rego-tunnel: move all scripts to dynamic mounts

- Move entrypoint.sh from build/scripts/ to shared/
- Create startup-vnc.sh in shared/ (was base64-encoded in Dockerfile)
- Remove baked-in scripts and CMD from Dockerfile (keep vnc.service unit only)
- Entrypoint now: chmod +x all shared scripts, symlinks startup-vnc.sh
  to /opt/scripts/ so systemd vnc.service still finds it
- Fix host watcher: use /bin/bash in ExecStart for permission resilience
- Bump tipi_version to 7

All scripts are now dynamically controlled via volume mounts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/rego-tunnel/build/Dockerfile

@@ -65,24 +65,16 @@ RUN tar -xzf /tmp/cisco-secure-client-full.tar.gz -C / && rm /tmp/cisco-secure-c
 # Enable vpnagentd service
 RUN systemctl enable vpnagentd.service
 
-RUN mkdir -p /opt/scripts /shared
-RUN echo 'IyEvYmluL2Jhc2gKc2V0IC1lCmV4cG9ydCBIT01FPScvcm9vdCcKZXhwb3J0IFVTRVI9J3Jvb3QnCnJtIC1mIC90bXAvLlAxLWxvY2sgL3RtcC8uWDExLXVuaXgvWDEgMj4vZGV2L251bGwgfHwgdHJ1ZQpybSAtcmYgL3RtcC8uWCotbG9jayAvdG1wLy5YMTQtdW5peC8qIDI+L2Rldi9udWxsIHx8IHRydWUKZWNobyAiU3RhcnRpbmcgVGlnZXJWTkMgc2VydmVyIG9uIGRpc3BsYXkgOjEuLi4iCnZuY3NlcnZlciA6MSAtZ2VvbWV0cnkgMTI4MHg4MDAgLWRlcHRoIDI0IC1TZWN1cml0eVR5cGVzIFZuY0F1dGggLWxvY2FsaG9zdCBubwpzbGVlcCAyCmVjaG8gIlN0YXJ0aW5nIG5vVk5DIG9uIHBvcnQgJHtOT1ZOQ19QT1JUOi02MDgwfS4uLiIKd2Vic29ja2lmeSAtLXdlYj0vdXNyL3NoYXJlL25vdm5jLyAke05PVk5DX1BPUlQ6LTYwODB9IGxvY2FsaG9zdDo1OTAxICYKdGFpbCAtZiAvcm9vdC8udm5jLyoubG9nCg==' \
-| base64 -d > /opt/scripts/startup-vnc.sh && \
-chmod +x /opt/scripts/startup-vnc.sh
-
-RUN echo 'W1VuaXRdCkRlc2NyaXB0aW9uPVZOQyBhbmQgbm9WTkMgU2VydmVyCkFmdGVyPW5ldHdvcmsudGFyZ2V0IHZwbmFnZW50ZC5zZXJ2aWNlCgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9vcHQvc2NyaXB0cy9zdGFydHVwLXZuYy5zaApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKRW52aXJvbm1lbnQ9SE9NRT0vcm9vdApFbnZpcm9ubWVudD1VU0VSPXJvb3QKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=' \
-| base64 -d > /lib/systemd/system/vnc.service
-RUN chmod 644 /lib/systemd/system/vnc.service && \
+# vnc.service - started by systemd, calls /opt/scripts/startup-vnc.sh
+# The entrypoint symlinks /shared/startup-vnc.sh -> /opt/scripts/startup-vnc.sh at runtime
+RUN mkdir -p /opt/scripts && \
+    echo 'W1VuaXRdCkRlc2NyaXB0aW9uPVZOQyBhbmQgbm9WTkMgU2VydmVyCkFmdGVyPW5ldHdvcmsudGFyZ2V0IHZwbmFnZW50ZC5zZXJ2aWNlCgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9vcHQvc2NyaXB0cy9zdGFydHVwLXZuYy5zaApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKRW52aXJvbm1lbnQ9SE9NRT0vcm9vdApFbnZpcm9ubWVudD1VU0VSPXJvb3QKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=' \
+    | base64 -d > /lib/systemd/system/vnc.service && \
+    chmod 644 /lib/systemd/system/vnc.service && \
     systemctl enable vnc.service
 
-# Copy entrypoint script
-COPY scripts/entrypoint.sh /opt/scripts/
-RUN chmod +x /opt/scripts/entrypoint.sh
-
 VOLUME ["/sys/fs/cgroup"]
 
 EXPOSE 5901 6080
 
 STOPSIGNAL SIGRTMIN+3
-
-CMD ["/opt/scripts/entrypoint.sh"]

apps/rego-tunnel/build/scripts/entrypoint.sh

@@ -1,24 +0,0 @@
-#!/bin/bash
-# Entrypoint: VNC password setup + DNS fix + systemd
-
-set -euo pipefail
-
-# Setup TigerVNC password file from env var (passed by runtipi)
-# TigerVNC expects /root/.vnc/passwd when using SecurityTypes=VncAuth.
-if [ -n "${VNC_PASSWORD:-}" ]; then
-    mkdir -p /root/.vnc
-    printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
-    chmod 600 /root/.vnc/passwd
-fi
-
-cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
-cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
-umount /etc/resolv.conf 2>/dev/null || true
-umount /etc/hosts 2>/dev/null || true
-cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
-cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
-
-echo 1 > /proc/sys/net/ipv4/ip_forward
-echo "[entrypoint] IP forwarding enabled"
-
-exec /sbin/init