alexz/runtipi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

rego-tunnel: move all scripts to dynamic mounts

Browse Source 
- Move entrypoint.sh from build/scripts/ to shared/
- Create startup-vnc.sh in shared/ (was base64-encoded in Dockerfile)
- Remove baked-in scripts and CMD from Dockerfile (keep vnc.service unit only)
- Entrypoint now: chmod +x all shared scripts, symlinks startup-vnc.sh
  to /opt/scripts/ so systemd vnc.service still finds it
- Fix host watcher: use /bin/bash in ExecStart for permission resilience
- Bump tipi_version to 7

All scripts are now dynamically controlled via volume mounts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Alex Zaw
2026-02-04 21:05:14 +00:00
parent 7ac32e9199
commit efc3ad00af
5 changed files with 27 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
apps/rego-tunnel/build/Dockerfile
View File

@@ -65,24 +65,16 @@ RUN tar -xzf /tmp/cisco-secure-client-full.tar.gz -C / && rm /tmp/cisco-secure-c
# Enable vpnagentd service # Enable vpnagentd service
RUN systemctl enable vpnagentd.service RUN systemctl enable vpnagentd.service
RUN mkdir -p /opt/scripts /shared # vnc.service - started by systemd, calls /opt/scripts/startup-vnc.sh
RUN echo 'IyEvYmluL2Jhc2gKc2V0IC1lCmV4cG9ydCBIT01FPScvcm9vdCcKZXhwb3J0IFVTRVI9J3Jvb3QnCnJtIC1mIC90bXAvLlAxLWxvY2sgL3RtcC8uWDExLXVuaXgvWDEgMj4vZGV2L251bGwgfHwgdHJ1ZQpybSAtcmYgL3RtcC8uWCotbG9jayAvdG1wLy5YMTQtdW5peC8qIDI+L2Rldi9udWxsIHx8IHRydWUKZWNobyAiU3RhcnRpbmcgVGlnZXJWTkMgc2VydmVyIG9uIGRpc3BsYXkgOjEuLi4iCnZuY3NlcnZlciA6MSAtZ2VvbWV0cnkgMTI4MHg4MDAgLWRlcHRoIDI0IC1TZWN1cml0eVR5cGVzIFZuY0F1dGggLWxvY2FsaG9zdCBubwpzbGVlcCAyCmVjaG8gIlN0YXJ0aW5nIG5vVk5DIG9uIHBvcnQgJHtOT1ZOQ19QT1JUOi02MDgwfS4uLiIKd2Vic29ja2lmeSAtLXdlYj0vdXNyL3NoYXJlL25vdm5jLyAke05PVk5DX1BPUlQ6LTYwODB9IGxvY2FsaG9zdDo1OTAxICYKdGFpbCAtZiAvcm9vdC8udm5jLyoubG9nCg==' \ # The entrypoint symlinks /shared/startup-vnc.sh -> /opt/scripts/startup-vnc.sh at runtime
| base64 -d > /opt/scripts/startup-vnc.sh && \ RUN mkdir -p /opt/scripts && \
chmod +x /opt/scripts/startup-vnc.sh echo 'W1VuaXRdCkRlc2NyaXB0aW9uPVZOQyBhbmQgbm9WTkMgU2VydmVyCkFmdGVyPW5ldHdvcmsudGFyZ2V0IHZwbmFnZW50ZC5zZXJ2aWNlCgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9vcHQvc2NyaXB0cy9zdGFydHVwLXZuYy5zaApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKRW52aXJvbm1lbnQ9SE9NRT0vcm9vdApFbnZpcm9ubWVudD1VU0VSPXJvb3QKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=' \
| base64 -d > /lib/systemd/system/vnc.service && \
RUN echo 'W1VuaXRdCkRlc2NyaXB0aW9uPVZOQyBhbmQgbm9WTkMgU2VydmVyCkFmdGVyPW5ldHdvcmsudGFyZ2V0IHZwbmFnZW50ZC5zZXJ2aWNlCgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9vcHQvc2NyaXB0cy9zdGFydHVwLXZuYy5zaApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKRW52aXJvbm1lbnQ9SE9NRT0vcm9vdApFbnZpcm9ubWVudD1VU0VSPXJvb3QKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=' \ chmod 644 /lib/systemd/system/vnc.service && \
| base64 -d > /lib/systemd/system/vnc.service
RUN chmod 644 /lib/systemd/system/vnc.service && \
systemctl enable vnc.service systemctl enable vnc.service
# Copy entrypoint script
COPY scripts/entrypoint.sh /opt/scripts/
RUN chmod +x /opt/scripts/entrypoint.sh
VOLUME ["/sys/fs/cgroup"] VOLUME ["/sys/fs/cgroup"]
EXPOSE 5901 6080 EXPOSE 5901 6080
STOPSIGNAL SIGRTMIN+3 STOPSIGNAL SIGRTMIN+3
CMD ["/opt/scripts/entrypoint.sh"]

2
apps/rego-tunnel/config.json
View File

@@ -6,7 +6,7 @@
"dynamic_config": true, "dynamic_config": true,
"id": "rego-tunnel", "id": "rego-tunnel",
"description": "Cisco Secure Client VPN in Docker with noVNC web UI for accessing Rego environments. Native Docker - no VM overhead.", "description": "Cisco Secure Client VPN in Docker with noVNC web UI for accessing Rego environments. Native Docker - no VM overhead.",
"tipi_version": 6, "tipi_version": 7,
"version": "5.1.14.145", "version": "5.1.14.145",
"categories": [ "categories": [
"utilities" "utilities"

7
apps/rego-tunnel/build/scripts/entrypoint.sh → apps/rego-tunnel/shared/entrypoint.sh
View File

@@ -3,6 +3,13 @@
set -euo pipefail set -euo pipefail
# Ensure all shared scripts are executable (permissions may reset after git pull/appstore update)
chmod +x /shared/*.sh /shared/cisco-vpn /root/.vnc/xstartup 2>/dev/null || true
# Symlink shared scripts into /opt/scripts/ so systemd services (vnc.service) find them
mkdir -p /opt/scripts
ln -sf /shared/startup-vnc.sh /opt/scripts/startup-vnc.sh
# Setup TigerVNC password file from env var (passed by runtipi) # Setup TigerVNC password file from env var (passed by runtipi)
# TigerVNC expects /root/.vnc/passwd when using SecurityTypes=VncAuth. # TigerVNC expects /root/.vnc/passwd when using SecurityTypes=VncAuth.
if [ -n "${VNC_PASSWORD:-}" ]; then if [ -n "${VNC_PASSWORD:-}" ]; then

2
apps/rego-tunnel/shared/install-host-services.sh
View File

@@ -31,7 +31,7 @@ After=docker.service
[Service] [Service]
Type=oneshot Type=oneshot
ExecStart=${SCRIPT_DIR}/host-routing.sh restart ExecStart=/bin/bash ${SCRIPT_DIR}/host-routing.sh restart
ExecStartPost=/bin/rm -f ${APP_DATA_DIR}/restart-routing ExecStartPost=/bin/rm -f ${APP_DATA_DIR}/restart-routing
ExecStartPost=/bin/bash -c 'echo "trigger cleared at \$(date)" >> ${APP_DATA_DIR}/watcher.log' ExecStartPost=/bin/bash -c 'echo "trigger cleared at \$(date)" >> ${APP_DATA_DIR}/watcher.log'
EOF EOF

12
apps/rego-tunnel/shared/startup-vnc.sh Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
set -e
export HOME='/root'
export USER='root'
rm -f /tmp/.P1-lock /tmp/.X11-unix/X1 2>/dev/null || true
rm -rf /tmp/.X*-lock /tmp/.X14-unix/* 2>/dev/null || true
echo "Starting TigerVNC server on display :1..."
vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
sleep 2
echo "Starting noVNC on port ${NOVNC_PORT:-6080}..."
websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6080} localhost:5901 &
tail -f /root/.vnc/*.log