rego-tunnel: move all scripts to dynamic mounts

- Move entrypoint.sh from build/scripts/ to shared/ - Create startup-vnc.sh in shared/ (was base64-encoded in Dockerfile) - Remove baked-in scripts and CMD from Dockerfile (keep vnc.service unit only) - Entrypoint now: chmod +x all shared scripts, symlinks startup-vnc.sh to /opt/scripts/ so systemd vnc.service still finds it - Fix host watcher: use /bin/bash in ExecStart for permission resilience - Bump tipi_version to 7 All scripts are now dynamically controlled via volume mounts. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-04 21:05:14 +00:00
parent 7ac32e9199
commit efc3ad00af
5 changed files with 27 additions and 16 deletions
--- a/apps/rego-tunnel/shared/entrypoint.sh
+++ b/apps/rego-tunnel/shared/entrypoint.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+# Entrypoint: VNC password setup + DNS fix + systemd
+
+set -euo pipefail
+
+# Ensure all shared scripts are executable (permissions may reset after git pull/appstore update)
+chmod +x /shared/*.sh /shared/cisco-vpn /root/.vnc/xstartup 2>/dev/null || true
+
+# Symlink shared scripts into /opt/scripts/ so systemd services (vnc.service) find them
+mkdir -p /opt/scripts
+ln -sf /shared/startup-vnc.sh /opt/scripts/startup-vnc.sh
+
+# Setup TigerVNC password file from env var (passed by runtipi)
+# TigerVNC expects /root/.vnc/passwd when using SecurityTypes=VncAuth.
+if [ -n "${VNC_PASSWORD:-}" ]; then
+    mkdir -p /root/.vnc
+    printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
+    chmod 600 /root/.vnc/passwd
+fi
+
+cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
+cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
+umount /etc/resolv.conf 2>/dev/null || true
+umount /etc/hosts 2>/dev/null || true
+cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
+cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "[entrypoint] IP forwarding enabled"
+
+exec /sbin/init
--- a/apps/rego-tunnel/shared/install-host-services.sh
+++ b/apps/rego-tunnel/shared/install-host-services.sh
@@ -31,7 +31,7 @@ After=docker.service

 [Service]
 Type=oneshot
-ExecStart=${SCRIPT_DIR}/host-routing.sh restart
+ExecStart=/bin/bash ${SCRIPT_DIR}/host-routing.sh restart
 ExecStartPost=/bin/rm -f ${APP_DATA_DIR}/restart-routing
 ExecStartPost=/bin/bash -c 'echo "trigger cleared at \$(date)" >> ${APP_DATA_DIR}/watcher.log'
 EOF
--- a/apps/rego-tunnel/shared/startup-vnc.sh
+++ b/apps/rego-tunnel/shared/startup-vnc.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+export HOME='/root'
+export USER='root'
+rm -f /tmp/.P1-lock /tmp/.X11-unix/X1 2>/dev/null || true
+rm -rf /tmp/.X*-lock /tmp/.X14-unix/* 2>/dev/null || true
+echo "Starting TigerVNC server on display :1..."
+vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
+sleep 2
+echo "Starting noVNC on port ${NOVNC_PORT:-6080}..."
+websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6080} localhost:5901 &
+tail -f /root/.vnc/*.log