From ee6cb6c90d9bf18502a0e3cfbb3590fec026ecf7 Mon Sep 17 00:00:00 2001 From: alexz Date: Fri, 16 Jan 2026 21:19:55 +0000 Subject: [PATCH] refactor(rego-tunnel): Inline startup-vnc.sh and vnc.service in Dockerfile These two files cannot be overridden at runtime, so they're now baked directly into the Dockerfile using heredocs. Remaining scripts (can be overridden at runtime): - init-vpn.sh - xstartup - vpn-connect.sh Co-Authored-By: Claude Opus 4.5 --- apps/rego-tunnel/build/Dockerfile | 61 +++++++++++++------ apps/rego-tunnel/build/scripts/startup-vnc.sh | 33 ---------- apps/rego-tunnel/build/scripts/vnc.service | 14 ----- 3 files changed, 41 insertions(+), 67 deletions(-) delete mode 100644 apps/rego-tunnel/build/scripts/startup-vnc.sh delete mode 100644 apps/rego-tunnel/build/scripts/vnc.service
diff --git a/apps/rego-tunnel/build/Dockerfile b/apps/rego-tunnel/build/Dockerfile
index f487077..ce6d7c1 100755
--- a/apps/rego-tunnel/build/Dockerfile
+++ b/apps/rego-tunnel/build/Dockerfile
@@ -28,22 +28,18 @@ RUN apt-get update && apt-get install -y \
 policykit-1 \
 xdg-utils \
 libwebkit2gtk-4.0-37 \
-# VNC
 tigervnc-standalone-server \
 tigervnc-common \
 novnc \
 websockify \
-# Window manager
 openbox \
 xterm \
-# Utilities
 procps \
 net-tools \
 curl \
 iproute2 \
 iputils-ping \
 nano \
-# Automation tools
 xdotool \
 oathtool \
 xclip \
@@ -59,7 +55,7 @@ RUN rm -f /lib/systemd/system/multi-user.target.wants/* \
 /lib/systemd/system/sysinit.target.wants/systemd-tmpfiles-setup* \
 /lib/systemd/system/systemd-update-utmp*
-# Copy and extract the FULL Cisco Secure Client installation (VPN + DART + Posture)
+# Copy and extract Cisco Secure Client
 COPY cisco-secure-client-full.tar.gz /tmp/
 RUN tar -xzf /tmp/cisco-secure-client-full.tar.gz -C / && rm /tmp/cisco-secure-client-full.tar.gz
@@ -67,13 +63,49 @@ RUN tar -xzf /tmp/cisco-secure-client-full.tar.gz -C / && rm /tmp/cisco-secure-c
 RUN systemctl enable vpnagentd.service
 # Create scripts directory
-RUN mkdir -p /opt/scripts
+RUN mkdir -p /opt/scripts /shared
-# Copy scripts
+# Inline startup-vnc.sh (cannot be overridden at runtime)
+RUN cat > /opt/scripts/startup-vnc.sh << 'EOF'
+#!/bin/bash
+set -e
+export HOME=/root
+export USER=root
+rm -f /tmp/.X1-lock /tmp/.X11-unix/X1 2>/dev/null || true
+rm -rf /tmp/.X*-lock /tmp/.X11-unix/* 2>/dev/null || true
+echo "Starting TigerVNC server on display :1..."
+vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
+sleep 2
+echo "Starting noVNC on port ${NOVNC_PORT:-6080}..."
+websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6080} localhost:5901 &
+tail -f /root/.vnc/*.log
+EOF
+RUN chmod +x /opt/scripts/startup-vnc.sh
+
+# Inline vnc.service (cannot be overridden at runtime)
+RUN cat > /lib/systemd/system/vnc.service << 'EOF'
+[Unit]
+Description=VNC and noVNC Server
+After=network.target vpnagentd.service
+
+[Service]
+Type=simple
+ExecStart=/opt/scripts/startup-vnc.sh
+Restart=always
+RestartSec=5
+Environment=HOME=/root
+Environment=USER=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+RUN systemctl enable vnc.service
+
+# Copy scripts that CAN be overridden at runtime
 COPY scripts/init-vpn.sh /opt/scripts/
-COPY scripts/startup-vnc.sh /opt/scripts/
+COPY scripts/xstartup /root/.vnc/xstartup
 COPY scripts/vpn-connect.sh /opt/scripts/
-RUN chmod +x /opt/scripts/*.sh
+RUN chmod +x /opt/scripts/*.sh /root/.vnc/xstartup
 # Setup VNC password (default, can be overridden via mount)
 ARG VNC_PASSWORD=cisco123
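Review bot: The inlined startup-vnc.sh hardwires `-localhost no`, so the VNC server listens on every container interface protected only by VncAuth (an 8-character DES challenge with no transport encryption), and per the commit message this can no longer be overridden at runtime; since websockify proxies `localhost:5901` for noVNC, the direct 5901 listener is only needed for out-of-band clients. I would default it to `-localhost yes` (or `-localhost "${VNC_LISTEN_ALL:-no}"` so an operator can opt in) and quote the port: `websockify --web=/usr/share/novnc/ "${NOVNC_PORT:-6080}" localhost:5901 &`. Separately, `set -e` does not cover the backgrounded websockify, so if it dies the script keeps tailing logs, the unit stays active and `Restart=always` never fires; replacing the `&` line and `tail -f /root/.vnc/*.log` with `exec websockify --web=/usr/share/novnc/ "${NOVNC_PORT:-6080}" localhost:5901` lets systemd supervise the proxy directly (VNC logs then need to go to the journal or be collected another way). The `ARG VNC_PASSWORD=cisco123` default is context here, but a build ARG consumed by a RUN is recorded in `docker history`, so a real password should only ever come through the documented mount, never `--build-arg`.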
@@ -81,17 +113,6 @@ RUN mkdir -p /root/.vnc && \
 echo "${VNC_PASSWORD}" | vncpasswd -f > /root/.vnc/passwd && \
 chmod 600 /root/.vnc/passwd
-# VNC xstartup script (can be overridden via mount)
-COPY scripts/xstartup /root/.vnc/xstartup
-RUN chmod +x /root/.vnc/xstartup
-
-# Create systemd service for VNC
-COPY scripts/vnc.service /lib/systemd/system/vnc.service
-RUN systemctl enable vnc.service
-
-# Create shared directory for mounting scripts
-RUN mkdir -p /shared
-
 VOLUME ["/sys/fs/cgroup"]
 EXPOSE 5901 6080
diff --git a/apps/rego-tunnel/build/scripts/startup-vnc.sh b/apps/rego-tunnel/build/scripts/startup-vnc.sh
deleted file mode 100644
index a1f721f..0000000
--- a/apps/rego-tunnel/build/scripts/startup-vnc.sh
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/bash
-# VNC and noVNC startup script
-
-set -e
-
-export HOME=/root
-export USER=root
-
-# Clean up any existing VNC locks
-rm -f /tmp/.X1-lock /tmp/.X11-unix/X1 2>/dev/null || true
-rm -rf /tmp/.X*-lock /tmp/.X11-unix/* 2>/dev/null || true
-
-echo "Starting TigerVNC server on display :1..."
-vncserver :1 \
- -geometry 1280x800 \
- -depth 24 \
- -SecurityTypes VncAuth \
- -localhost no
-
-sleep 2
-
-echo "Starting noVNC on port ${NOVNC_PORT:-6080}..."
-websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6080} localhost:5901 &
-
-echo ""
-echo "============================================"
-echo "VNC server running on port 5901"
-echo "noVNC web interface: http://localhost:${NOVNC_PORT:-6080}/vnc.html"
-echo "============================================"
-echo ""
-
-# Keep the script running
-tail -f /root/.vnc/*.log
diff --git a/apps/rego-tunnel/build/scripts/vnc.service b/apps/rego-tunnel/build/scripts/vnc.service
deleted file mode 100644
index 2f02518..0000000
--- a/apps/rego-tunnel/build/scripts/vnc.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=VNC and noVNC Server
-After=network.target vpnagentd.service
-
-[Service]
-Type=simple
-ExecStart=/opt/scripts/startup-vnc.sh
-Restart=always
-RestartSec=5
-Environment=HOME=/root
-Environment=USER=root
-
-[Install]
-WantedBy=multi-user.target