.

apps/cistech-tunnel/build/.gitignore

@@ -0,0 +1,2 @@
+# Large binary files - track tar.gz but not 7z
+*.7z

apps/cistech-tunnel/build/Dockerfile

@@ -0,0 +1,99 @@
+FROM ubuntu:22.04
+
+LABEL maintainer="alexz"
+LABEL description="OpenConnect-SSO VPN in Docker with noVNC"
+LABEL version="1.0.0"
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV container=docker
+
+# VNC/noVNC settings
+ENV DISPLAY=:1
+ENV VNC_PORT=5901
+ENV NOVNC_PORT=6092
+
+# Python/Playwright settings
+ENV VIRTUAL_ENV=/opt/venv
+ENV PATH=/opt/venv/bin:$PATH
+ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    # Core tools
+    openconnect \
+    vpnc-scripts \
+    iptables \
+    iproute2 \
+    iputils-ping \
+    net-tools \
+    procps \
+    curl \
+    nano \
+    ca-certificates \
+    # Python
+    python3 \
+    python3-pip \
+    python3-venv \
+    # VNC/noVNC
+    tigervnc-standalone-server \
+    tigervnc-common \
+    novnc \
+    websockify \
+    x11vnc \
+    xvfb \
+    # Window manager & terminal
+    openbox \
+    fluxbox \
+    xterm \
+    # Automation tools
+    xdotool \
+    xclip \
+    oathtool \
+    # X11/GUI dependencies for browser
+    dbus \
+    dbus-x11 \
+    libgtk-3-0 \
+    libglib2.0-0 \
+    libnss3 \
+    libatk1.0-0 \
+    libatk-bridge2.0-0 \
+    libx11-6 \
+    libx11-xcb1 \
+    libxcomposite1 \
+    libxrandr2 \
+    libgbm1 \
+    libxdamage1 \
+    libpango-1.0-0 \
+    libxkbcommon0 \
+    libxkbcommon-x11-0 \
+    fonts-liberation \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create Python venv and install openconnect-sso with all dependencies
+RUN python3 -m venv "$VIRTUAL_ENV" && \
+    pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir \
+        'openconnect-sso[full]' \
+        playwright \
+        keyring \
+        keyrings.alt
+
+# Install Playwright browser (Chromium)
+RUN python -m playwright install --with-deps chromium
+
+# Create directories
+RUN mkdir -p /opt/scripts
+
+# VNC startup script (base64 encoded)
+RUN echo 'IyEvYmluL2Jhc2gKc2V0IC1lCmV4cG9ydCBIT01FPScvcm9vdCcKZXhwb3J0IFVTRVI9J3Jvb3QnCnJtIC1mIC90bXAvLlAxLWxvY2sgL3RtcC8uWDExLXVuaXgvWDEgMj4vZGV2L251bGwgfHwgdHJ1ZQpybSAtcmYgL3RtcC8uWCotbG9jayAvdG1wLy5YMTQtdW5peC8qIDI+L2Rldi9udWxsIHx8IHRydWUKZWNobyAiU3RhcnRpbmcgVGlnZXJWTkMgc2VydmVyIG9uIGRpc3BsYXkgOjEuLi4iCnZuY3NlcnZlciA6MSAtZ2VvbWV0cnkgMTI4MHg4MDAgLWRlcHRoIDI0IC1TZWN1cml0eVR5cGVzIFZuY0F1dGggLWxvY2FsaG9zdCBubwpzbGVlcCAyCmVjaG8gIlN0YXJ0aW5nIG5vVk5DIG9uIHBvcnQgJHtOT1ZOQ19QT1JUOi02MDkyfS4uLiIKd2Vic29ja2lmeSAtLXdlYj0vdXNyL3NoYXJlL25vdm5jLyAke05PVk5DX1BPUlQ6LTYwOTJ9IGxvY2FsaG9zdDoke1ZOQ19QT1JUOi01OTAxfSAmCnRhaWwgLWYgL3Jvb3QvLnZuYy8qLmxvZwo=' \
+    | base64 -d > /opt/scripts/startup-vnc.sh && \
+    chmod +x /opt/scripts/startup-vnc.sh
+
+# Copy entrypoint script
+COPY scripts/entrypoint.sh /opt/scripts/
+RUN chmod +x /opt/scripts/entrypoint.sh
+
+EXPOSE "$VNC_PORT" "$NOVNC_PORT"
+
+CMD ["/opt/scripts/entrypoint.sh"]

apps/cistech-tunnel/build/README.md

@@ -0,0 +1,67 @@
+# Cistech Tunnel - Build Files
+
+This directory contains the Dockerfile and scripts to build the OpenConnect-SSO VPN Docker image.
+
+## Files
+
+- `Dockerfile` - Docker image definition (Ubuntu 22.04 + openconnect-sso + noVNC)
+- `build.sh` - Build and push script
+- `scripts/entrypoint.sh` - Container entrypoint
+
+## Building
+
+```bash
+cd /etc/runtipi/repos/runtipi/apps/cistech-tunnel/build
+./build.sh
+```
+
+This builds and pushes to `git.alexzaw.dev/alexz/openconnect-vpn:latest`
+
+To build without pushing:
+```bash
+docker build -t git.alexzaw.dev/alexz/openconnect-vpn:latest .
+```
+
+## What's in the image
+
+The Dockerfile creates an image with:
+- Ubuntu 22.04
+- openconnect + openconnect-sso[full] (Python)
+- Playwright Chromium browser (for SSO authentication)
+- TigerVNC server + noVNC (web-based VNC)
+- Tools: oathtool (TOTP), openbox, xterm
+
+### Scripts (baked in)
+- `/opt/scripts/startup-vnc.sh` - Starts VNC server and noVNC
+- `/opt/scripts/entrypoint.sh` - Container entrypoint (DNS fix, IP forwarding, config generation)
+
+## Runtime mounts (from shared/)
+
+When running as cistech-tunnel app, these are mounted from `shared/`:
+- `/shared/openconnect-vpn` - Main VPN connection script
+- `/shared/xstartup` -> `/root/.vnc/xstartup` - VNC session startup
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `VPN_EMAIL` | Email/username for SSO login |
+| `VPN_PASSWORD` | Password for SSO login |
+| `VPN_TOTP_SECRET` | TOTP secret for 2FA (base32) |
+| `VPN_HOST` | VPN server URL (e.g., `https://vpn.example.com/Group`) |
+| `TARGET_IP` | Target IP for connectivity testing |
+| `VNC_PASSWORD` | VNC access password |
+
+## Ports
+
+- `5901` - VNC server
+- `6092` - noVNC web interface
+
+## How it works
+
+1. Container starts, generates openconnect-sso config from env vars
+2. VNC server starts with noVNC web interface
+3. xterm launches with the `openconnect-vpn` script
+4. Script sets up keyring with credentials (password + TOTP)
+5. openconnect-sso handles SSO authentication via hidden browser
+6. VPN connects and IP forwarding/NAT is configured

apps/cistech-tunnel/build/build.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# Build and push the OpenConnect-SSO VPN Docker image
+# Run this from the build directory
+
+set -euo pipefail
+
+IMAGE_NAME="${IMAGE_NAME:-git.alexzaw.dev/alexz/openconnect-vpn}"
+IMAGE_TAG="${IMAGE_TAG:-latest}"
+
+echo "Building ${IMAGE_NAME}:${IMAGE_TAG}..."
+
+docker build "$@" -t "${IMAGE_NAME}:${IMAGE_TAG}" .
+docker push "${IMAGE_NAME}:${IMAGE_TAG}"
+
+echo ""
+echo "Build complete!"
+echo ""
+echo "To test locally:"
+echo "  docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -p 5901:5901 -p 6092:6092 -e VNC_PASSWORD=changeme -e VPN_HOST=https://vpn.example.com -e VPN_EMAIL=user@example.com ${IMAGE_NAME}:${IMAGE_TAG}"
+echo ""
+echo "Then connect via VNC to localhost:5901 or open noVNC at http://localhost:6092/vnc.html"
+echo ""

apps/cistech-tunnel/build/scripts/entrypoint.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+# Entrypoint: VNC password setup + DNS fix + start VNC
+
+set -euo pipefail
+
+# Setup TigerVNC password file from env var (passed by runtipi)
+if [ -n "${VNC_PASSWORD:-}" ]; then
+    mkdir -p /root/.vnc
+    printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
+    chmod 600 /root/.vnc/passwd
+fi
+
+# DNS fix - unmount Docker's read-only mounts
+cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
+cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
+umount /etc/resolv.conf 2>/dev/null || true
+umount /etc/hosts 2>/dev/null || true
+cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
+cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
+
+# Enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "[entrypoint] IP forwarding enabled"
+
+# Generate openconnect-sso config from environment variables
+mkdir -p /root/.config/openconnect-sso
+cat > /root/.config/openconnect-sso/config.toml << EOF
+on_disconnect = ""
+
+[default_profile]
+address = "${VPN_HOST:-}"
+user_group = ""
+name = ""
+
+[credentials]
+username = "${VPN_EMAIL:-}"
+
+[auto_fill_rules]
+[[auto_fill_rules."https://*"]]
+selector = "div[id=passwordError]"
+action = "stop"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[type=email]"
+fill = "username"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[name=passwd]"
+fill = "password"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[data-report-event=Signin_Submit]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "div[data-value=PhoneAppOTP]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "a[id=signInAnotherWay]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[id=idTxtBx_SAOTCC_OTC]"
+fill = "totp"
+EOF
+echo "[entrypoint] openconnect-sso config generated"
+
+# Start VNC server
+exec /opt/scripts/startup-vnc.sh