From efc3ad00af2aca22256f05929e3218deb4911aec Mon Sep 17 00:00:00 2001
From: alexz
Date: Wed, 4 Feb 2026 21:05:14 +0000
Subject: [PATCH] rego-tunnel: move all scripts to dynamic mounts

- Move entrypoint.sh from build/scripts/ to shared/
- Create startup-vnc.sh in shared/ (was base64-encoded in Dockerfile)
- Remove baked-in scripts and CMD from Dockerfile (keep vnc.service unit only)
- Entrypoint now: chmod +x all shared scripts, symlinks startup-vnc.sh to /opt/scripts/ so systemd vnc.service still finds it
- Fix host watcher: use /bin/bash in ExecStart for permission resilience
- Bump tipi_version to 7

All scripts are now dynamically controlled via volume mounts.

Co-Authored-By: Claude Opus 4.5
---
 apps/rego-tunnel/build/Dockerfile | 20 ++++++--------------
 apps/rego-tunnel/config.json | 2 +-
 .../{build/scripts => shared}/entrypoint.sh | 7 +++++++
 .../shared/install-host-services.sh | 2 +-
 apps/rego-tunnel/shared/startup-vnc.sh | 12 ++++++++++++
 5 files changed, 27 insertions(+), 16 deletions(-)
 rename apps/rego-tunnel/{build/scripts => shared}/entrypoint.sh (71%)
 create mode 100644 apps/rego-tunnel/shared/startup-vnc.sh

diff --git a/apps/rego-tunnel/build/Dockerfile b/apps/rego-tunnel/build/Dockerfile
index b12e30a..3c73564 100755
--- a/apps/rego-tunnel/build/Dockerfile
+++ b/apps/rego-tunnel/build/Dockerfile
@@ -65,24 +65,16 @@ RUN tar -xzf /tmp/cisco-secure-client-full.tar.gz -C / && rm /tmp/cisco-secure-c
 # Enable vpnagentd service
 RUN systemctl enable vpnagentd.service
 
-RUN mkdir -p /opt/scripts /shared
-RUN echo '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' \
-| base64 -d > /opt/scripts/startup-vnc.sh && \
-chmod +x /opt/scripts/startup-vnc.sh
-
-RUN echo 'W1VuaXRdCkRlc2NyaXB0aW9uPVZOQyBhbmQgbm9WTkMgU2VydmVyCkFmdGVyPW5ldHdvcmsudGFyZ2V0IHZwbmFnZW50ZC5zZXJ2aWNlCgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9vcHQvc2NyaXB0cy9zdGFydHVwLXZuYy5zaApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKRW52aXJvbm1lbnQ9SE9NRT0vcm9vdApFbnZpcm9ubWVudD1VU0VSPXJvb3QKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=' \
-| base64 -d > /lib/systemd/system/vnc.service
-RUN chmod 644 /lib/systemd/system/vnc.service && \
+# vnc.service - started by systemd, calls /opt/scripts/startup-vnc.sh
+# The entrypoint symlinks /shared/startup-vnc.sh -> /opt/scripts/startup-vnc.sh at runtime
+RUN mkdir -p /opt/scripts && \
+    echo 'W1VuaXRdCkRlc2NyaXB0aW9uPVZOQyBhbmQgbm9WTkMgU2VydmVyCkFmdGVyPW5ldHdvcmsudGFyZ2V0IHZwbmFnZW50ZC5zZXJ2aWNlCgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9vcHQvc2NyaXB0cy9zdGFydHVwLXZuYy5zaApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKRW52aXJvbm1lbnQ9SE9NRT0vcm9vdApFbnZpcm9ubWVudD1VU0VSPXJvb3QKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=' \
+    | base64 -d > /lib/systemd/system/vnc.service && \
+    chmod 644 /lib/systemd/system/vnc.service && \
     systemctl enable vnc.service
 
-# Copy entrypoint script
-COPY scripts/entrypoint.sh /opt/scripts/
-RUN chmod +x /opt/scripts/entrypoint.sh
-
 VOLUME ["/sys/fs/cgroup"]
 EXPOSE 5901 6080
 STOPSIGNAL SIGRTMIN+3
-
-CMD ["/opt/scripts/entrypoint.sh"]
diff --git a/apps/rego-tunnel/config.json b/apps/rego-tunnel/config.json
index 1653707..e763fb0 100755
--- a/apps/rego-tunnel/config.json
+++ b/apps/rego-tunnel/config.json
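Review bot: The vnc.service unit is still shipped as an opaque `RUN echo '…' | base64 -d` blob, so a reviewer cannot see from the diff that it decodes to `ExecStart=/opt/scripts/startup-vnc.sh` with `Restart=always` and `Environment=USER=root`; now that every other script is a plain file, checking the unit in as text and using `COPY vnc.service /lib/systemd/system/vnc.service` would make it reviewable and diffable. The new comment should also name the trust boundary this layout creates: `/opt/scripts/startup-vnc.sh` becomes a symlink into the volume-mounted `/shared`, so anyone who can write that directory on the host gets code execution as root inside the container on every vnc.service (re)start. With `CMD` removed the image starts nothing on its own; the compose or app manifest must now supply `/shared/entrypoint.sh` as the command, and that change is not part of this patch, so confirm it lands alongside the tipi_version bump.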
@@ -6,7 +6,7 @@
   "dynamic_config": true,
   "id": "rego-tunnel",
   "description": "Cisco Secure Client VPN in Docker with noVNC web UI for accessing Rego environments. Native Docker - no VM overhead.",
-  "tipi_version": 6,
+  "tipi_version": 7,
   "version": "5.1.14.145",
   "categories": [
     "utilities"
diff --git a/apps/rego-tunnel/build/scripts/entrypoint.sh b/apps/rego-tunnel/shared/entrypoint.sh
similarity index 71%
rename from apps/rego-tunnel/build/scripts/entrypoint.sh
rename to apps/rego-tunnel/shared/entrypoint.sh
index 71ce4f6..bfe4afa 100644
--- a/apps/rego-tunnel/build/scripts/entrypoint.sh
+++ b/apps/rego-tunnel/shared/entrypoint.sh
@@ -3,6 +3,13 @@
 
 set -euo pipefail
 
+# Ensure all shared scripts are executable (permissions may reset after git pull/appstore update)
+chmod +x /shared/*.sh /shared/cisco-vpn /root/.vnc/xstartup 2>/dev/null || true
+
+# Symlink shared scripts into /opt/scripts/ so systemd services (vnc.service) find them
+mkdir -p /opt/scripts
+ln -sf /shared/startup-vnc.sh /opt/scripts/startup-vnc.sh
+
 # Setup TigerVNC password file from env var (passed by runtipi)
 # TigerVNC expects /root/.vnc/passwd when using SecurityTypes=VncAuth.
 if [ -n "${VNC_PASSWORD:-}" ]; then
diff --git a/apps/rego-tunnel/shared/install-host-services.sh b/apps/rego-tunnel/shared/install-host-services.sh
index 56e09ac..a9788f3 100644
--- a/apps/rego-tunnel/shared/install-host-services.sh
+++ b/apps/rego-tunnel/shared/install-host-services.sh
@@ -31,7 +31,7 @@ After=docker.service
 
 [Service]
 Type=oneshot
-ExecStart=${SCRIPT_DIR}/host-routing.sh restart
+ExecStart=/bin/bash ${SCRIPT_DIR}/host-routing.sh restart
 ExecStartPost=/bin/rm -f ${APP_DATA_DIR}/restart-routing
 ExecStartPost=/bin/bash -c 'echo "trigger cleared at \$(date)" >> ${APP_DATA_DIR}/watcher.log'
 EOF
diff --git a/apps/rego-tunnel/shared/startup-vnc.sh b/apps/rego-tunnel/shared/startup-vnc.sh
new file mode 100644
index 0000000..be79563
--- /dev/null
+++ b/apps/rego-tunnel/shared/startup-vnc.sh
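Review bot: `ln -sf /shared/startup-vnc.sh /opt/scripts/startup-vnc.sh` is created whether or not the target exists, so a missing or unmounted `/shared/startup-vnc.sh` leaves vnc.service restart-looping every 5 s on a dangling symlink with nothing in the container log to explain it; a check right after the chmod, `[ -x /shared/startup-vnc.sh ] || echo "WARNING: /shared/startup-vnc.sh missing or not executable; vnc.service will fail" >&2`, names the failure where it first becomes visible. The `2>/dev/null || true` on the chmod is a reasonable best-effort, but the comment should state what is being trusted — everything in `/shared` arrives via the volume mount and will run as root — e.g. `# /shared is volume-mounted and host-controlled; everything made executable here runs as root in this container`. The script continues past the hunk (the `if [ -n "${VNC_PASSWORD:-}" ]` block is cut off).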
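Review bot: `ExecStart=/bin/bash ${SCRIPT_DIR}/host-routing.sh restart` now runs whatever file sits at that path as root on the host even when it is not executable, removing the mode-bit check that previously stood between a tampered file in the app data directory and host root. If `SCRIPT_DIR` is the tree that is volume-mounted into the container as `/shared` (the entrypoint hunk's `chmod +x /shared/*.sh` suggests the two are the same directory — please confirm), root inside the container can rewrite `host-routing.sh` and have it executed as host root the next time the `restart-routing` trigger fires. At minimum add `ConditionPathExists=${SCRIPT_DIR}/host-routing.sh` to the unit and have the script refuse to run unless `[ "$(stat -c %U:%a "$0")" = root:755 ]` or similar; better, install a root-owned copy outside the shared directory and point `ExecStart` at that. The heredoc that emits this unit opens before the hunk.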
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+export HOME='/root'
+export USER='root'
+rm -f /tmp/.P1-lock /tmp/.X11-unix/X1 2>/dev/null || true
+rm -rf /tmp/.X*-lock /tmp/.X14-unix/* 2>/dev/null || true
+echo "Starting TigerVNC server on display :1..."
+vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
+sleep 2
+echo "Starting noVNC on port ${NOVNC_PORT:-6080}..."
+websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6080} localhost:5901 &
+tail -f /root/.vnc/*.log
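Review bot: `vncserver :1 … -SecurityTypes VncAuth -localhost no` binds the raw RFB port 5901 on every interface protected only by VncAuth (a short DES-obfuscated password, no transport encryption), while the websockify line below only ever connects to `localhost:5901`; unless direct VNC clients are an intended use, `-localhost yes` closes that path and the Dockerfile's `EXPOSE 5901` can go with it. Separately, `websockify … &` is backgrounded and never waited on, so if it exits the script keeps running `tail -f` and `Restart=always` in vnc.service never fires; `websockify --web=/usr/share/novnc/ "${NOVNC_PORT:-6080}" localhost:5901 & WS_PID=$!` followed by `wait "$WS_PID"` (with the `tail -f` moved to the background) makes the service fail when the proxy does. `/tmp/.X14-unix/*` on the second `rm` line looks like a typo for `/tmp/.X11-unix/*` — as written the glob never matches, so only the explicit `X1` socket removal on the previous line does any cleanup.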