VOLUME ["/sys/fs/cgroup"]
+
 EXPOSE 5901 6080

+STOPSIGNAL SIGRTMIN+3
+
 CMD ["/opt/scripts/entrypoint.sh"]
--- a/apps/cistech-tunnel/build/README.md
+++ b/apps/cistech-tunnel/build/README.md
@@ -0,0 +1,51 @@
+# Rego Tunnel - Build Files
+
+This directory contains the Dockerfile and scripts to build the Cisco VPN Docker image.
+
+## Files
+
+- `Dockerfile` - Docker image definition (Ubuntu 22.04 + Cisco Secure Client + noVNC)
+- `cisco-secure-client-full.tar.gz` - Pre-extracted Cisco Secure Client 5.1.14.145
+- `build.sh` - Build and push script
+- `scripts/entrypoint.sh` - Container entrypoint (starts systemd)
+
+## Building
+
+```bash
+cd /etc/runtipi/repos/runtipi/apps/rego-tunnel/build
+./build.sh
+```
+
+This builds and pushes to `git.alexzaw.dev/alexz/cisco-vpn:latest`
+
+To build without pushing:
+```bash
+docker build -t git.alexzaw.dev/alexz/cisco-vpn:latest .
+```
+
+## What's in the image
+
+The Dockerfile creates an image with:
+- Ubuntu 22.04 with systemd
+- Cisco Secure Client 5.1.14.145 (VPN, DART, Posture modules)
+- TigerVNC server + noVNC (web-based VNC)
+- Tools: xdotool, oathtool (for TOTP), xclip, openbox
+
+### Systemd services (baked in)
+- `vpnagentd.service` - Cisco VPN agent
+- `vnc.service` - VNC server + noVNC websockify
+
+### Scripts (baked in via base64 in Dockerfile)
+- `/opt/scripts/startup-vnc.sh` - Starts VNC server and noVNC
+- `/opt/scripts/entrypoint.sh` - Container entrypoint
+
+## Runtime mounts (from shared/)
+
+When running as rego-tunnel app, these are mounted from `shared/`:
+- `/shared/cisco-vpn` - Main VPN automation script
+- `/shared/xstartup` → `/root/.vnc/xstartup` - VNC session startup
+
+## Ports
+
+- `5901` - VNC server
+- `6080` - noVNC web interface
--- a/apps/cistech-tunnel/build/build.sh
+++ b/apps/cistech-tunnel/build/build.sh
@@ -16,7 +16,7 @@ echo ""
 echo "Build complete!"
 echo ""
 echo "To test locally:"
-echo "  docker run -d --privileged --cap-add=NET_ADMIN --device=/dev/net/tun -p 5901:5901 -p 6080:6080 -e VNC_PASSWORD=test ${IMAGE_NAME}:${IMAGE_TAG}"
+echo "  docker run -d --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cap-add=NET_ADMIN --device=/dev/net/tun -p 5901:5901 -p 6080:6080 ${IMAGE_NAME}:${IMAGE_TAG}"
 echo ""
 echo "Then connect via VNC to localhost:5901 or open noVNC at http://localhost:6080/vnc.html"
-echo ""
+echo ""
--- a/apps/cistech-tunnel/build/scripts/entrypoint.sh
+++ b/apps/cistech-tunnel/build/scripts/entrypoint.sh
@@ -1,16 +1,16 @@
 #!/bin/bash
-# Entrypoint: VNC password setup + DNS fix + start VNC
+# Entrypoint: VNC password setup + DNS fix + systemd

 set -euo pipefail

-# Setup TigerVNC password file from env var
+# Setup TigerVNC password file from env var (passed by runtipi)
+# TigerVNC expects /root/.vnc/passwd when using SecurityTypes=VncAuth.
 if [ -n "${VNC_PASSWORD:-}" ]; then
    mkdir -p /root/.vnc
    printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
    chmod 600 /root/.vnc/passwd
 fi

-# DNS fix for containers
 cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
 cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
 umount /etc/resolv.conf 2>/dev/null || true
@@ -18,25 +18,7 @@ umount /etc/hosts 2>/dev/null || true
 cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
 cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts

-# Enable IP forwarding
 echo 1 > /proc/sys/net/ipv4/ip_forward
 echo "[entrypoint] IP forwarding enabled"

-# Clean up stale X locks
-rm -f /tmp/.X1-lock /tmp/.X11-unix/X1 2>/dev/null || true
-
-# Start VNC server
-echo "[entrypoint] Starting TigerVNC server..."
-mkdir -p /root/.vnc
-vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
-
-# Wait for VNC to start
-sleep 2
-
-# Start noVNC websockify
-echo "[entrypoint] Starting noVNC on port ${NOVNC_PORT:-6080}..."
-websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6080} localhost:5901 &
-
-# Keep container running
-echo "[entrypoint] VNC ready. Tailing logs..."
-tail -f /root/.vnc/*.log
+exec /sbin/init