rego-tunnel: move all scripts to dynamic mounts

- Move entrypoint.sh from build/scripts/ to shared/
- Create startup-vnc.sh in shared/ (was base64-encoded in Dockerfile)
- Remove baked-in scripts and CMD from Dockerfile (keep vnc.service unit only)
- Entrypoint now: chmod +x all shared scripts, symlinks startup-vnc.sh
  to /opt/scripts/ so systemd vnc.service still finds it
- Fix host watcher: use /bin/bash in ExecStart for permission resilience
- Bump tipi_version to 7

All scripts are now dynamically controlled via volume mounts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/rego-tunnel/shared/entrypoint.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Entrypoint: VNC password setup + DNS fix + systemd
+
+set -euo pipefail
+
+# Ensure all shared scripts are executable (permissions may reset after git pull/appstore update)
+chmod +x /shared/*.sh /shared/cisco-vpn /root/.vnc/xstartup 2>/dev/null || true
+
+# Symlink shared scripts into /opt/scripts/ so systemd services (vnc.service) find them
+mkdir -p /opt/scripts
+ln -sf /shared/startup-vnc.sh /opt/scripts/startup-vnc.sh
+
+# Setup TigerVNC password file from env var (passed by runtipi)
+# TigerVNC expects /root/.vnc/passwd when using SecurityTypes=VncAuth.
+if [ -n "${VNC_PASSWORD:-}" ]; then
+    mkdir -p /root/.vnc
+    printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
+    chmod 600 /root/.vnc/passwd
+fi
+
+cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
+cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
+umount /etc/resolv.conf 2>/dev/null || true
+umount /etc/hosts 2>/dev/null || true
+cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
+cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "[entrypoint] IP forwarding enabled"
+
+exec /sbin/init