nas-samba: configurable admin user (uses SMB_PASSWORD)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/renovate.yml

@@ -1,45 +0,0 @@
-name: Renovate
-on:
-  workflow_dispatch:
-    inputs:
-      log_level:
-        type: choice
-        description: Log level
-        default: INFO
-        options:
-          - DEBUG
-          - INFO
-          - WARN
-          - ERROR
-          - FATAL
-  schedule:
-    - cron: 0 2 * * *
-
-jobs:
-  renovate:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install node
-        uses: actions/setup-node@v4
-        with:
-          node-version: "22"
-
-      - name: Install bun
-        uses: oven-sh/setup-bun@v2
-
-      - name: Cache Bun global packages
-        uses: actions/cache@v4
-        with:
-          path: ~/.bun/install/global
-          key: ${{ runner.os }}-bun-global-renovate-40
-          restore-keys: |
-            ${{ runner.os }}-bun-global-
-
-      - name: Install Renovate
-        run: bun install -g renovate@40
-
-      - name: Run renovate
-        run: LOG_LEVEL=${{ github.event.inputs.log_level || 'INFO' }} renovate --token ${{ secrets.GITHUB_TOKEN }} ${{ github.repository }}

.github/workflows/test.yml

@@ -1,23 +0,0 @@
-name: Test
-
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
-
-      - name: Install dependencies
-        run: bun install
-
-      - name: Run tests
-        run: bun test

apps/cfddns/config.json

@@ -0,0 +1,65 @@
+{
+  "$schema": "../app-info-schema.json",
+  "name": "Cloudflare DDNS",
+  "id": "cfddns",
+  "available": true,
+  "exposable": false,
+  "dynamic_config": true,
+  "no_gui": true,
+  "tipi_version": 7,
+  "version": "latest",
+  "categories": [
+    "network",
+    "utilities"
+  ],
+  "description": "Automatically update Cloudflare DNS records with your current public IP. Supports multiple domains, IPv4/IPv6, and proxy toggle.",
+  "short_desc": "Dynamic DNS updater for Cloudflare",
+  "author": "favonia",
+  "source": "https://github.com/favonia/cloudflare-ddns",
+  "form_fields": [
+    {
+      "type": "password",
+      "label": "Cloudflare API Token",
+      "env_variable": "CLOUDFLARE_API_TOKEN",
+      "required": true,
+      "hint": "API token with DNS edit permissions"
+    },
+    {
+      "type": "text",
+      "label": "Domains (comma-separated)",
+      "env_variable": "DOMAINS",
+      "required": true,
+      "hint": "e.g. home.example.com,vpn.example.com"
+    },
+    {
+      "type": "boolean",
+      "label": "Proxied (Orange Cloud)",
+      "env_variable": "PROXIED",
+      "required": false,
+      "default": false
+    },
+    {
+      "type": "text",
+      "label": "Update Schedule",
+      "env_variable": "UPDATE_CRON",
+      "required": false,
+      "default": "@every 5m",
+      "hint": "Cron expression or @every Xm"
+    },
+    {
+      "type": "text",
+      "label": "Timezone",
+      "env_variable": "TZ",
+      "required": false,
+      "default": "UTC"
+    }
+  ],
+  "supported_architectures": [
+    "arm64",
+    "amd64"
+  ],
+  "created_at": 1736974800000,
+  "updated_at": 1736974800000,
+  "deprecated": false,
+  "min_tipi_version": "4.5.0"
+}

apps/cfddns/docker-compose.json

@@ -0,0 +1,33 @@
+{
+  "schemaVersion": 2,
+  "$schema": "https://schemas.runtipi.io/dynamic-compose.json",
+  "services": [
+    {
+      "name": "cfddns",
+      "image": "favonia/cloudflare-ddns:latest",
+      "isMain": true,
+      "environment": [
+        {
+          "key": "CLOUDFLARE_API_TOKEN",
+          "value": "${CLOUDFLARE_API_TOKEN}"
+        },
+        {
+          "key": "DOMAINS",
+          "value": "${DOMAINS}"
+        },
+        {
+          "key": "PROXIED",
+          "value": "${PROXIED:-false}"
+        },
+        {
+          "key": "UPDATE_CRON",
+          "value": "${UPDATE_CRON:-@every 5m}"
+        },
+        {
+          "key": "TZ",
+          "value": "${TZ:-UTC}"
+        }
+      ]
+    }
+  ]
+}

apps/cistech-tunnel/.env.example

@@ -1,11 +0,0 @@
-# Required
-OC_URL=https://vpn.cistech.net/Employees
-OC_SERVERCERT=pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0=
-
-# Optional
-OC_AUTHGROUP=
-OC_SSO_ARGS=--browser-display-mode shown
-VNC_PASSWORD=vpnSSO12
-NOVNC_PORT=6901
-PUBLISH_ADDR=0.0.0.0
-SSH_KEY_PATH=/home/alexz/.ssh/id_ed25519-lenovo

apps/cistech-tunnel/README.md

@@ -1,42 +0,0 @@
-# Cistech Tunnel
-
-OpenConnect-SSO VPN client running in a container with noVNC for browser-based access.
-
-## Features
-
-- **OpenConnect-SSO**: Cisco AnyConnect VPN with SSO/SAML authentication
-- **TOTP Support**: Automatic 2FA via keyring integration
-- **Auto-reconnect**: Automatically reconnects on disconnection
-- **noVNC**: Browser-based VNC access on port 6902
-- **NAT/Masquerade**: Routes traffic through VPN tunnel
-- **Cloudflared**: Optional Cloudflare tunnel support
-- **SSH Tunnels**: Optional SSH port forwarding
-
-## Runtipi Installation
-
-1. Install from the app store or custom repo
-2. Configure the required environment variables
-3. Start the app via Runtipi dashboard
-
-## First-time SSO Login
-
-1. Open noVNC at `http://<host>:6902`
-2. Enter VNC password
-3. Complete SSO login in the browser window
-4. VPN will connect and auto-reconnect on disconnect
-
-## Source Files
-
-- `source/Dockerfile`: Container build file
-- `source/entrypoint.sh`: Container entrypoint with auto-reconnect
-
-## Environment Variables
-
-| Variable | Required | Description |
-|----------|----------|-------------|
-| OC_URL | Yes | VPN server URL |
-| OC_SERVERCERT | Yes | Server certificate pin |
-| OC_USER | No | Username (enables hidden browser mode) |
-| VNC_PASSWORD | Yes | noVNC access password |
-| OC_TOTP_SECRET | No | TOTP secret for auto 2FA |
-| NOVNC_PORT | No | noVNC port (default: 6901) |

apps/cistech-tunnel/build/.gitignore

@@ -0,0 +1,2 @@
+# Large binary files - track tar.gz but not 7z
+*.7z

apps/cistech-tunnel/build/Dockerfile

@@ -0,0 +1,110 @@
+FROM ubuntu:22.04
+
+LABEL maintainer="alexz"
+LABEL description="OpenConnect-SSO VPN in Docker with noVNC"
+LABEL version="1.0.0"
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV container=docker
+
+# VNC/noVNC settings
+ENV DISPLAY=:1
+ENV VNC_PORT=5901
+ENV NOVNC_PORT=6092
+
+# Python/Playwright settings
+ENV VIRTUAL_ENV=/opt/venv
+ENV PATH=/opt/venv/bin:$PATH
+ENV PLAYWRIGHT_BROWSERS_PATH=/ms-playwright
+
+# Install system dependencies
+RUN apt-get update && apt-get install -y \
+    # Core tools
+    openconnect \
+    vpnc-scripts \
+    iptables \
+    iproute2 \
+    iputils-ping \
+    net-tools \
+    procps \
+    curl \
+    nano \
+    ca-certificates \
+    # Python
+    python3 \
+    python3-pip \
+    python3-venv \
+    # VNC/noVNC (novnc installed from GitHub below)
+    tigervnc-standalone-server \
+    tigervnc-common \
+    websockify \
+    x11vnc \
+    xvfb \
+    # Window manager & terminal
+    openbox \
+    fluxbox \
+    xterm \
+    # Automation tools
+    xdotool \
+    xclip \
+    oathtool \
+    # X11/GUI dependencies for browser
+    dbus \
+    dbus-x11 \
+    libgtk-3-0 \
+    libglib2.0-0 \
+    libnss3 \
+    libatk1.0-0 \
+    libatk-bridge2.0-0 \
+    libx11-6 \
+    libx11-xcb1 \
+    libxcomposite1 \
+    libxrandr2 \
+    libgbm1 \
+    libxdamage1 \
+    libpango-1.0-0 \
+    libxkbcommon0 \
+    libxkbcommon-x11-0 \
+    fonts-liberation \
+    # EGL/GL for PyQt6 WebEngine + software rendering
+    libegl1 \
+    libgl1 \
+    libopengl0 \
+    libdbus-1-3 \
+    mesa-utils \
+    libgl1-mesa-dri \
+    # XCB libraries for Qt6 (complete set)
+    libxcb1 \
+    libxcb-cursor0 \
+    libxcb-icccm4 \
+    libxcb-image0 \
+    libxcb-keysyms1 \
+    libxcb-render0 \
+    libxcb-render-util0 \
+    libxcb-shm0 \
+    libxcb-xfixes0 \
+    libxcb-xinerama0 \
+    libxcb-randr0 \
+    libxcb-glx0 \
+    libxcb-shape0 \
+    # sudo needed for openconnect-sso
+    sudo \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install noVNC from GitHub (v1.4.0 - stable release with ES6 modules)
+RUN curl -fsSL https://github.com/novnc/noVNC/archive/refs/tags/v1.4.0.tar.gz | tar -xz -C /usr/share/ \
+    && mv /usr/share/noVNC-1.4.0 /usr/share/novnc \
+    && ln -sf /usr/share/novnc/vnc.html /usr/share/novnc/index.html
+
+# Create Python venv and install openconnect-sso with all dependencies
+RUN python3 -m venv "$VIRTUAL_ENV" && \
+    pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir \
+        'openconnect-sso[full]' \
+        playwright \
+        keyring \
+        keyrings.alt
+
+# Install Playwright browser (Chromium)
+RUN python -m playwright install --with-deps chromium

apps/cistech-tunnel/build/README.md

@@ -0,0 +1,67 @@
+# Cistech Tunnel - Build Files
+
+This directory contains the Dockerfile and scripts to build the OpenConnect-SSO VPN Docker image.
+
+## Files
+
+- `Dockerfile` - Docker image definition (Ubuntu 22.04 + openconnect-sso + noVNC)
+- `build.sh` - Build and push script
+- `scripts/entrypoint.sh` - Container entrypoint
+
+## Building
+
+```bash
+cd /etc/runtipi/repos/runtipi/apps/cistech-tunnel/build
+./build.sh
+```
+
+This builds and pushes to `git.alexzaw.dev/alexz/openconnect-vpn:latest`
+
+To build without pushing:
+```bash
+docker build -t git.alexzaw.dev/alexz/openconnect-vpn:latest .
+```
+
+## What's in the image
+
+The Dockerfile creates an image with:
+- Ubuntu 22.04
+- openconnect + openconnect-sso[full] (Python)
+- Playwright Chromium browser (for SSO authentication)
+- TigerVNC server + noVNC (web-based VNC)
+- Tools: oathtool (TOTP), openbox, xterm
+
+### Scripts (baked in)
+- `/opt/scripts/startup-vnc.sh` - Starts VNC server and noVNC
+- `/opt/scripts/entrypoint.sh` - Container entrypoint (DNS fix, IP forwarding, config generation)
+
+## Runtime mounts (from shared/)
+
+When running as cistech-tunnel app, these are mounted from `shared/`:
+- `/shared/openconnect-vpn` - Main VPN connection script
+- `/shared/xstartup` -> `/root/.vnc/xstartup` - VNC session startup
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `VPN_EMAIL` | Email/username for SSO login |
+| `VPN_PASSWORD` | Password for SSO login |
+| `VPN_TOTP_SECRET` | TOTP secret for 2FA (base32) |
+| `VPN_HOST` | VPN server URL (e.g., `https://vpn.example.com/Group`) |
+| `TARGET_IP` | Target IP for connectivity testing |
+| `VNC_PASSWORD` | VNC access password |
+
+## Ports
+
+- `5901` - VNC server
+- `6092` - noVNC web interface
+
+## How it works
+
+1. Container starts, generates openconnect-sso config from env vars
+2. VNC server starts with noVNC web interface
+3. xterm launches with the `openconnect-vpn` script
+4. Script sets up keyring with credentials (password + TOTP)
+5. openconnect-sso handles SSO authentication via hidden browser
+6. VPN connects and IP forwarding/NAT is configured

apps/cistech-tunnel/build/build.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# Build and push the OpenConnect-SSO VPN Docker image
+# Run this from the build directory
+
+set -euo pipefail
+
+IMAGE_NAME="${IMAGE_NAME:-git.alexzaw.dev/alexz/openconnect-vpn}"
+IMAGE_TAG="${IMAGE_TAG:-latest}"
+
+echo "Building ${IMAGE_NAME}:${IMAGE_TAG}..."
+
+docker build "$@" -t "${IMAGE_NAME}:${IMAGE_TAG}" .
+docker push "${IMAGE_NAME}:${IMAGE_TAG}"
+
+echo ""
+echo "Build complete!"
+echo ""
+echo "To test locally:"
+echo "  docker run -d --cap-add=NET_ADMIN --device=/dev/net/tun -p 5901:5901 -p 6092:6092 -e VNC_PASSWORD=changeme -e VPN_HOST=https://vpn.example.com -e VPN_EMAIL=user@example.com ${IMAGE_NAME}:${IMAGE_TAG}"
+echo ""
+echo "Then connect via VNC to localhost:5901 or open noVNC at http://localhost:6092/vnc.html"
+echo ""

apps/cistech-tunnel/config.json

@@ -1,53 +1,76 @@
 {
-    "name": "Cistech Tunnel",
-    "id": "cistech-tunnel",
-    "available": true,
-    "short_desc": "Cistech VPN client container with noVNC.",
-    "author": "alexz",
-    "port": 6902,
-    "categories": [
-        "utilities",
-        "network"
-    ],
-    "description": "OpenConnect-SSO VPN running in an isolated namespace with noVNC for first-time SSO reconnects.",
-    "tipi_version": 1,
-    "version": "latest",
-    "source": "local",
-    "exposable": true,
-    "dynamic_config": true,
-    "no_gui": false,
-    "form_fields": [
-        {
-            "label": "VPN URL",
-            "type": "text",
-            "env_variable": "OC_URL",
-            "required": true,
-            "default": "https://vpn.cistech.net/Employees"
-        },
-        {
-            "label": "VNC Password",
-            "type": "password",
-            "env_variable": "VNC_PASSWORD",
-            "required": true,
-            "default": "Az@83278327$$@@"
-        },
-        {
-            "label": "Server Certificate",
-            "type": "text",
-            "env_variable": "OC_SERVERCERT",
-            "required": true,
-            "default": "pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0="
-        },
-        {
-            "label": "Username",
-            "type": "text",
-            "env_variable": "OC_USER",
-            "required": true,
-            "default": "alex.zaw@cistech.net"
-        }
-    ],
-    "supported_architectures": [
-        "arm64",
-        "amd64"
-    ]
+  "name": "cistech Tunnel",
+  "available": true,
+  "port": 6092,
+  "exposable": true,
+  "dynamic_config": true,
+  "id": "cistech-tunnel",
+  "description": "openconnect-sso in Docker with noVNC web UI for accessing cistech environments. Native Docker - no VM overhead.",
+  "tipi_version": 7,
+  "version": "5.1.14.145",
+  "categories": [
+    "utilities"
+  ],
+  "short_desc": "openconnect-sso VPN tunnel to cistech environments (native Docker)",
+  "author": "alexz",
+  "source": "https://git.alexzaw.dev/alexz/runtipi",
+  "form_fields": [
+    {
+      "type": "email",
+      "label": "VPN Email",
+      "hint": "Email address for VPN SSO login (configured in /shared/openconnect-vpn script)",
+      "placeholder": "your-email@company.com",
+      "required": false,
+      "env_variable": "VPN_EMAIL",
+      "default": ""
+    },
+    {
+      "type": "password",
+      "label": "VPN Password",
+      "hint": "Password for VPN SSO login (configured in /shared/openconnect-vpn script)",
+      "placeholder": "",
+      "required": false,
+      "env_variable": "VPN_PASSWORD",
+      "default": ""
+    },
+    {
+      "type": "text",
+      "label": "TOTP Secret",
+      "hint": "Base32 TOTP secret for 2FA (configured in /shared/openconnect-vpn script)",
+      "placeholder": "",
+      "required": false,
+      "env_variable": "VPN_TOTP_SECRET",
+      "default": ""
+    },
+    {
+      "type": "text",
+      "label": "VPN Host",
+      "hint": "VPN server hostname",
+      "placeholder": "vpn.company.com",
+      "required": false,
+      "env_variable": "VPN_HOST",
+      "default": "vpn.cistech.net/Employees"
+    },
+    {
+      "type": "text",
+      "label": "Target IP",
+      "hint": "IP address to route through VPN (e.g., IBM i server)",
+      "placeholder": "10.3.1.201",
+      "required": false,
+      "env_variable": "TARGET_IP",
+      "default": "10.3.1.201"
+    },
+    {
+      "type": "password",
+      "label": "VNC Password",
+      "hint": "Password for noVNC web interface",
+      "placeholder": "cisco123",
+      "required": false,
+      "env_variable": "VNC_PASSWORD",
+      "default": ""
+    }
+  ],
+  "supported_architectures": [
+    "amd64"
+  ]
 }

apps/cistech-tunnel/docker-compose.json

@@ -1,23 +1,74 @@
 {
+  "schemaVersion": 2,
   "services": [
     {
       "name": "cistech-tunnel",
-      "image": "cistech-vpn:latest",
-      "isMain": true,
-      "internalPort": 6902,
-      "privileged": true,
-      "capAdd": ["NET_ADMIN"],
-      "devices": ["/dev/net/tun:/dev/net/tun"],
-      "environment": {
-        "OC_URL": "${OC_URL}",
-        "OC_SERVERCERT": "${OC_SERVERCERT}",
-        "OC_USER": "${OC_USER}",
-        "VNC_PASSWORD": "${VNC_PASSWORD}",
-        "NOVNC_PORT": "6902"
-      },
+      "image": "git.alexzaw.dev/alexz/openconnect-vpn:latest",
+      "environment": [
+        {
+          "key": "VPN_EMAIL",
+          "value": "${VPN_EMAIL}"
+        },
+        {
+          "key": "VPN_PASSWORD",
+          "value": "${VPN_PASSWORD}"
+        },
+        {
+          "key": "VPN_TOTP_SECRET",
+          "value": "${VPN_TOTP_SECRET}"
+        },
+        {
+          "key": "VPN_HOST",
+          "value": "${VPN_HOST}"
+        },
+        {
+          "key": "VNC_PASSWORD",
+          "value": "${VNC_PASSWORD}"
+        },
+        {
+          "key": "TZ",
+          "value": "${TZ}"
+        },
+        {
+          "key": "TARGET_IP",
+          "value": "${TARGET_IP}"
+        }
+      ],
+      "internalPort": 6092,
       "volumes": [
-        { "hostPath": "${APP_DATA_DIR}/data", "containerPath": "/root" }
-      ]
+        {
+          "hostPath": "${APP_DATA_DIR}/config",
+          "containerPath": "/config",
+          "readOnly": false
+        },
+        {
+          "hostPath": "${APP_DATA_DIR}",
+          "containerPath": "/runtime",
+          "readOnly": false
+        },
+        {
+          "hostPath": "/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared",
+          "containerPath": "/shared",
+          "readOnly": false
+        },
+        {
+          "hostPath": "/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/xstartup",
+          "containerPath": "/root/.vnc/xstartup",
+          "readOnly": true
+        }
+      ],
+      "stopGracePeriod": "30s",
+      "devices": [
+        "/dev/net/tun"
+      ],
+      "privileged": true,
+      "capAdd": [
+        "NET_ADMIN"
+      ],
+      "isMain": true,
+      "extraLabels": {
+        "runtipi.managed": true
+      }
     }
   ]
 }

apps/cistech-tunnel/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   cistech-tunnel:
-    image: cistech-vpn:latest
+    image: git.alexzaw.dev/alexz/openconnect-vpn:latest
     restart: unless-stopped
     networks:
       cistech-tunnel_runtipi_network:
@@ -8,21 +8,26 @@ services:
       tipi_main_network:
         gw_priority: 1
     environment:
-      OC_URL: ${OC_URL}
-      OC_SERVERCERT: ${OC_SERVERCERT}
-      OC_USER: ${OC_USER}
+      VPN_EMAIL: ${VPN_EMAIL}
+      VPN_PASSWORD: ${VPN_PASSWORD}
+      VPN_TOTP_SECRET: ${VPN_TOTP_SECRET}
+      VPN_HOST: ${VPN_HOST}
       VNC_PASSWORD: ${VNC_PASSWORD}
-      NOVNC_PORT: "6902"
+      TZ: ${TZ}
+      TARGET_IP: ${TARGET_IP}
     ports:
-      - ${APP_PORT}:6902
+      - ${APP_PORT}:6092
     volumes:
-      - ${APP_DATA_DIR}/data:/root
+      - ${APP_DATA_DIR}/config:/config
+      - ${APP_DATA_DIR}:/runtime
+      - /etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared:/shared
+      - /etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/xstartup:/root/.vnc/xstartup:ro
     labels:
       generated: true
       traefik.enable: true
       traefik.docker.network: runtipi_tipi_main_network
       traefik.http.middlewares.cistech-tunnel-runtipi-web-redirect.redirectscheme.scheme: https
-      traefik.http.services.cistech-tunnel-runtipi.loadbalancer.server.port: "6902"
+      traefik.http.services.cistech-tunnel-runtipi.loadbalancer.server.port: "6092"
       traefik.http.routers.cistech-tunnel-runtipi-insecure.rule: Host(`${APP_DOMAIN}`)
       traefik.http.routers.cistech-tunnel-runtipi-insecure.entrypoints: web
       traefik.http.routers.cistech-tunnel-runtipi-insecure.service: cistech-tunnel-runtipi
@@ -32,3 +37,10 @@ services:
       traefik.http.routers.cistech-tunnel-runtipi.service: cistech-tunnel-runtipi
       traefik.http.routers.cistech-tunnel-runtipi.tls.certresolver: myresolver
       runtipi.managed: true
+      runtipi.appurn: cistech-tunnel:runtipi
+    cap_add:
+      - NET_ADMIN
+    devices:
+      - /dev/net/tun
+    privileged: true
+    stop_grace_period: 30s

apps/cistech-tunnel/metadata/description.md

@@ -1,20 +1,147 @@
-# Dockerized OpenConnect-SSO with noVNC and Cloudflared
+# Cistech Tunnel - OpenConnect-SSO VPN
 
-## Setup
-1) Copy `.env.example` to `.env` and fill values (URLs, servercert pins, VNC passwords, cloudflared tokens).
+Docker container running OpenConnect-SSO for Cisco AnyConnect VPN with SSO/SAML authentication support via noVNC. Provides transparent VPN access to protected resources from your LAN.
 
-2) First-time SSO: leave `OC_SSO_ARGS_*=--browser-display-mode visible`.
+## Features
 
-3) Build and start:
-   docker compose build
-   docker compose up -d vpn_a
-   # Open http://localhost:6901, complete SSO.
-   # After success, attach app containers or start cloudflared_a.
+- **OpenConnect-SSO** - Handles SAML/SSO authentication automatically
+- **Playwright browser** - Headless Chromium for SSO login
+- **Web-based access** via noVNC (port 6092)
+- **Auto-login with TOTP** - Credentials stored in keyring
+- **LAN routing** - Other machines on your network can reach VPN targets
+- **Lightweight** - No systemd, no Cisco bloat
 
-4) Optional: switch to headless after first login:
-   Set `OC_SSO_ARGS_*=--browser-display-mode hidden` (or `headless`) and restart the vpn service.
+## Architecture
 
-## Notes
-- Each VPN runs in its own net namespace; routes from one cannot affect the other or the host.
-- DNS from the VPN applies within its container namespace and attached services only.
-- Persisted state lives in the named volumes mounted at `/root` (Playwright cache, configs).
+```
+LAN Devices ──► Linux Host ──► Container (172.30.0.10) ──► VPN Tunnel ──► Target
+                   │                    │
+                   │                    └── openconnect-sso + openconnect
+                   │                    └── noVNC web UI (port 6092)
+                   │
+                   └── Host routing service
+                       (routes VPN traffic through container)
+```
+
+## Installation
+
+### 1. Install the app through Runtipi
+
+Configure your VPN credentials in app settings:
+- VPN Email
+- VPN Password
+- TOTP Secret (base32)
+- VPN Host (e.g., `https://vpn.cistech.net/Employees`)
+- Target IP (for connectivity testing)
+
+### 2. Install host routing service (required for LAN access)
+
+**Run this ONCE on the host after app install:**
+
+```bash
+/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/install-host-services.sh
+```
+
+This creates systemd services that route VPN traffic through the container.
+
+### 3. Access the VPN GUI
+
+Open `http://<your-server>:6092/vnc.html`
+
+The VPN will auto-connect using your configured credentials.
+
+## Usage
+
+### Access noVNC
+
+Navigate to port 6092 on your server. The openconnect-vpn script runs automatically and provides a menu:
+
+```
+1 - Connect VPN
+2 - Disconnect VPN
+3 - Show VPN status
+4 - Setup IP forwarding
+5 - Test connection
+6 - Show network status
+7 - Show routing table
+8 - Setup keyring
+q - Quit
+```
+
+### Command line options
+
+```bash
+# Inside container
+openconnect-vpn -c          # Connect and exit
+openconnect-vpn -d          # Disconnect and exit
+openconnect-vpn -s          # Show status
+openconnect-vpn --help      # Show all options
+```
+
+### View logs
+
+```bash
+# Inside container
+cat /var/log/openconnect-vpn/$(date +%Y-%m-%d).log
+
+# On host
+cat /var/log/cistech-routing.log
+```
+
+## LAN Access
+
+After the host routing service is installed, any device on your LAN can reach the VPN target:
+
+1. **From the host:** Works automatically
+2. **From other LAN devices:** Add a static route pointing to your host
+
+Example (Windows client):
+```cmd
+route add 10.3.1.0 mask 255.255.255.0 192.168.0.150 -p
+```
+
+Where `192.168.0.150` is your Linux host IP.
+
+## Uninstall
+
+Before removing the app from Runtipi:
+
+```bash
+/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/uninstall-host-services.sh
+```
+
+## Troubleshooting
+
+### VPN not connecting
+```bash
+# Check logs
+docker exec cistech-tunnel cat /var/log/openconnect-vpn/$(date +%Y-%m-%d).log
+
+# Try manual connect
+docker exec -it cistech-tunnel /shared/openconnect-vpn -c
+```
+
+### VPN connects but can't reach target
+```bash
+# Check routes inside container
+docker exec cistech-tunnel ip route
+
+# Check host routing
+ip route | grep <target-ip>
+```
+
+### Host routing not working
+```bash
+# Check watcher service
+systemctl status cistech-routing-watcher.path
+
+# Manually trigger routing
+touch /etc/runtipi/app-data/runtipi/cistech-tunnel/restart-routing
+```
+
+## Technical Details
+
+- **Container IP:** 172.30.0.10 (on br-cistech-vpn bridge)
+- **Ports:** 6092 (noVNC), 5901 (VNC)
+- **Capabilities:** `NET_ADMIN`, `/dev/net/tun`
+- **Log retention:** 7 days (auto-cleanup)

apps/cistech-tunnel/shared/entrypoint.sh

@@ -0,0 +1,83 @@
+#!/bin/bash
+# Entrypoint: VNC password setup + DNS fix + start VNC
+
+set -euo pipefail
+
+# Force software rendering (no GPU/OpenGL)
+export QT_QUICK_BACKEND=software
+export LIBGL_ALWAYS_SOFTWARE=1
+export GALLIUM_DRIVER=llvmpipe
+export MESA_GL_VERSION_OVERRIDE=3.3
+
+# Qt/Chromium flags for running as root
+export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu --use-gl=swiftshader"
+export QTWEBENGINE_DISABLE_SANDBOX=1
+
+# Ensure all shared scripts are executable (permissions may reset after git pull/appstore update)
+chmod +x /shared/*.sh /shared/openconnect-vpn /root/.vnc/xstartup 2>/dev/null || true
+
+# Setup TigerVNC password file from env var (passed by runtipi)
+if [ -n "${VNC_PASSWORD:-}" ]; then
+    mkdir -p /root/.vnc
+    printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
+    chmod 600 /root/.vnc/passwd
+fi
+
+# DNS fix - unmount Docker's read-only mounts
+cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
+cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
+umount /etc/resolv.conf 2>/dev/null || true
+umount /etc/hosts 2>/dev/null || true
+cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
+cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
+
+# Enable IP forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "[entrypoint] IP forwarding enabled"
+
+# Generate openconnect-sso config from environment variables
+mkdir -p /root/.config/openconnect-sso
+cat > /root/.config/openconnect-sso/config.toml << EOF
+on_disconnect = ""
+
+[default_profile]
+address = "${VPN_HOST:-}"
+user_group = ""
+name = ""
+
+[credentials]
+username = "${VPN_EMAIL:-}"
+
+[auto_fill_rules]
+[[auto_fill_rules."https://*"]]
+selector = "div[id=passwordError]"
+action = "stop"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[type=email]"
+fill = "username"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[name=passwd]"
+fill = "password"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[data-report-event=Signin_Submit]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "div[data-value=PhoneAppOTP]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "a[id=signInAnotherWay]"
+action = "click"
+
+[[auto_fill_rules."https://*"]]
+selector = "input[id=idTxtBx_SAOTCC_OTC]"
+fill = "totp"
+EOF
+echo "[entrypoint] openconnect-sso config generated"
+
+# Start VNC server
+exec /shared/startup-vnc.sh

apps/cistech-tunnel/shared/host-routing.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+#
+# Host routing script for cistech-tunnel
+# Routes TARGET_IP through the VPN container
+#
+set -euo pipefail
+
+ACTION="${1:-start}"
+
+# Fixed configuration (we assigned these)
+CONTAINER_IP="172.30.0.10"
+BRIDGE_NAME="br-cistech-vpn"
+TARGET_IP="${TARGET_IP:-10.3.1.0}"
+TARGET_SUBNET="$(echo "$TARGET_IP" | cut -d. -f1-3).0/24"
+LAN_SUBNET="192.168.0.0/23"
+LAN_INTERFACES="eth0 eth1 wlan0"
+LOG_FILE="/var/log/cistech-routing.log"
+
+log() {
+    local msg="[$(date '+%Y-%m-%d %H:%M:%S')] [cistech-routing] $*"
+    echo "$msg" | tee -a "$LOG_FILE" >&2
+}
+
+get_lan_interface() {
+    ip route show default | awk '/default/ {for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -1
+}
+
+remove_routes() {
+    log "Removing stale routes for $TARGET_SUBNET..."
+
+    # Remove any existing route to TARGET_SUBNET
+    ip route del "$TARGET_SUBNET" 2>/dev/null || true
+
+    log "Stale routes removed"
+}
+
+apply_routes() {
+    local lan_if
+    lan_if="$(get_lan_interface)"
+
+    log "Applying host routing rules..."
+    log "  Container IP: $CONTAINER_IP"
+    log "  Bridge: $BRIDGE_NAME"
+    log "  Target Subnet: $TARGET_SUBNET"
+    log "  LAN interface: ${lan_if:-unknown}"
+
+    # Enable IP forwarding
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+    log "IP forwarding enabled"
+
+    # Add route to TARGET_SUBNET via container
+    ip route replace "$TARGET_SUBNET" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
+    log "Route added: $TARGET_SUBNET via $CONTAINER_IP dev $BRIDGE_NAME"
+
+    # Allow forwarding in DOCKER-USER chain for all LAN interfaces
+    for lan_if in $LAN_INTERFACES; do
+        # Check if interface exists
+        if ip link show "$lan_if" &>/dev/null; then
+            # Allow traffic from LAN to container for TARGET_SUBNET
+            iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || \
+                iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT
+
+            # Allow return traffic
+            iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
+                iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+            log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
+        fi
+    done
+
+    # Masquerade traffic from LAN subnet to VPN bridge (so return traffic routes correctly)
+    # Use nft since iptables-nft backend doesn't support iptables -t nat commands
+    if ! nft list chain ip nat POSTROUTING 2>/dev/null | grep -q "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade"; then
+        nft add rule ip nat POSTROUTING ip saddr "$LAN_SUBNET" oifname "$BRIDGE_NAME" counter masquerade
+        log "NAT masquerade rule added for $LAN_SUBNET -> $BRIDGE_NAME"
+    else
+        log "NAT masquerade rule already exists for $LAN_SUBNET -> $BRIDGE_NAME"
+    fi
+
+    log "OK: Host routing applied - $TARGET_SUBNET via $CONTAINER_IP ($BRIDGE_NAME)"
+}
+
+remove_all() {
+    log "Removing all routing rules..."
+
+    # Remove route
+    ip route del "$TARGET_SUBNET" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
+
+    # Remove iptables rules for all LAN interfaces
+    for lan_if in $LAN_INTERFACES; do
+        iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
+        iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_SUBNET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+    done
+
+    # Remove masquerade rule (using nft)
+    local handle=""
+    handle=$(nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade" | grep -oP 'handle \K\d+' | head -1 || true)
+    if [ -n "$handle" ]; then
+        nft delete rule ip nat POSTROUTING handle "$handle" 2>/dev/null || true
+    fi
+
+    log "All routing rules removed"
+}
+
+case "$ACTION" in
+    start)
+        remove_routes
+        apply_routes
+        ;;
+    stop)
+        remove_all
+        ;;
+    restart)
+        remove_all
+        sleep 1
+        remove_routes
+        apply_routes
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart}" >&2
+        exit 2
+        ;;
+esac

apps/cistech-tunnel/shared/install-host-services.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# Install host-side systemd services for cistech-tunnel
+# Run this ONCE on the host after installing the app in Runtipi
+#
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+APP_DATA_DIR="/etc/runtipi/app-data/runtipi/cistech-tunnel"
+
+echo "Installing cistech-tunnel host services..."
+
+# Create the path watcher unit
+cat << 'EOF' | sudo tee /etc/systemd/system/cistech-routing-watcher.path
+[Unit]
+Description=Watch for cistech-tunnel routing trigger
+
+[Path]
+PathExists=/etc/runtipi/app-data/runtipi/cistech-tunnel/restart-routing
+Unit=cistech-routing-watcher.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Create the service unit
+cat << EOF | sudo tee /etc/systemd/system/cistech-routing-watcher.service
+[Unit]
+Description=Apply cistech-tunnel routing rules
+After=docker.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash ${SCRIPT_DIR}/host-routing.sh restart
+ExecStartPost=/bin/rm -f ${APP_DATA_DIR}/restart-routing
+ExecStartPost=/bin/bash -c 'echo "trigger cleared at \$(date)" >> ${APP_DATA_DIR}/watcher.log'
+EOF
+
+# Make host-routing.sh executable
+sudo chmod +x "${SCRIPT_DIR}/host-routing.sh"
+
+# Reload systemd and enable the watcher
+sudo systemctl daemon-reload
+sudo systemctl enable --now cistech-routing-watcher.path
+
+echo ""
+echo "Done! Services installed:"
+echo "  - cistech-routing-watcher.path (watches for trigger file)"
+echo "  - cistech-routing-watcher.service (applies routing rules)"
+echo ""
+echo "To check status:"
+echo "  systemctl status cistech-routing-watcher.path"
+echo ""
+echo "To manually trigger routing:"
+echo "  touch ${APP_DATA_DIR}/restart-routing"

apps/cistech-tunnel/shared/openconnect-vpn

@@ -0,0 +1,662 @@
+#!/bin/bash
+
+# Cistech VPN Connection Script with OpenConnect-SSO
+# Usage: ./openconnect-vpn [-c|--connect] [-d|--disconnect] [-m|--menu] [-r|--routes] [-s|--status] [--help]
+#
+# Options:
+#   -c, --connect     Connect to VPN and exit
+#   -d, --disconnect  Disconnect VPN and exit
+#   -m, --menu        Skip auto-connect, show menu directly
+#   -r, --routes      Show routing table and exit
+#   -s, --status      Show VPN status and exit
+#   --help            Show this help message
+
+# Credentials from environment variables (set by runtipi)
+VPN_EMAIL="${VPN_EMAIL:-}"
+VPN_PASSWORD="${VPN_PASSWORD:-}"
+VPN_TOTP_SECRET="${VPN_TOTP_SECRET:-}"
+VPN_HOST="${VPN_HOST:-}"
+TARGET_IP="${TARGET_IP:-10.3.1.201}"
+TARGET_SUBNET="$(echo "$TARGET_IP" | cut -d. -f1-3).0/24"
+VPN_INTERFACE="${VPN_INTERFACE:-tun0}"
+CONTAINER_NETWORK="172.30.0.0/24"
+
+
+# Log directory
+LOG_DIR="/var/log/openconnect-vpn"
+LOG_RETENTION_DAYS=7
+mkdir -p "$LOG_DIR" 2>/dev/null
+
+get_log_file() {
+    echo "$LOG_DIR/$(date '+%Y-%m-%d').log"
+}
+
+cleanup_old_logs() {
+    find "$LOG_DIR" -name "*.log" -type f -mtime +$LOG_RETENTION_DAYS -delete 2>/dev/null
+}
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+GRAY='\033[0;90m'
+NC='\033[0m'
+
+print_banner() {
+    echo -e "${CYAN}========================================${NC}"
+    echo -e "${CYAN}    Cistech VPN Connection Script       ${NC}"
+    echo -e "${CYAN}========================================${NC}"
+    echo ""
+}
+
+# Flags
+SKIP_AUTO_CONNECT=false
+DO_CONNECT=false
+DO_DISCONNECT=false
+
+# Logging
+log() {
+    local level="$1"
+    local msg="$2"
+    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
+    local timestamp_short=$(date '+%H:%M:%S')
+    local log_file=$(get_log_file)
+
+    local msg_plain=$(echo -e "$msg" | sed 's/\x1b\[[0-9;]*m//g')
+    echo "[$timestamp] [$level] $msg_plain" >> "$log_file"
+
+    case $level in
+        INFO)  echo -e "${GRAY}[$timestamp_short]${NC} ${GREEN}[INFO]${NC}  $msg" ;;
+        WARN)  echo -e "${GRAY}[$timestamp_short]${NC} ${YELLOW}[WARN]${NC}  $msg" ;;
+        ERROR) echo -e "${GRAY}[$timestamp_short]${NC} ${RED}[ERROR]${NC} $msg" ;;
+        DEBUG) echo -e "${GRAY}[$timestamp_short]${NC} ${CYAN}[DEBUG]${NC} $msg" ;;
+        CMD)   echo -e "${GRAY}[$timestamp_short]${NC} ${GRAY}[CMD]${NC}   $msg" ;;
+        *)     echo -e "${GRAY}[$timestamp_short]${NC} $msg" ;;
+    esac
+}
+
+run_cmd() {
+    local desc="$1"
+    shift
+    log CMD "$desc: $*"
+    output=$("$@" 2>&1)
+    local rc=$?
+    if [ -n "$output" ]; then
+        echo "$output" | while IFS= read -r line; do
+            echo -e "           ${GRAY}│${NC} $line"
+        done
+    fi
+    return $rc
+}
+
+show_help() {
+    echo -e "${CYAN}Cistech VPN Connection Script${NC}"
+    echo ""
+    echo "Usage: $0 [OPTIONS]"
+    echo ""
+    echo "Options:"
+    echo "  -c, --connect     Connect to VPN and exit"
+    echo "  -d, --disconnect  Disconnect VPN and exit"
+    echo "  -m, --menu        Skip auto-connect, show menu directly"
+    echo "  -r, --routes      Show routing table and exit"
+    echo "  -s, --status      Show VPN status and exit"
+    echo "  --help            Show this help message"
+    echo ""
+    echo "Menu Options:"
+    echo "  1 - Connect VPN"
+    echo "  2 - Disconnect VPN"
+    echo "  3 - Show VPN status"
+    echo "  4 - Setup IP forwarding"
+    echo "  5 - Test connection"
+    echo "  6 - Show network status"
+    echo "  7 - Show routing table"
+    echo "  8 - Show live TOTP"
+    echo "  q - Quit"
+}
+
+# Fetch server certificate fingerprint
+get_server_cert() {
+    local host="$1"
+    local server=$(echo "$host" | sed -E 's|^https?://||; s|/.*$||')
+    [[ "$server" != *:* ]] && server="${server}:443"
+
+    log DEBUG "Fetching server certificate from $server..."
+
+    local cert_pin=$(echo | openssl s_client -connect "$server" 2>/dev/null \
+        | openssl x509 -pubkey -noout 2>/dev/null \
+        | openssl pkey -pubin -outform der 2>/dev/null \
+        | openssl dgst -sha256 -binary \
+        | openssl enc -base64)
+
+    if [[ -n "$cert_pin" ]]; then
+        echo "pin-sha256:${cert_pin}"
+    else
+        log WARN "Could not fetch server certificate"
+        echo ""
+    fi
+}
+
+# Setup keyring with credentials
+setup_keyring() {
+    log INFO "Setting up keyring credentials..."
+
+    if [[ -z "$VPN_EMAIL" ]]; then
+        log ERROR "VPN_EMAIL is not set"
+        return 1
+    fi
+
+    python3 << PYTHON
+import keyring
+from keyrings.alt.file import PlaintextKeyring
+
+keyring.set_keyring(PlaintextKeyring())
+
+email = "$VPN_EMAIL"
+password = "$VPN_PASSWORD"
+totp_secret = "$VPN_TOTP_SECRET"
+
+if password:
+    keyring.set_password('openconnect-sso', email, password)
+    print(f"Password stored in keyring for {email}")
+
+if totp_secret:
+    keyring.set_password('openconnect-sso', f'totp/{email}', totp_secret.upper())
+    print(f"TOTP secret stored in keyring for {email}")
+
+print("Keyring setup complete")
+PYTHON
+
+    if [ $? -eq 0 ]; then
+        log INFO "Keyring credentials configured"
+    else
+        log ERROR "Failed to setup keyring"
+        return 1
+    fi
+}
+
+get_totp() {
+    oathtool --totp -b "$VPN_TOTP_SECRET"
+}
+
+# Test connection to TARGET_IP
+test_connection() {
+    if [[ -z "$TARGET_IP" ]]; then
+        log WARN "TARGET_IP not set"
+        return 1
+    fi
+
+    log INFO "Testing connection to $TARGET_IP..."
+    if ping -c 3 -W 3 "$TARGET_IP" &>/dev/null; then
+        log INFO "Connection test: ${GREEN}SUCCESS${NC}"
+        return 0
+    else
+        log WARN "Connection test: ${RED}FAILED${NC} (may need manual route on host)"
+        return 1
+    fi
+}
+
+show_totp() {
+    log INFO "Starting live TOTP display (Ctrl+C to stop)"
+    echo ""
+    while true; do
+        TOTP=$(get_totp)
+        SECONDS_LEFT=$((30 - ($(date +%s) % 30)))
+        echo -ne "\r           ${CYAN}Current TOTP:${NC} ${GREEN}$TOTP${NC} (expires in ${YELLOW}${SECONDS_LEFT}s${NC})   "
+        sleep 1
+    done
+}
+
+get_vpn_interface() {
+    local iface=$(ip link show | grep -oP 'tun\d+(?=:.*UP)' | head -1)
+    if [ -z "$iface" ]; then
+        iface=$(ip link show | grep -oP 'tun\d+' | head -1)
+    fi
+    echo "$iface"
+}
+
+get_container_ip() {
+    ip addr show eth0 2>/dev/null | grep -oP 'inet \K[\d.]+' | head -1
+}
+
+get_vpn_ip() {
+    local iface=$(get_vpn_interface)
+    if [ -n "$iface" ]; then
+        ip addr show "$iface" 2>/dev/null | grep -oP 'inet \K[\d.]+' | head -1
+    fi
+}
+
+check_vpn_status() {
+    local vpn_iface=$(get_vpn_interface)
+    if [ -n "$vpn_iface" ]; then
+        local vpn_ip=$(get_vpn_ip)
+        log INFO "VPN is ${GREEN}CONNECTED${NC}"
+        log DEBUG "  Interface: $vpn_iface"
+        log DEBUG "  VPN IP: $vpn_ip"
+        return 0
+    else
+        log WARN "VPN is ${RED}NOT CONNECTED${NC}"
+        return 1
+    fi
+}
+
+show_routes() {
+    echo -e "${CYAN}========================================${NC}"
+    echo -e "${CYAN}         Current Routing Table          ${NC}"
+    echo -e "${CYAN}========================================${NC}"
+    echo ""
+    echo -e "${GREEN}IPv4 Routes:${NC}"
+    ip -4 route show | while IFS= read -r line; do
+        if echo "$line" | grep -qE "tun[0-9]"; then
+            echo -e "  ${YELLOW}$line${NC}"
+        elif echo "$line" | grep -qE "10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\."; then
+            echo -e "  ${CYAN}$line${NC}"
+        else
+            echo "  $line"
+        fi
+    done
+    echo ""
+    echo -e "${GREEN}VPN Interface:${NC}"
+    local vpn_iface=$(get_vpn_interface)
+    if [ -n "$vpn_iface" ]; then
+        ip addr show "$vpn_iface" 2>/dev/null | grep -E "inet|link" | while IFS= read -r line; do
+            echo "  $line"
+        done
+    else
+        echo -e "  ${RED}No VPN interface found${NC}"
+    fi
+}
+
+show_network_status() {
+    log INFO "Current network status:"
+    echo ""
+    log DEBUG "Container Network Interfaces:"
+    ip -4 addr show | grep -E "inet |^[0-9]+:" | while IFS= read -r line; do
+        echo -e "           ${GRAY}│${NC} $line"
+    done
+
+    echo ""
+    local vpn_iface=$(get_vpn_interface)
+    if [ -n "$vpn_iface" ]; then
+        local vpn_ip=$(get_vpn_ip)
+        log INFO "VPN Status: ${GREEN}CONNECTED${NC}"
+        log DEBUG "  Interface: $vpn_iface"
+        log DEBUG "  VPN IP: $vpn_ip"
+    else
+        log WARN "VPN Status: ${RED}NOT CONNECTED${NC}"
+    fi
+
+    local container_ip=$(get_container_ip)
+    if [ -n "$container_ip" ]; then
+        log DEBUG "Container IP: $container_ip"
+    fi
+
+    echo ""
+    log DEBUG "Default gateway:"
+    ip route show default | while IFS= read -r line; do
+        echo -e "           ${GRAY}│${NC} $line"
+    done
+    echo ""
+}
+
+kill_vpn_processes() {
+    log INFO "Killing VPN processes..."
+    local killed=0
+
+    for pid in $(pgrep -x "openconnect" 2>/dev/null); do
+        log DEBUG "Killing openconnect (PID $pid)"
+        kill -9 "$pid" 2>/dev/null && ((killed++))
+    done
+
+    for pid in $(pgrep -f "openconnect-sso" 2>/dev/null); do
+        log DEBUG "Killing openconnect-sso (PID $pid)"
+        kill -9 "$pid" 2>/dev/null && ((killed++))
+    done
+
+    if [ $killed -eq 0 ]; then
+        log INFO "No VPN processes were running"
+    else
+        log INFO "Killed $killed process(es)"
+        sleep 2
+    fi
+}
+
+disconnect_vpn() {
+    log INFO "Disconnecting VPN..."
+    kill_vpn_processes
+
+    if check_vpn_status; then
+        log WARN "VPN still appears connected"
+        return 1
+    fi
+
+    log INFO "VPN disconnected"
+    return 0
+}
+
+setup_forwarding() {
+    log INFO "Setting up IP forwarding rules for $TARGET_SUBNET..."
+
+    local vpn_iface=$(get_vpn_interface)
+    if [ -z "$vpn_iface" ]; then
+        log ERROR "No VPN interface found! Is VPN connected?"
+        return 1
+    fi
+
+    local vpn_ip=$(get_vpn_ip)
+    local container_ip=$(get_container_ip)
+
+    log DEBUG "VPN interface: $vpn_iface"
+    log DEBUG "VPN IP: $vpn_ip"
+    log DEBUG "Container IP: $container_ip"
+
+    # Enable IP forwarding
+    run_cmd "Enabling IP forwarding" sysctl -w net.ipv4.ip_forward=1
+
+    # NAT masquerade for container network going through VPN
+    if ! iptables -t nat -C POSTROUTING -s "$CONTAINER_NETWORK" -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
+        run_cmd "Adding NAT masquerade for container network -> VPN" iptables -t nat -A POSTROUTING -s "$CONTAINER_NETWORK" -o "$vpn_iface" -j MASQUERADE
+    else
+        log DEBUG "NAT masquerade for container network already exists"
+    fi
+
+    # Forward rules at position 1
+    iptables -D FORWARD -d "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
+    iptables -D FORWARD -s "$TARGET_SUBNET" -j ACCEPT 2>/dev/null || true
+    iptables -D FORWARD -s "$CONTAINER_NETWORK" -j ACCEPT 2>/dev/null || true
+    iptables -D FORWARD -d "$CONTAINER_NETWORK" -j ACCEPT 2>/dev/null || true
+
+    run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d "$CONTAINER_NETWORK" -j ACCEPT
+    run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s "$CONTAINER_NETWORK" -j ACCEPT
+    run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_SUBNET" -j ACCEPT
+    run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_SUBNET" -j ACCEPT
+
+    log INFO "Forwarding rules configured"
+    echo ""
+
+    # Trigger host routing service restart
+    log INFO "Triggering host routing service restart..."
+    touch /runtime/restart-routing 2>/dev/null || true
+    sleep 2
+    if [ ! -f /runtime/restart-routing ]; then
+        log INFO "Host routing service restarted"
+    else
+        log WARN "Host watcher may not be running (trigger file still exists)"
+    fi
+
+    log INFO "Routing configured for $TARGET_SUBNET through VPN tunnel"
+    echo ""
+}
+
+connect_vpn() {
+    log INFO "=== Starting OpenConnect-SSO VPN ==="
+    echo ""
+
+    # Kill any existing VPN processes
+    kill_vpn_processes
+
+    # Reset DNS to public servers (VPN script may have overwritten it)
+    log DEBUG "Resetting DNS to public servers..."
+    echo "nameserver 8.8.8.8" > /etc/resolv.conf
+    echo "nameserver 1.1.1.1" >> /etc/resolv.conf
+
+    # Clean up stale tun interface
+    ip link delete tun0 2>/dev/null || true
+
+    # Validate required variables
+    if [[ -z "$VPN_HOST" ]]; then
+        log ERROR "VPN_HOST is not set"
+        return 1
+    fi
+
+    # Setup keyring credentials
+    setup_keyring
+
+    # Fetch server certificate
+    log INFO "Fetching server certificate..."
+    local servercert=$(get_server_cert "$VPN_HOST")
+
+    log INFO "Connecting to: $VPN_HOST"
+    log DEBUG "Interface: $VPN_INTERFACE"
+
+    # Build openconnect-sso command
+    local sso_args=()
+    sso_args+=("-s" "$VPN_HOST")
+
+    if [[ -n "$VPN_EMAIL" ]]; then
+        sso_args+=("-u" "$VPN_EMAIL")
+    fi
+
+    # Use hidden browser for automated login
+    sso_args+=("--browser-display-mode" "hidden")
+
+    # Build openconnect args
+    local oc_args=()
+    oc_args+=("--protocol=anyconnect")
+    oc_args+=("--interface" "$VPN_INTERFACE")
+    oc_args+=("--script" "/usr/share/vpnc-scripts/vpnc-script")
+
+    if [[ -n "$servercert" ]]; then
+        oc_args+=("--servercert" "$servercert")
+        log DEBUG "Server cert: $servercert"
+    fi
+
+    # Launch openconnect-sso
+    log INFO "Launching openconnect-sso..."
+    openconnect-sso "${sso_args[@]}" -- /usr/sbin/openconnect "${oc_args[@]}" &
+    OC_PID=$!
+    disown $OC_PID
+    log DEBUG "openconnect-sso started with PID $OC_PID"
+
+    # Wait for VPN to connect
+    log INFO "Waiting for VPN connection..."
+    local wait_count=0
+    local max_wait=300
+
+    while [ -z "$(get_vpn_interface)" ]; do
+        sleep 2
+        ((wait_count+=2))
+        if [ $((wait_count % 10)) -eq 0 ]; then
+            log DEBUG "Still waiting for VPN... (${wait_count}s)"
+        fi
+        if [ $wait_count -ge $max_wait ]; then
+            log ERROR "Timeout waiting for VPN connection after ${max_wait}s"
+            return 1
+        fi
+    done
+
+    log INFO "VPN connected!"
+    local vpn_iface=$(get_vpn_interface)
+    local vpn_ip=$(get_vpn_ip)
+    log DEBUG "  Interface: $vpn_iface"
+    log DEBUG "  VPN IP: $vpn_ip"
+
+    # Wait for routes to stabilize
+    log DEBUG "Waiting for routes to stabilize..."
+    sleep 3
+
+    # Setup forwarding
+    setup_forwarding
+
+    # Test connection to IBMI host
+    test_connection
+
+    # Disable screen blanking
+    xset s off 2>/dev/null || true
+    xset -dpms 2>/dev/null || true
+    xset s noblank 2>/dev/null || true
+    log DEBUG "Screen blanking disabled"
+
+    log INFO "VPN setup complete"
+
+    # Start watchdog in background
+    start_watchdog &
+    WATCHDOG_PID=$!
+    log DEBUG "Watchdog started with PID $WATCHDOG_PID"
+
+    return 0
+}
+
+# Watchdog - monitors VPN and reconnects if dropped
+start_watchdog() {
+    log INFO "Starting VPN watchdog (check every 60s, keepalive ping every 5min)..."
+
+    local check_interval=60
+    local keepalive_interval=300
+    local last_keepalive=0
+    local reconnect_attempts=0
+    local max_reconnect_attempts=3
+
+    while true; do
+        sleep $check_interval
+
+        local now=$(date +%s)
+        local vpn_iface=$(get_vpn_interface)
+
+        if [ -n "$vpn_iface" ]; then
+            # VPN is up
+            reconnect_attempts=0
+
+            # Keepalive ping every 5 minutes
+            if [ $((now - last_keepalive)) -ge $keepalive_interval ]; then
+                test_connection || log WARN "VPN may be degraded"
+                last_keepalive=$now
+            fi
+        else
+            # VPN is down
+            ((reconnect_attempts++))
+            log WARN "VPN disconnected! Reconnect attempt $reconnect_attempts/$max_reconnect_attempts..."
+
+            if [ $reconnect_attempts -le $max_reconnect_attempts ]; then
+                connect_vpn
+            else
+                log ERROR "Max reconnect attempts reached. Manual intervention required."
+                sleep 300
+                reconnect_attempts=0
+            fi
+        fi
+    done
+}
+
+# Main menu
+main_menu() {
+    echo -e "${GREEN}Options:${NC}"
+    echo -e "  ${CYAN}1${NC} - Connect VPN"
+    echo -e "  ${CYAN}2${NC} - Disconnect VPN"
+    echo -e "  ${CYAN}3${NC} - Show VPN status"
+    echo -e "  ${CYAN}4${NC} - Setup IP forwarding only"
+    echo -e "  ${CYAN}5${NC} - Test connection to $TARGET_IP"
+    echo -e "  ${CYAN}6${NC} - Show network status"
+    echo -e "  ${CYAN}7${NC} - Show routing table"
+    echo -e "  ${CYAN}8${NC} - Show live TOTP"
+    echo -e "  ${CYAN}q${NC} - Quit"
+    echo ""
+}
+
+parse_args() {
+    while [[ $# -gt 0 ]]; do
+        case $1 in
+            -c|--connect)
+                DO_CONNECT=true
+                shift
+                ;;
+            -d|--disconnect)
+                DO_DISCONNECT=true
+                shift
+                ;;
+            -m|--menu)
+                SKIP_AUTO_CONNECT=true
+                shift
+                ;;
+            -s|--status)
+                print_banner
+                check_vpn_status
+                echo ""
+                show_network_status
+                exit 0
+                ;;
+            -r|--routes)
+                show_routes
+                exit 0
+                ;;
+            --help)
+                show_help
+                exit 0
+                ;;
+            *)
+                echo "Unknown option: $1"
+                echo "Use --help for usage information"
+                exit 1
+                ;;
+        esac
+    done
+
+    if [ "$DO_CONNECT" = "true" ] && [ "$DO_DISCONNECT" = "true" ]; then
+        echo "Error: --connect and --disconnect are mutually exclusive"
+        exit 1
+    fi
+}
+
+# Main
+parse_args "$@"
+cleanup_old_logs
+
+echo "" >> "$(get_log_file)"
+echo "========================================" >> "$(get_log_file)"
+log INFO "=== Starting OpenConnect-SSO VPN ==="
+echo ""
+log DEBUG "VPN_EMAIL=$VPN_EMAIL"
+log DEBUG "VPN_HOST=$VPN_HOST"
+log DEBUG "TARGET_IP=$TARGET_IP"
+log DEBUG "TARGET_SUBNET=$TARGET_SUBNET"
+log DEBUG "VPN_TOTP_SECRET is $([ -n "$VPN_TOTP_SECRET" ] && echo 'set' || echo 'NOT SET')"
+
+print_banner
+
+if [ "$DO_DISCONNECT" = "true" ]; then
+    disconnect_vpn
+    exit $?
+fi
+
+if [ "$DO_CONNECT" = "true" ]; then
+    connect_vpn
+    exit $?
+fi
+
+# Auto-connect logic (unless -m flag)
+if [ "$SKIP_AUTO_CONNECT" = "true" ]; then
+    log INFO "Menu mode - skipping auto-connect"
+elif check_vpn_status; then
+    echo ""
+    log INFO "VPN already connected. Setting up forwarding..."
+    setup_forwarding
+else
+    echo ""
+    log INFO "Auto-starting VPN connection..."
+    echo ""
+    connect_vpn
+fi
+
+# Interactive menu loop
+while true; do
+    echo ""
+    main_menu
+    echo -ne "${CYAN}Choice: ${NC}"
+    read -r choice
+    echo ""
+
+    [[ -z "${choice// }" ]] && continue
+
+    case $choice in
+        1) connect_vpn ;;
+        2) disconnect_vpn ;;
+        3) check_vpn_status ;;
+        4) setup_forwarding ;;
+        5) test_connection ;;
+        6) show_network_status ;;
+        7) show_routes ;;
+        8) show_totp ;;
+        q|Q) log INFO "Goodbye!"; exit 0 ;;
+        *) ;;
+    esac
+done

apps/cistech-tunnel/shared/startup-vnc.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+export HOME='/root'
+export USER='root'
+rm -f /tmp/.P1-lock /tmp/.X11-unix/X1 2>/dev/null || true
+rm -rf /tmp/.X*-lock /tmp/.X14-unix/* 2>/dev/null || true
+echo "Starting TigerVNC server on display :1..."
+vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
+sleep 2
+echo "Starting noVNC on port ${NOVNC_PORT:-6092}..."
+websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6092} localhost:${VNC_PORT:-5901} &
+tail -f /root/.vnc/*.log

apps/cistech-tunnel/shared/uninstall-host-services.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+#
+# Uninstall host-side systemd services for cistech-tunnel
+#
+set -euo pipefail
+
+echo "Removing cistech-tunnel host services..."
+
+# Stop and disable the watcher
+sudo systemctl stop cistech-routing-watcher.path 2>/dev/null || true
+sudo systemctl disable cistech-routing-watcher.path 2>/dev/null || true
+
+# Remove routing rules
+/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/host-routing.sh stop 2>/dev/null || true
+
+# Remove systemd units
+sudo rm -f /etc/systemd/system/cistech-routing-watcher.path
+sudo rm -f /etc/systemd/system/cistech-routing-watcher.service
+
+# Reload systemd
+sudo systemctl daemon-reload
+
+echo ""
+echo "Done! Host services removed."

apps/cistech-tunnel/shared/xstartup

@@ -0,0 +1,53 @@
+#!/bin/bash
+# VNC xstartup - launches terminal with cisco-vpn script
+
+unset SESSION_MANAGER
+unset DBUS_SESSION_BUS_ADDRESS
+
+# Import environment variables from container (PID 1)
+# Systemd services don't inherit Docker env vars, so we source them here
+while IFS= read -r -d '' line; do
+    export "$line"
+done < /proc/1/environ
+
+export XDG_RUNTIME_DIR=/tmp/runtime-root
+mkdir -p $XDG_RUNTIME_DIR
+chmod 700 $XDG_RUNTIME_DIR
+
+# Force software rendering (no GPU/OpenGL)
+export QT_QUICK_BACKEND=software
+export LIBGL_ALWAYS_SOFTWARE=1
+export GALLIUM_DRIVER=llvmpipe
+export MESA_GL_VERSION_OVERRIDE=3.3
+
+# GPU/WebKit workarounds for Cisco UI
+export GDK_BACKEND=x11
+export WEBKIT_DISABLE_DMABUF_RENDERER=1
+
+# Qt/Chromium flags for running as root (no sandbox)
+export QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu"
+export QTWEBENGINE_DISABLE_SANDBOX=1
+
+# Start system dbus daemon (needed for Chromium)
+mkdir -p /run/dbus
+dbus-daemon --system --fork 2>/dev/null || true
+
+# Start dbus session
+[ -x /usr/bin/dbus-launch ] && eval $(dbus-launch --sh-syntax --exit-with-session)
+
+# Start window manager
+openbox &
+sleep 2
+
+# Disable screen blanking and power saving
+xset s off 2>/dev/null || true
+xset -dpms 2>/dev/null || true
+xset s noblank 2>/dev/null || true
+
+# Make script executable and launch in terminal
+chmod +x /shared/openconnect-vpn 2>/dev/null || true
+xterm -fn fixed -bg black -fg white -geometry 130x45+10+10 \
+    -title "Cistech VPN Terminal" \
+    -e "bash -c '/shared/openconnect-vpn; exec bash'" &
+
+wait

apps/cistech-tunnel/source/Dockerfile

@@ -1,46 +0,0 @@
-FROM ubuntu:24.04
-ENV DEBIAN_FRONTEND=noninteractive \
-    PLAYWRIGHT_BROWSERS_PATH=/ms-playwright \
-    VIRTUAL_ENV=/opt/venv \
-    PATH=/opt/venv/bin:$PATH \
-    QTWEBENGINE_DISABLE_SANDBOX=1 \
-    QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu" \
-    OC_URL="https://vpn.cistech.net/Employees" \
-    OC_SERVERCERT="pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0=" \
-    OC_USER="alex.zaw@cistech.net" \
-    OC_TOTP_SECRET="t6ypnjqvyx2yvw2l" \
-    VNC_PASSWORD="Az@83278327\$\$@@"
-
-RUN apt-get update && apt-get install -y \
-    openconnect iproute2 iptables ca-certificates \
-    python3 python3-pip python3-venv \
-    vpnc-scripts curl wget openssh-client \
-    x11vnc xvfb fluxbox novnc websockify xterm nano oathtool \
-    xauth libnss3 libatk1.0-0 libatk-bridge2.0-0 \
-    libx11-6 libx11-xcb1 libxcomposite1 libxrandr2 libgbm1 libxdamage1 \
-    libpango-1.0-0 fonts-liberation \
-    libegl1 libgl1 libopengl0 libdbus-1-3 libglib2.0-0 \
-    libxkbcommon0 libxkbcommon-x11-0 \
-    libxcb1 libxcb-cursor0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-render0 libxcb-render-util0 libxcb-shm0 libxcb-xfixes0 libxcb-xinerama0 libxcb-randr0 libxcb-glx0 \
-    sudo && rm -rf /var/lib/apt/lists/*
-
-RUN apt-get update && (apt-get install -y libasound2t64 || apt-get install -y libasound2) && rm -rf /var/lib/apt/lists/*
-
-# Python venv + Playwright + openconnect-sso
-RUN python3 -m venv "$VIRTUAL_ENV"
-RUN pip install --no-cache-dir openconnect-sso playwright keyring keyrings.alt && \
-    python -m playwright install --with-deps chromium
-
-# Cloudflared (amd64)
-RUN arch=$(dpkg --print-architecture) && \
-    if [ "$arch" = "amd64" ]; then \
-      curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o /tmp/cloudflared.deb && \
-      apt-get update && apt-get install -y /tmp/cloudflared.deb && rm -f /tmp/cloudflared.deb ; \
-    else \
-      echo "Install cloudflared manually for arch=$arch" && exit 1 ; \
-    fi
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-EXPOSE 6901
-ENTRYPOINT ["/entrypoint.sh"]

apps/cistech-tunnel/source/entrypoint.sh

@@ -1,182 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-: "${OC_URL:?OC_URL required}"
-: "${OC_SERVERCERT:?OC_SERVERCERT required}"
-
-NOVNC_PORT="${NOVNC_PORT:-6901}"
-VNC_PASSWORD="${VNC_PASSWORD:-changeme}"
-DISPLAY_ADDR="${DISPLAY:-:1}"
-OC_INTERFACE="${OC_INTERFACE:-tun0}"
-OC_USER="${OC_USER:-}"
-OC_TOTP_SECRET="${OC_TOTP_SECRET:-}"
-
-# Default to hidden browser if OC_USER is set
-if [[ -n "$OC_USER" ]]; then
-  OC_SSO_ARGS_DEFAULT="--browser-display-mode hidden -u $OC_USER"
-else
-  OC_SSO_ARGS_DEFAULT="--browser-display-mode shown"
-fi
-
-CLOUDFLARED_MODE="${CLOUDFLARED_MODE:-off}"   # off|token|config
-CLOUDFLARED_TOKEN="${CLOUDFLARED_TOKEN:-}"
-SSH_TUNNEL_ENABLE="${SSH_TUNNEL_ENABLE:-0}"
-SSH_DEST="${SSH_DEST:-zawa@10.3.1.201}"
-SSH_FORWARDS="${SSH_FORWARDS:-0.0.0.0:8090:localhost:8090}"
-
-pids=()
-
-# Setup keyring with TOTP secret if provided
-setup_keyring() {
-  if [[ -n "$OC_TOTP_SECRET" && -n "$OC_USER" ]]; then
-    python3 -c "
-import keyring
-keyring.set_password('openconnect-sso', 'totp/$OC_USER', '$OC_TOTP_SECRET'.upper())
-print('TOTP secret stored in keyring for $OC_USER')
-"
-  fi
-}
-
-# Create vpn_connect command in PATH and save environment
-create_vpn_command() {
-  # Save environment variables to a file
-  cat > /etc/vpn.env << ENVFILE
-export OC_URL="$OC_URL"
-export OC_SERVERCERT="$OC_SERVERCERT"
-export OC_INTERFACE="$OC_INTERFACE"
-export OC_USER="$OC_USER"
-export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT"
-export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}"
-export OC_AUTHGROUP="${OC_AUTHGROUP:-}"
-export OC_USERAGENT="${OC_USERAGENT:-}"
-export OC_EXTRA_ARGS="${OC_EXTRA_ARGS:-}"
-export OC_TOTP_SECRET="$OC_TOTP_SECRET"
-export DISPLAY=":1"
-ENVFILE
-
-  # Build openconnect command
-  OPENCONNECT_CMD="/usr/sbin/openconnect --protocol=anyconnect --servercert $OC_SERVERCERT --interface $OC_INTERFACE --script /usr/share/vpnc-scripts/vpnc-script"
-  [[ -n "${OC_AUTHGROUP:-}" ]] && OPENCONNECT_CMD+=" --authgroup $OC_AUTHGROUP"
-  [[ -n "${OC_USERAGENT:-}" ]] && OPENCONNECT_CMD+=" --useragent $OC_USERAGENT"
-  [[ -n "${OC_EXTRA_ARGS:-}" ]] && OPENCONNECT_CMD+=" ${OC_EXTRA_ARGS}"
-  echo "export OPENCONNECT_CMD=\"$OPENCONNECT_CMD\"" >> /etc/vpn.env
-
-  cat > /usr/local/bin/vpn_connect << 'VPNCMD'
-#!/usr/bin/env bash
-source /etc/vpn.env
-echo "[$(date)] Starting VPN connection..."
-
-# openconnect-sso reads TOTP from keyring automatically
-if [[ -n "$OC_USER" ]]; then
-  echo "" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
-else
-  openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
-fi
-VPNCMD
-  chmod +x /usr/local/bin/vpn_connect
-}
-
-# Create VPN runner script that keeps shell open
-create_vpn_script() {
-  cat > /tmp/vpn-runner.sh << 'VPNSCRIPT'
-#!/usr/bin/env bash
-cd /root
-
-echo "============================================"
-echo "  Cistech VPN Container"
-echo "============================================"
-echo ""
-echo "Commands:"
-echo "  vpn_connect  - Start/restart VPN connection"
-echo "  Ctrl+C       - Stop auto-reconnect and drop to shell"
-echo ""
-echo "Starting VPN with auto-reconnect..."
-echo ""
-
-while true; do
-  vpn_connect
-  echo ""
-  echo "[$(date)] VPN disconnected. Reconnecting in 10 seconds..."
-  echo "(Press Ctrl+C to stop auto-reconnect)"
-  sleep 10
-done
-VPNSCRIPT
-  chmod +x /tmp/vpn-runner.sh
-}
-
-start_gui() {
-  mkdir -p /root/.vnc
-  x11vnc -storepasswd "$VNC_PASSWORD" /root/.vnc/pass >/dev/null 2>&1 || true
-  rm -f /tmp/.X1-lock /tmp/.X11-unix/X1 2>/dev/null || true
-  Xvfb "$DISPLAY_ADDR" -screen 0 ${XVFB_WxHxD:-1280x800x24} +extension RANDR &
-  pids+=($!)
-  sleep 0.5
-  export DISPLAY="$DISPLAY_ADDR"
-  fluxbox >/tmp/fluxbox.log 2>&1 &
-  pids+=($!)
-  x11vnc -display "$DISPLAY_ADDR" -rfbauth /root/.vnc/pass -forever -shared -rfbport 5900 -quiet &
-  pids+=($!)
-  websockify --web=/usr/share/novnc/ 0.0.0.0:"$NOVNC_PORT" localhost:5900 >/tmp/websockify.log 2>&1 &
-  pids+=($!)
-}
-
-start_vpn_terminal() {
-  # Start xterm with VPN script
-  sleep 1
-  xterm -fa 'Monospace' -fs 11 -bg black -fg white -geometry 120x35+50+50 \
-    -T "Cistech VPN" -e /tmp/vpn-runner.sh &
-  pids+=($!)
-}
-
-start_cloudflared() {
-  case "$CLOUDFLARED_MODE" in
-    token)
-      [ -n "$CLOUDFLARED_TOKEN" ] && cloudflared tunnel run --token "$CLOUDFLARED_TOKEN" >/tmp/cloudflared.log 2>&1 &
-      pids+=($!)
-      ;;
-    config)
-      cloudflared --no-autoupdate --config /etc/cloudflared/config.yml tunnel run >/tmp/cloudflared.log 2>&1 &
-      pids+=($!)
-      ;;
-    off|*)
-      ;;
-  esac
-}
-
-start_ssh_tunnel() {
-  [ "$SSH_TUNNEL_ENABLE" = "1" ] || return 0
-  IFS=',' read -ra LINES <<< "$SSH_FORWARDS"
-  args=(-N -o StrictHostKeyChecking=no -o ServerAliveInterval=60)
-  for m in "${LINES[@]}"; do args+=(-L "$m"); done
-  ssh "${args[@]}" "$SSH_DEST" &
-  pids+=($!)
-}
-
-setup_nat() {
-  (
-    for i in {1..60}; do
-      if ip link show "$OC_INTERFACE" >/dev/null 2>&1; then
-        sysctl -w net.ipv4.ip_forward=1 >/dev/null
-        iptables -t nat -C POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE 2>/dev/null || \
-          iptables -t nat -A POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE
-        echo "NAT enabled on $OC_INTERFACE"
-        break
-      fi
-      sleep 2
-    done
-  ) &
-}
-
-trap 'kill 0' INT TERM
-
-# Always start GUI now
-setup_keyring
-create_vpn_command
-create_vpn_script
-start_gui
-start_vpn_terminal
-setup_nat
-start_cloudflared
-start_ssh_tunnel
-
-wait

apps/nas-samba/config.json

@@ -0,0 +1,54 @@
+{
+  "$schema": "../app-info-schema.json",
+  "name": "NAS Samba + CloudNAS",
+  "id": "nas-samba",
+  "available": true,
+  "port": 8080,
+  "exposable": true,
+  "dynamic_config": true,
+  "no_gui": false,
+  "tipi_version": 2,
+  "version": "1.0.0",
+  "categories": ["network", "utilities"],
+  "description": "All-in-one NAS container with Samba SMB file sharing and CloudNAS web file manager. Browse files via web UI or connect via SMB at \\\\192.168.0.15\\data with username alexz. No database required — uses filesystem + SQLite.",
+  "short_desc": "NAS with SMB + web file manager",
+  "author": "alexz",
+  "source": "https://gits.alexzaw.dev/alexz/runtipi",
+  "form_fields": [
+    {
+      "type": "password",
+      "label": "SMB Password",
+      "env_variable": "SMB_PASSWORD",
+      "required": true,
+      "hint": "Password for SMB user alexz"
+    },
+    {
+      "type": "random",
+      "label": "JWT Secret",
+      "env_variable": "JWT_SECRET",
+      "min": 32,
+      "encoding": "hex"
+    },
+    {
+      "type": "text",
+      "label": "NAS Host Path",
+      "env_variable": "NAS_PATH",
+      "required": true,
+      "default": "/nas",
+      "hint": "Host path to share via SMB and web UI"
+    },
+    {
+      "type": "text",
+      "label": "Bind IP",
+      "env_variable": "BIND_IP",
+      "required": true,
+      "default": "192.168.0.15",
+      "hint": "IP address to bind SMB ports to"
+    }
+  ],
+  "supported_architectures": ["arm64", "amd64"],
+  "created_at": 1741536000000,
+  "updated_at": 1742169600000,
+  "deprecated": false,
+  "min_tipi_version": "4.5.0"
+}

apps/nas-samba/docker-compose.json

@@ -0,0 +1,25 @@
+{
+  "schemaVersion": 2,
+  "$schema": "https://schemas.runtipi.io/dynamic-compose.json",
+  "services": [
+    {
+      "name": "nas-samba",
+      "image": "git.alexzaw.dev/alexz/nas-samba:1.0.0",
+      "isMain": true,
+      "internalPort": 8080,
+      "addPorts": [
+        { "hostPort": 445, "containerPort": 445, "interface": "${BIND_IP}" },
+        { "hostPort": 139, "containerPort": 139, "interface": "${BIND_IP}" }
+      ],
+      "volumes": [
+        { "hostPath": "${NAS_PATH:-/nas}", "containerPath": "/nas" },
+        { "hostPath": "${APP_DATA_DIR}/data/config", "containerPath": "/config" }
+      ],
+      "environment": [
+        { "key": "SMB_PASSWORD", "value": "${SMB_PASSWORD}" },
+        { "key": "JWT_SECRET", "value": "${JWT_SECRET}" },
+        { "key": "TZ", "value": "${TZ}" }
+      ]
+    }
+  ]
+}

apps/nas-samba/source/Dockerfile

@@ -0,0 +1,51 @@
+FROM ubuntu:24.04
+
+LABEL maintainer="alexz"
+LABEL description="NAS Samba + CloudNAS file manager"
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install runtime: Samba, supervisor, tini, Node.js 20.x, build tools for native modules
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        samba \
+        samba-common-bin \
+        supervisor \
+        curl \
+        ca-certificates \
+        tini \
+        python3 \
+        make \
+        g++ \
+    && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+    && apt-get install -y --no-install-recommends nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy app source
+COPY app/ /app/
+
+WORKDIR /app
+
+# Install production dependencies (compiles better-sqlite3 native module)
+RUN npm ci --omit=dev && npm cache clean --force
+
+# Clean up
+RUN rm -rf /var/lib/apt/lists/* /usr/share/doc /usr/share/man
+
+# Create directories
+RUN mkdir -p /nas /config /var/log/supervisor /var/log/samba /run/samba
+
+# Samba configuration
+COPY smb.conf /etc/samba/smb.conf
+
+# Supervisord configuration
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+# Entrypoint
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+EXPOSE 8080 139 445
+
+ENTRYPOINT ["tini", "--"]
+CMD ["/entrypoint.sh"]

apps/nas-samba/source/app/frontend/build/asset-manifest.json

@@ -0,0 +1,13 @@
+{
+  "files": {
+    "main.css": "/static/css/main.da1289f2.css",
+    "main.js": "/static/js/main.fcd0e5c7.js",
+    "index.html": "/index.html",
+    "main.da1289f2.css.map": "/static/css/main.da1289f2.css.map",
+    "main.fcd0e5c7.js.map": "/static/js/main.fcd0e5c7.js.map"
+  },
+  "entrypoints": [
+    "static/css/main.da1289f2.css",
+    "static/js/main.fcd0e5c7.js"
+  ]
+}

apps/nas-samba/source/app/frontend/build/index.html

@@ -0,0 +1 @@
+<!doctype html><html lang="en"><head><meta charset="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><meta name="theme-color" content="#0F172A"/><meta name="description" content="CloudSync - Enterprise File Manager"/><title>CloudSync - Enterprise File Manager</title><script defer="defer" src="/static/js/main.fcd0e5c7.js"></script><link href="/static/css/main.da1289f2.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root"></div></body></html>

apps/nas-samba/source/app/frontend/build/static/js/main.fcd0e5c7.js.LICENSE.txt

@@ -0,0 +1,46 @@
+/**
+ * @license React
+ * react-dom.production.min.js
+ *
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+/**
+ * @license React
+ * react-jsx-runtime.production.min.js
+ *
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+/**
+ * @license React
+ * react.production.min.js
+ *
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+/**
+ * @license React
+ * scheduler.production.min.js
+ *
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+/**
+ * @license lucide-react v0.312.0 - ISC
+ *
+ * This source code is licensed under the ISC license.
+ * See the LICENSE file in the root directory of this source tree.
+ */

apps/nas-samba/source/app/frontend/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "cloudsync-frontend",
+  "version": "2.0.0",
+  "private": true,
+  "dependencies": {
+    "axios": "^1.6.5",
+    "clsx": "^2.1.1",
+    "date-fns": "^3.3.0",
+    "lucide-react": "^0.312.0",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
+    "react-scripts": "5.0.1",
+    "sonner": "^2.0.7",
+    "tailwind-merge": "^3.5.0"
+  },
+  "scripts": {
+    "start": "react-scripts start",
+    "build": "react-scripts build",
+    "test": "react-scripts test",
+    "eject": "react-scripts eject"
+  },
+  "eslintConfig": {
+    "extends": [
+      "react-app"
+    ]
+  },
+  "browserslist": {
+    "production": [
+      ">0.2%",
+      "not dead",
+      "not op_mini all"
+    ],
+    "development": [
+      "last 1 chrome version",
+      "last 1 firefox version",
+      "last 1 safari version"
+    ]
+  }
+}

apps/nas-samba/source/app/frontend/postcss.config.js

@@ -0,0 +1,6 @@
+module.exports = {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {},
+  },
+};

apps/nas-samba/source/app/frontend/public/index.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="theme-color" content="#0F172A" />
+    <meta name="description" content="CloudSync - Enterprise File Manager" />
+    <title>CloudSync - Enterprise File Manager</title>
+  </head>
+  <body>
+    <noscript>You need to enable JavaScript to run this app.</noscript>
+    <div id="root"></div>
+  </body>
+</html>

apps/nas-samba/source/app/frontend/src/App.css

@@ -0,0 +1 @@
+/* Additional app-specific styles */

apps/nas-samba/source/app/frontend/src/App.js

@@ -0,0 +1,51 @@
+import React, { useState, useCallback, useRef, useEffect } from 'react';
+import { Toaster, toast } from 'sonner';
+import { AuthProvider, useAuth } from './context/AuthContext';
+import { ThemeProvider, useTheme } from './context/ThemeContext';
+import LoginPage from './components/LoginPage';
+import Dashboard from './components/Dashboard';
+import SharePage from './components/SharePage';
+import LoadingScreen from './components/ui/LoadingScreen';
+
+function AppContent() {
+  const { user, loading } = useAuth();
+
+  // Handle /share/:token routes without React Router
+  const path = window.location.pathname;
+  const shareMatch = path.match(/^\/share\/([a-f0-9]+)$/);
+  if (shareMatch) {
+    return <SharePage token={shareMatch[1]} />;
+  }
+
+  if (loading) {
+    return <LoadingScreen />;
+  }
+
+  if (!user) {
+    return <LoginPage />;
+  }
+
+  return <Dashboard />;
+}
+
+function App() {
+  return (
+    <ThemeProvider>
+      <AuthProvider>
+        <Toaster 
+          position="top-right" 
+          richColors 
+          closeButton
+          toastOptions={{
+            style: {
+              fontFamily: 'Inter, system-ui, sans-serif',
+            },
+          }}
+        />
+        <AppContent />
+      </AuthProvider>
+    </ThemeProvider>
+  );
+}
+
+export default App;

apps/nas-samba/source/app/frontend/src/components/LoginPage.js

@@ -0,0 +1,145 @@
+import React, { useState } from 'react';
+import { useAuth } from '../context/AuthContext';
+import { toast } from 'sonner';
+import { Cloud, Eye, EyeOff, Loader2 } from 'lucide-react';
+
+function LoginPage() {
+  const [username, setUsername] = useState('');
+  const [password, setPassword] = useState('');
+  const [showPassword, setShowPassword] = useState(false);
+  const [loading, setLoading] = useState(false);
+  const { login } = useAuth();
+
+  const handleSubmit = async (e) => {
+    e.preventDefault();
+    
+    if (!username.trim() || !password.trim()) {
+      toast.error('Please enter username and password');
+      return;
+    }
+
+    setLoading(true);
+    
+    try {
+      const user = await login(username, password);
+      toast.success(`Welcome back, ${user.name}!`);
+    } catch (error) {
+      const message = error.response?.data?.detail || 'Invalid credentials';
+      toast.error(message);
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  return (
+    <div className="min-h-screen flex">
+      {/* Left side - Background image */}
+      <div 
+        className="hidden lg:flex lg:w-1/2 xl:w-3/5 relative bg-cover bg-center"
+        style={{
+          backgroundImage: 'url(https://images.pexels.com/photos/28428586/pexels-photo-28428586.jpeg?auto=compress&cs=tinysrgb&dpr=2&h=650&w=940)'
+        }}
+      >
+        <div className="absolute inset-0 bg-black/40"></div>
+        <div className="relative z-10 flex flex-col justify-end p-12 text-white">
+          <h1 className="font-secondary text-4xl font-bold mb-4">CloudSync</h1>
+          <p className="text-lg text-white/80 max-w-md">
+            Enterprise-grade file management with secure sharing, storage quotas, and comprehensive activity tracking.
+          </p>
+        </div>
+      </div>
+
+      {/* Right side - Login form */}
+      <div className="flex-1 flex items-center justify-center p-8 bg-background">
+        <div className="w-full max-w-md">
+          {/* Logo for mobile */}
+          <div className="lg:hidden flex items-center gap-3 mb-8">
+            <div className="w-10 h-10 bg-primary rounded-lg flex items-center justify-center">
+              <Cloud className="w-5 h-5 text-primary-foreground" />
+            </div>
+            <span className="font-secondary text-2xl font-bold text-foreground">CloudSync</span>
+          </div>
+
+          <div className="mb-8">
+            <h2 className="font-secondary text-3xl font-bold text-foreground mb-2">Sign in</h2>
+            <p className="text-muted-foreground">Enter your credentials to access your files</p>
+          </div>
+
+          <form onSubmit={handleSubmit} className="space-y-6">
+            <div>
+              <label htmlFor="username" className="block text-sm font-medium text-foreground mb-2">
+                Username
+              </label>
+              <input
+                id="username"
+                type="text"
+                value={username}
+                onChange={(e) => setUsername(e.target.value)}
+                placeholder="Enter your username"
+                disabled={loading}
+                data-testid="login-username-input"
+                className="w-full h-11 px-4 rounded-lg border border-input bg-background text-foreground placeholder:text-muted-foreground focus:outline-none focus:ring-2 focus:ring-ring transition-all disabled:opacity-50"
+                autoComplete="username"
+              />
+            </div>
+
+            <div>
+              <label htmlFor="password" className="block text-sm font-medium text-foreground mb-2">
+                Password
+              </label>
+              <div className="relative">
+                <input
+                  id="password"
+                  type={showPassword ? 'text' : 'password'}
+                  value={password}
+                  onChange={(e) => setPassword(e.target.value)}
+                  placeholder="Enter your password"
+                  disabled={loading}
+                  data-testid="login-password-input"
+                  className="w-full h-11 px-4 pr-12 rounded-lg border border-input bg-background text-foreground placeholder:text-muted-foreground focus:outline-none focus:ring-2 focus:ring-ring transition-all disabled:opacity-50"
+                  autoComplete="current-password"
+                />
+                <button
+                  type="button"
+                  onClick={() => setShowPassword(!showPassword)}
+                  className="absolute right-3 top-1/2 -translate-y-1/2 text-muted-foreground hover:text-foreground transition-colors"
+                  data-testid="toggle-password-visibility"
+                >
+                  {showPassword ? <EyeOff className="w-5 h-5" /> : <Eye className="w-5 h-5" />}
+                </button>
+              </div>
+            </div>
+
+            <button
+              type="submit"
+              disabled={loading}
+              data-testid="login-submit-btn"
+              className="w-full h-11 bg-primary text-primary-foreground font-medium rounded-lg hover:opacity-90 focus:outline-none focus:ring-2 focus:ring-ring focus:ring-offset-2 transition-all disabled:opacity-50 flex items-center justify-center gap-2"
+            >
+              {loading ? (
+                <>
+                  <Loader2 className="w-4 h-4 animate-spin" />
+                  Signing in...
+                </>
+              ) : (
+                'Sign in'
+              )}
+            </button>
+          </form>
+
+          <div className="mt-8 p-4 bg-muted rounded-lg">
+            <p className="text-sm text-muted-foreground">
+              <span className="font-medium text-foreground">Demo credentials:</span>
+              <br />
+              Username: <code className="font-mono bg-background px-1 rounded">admin</code>
+              <br />
+              Password: <code className="font-mono bg-background px-1 rounded">admin123</code>
+            </p>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+export default LoginPage;

apps/nas-samba/source/app/frontend/src/components/SharePage.js

@@ -0,0 +1,182 @@
+import React, { useState, useEffect, useCallback } from 'react';
+import { Cloud, CheckCircle, Lock, FileText, AlertCircle } from 'lucide-react';
+import { formatBytes } from '../lib/utils';
+import * as api from '../lib/api';
+
+export default function SharePage({ token }) {
+  const [fileInfo, setFileInfo] = useState(null);
+  const [error, setError] = useState(null);
+  const [loading, setLoading] = useState(true);
+  const [password, setPassword] = useState('');
+  const [downloaded, setDownloaded] = useState(false);
+  const [downloading, setDownloading] = useState(false);
+
+  const doDownload = useCallback(async (pwd) => {
+    if (!fileInfo || downloading) return;
+    setDownloading(true);
+    setError(null);
+    try {
+      const url = api.downloadSharedFile(token, pwd || null);
+      const res = await fetch(url, { method: 'POST' });
+      if (!res.ok) {
+        const data = await res.json();
+        throw new Error(data.detail || 'Download failed');
+      }
+      const blob = await res.blob();
+      const blobUrl = URL.createObjectURL(blob);
+      const a = document.createElement('a');
+      a.href = blobUrl;
+      a.download = fileInfo.name;
+      document.body.appendChild(a);
+      a.click();
+      document.body.removeChild(a);
+      URL.revokeObjectURL(blobUrl);
+      setDownloaded(true);
+    } catch (err) {
+      setError(err.message);
+      setDownloading(false);
+    }
+  }, [fileInfo, downloading, token]);
+
+  useEffect(() => {
+    async function load() {
+      try {
+        const res = await api.getSharedFileInfo(token);
+        setFileInfo(res.data);
+      } catch (err) {
+        const status = err.response?.status;
+        if (status === 410) {
+          setError('This share link has expired.');
+        } else if (status === 404) {
+          setError('Share link not found.');
+        } else {
+          setError('Failed to load shared file.');
+        }
+      } finally {
+        setLoading(false);
+      }
+    }
+    load();
+  }, [token]);
+
+  // Auto-download if no password required
+  useEffect(() => {
+    if (fileInfo && !fileInfo.requires_password && !downloaded && !downloading) {
+      doDownload(null);
+    }
+  }, [fileInfo, downloaded, downloading, doDownload]);
+
+  if (loading) {
+    return (
+      <div className="min-h-screen bg-background flex items-center justify-center">
+        <div className="animate-spin w-8 h-8 border-2 border-primary border-t-transparent rounded-full"></div>
+      </div>
+    );
+  }
+
+  if (error && !fileInfo) {
+    return (
+      <div className="min-h-screen bg-background flex items-center justify-center p-4">
+        <div className="bg-card border border-border rounded-lg shadow-lg p-8 max-w-md w-full text-center">
+          <AlertCircle className="w-12 h-12 text-destructive mx-auto mb-4" />
+          <h2 className="text-xl font-semibold mb-2">Unavailable</h2>
+          <p className="text-muted-foreground">{error}</p>
+        </div>
+      </div>
+    );
+  }
+
+  // Downloaded state
+  if (downloaded) {
+    return (
+      <div className="min-h-screen bg-background flex items-center justify-center p-4">
+        <div className="bg-card border border-border rounded-lg shadow-lg p-8 max-w-md w-full text-center">
+          <div className="flex items-center justify-center gap-2 mb-6">
+            <Cloud className="w-6 h-6 text-primary" />
+            <span className="text-lg font-semibold">CloudSync</span>
+          </div>
+          <CheckCircle className="w-16 h-16 text-green-500 mx-auto mb-4" />
+          <h2 className="text-xl font-semibold mb-2">File Downloaded</h2>
+          <div className="flex items-center gap-3 justify-center p-3 bg-accent/50 rounded-lg mt-4">
+            <FileText className="w-6 h-6 text-muted-foreground flex-shrink-0" />
+            <div className="text-left min-w-0">
+              <p className="font-medium text-sm truncate">{fileInfo.name}</p>
+              <p className="text-xs text-muted-foreground">{formatBytes(fileInfo.size)}</p>
+            </div>
+          </div>
+          <p className="text-sm text-muted-foreground mt-4">This link has been used and is no longer active.</p>
+        </div>
+      </div>
+    );
+  }
+
+  // Password required state
+  if (fileInfo.requires_password && !downloaded) {
+    return (
+      <div className="min-h-screen bg-background flex items-center justify-center p-4">
+        <div className="bg-card border border-border rounded-lg shadow-lg p-8 max-w-md w-full">
+          <div className="flex items-center gap-2 mb-6">
+            <Cloud className="w-6 h-6 text-primary" />
+            <span className="text-lg font-semibold">CloudSync</span>
+          </div>
+
+          <div className="flex items-center gap-4 mb-6 p-4 bg-accent/50 rounded-lg">
+            <FileText className="w-10 h-10 text-muted-foreground flex-shrink-0" />
+            <div className="min-w-0">
+              <p className="font-medium truncate">{fileInfo.name}</p>
+              <p className="text-sm text-muted-foreground">{formatBytes(fileInfo.size)}</p>
+            </div>
+          </div>
+
+          {error && (
+            <div className="mb-4 p-3 bg-destructive/10 text-destructive text-sm rounded-lg">
+              {error}
+            </div>
+          )}
+
+          <div className="mb-4">
+            <label className="block text-sm font-medium mb-2">
+              <Lock className="w-4 h-4 inline mr-1" />
+              This file is password protected
+            </label>
+            <input
+              type="password"
+              value={password}
+              onChange={(e) => { setPassword(e.target.value); setError(null); }}
+              onKeyDown={(e) => { if (e.key === 'Enter' && password) doDownload(password); }}
+              placeholder="Enter password"
+              className="w-full h-10 px-4 bg-background border border-input rounded-lg focus:outline-none focus:ring-2 focus:ring-ring"
+              autoFocus
+            />
+          </div>
+
+          <button
+            onClick={() => doDownload(password)}
+            disabled={downloading || !password}
+            className="w-full h-10 bg-primary text-primary-foreground rounded-lg hover:opacity-90 flex items-center justify-center gap-2 disabled:opacity-50 disabled:cursor-not-allowed"
+          >
+            {downloading ? (
+              <div className="animate-spin w-4 h-4 border-2 border-primary-foreground border-t-transparent rounded-full"></div>
+            ) : (
+              'Download'
+            )}
+          </button>
+        </div>
+      </div>
+    );
+  }
+
+  // Downloading state (auto-download in progress, no password)
+  return (
+    <div className="min-h-screen bg-background flex items-center justify-center p-4">
+      <div className="bg-card border border-border rounded-lg shadow-lg p-8 max-w-md w-full text-center">
+        <div className="flex items-center justify-center gap-2 mb-6">
+          <Cloud className="w-6 h-6 text-primary" />
+          <span className="text-lg font-semibold">CloudSync</span>
+        </div>
+        <div className="animate-spin w-8 h-8 border-2 border-primary border-t-transparent rounded-full mx-auto mb-4"></div>
+        <p className="text-muted-foreground">Downloading {fileInfo.name}...</p>
+      </div>
+    </div>
+  );
+}

apps/nas-samba/source/app/frontend/src/components/ui/LoadingScreen.js

@@ -0,0 +1,18 @@
+import React from 'react';
+import { cn } from '../../lib/utils';
+
+export function LoadingScreen() {
+  return (
+    <div className="min-h-screen bg-background flex items-center justify-center">
+      <div className="flex flex-col items-center gap-4">
+        <div className="relative w-12 h-12">
+          <div className="absolute inset-0 rounded-full border-2 border-muted"></div>
+          <div className="absolute inset-0 rounded-full border-2 border-primary border-t-transparent animate-spin"></div>
+        </div>
+        <p className="text-muted-foreground font-medium">Loading CloudSync...</p>
+      </div>
+    </div>
+  );
+}
+
+export default LoadingScreen;

apps/nas-samba/source/app/frontend/src/context/AuthContext.js

@@ -0,0 +1,69 @@
+import React, { createContext, useContext, useState, useEffect, useCallback } from 'react';
+import { login as apiLogin, getMe } from '../lib/api';
+
+const AuthContext = createContext(null);
+
+export function AuthProvider({ children }) {
+  const [user, setUser] = useState(null);
+  const [loading, setLoading] = useState(true);
+  const [token, setToken] = useState(localStorage.getItem('token'));
+
+  const checkAuth = useCallback(async () => {
+    const storedToken = localStorage.getItem('token');
+    if (!storedToken) {
+      setLoading(false);
+      return;
+    }
+
+    try {
+      const response = await getMe();
+      setUser(response.data);
+      setToken(storedToken);
+    } catch (error) {
+      localStorage.removeItem('token');
+      setUser(null);
+      setToken(null);
+    } finally {
+      setLoading(false);
+    }
+  }, []);
+
+  useEffect(() => {
+    checkAuth();
+  }, [checkAuth]);
+
+  const login = async (username, password) => {
+    const response = await apiLogin(username, password);
+    const { token: newToken, user: userData } = response.data;
+    
+    localStorage.setItem('token', newToken);
+    setToken(newToken);
+    setUser(userData);
+    
+    return userData;
+  };
+
+  const logout = () => {
+    localStorage.removeItem('token');
+    setToken(null);
+    setUser(null);
+  };
+
+  const updateUser = useCallback((userData) => {
+    setUser(prev => ({ ...prev, ...userData }));
+  }, []);
+
+  return (
+    <AuthContext.Provider value={{ user, token, loading, login, logout, updateUser, checkAuth }}>
+      {children}
+    </AuthContext.Provider>
+  );
+}
+
+export function useAuth() {
+  const context = useContext(AuthContext);
+  if (!context) {
+    throw new Error('useAuth must be used within an AuthProvider');
+  }
+  return context;
+}

apps/nas-samba/source/app/frontend/src/context/ThemeContext.js

@@ -0,0 +1,36 @@
+import React, { createContext, useContext, useState, useEffect } from 'react';
+
+const ThemeContext = createContext(null);
+
+export function ThemeProvider({ children }) {
+  const [theme, setTheme] = useState(() => {
+    const stored = localStorage.getItem('theme');
+    if (stored) return stored;
+    return window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light';
+  });
+
+  useEffect(() => {
+    const root = window.document.documentElement;
+    root.classList.remove('light', 'dark');
+    root.classList.add(theme);
+    localStorage.setItem('theme', theme);
+  }, [theme]);
+
+  const toggleTheme = () => {
+    setTheme(prev => prev === 'light' ? 'dark' : 'light');
+  };
+
+  return (
+    <ThemeContext.Provider value={{ theme, setTheme, toggleTheme }}>
+      {children}
+    </ThemeContext.Provider>
+  );
+}
+
+export function useTheme() {
+  const context = useContext(ThemeContext);
+  if (!context) {
+    throw new Error('useTheme must be used within a ThemeProvider');
+  }
+  return context;
+}

apps/nas-samba/source/app/frontend/src/index.css

@@ -0,0 +1,116 @@
+@import url('https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&family=Manrope:wght@400;500;600;700;800&family=JetBrains+Mono:wght@400;500&display=swap');
+
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+
+:root {
+  --background: #FFFFFF;
+  --foreground: #0A0A0A;
+  --card: #FFFFFF;
+  --card-foreground: #0A0A0A;
+  --popover: #FFFFFF;
+  --popover-foreground: #0A0A0A;
+  --primary: #0F172A;
+  --primary-foreground: #F8FAFC;
+  --secondary: #F1F5F9;
+  --secondary-foreground: #0F172A;
+  --muted: #F1F5F9;
+  --muted-foreground: #64748B;
+  --accent: #F1F5F9;
+  --accent-foreground: #0F172A;
+  --destructive: #EF4444;
+  --destructive-foreground: #F8FAFC;
+  --border: #E2E8F0;
+  --input: #E2E8F0;
+  --ring: #0F172A;
+  --radius: 0.5rem;
+}
+
+.dark {
+  --background: #020617;
+  --foreground: #F8FAFC;
+  --card: #0F172A;
+  --card-foreground: #F8FAFC;
+  --popover: #0F172A;
+  --popover-foreground: #F8FAFC;
+  --primary: #F8FAFC;
+  --primary-foreground: #0F172A;
+  --secondary: #1E293B;
+  --secondary-foreground: #F8FAFC;
+  --muted: #1E293B;
+  --muted-foreground: #94A3B8;
+  --accent: #1E293B;
+  --accent-foreground: #F8FAFC;
+  --destructive: #7F1D1D;
+  --destructive-foreground: #F8FAFC;
+  --border: #1E293B;
+  --input: #1E293B;
+  --ring: #D1D5DB;
+}
+
+* {
+  box-sizing: border-box;
+  margin: 0;
+  padding: 0;
+}
+
+html, body, #root {
+  height: 100%;
+}
+
+body {
+  font-family: 'Inter', system-ui, sans-serif;
+  background-color: var(--background);
+  color: var(--foreground);
+  -webkit-font-smoothing: antialiased;
+  -moz-osx-font-smoothing: grayscale;
+}
+
+/* Custom scrollbar */
+::-webkit-scrollbar {
+  width: 8px;
+  height: 8px;
+}
+
+::-webkit-scrollbar-track {
+  background: var(--muted);
+}
+
+::-webkit-scrollbar-thumb {
+  background: var(--muted-foreground);
+  border-radius: 4px;
+}
+
+::-webkit-scrollbar-thumb:hover {
+  background: var(--foreground);
+}
+
+/* Skeleton loader animation */
+@keyframes skeleton-pulse {
+  0%, 100% { opacity: 1; }
+  50% { opacity: 0.5; }
+}
+
+.skeleton {
+  animation: skeleton-pulse 1.5s ease-in-out infinite;
+  background: linear-gradient(90deg, var(--muted) 25%, var(--border) 50%, var(--muted) 75%);
+  background-size: 200% 100%;
+}
+
+/* File drop zone styles */
+.drop-zone-active {
+  border-color: var(--ring) !important;
+  background-color: var(--accent) !important;
+}
+
+/* Focus visible styles */
+.focus-visible:focus {
+  outline: 2px solid var(--ring);
+  outline-offset: 2px;
+}
+
+/* Transition utilities */
+.transition-default {
+  transition: all 200ms ease-in-out;
+}

apps/nas-samba/source/app/frontend/src/index.js

@@ -0,0 +1,11 @@
+import React from 'react';
+import ReactDOM from 'react-dom/client';
+import './index.css';
+import App from './App';
+
+const root = ReactDOM.createRoot(document.getElementById('root'));
+root.render(
+  <React.StrictMode>
+    <App />
+  </React.StrictMode>
+);

apps/nas-samba/source/app/frontend/src/lib/api.js

@@ -0,0 +1,136 @@
+import axios from 'axios';
+
+const API_URL = process.env.REACT_APP_BACKEND_URL || '';
+
+const api = axios.create({
+  baseURL: API_URL,
+  headers: {
+    'Content-Type': 'application/json',
+  },
+});
+
+// Request interceptor to add auth token
+api.interceptors.request.use((config) => {
+  const token = localStorage.getItem('token');
+  if (token) {
+    config.headers.Authorization = `Bearer ${token}`;
+  }
+  return config;
+});
+
+// Response interceptor to handle auth errors
+api.interceptors.response.use(
+  (response) => response,
+  (error) => {
+    if (error.response?.status === 401) {
+      localStorage.removeItem('token');
+      localStorage.removeItem('user');
+      window.location.reload();
+    }
+    return Promise.reject(error);
+  }
+);
+
+// Auth
+export const login = (username, password) => 
+  api.post('/api/auth/login', { username, password });
+
+export const getMe = () => 
+  api.get('/api/auth/me');
+
+// Users
+export const getUsers = () => 
+  api.get('/api/users');
+
+export const createUser = (userData) => 
+  api.post('/api/users', userData);
+
+export const updateUser = (userId, userData) => 
+  api.put(`/api/users/${userId}`, userData);
+
+export const deleteUser = (userId) => 
+  api.delete(`/api/users/${userId}`);
+
+// Files
+export const getFiles = (parentId = null, search = null) => {
+  const params = new URLSearchParams();
+  if (parentId) params.append('parent_id', parentId);
+  if (search) params.append('search', search);
+  return api.get(`/api/files?${params.toString()}`);
+};
+
+export const getFile = (fileId) => 
+  api.get(`/api/files/${fileId}`);
+
+export const createFolder = (name, parentId = null) => 
+  api.post('/api/files/folder', { name, parent_id: parentId, is_folder: true });
+
+export const uploadFile = (file, parentId, onProgress) => {
+  const formData = new FormData();
+  formData.append('file', file);
+  if (parentId) {
+    formData.append('parent_id', parentId);
+  }
+  
+  return api.post('/api/files/upload', formData, {
+    headers: { 'Content-Type': 'multipart/form-data' },
+    onUploadProgress: (progressEvent) => {
+      if (onProgress) {
+        const progress = Math.round((progressEvent.loaded * 100) / progressEvent.total);
+        onProgress(progress);
+      }
+    },
+  });
+};
+
+export const renameFile = (fileId, newName) => 
+  api.put(`/api/files/${fileId}/rename`, { new_name: newName });
+
+export const moveFile = (fileId, destinationId) => 
+  api.put(`/api/files/${fileId}/move`, { destination_id: destinationId });
+
+export const copyFile = (fileId, destinationId) => 
+  api.post(`/api/files/${fileId}/copy`, { destination_id: destinationId });
+
+export const deleteFile = (fileId) => 
+  api.delete(`/api/files/${fileId}`);
+
+export const bulkDeleteFiles = (fileIds) => 
+  api.post('/api/files/bulk-delete', fileIds);
+
+export const getDownloadUrl = (fileId) => 
+  `${API_URL}/api/files/${fileId}/download`;
+
+export const getPreviewUrl = (fileId) => 
+  `${API_URL}/api/files/${fileId}/preview`;
+
+export const getBreadcrumb = (fileId) => 
+  api.get(`/api/files/${fileId}/breadcrumb`);
+
+// Shares
+export const getShares = () => 
+  api.get('/api/shares');
+
+export const createShare = (fileId, expiresInHours = 24, password = null) => 
+  api.post('/api/shares', { file_id: fileId, expires_in_hours: expiresInHours, password });
+
+export const deleteShare = (shareId) => 
+  api.delete(`/api/shares/${shareId}`);
+
+export const getSharedFileInfo = (token) => 
+  api.get(`/api/share/${token}`);
+
+export const downloadSharedFile = (token, password = null) => {
+  const params = password ? `?password=${encodeURIComponent(password)}` : '';
+  return `${API_URL}/api/share/${token}/download${params}`;
+};
+
+// Activity
+export const getActivity = (limit = 50) => 
+  api.get(`/api/activity?limit=${limit}`);
+
+// Stats
+export const getStats = () => 
+  api.get('/api/stats');
+
+export default api;

apps/nas-samba/source/app/frontend/src/lib/utils.js

@@ -0,0 +1,33 @@
+import { clsx } from 'clsx';
+import { twMerge } from 'tailwind-merge';
+
+export function cn(...inputs) {
+  return twMerge(clsx(inputs));
+}
+
+export function formatBytes(bytes, decimals = 1) {
+  if (bytes === 0) return '0 B';
+  const k = 1024;
+  const dm = decimals < 0 ? 0 : decimals;
+  const sizes = ['B', 'KB', 'MB', 'GB', 'TB'];
+  const i = Math.floor(Math.log(bytes) / Math.log(k));
+  return parseFloat((bytes / Math.pow(k, i)).toFixed(dm)) + ' ' + sizes[i];
+}
+
+export function formatDate(dateString) {
+  if (!dateString) return '-';
+  const date = new Date(dateString);
+  const now = new Date();
+  const diff = Math.floor((now - date) / 1000);
+  
+  if (diff < 60) return 'Just now';
+  if (diff < 3600) return `${Math.floor(diff / 60)}m ago`;
+  if (diff < 86400) return `${Math.floor(diff / 3600)}h ago`;
+  if (diff < 604800) return `${Math.floor(diff / 86400)}d ago`;
+  
+  return date.toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' });
+}
+
+export function getFileExtension(filename) {
+  return filename.includes('.') ? filename.split('.').pop().toLowerCase() : '';
+}

apps/nas-samba/source/app/frontend/tailwind.config.js

@@ -0,0 +1,60 @@
+/** @type {import('tailwindcss').Config} */
+module.exports = {
+  content: ["./src/**/*.{js,jsx,ts,tsx}"],
+  darkMode: 'class',
+  theme: {
+    extend: {
+      colors: {
+        background: "var(--background)",
+        foreground: "var(--foreground)",
+        card: "var(--card)",
+        "card-foreground": "var(--card-foreground)",
+        popover: "var(--popover)",
+        "popover-foreground": "var(--popover-foreground)",
+        primary: "var(--primary)",
+        "primary-foreground": "var(--primary-foreground)",
+        secondary: "var(--secondary)",
+        "secondary-foreground": "var(--secondary-foreground)",
+        muted: "var(--muted)",
+        "muted-foreground": "var(--muted-foreground)",
+        accent: "var(--accent)",
+        "accent-foreground": "var(--accent-foreground)",
+        destructive: "var(--destructive)",
+        "destructive-foreground": "var(--destructive-foreground)",
+        border: "var(--border)",
+        input: "var(--input)",
+        ring: "var(--ring)",
+      },
+      fontFamily: {
+        primary: ['Inter', 'system-ui', 'sans-serif'],
+        secondary: ['Manrope', 'system-ui', 'sans-serif'],
+        mono: ['JetBrains Mono', 'monospace'],
+      },
+      borderRadius: {
+        lg: "var(--radius)",
+        md: "calc(var(--radius) - 2px)",
+        sm: "calc(var(--radius) - 4px)",
+      },
+      animation: {
+        'fade-in': 'fadeIn 0.3s ease-out',
+        'slide-up': 'slideUp 0.3s ease-out',
+        'slide-down': 'slideDown 0.3s ease-out',
+      },
+      keyframes: {
+        fadeIn: {
+          '0%': { opacity: '0' },
+          '100%': { opacity: '1' },
+        },
+        slideUp: {
+          '0%': { opacity: '0', transform: 'translateY(10px)' },
+          '100%': { opacity: '1', transform: 'translateY(0)' },
+        },
+        slideDown: {
+          '0%': { opacity: '0', transform: 'translateY(-10px)' },
+          '100%': { opacity: '1', transform: 'translateY(0)' },
+        },
+      },
+    },
+  },
+  plugins: [],
+};

apps/nas-samba/source/app/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "cloudsync",
+  "version": "1.0.0",
+  "description": "CloudSync File Manager - NAS Edition",
+  "main": "server.js",
+  "scripts": {
+    "start": "node server.js",
+    "dev": "node --watch server.js"
+  },
+  "dependencies": {
+    "archiver": "^7.0.1",
+    "bcryptjs": "^2.4.3",
+    "better-sqlite3": "^11.7.0",
+    "cors": "^2.8.5",
+    "dotenv": "^16.4.7",
+    "express": "^4.18.2",
+    "jsonwebtoken": "^9.0.2",
+    "mime-types": "^2.1.35",
+    "multer": "^1.4.5-lts.1"
+  }
+}

apps/nas-samba/source/entrypoint.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+set -e
+
+# Create users group if it doesn't exist
+getent group users >/dev/null 2>&1 || groupadd -g 100 users
+
+# Create alexz user with UID 1000 if not exists
+if ! id -u alexz >/dev/null 2>&1; then
+    # Remove any existing user with UID 1000 (e.g. ubuntu)
+    existing_user=$(getent passwd 1000 | cut -d: -f1)
+    if [ -n "$existing_user" ] && [ "$existing_user" != "alexz" ]; then
+        userdel "$existing_user" 2>/dev/null || true
+    fi
+    useradd -u 1000 -g users -M -s /usr/sbin/nologin alexz
+    echo "Created user alexz (UID 1000)"
+fi
+
+# Set Samba password from environment variable
+if [ -n "$SMB_PASSWORD" ]; then
+    echo -e "${SMB_PASSWORD}\n${SMB_PASSWORD}" | smbpasswd -a -s alexz
+    echo "Samba password set for alexz"
+else
+    echo "WARNING: SMB_PASSWORD not set. Samba authentication will fail."
+fi
+
+# Ensure directories exist
+mkdir -p /config /var/log/samba /run/samba /nas
+
+# Ensure correct ownership
+chown alexz:users /nas 2>/dev/null || true
+
+echo "Starting supervisord..."
+exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

apps/nas-samba/source/smb.conf

@@ -0,0 +1,18 @@
+[global]
+   workgroup = WORKGROUP
+   server string = NAS Samba
+   server role = standalone server
+   log file = /var/log/samba/log.%m
+   max log size = 50
+   logging = file
+   map to guest = bad user
+   server min protocol = SMB2
+   server max protocol = SMB3
+
+[data]
+   path = /nas
+   valid users = alexz
+   browsable = yes
+   writable = yes
+   create mask = 0664
+   directory mask = 0775

apps/nas-samba/source/supervisord.conf

@@ -0,0 +1,34 @@
+[supervisord]
+nodaemon=true
+user=root
+logfile=/var/log/supervisor/supervisord.log
+pidfile=/var/run/supervisord.pid
+childlogdir=/var/log/supervisor
+
+[program:smbd]
+command=/usr/sbin/smbd -F --no-process-group
+autostart=true
+autorestart=true
+priority=10
+stdout_logfile=/var/log/supervisor/smbd-stdout.log
+stderr_logfile=/var/log/supervisor/smbd-stderr.log
+
+[program:nmbd]
+command=/usr/sbin/nmbd -F --no-process-group
+autostart=true
+autorestart=true
+priority=10
+stdout_logfile=/var/log/supervisor/nmbd-stdout.log
+stderr_logfile=/var/log/supervisor/nmbd-stderr.log
+
+[program:cloudnas]
+command=node /app/server.js
+directory=/app
+autostart=true
+autorestart=true
+priority=20
+environment=PORT="8080",UPLOAD_DIR="/nas",DB_PATH="/config/cloudsync.db",JWT_SECRET="%(ENV_JWT_SECRET)s",SMB_PASSWORD="%(ENV_SMB_PASSWORD)s"
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

apps/nginx-proxy-manager/docker-compose.yml

@@ -1,46 +0,0 @@
-services:
-  nginx-proxy-manager:
-    image: jc21/nginx-proxy-manager:2.13.5
-    restart: unless-stopped
-    networks:
-      nginx-proxy-manager_runtipi_network:
-        gw_priority: 0
-      tipi_main_network:
-        gw_priority: 1
-      cistech-macvlan:
-    environment:
-      DISABLE_IPV6: "true"
-    ports:
-      - ${NPM_HTTP_PORT}:80
-      - ${NPM_HTTPS_PORT}:443
-      - ${APP_PORT}:81
-    volumes:
-      - ${APP_DATA_DIR}/data:/data
-      - ${APP_DATA_DIR}/letsencrypt:/etc/letsencrypt
-    labels:
-      generated: true
-      traefik.enable: true
-      traefik.docker.network: runtipi_tipi_main_network
-      traefik.http.middlewares.nginx-proxy-manager-runtipi-web-redirect.redirectscheme.scheme: https
-      traefik.http.services.nginx-proxy-manager-runtipi.loadbalancer.server.port: "81"
-      traefik.http.routers.nginx-proxy-manager-runtipi-insecure.rule: Host(`${APP_DOMAIN}`)
-      traefik.http.routers.nginx-proxy-manager-runtipi-insecure.entrypoints: web
-      traefik.http.routers.nginx-proxy-manager-runtipi-insecure.service: nginx-proxy-manager-runtipi
-      traefik.http.routers.nginx-proxy-manager-runtipi-insecure.middlewares: nginx-proxy-manager-runtipi-web-redirect
-      traefik.http.routers.nginx-proxy-manager-runtipi.rule: Host(`${APP_DOMAIN}`)
-      traefik.http.routers.nginx-proxy-manager-runtipi.entrypoints: websecure
-      traefik.http.routers.nginx-proxy-manager-runtipi.service: nginx-proxy-manager-runtipi
-      traefik.http.routers.nginx-proxy-manager-runtipi.tls.certresolver: myresolver
-      runtipi.managed: true
-      runtipi.appurn: nginx-proxy-manager:runtipi
-networks:
-  tipi_main_network:
-    name: runtipi_tipi_main_network
-    external: true
-  nginx-proxy-manager_runtipi_network:
-    name: nginx-proxy-manager_runtipi_network
-    external: false
-  cistech-macvlan:
-    name: cistech-macvlan
-    external: true
-

apps/npm/config.json

@@ -1,10 +1,10 @@
 {
   "name": "Nginx Proxy Manager",
-  "id": "nginx-proxy-manager",
+  "id": "npm",
   "available": true,
   "short_desc": "Docker container for managing Nginx proxy hosts with a simple, powerful web interface",
   "author": "jc21",
-  "port": 81,
+  "hostname": "nginx.alexzaw.dev",
   "categories": [
     "utilities",
     "network"
@@ -22,7 +22,7 @@
       "type": "number",
       "label": "HTTP Port",
       "env_variable": "NPM_HTTP_PORT",
-      "default": "1080",
+      "default": "80",
       "required": true,
       "hint": "Port for HTTP traffic (mapped to container port 80)"
     },
@@ -30,7 +30,15 @@
       "type": "number",
       "label": "HTTPS Port",
       "env_variable": "NPM_HTTPS_PORT",
-      "default": "10443",
+      "default": "443",
+      "required": true,
+      "hint": "Port for HTTPS traffic (mapped to container port 443)"
+    },
+     {
+      "type": "number",
+      "label": "Web UI Port",
+      "env_variable": "NPM_WEBUI_PORT",
+      "default": "81",
       "required": true,
       "hint": "Port for HTTPS traffic (mapped to container port 443)"
     }
@@ -38,7 +46,5 @@
   "supported_architectures": [
     "arm64",
     "amd64"
-  ],
-  "created_at": 1731607800000,
-  "updated_at": 1731607800000
+  ]
 }

apps/npm/docker-compose.json

@@ -1,23 +1,28 @@
 {
+  "schemaVersion": 2,
   "services": [
     {
-      "name": "nginx-proxy-manager",
+      "name": "npm",
       "image": "jc21/nginx-proxy-manager:2.13.5",
       "isMain": true,
       "internalPort": 81,
       "addPorts": [
         {
-          "hostPort": "${NPM_HTTP_PORT}",
+          "hostPort": "192.168.1.150:${NPM_HTTP_PORT}",
           "containerPort": 80
         },
         {
-          "hostPort": "${NPM_HTTPS_PORT}",
+          "hostPort": "192.168.1.150:${NPM_HTTPS_PORT}",
           "containerPort": 443
+        },
+        {
+          "hostPort": "192.168.1.150:${NPM_WEBUI_PORT}",
+          "containerPort": 81
         }
       ],
-      "environment": {
-        "DISABLE_IPV6": "true"
-      },
+      "environment": [
+        {"key": "DISABLE_IPV6", "value": "true"}
+      ],
       "volumes": [
         {
           "hostPath": "${APP_DATA_DIR}/data",

apps/rego-tunnel/build/.gitignore

@@ -0,0 +1,2 @@
+# Large binary files - track tar.gz but not 7z
+*.7z

apps/rego-tunnel/build/Dockerfile

@@ -1,17 +1,80 @@
-FROM ubuntu:24.04
+FROM ubuntu:22.04
+
+LABEL maintainer="alexz"
+LABEL description="Cisco Secure Client VPN in Docker with noVNC"
+LABEL version="5.1.14.145"
 
 ENV DEBIAN_FRONTEND=noninteractive
+ENV container=docker
 
-RUN apt-get update && apt-get install -y qemu-system-x86 qemu-utils novnc websockify openssh-server supervisor iproute2 bridge-utils iptables nano net-tools p7zip-full && rm -rf /var/lib/apt/lists/*
+# VNC/noVNC settings
+ENV DISPLAY=:1
+ENV VNC_PORT=5901
+ENV NOVNC_PORT=6080
 
-# Setup SSH
-RUN mkdir /var/run/sshd && echo 'root:vmpassword' | chpasswd && sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+# Install systemd and dependencies
+RUN apt-get update && apt-get install -y \
+    systemd \
+    systemd-sysv \
+    dbus \
+    dbus-x11 \
+    libgtk-3-0 \
+    libglib2.0-0 \
+    libstdc++6 \
+    iptables \
+    libxml2 \
+    network-manager \
+    zlib1g \
+    policykit-1 \
+    xdg-utils \
+    libwebkit2gtk-4.0-37 \
+    tigervnc-standalone-server \
+    tigervnc-common \
+    novnc \
+    websockify \
+    openbox \
+    xterm \
+    procps \
+    net-tools \
+    curl \
+    iproute2 \
+    iputils-ping \
+    nano \
+    x11vnc \
+    xvfb \
+    fluxbox \
+    xdotool \
+    oathtool \
+    xclip \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
 
-WORKDIR /vm
+# Remove unnecessary systemd services that cause issues in containers
+RUN rm -f /lib/systemd/system/multi-user.target.wants/* \
+    /etc/systemd/system/*.wants/* \
+    /lib/systemd/system/local-fs.target.wants/* \
+    /lib/systemd/system/sockets.target.wants/*udev* \
+    /lib/systemd/system/sockets.target.wants/*initctl* \
+    /lib/systemd/system/sysinit.target.wants/systemd-tmpfiles-setup* \
+    /lib/systemd/system/systemd-update-utmp*
 
-COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
-COPY start-vm.sh /usr/local/bin/start-vm.sh
-COPY setup-network.sh /usr/local/bin/setup-network.sh
-RUN chmod +x /usr/local/bin/start-vm.sh /usr/local/bin/setup-network.sh
+# Copy and extract Cisco Secure Client
+COPY cisco-secure-client-full.tar.gz /tmp/
+RUN tar -xzf /tmp/cisco-secure-client-full.tar.gz -C / && rm /tmp/cisco-secure-client-full.tar.gz
 
-CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
+# Enable vpnagentd service
+RUN systemctl enable vpnagentd.service
+
+# vnc.service - started by systemd, calls /opt/scripts/startup-vnc.sh
+# The entrypoint symlinks /shared/startup-vnc.sh -> /opt/scripts/startup-vnc.sh at runtime
+RUN mkdir -p /opt/scripts && \
+    echo 'W1VuaXRdCkRlc2NyaXB0aW9uPVZOQyBhbmQgbm9WTkMgU2VydmVyCkFmdGVyPW5ldHdvcmsudGFyZ2V0IHZwbmFnZW50ZC5zZXJ2aWNlCgpbU2VydmljZV0KVHlwZT1zaW1wbGUKRXhlY1N0YXJ0PS9vcHQvc2NyaXB0cy9zdGFydHVwLXZuYy5zaApSZXN0YXJ0PWFsd2F5cwpSZXN0YXJ0U2VjPTUKRW52aXJvbm1lbnQ9SE9NRT0vcm9vdApFbnZpcm9ubWVudD1VU0VSPXJvb3QKCltJbnN0YWxsXQpXYW50ZWRCeT1tdWx0aS11c2VyLnRhcmdldAo=' \
+    | base64 -d > /lib/systemd/system/vnc.service && \
+    chmod 644 /lib/systemd/system/vnc.service && \
+    systemctl enable vnc.service
+
+VOLUME ["/sys/fs/cgroup"]
+
+EXPOSE 5901 6080
+
+STOPSIGNAL SIGRTMIN+3

apps/rego-tunnel/build/README.md

@@ -0,0 +1,51 @@
+# Rego Tunnel - Build Files
+
+This directory contains the Dockerfile and scripts to build the Cisco VPN Docker image.
+
+## Files
+
+- `Dockerfile` - Docker image definition (Ubuntu 22.04 + Cisco Secure Client + noVNC)
+- `cisco-secure-client-full.tar.gz` - Pre-extracted Cisco Secure Client 5.1.14.145
+- `build.sh` - Build and push script
+- `scripts/entrypoint.sh` - Container entrypoint (starts systemd)
+
+## Building
+
+```bash
+cd /etc/runtipi/repos/runtipi/apps/rego-tunnel/build
+./build.sh
+```
+
+This builds and pushes to `git.alexzaw.dev/alexz/cisco-vpn:latest`
+
+To build without pushing:
+```bash
+docker build -t git.alexzaw.dev/alexz/cisco-vpn:latest .
+```
+
+## What's in the image
+
+The Dockerfile creates an image with:
+- Ubuntu 22.04 with systemd
+- Cisco Secure Client 5.1.14.145 (VPN, DART, Posture modules)
+- TigerVNC server + noVNC (web-based VNC)
+- Tools: xdotool, oathtool (for TOTP), xclip, openbox
+
+### Systemd services (baked in)
+- `vpnagentd.service` - Cisco VPN agent
+- `vnc.service` - VNC server + noVNC websockify
+
+### Scripts (baked in via base64 in Dockerfile)
+- `/opt/scripts/startup-vnc.sh` - Starts VNC server and noVNC
+- `/opt/scripts/entrypoint.sh` - Container entrypoint
+
+## Runtime mounts (from shared/)
+
+When running as rego-tunnel app, these are mounted from `shared/`:
+- `/shared/cisco-vpn` - Main VPN automation script
+- `/shared/xstartup` → `/root/.vnc/xstartup` - VNC session startup
+
+## Ports
+
+- `5901` - VNC server
+- `6080` - noVNC web interface

apps/rego-tunnel/build/build.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+# Build and push the Cisco VPN Docker image
+# Run this from the build directory
+
+set -euo pipefail
+
+IMAGE_NAME="${IMAGE_NAME:-git.alexzaw.dev/alexz/cisco-vpn}"
+IMAGE_TAG="${IMAGE_TAG:-latest}"
+
+echo "Building ${IMAGE_NAME}:${IMAGE_TAG}..."
+
+docker build "$@" -t "${IMAGE_NAME}:${IMAGE_TAG}" .
+docker push "${IMAGE_NAME}:${IMAGE_TAG}"
+
+echo ""
+echo "Build complete!"
+echo ""
+echo "To test locally:"
+echo "  docker run -d --privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cap-add=NET_ADMIN --device=/dev/net/tun -p 5901:5901 -p 6080:6080 ${IMAGE_NAME}:${IMAGE_TAG}"
+echo ""
+echo "Then connect via VNC to localhost:5901 or open noVNC at http://localhost:6080/vnc.html"
+echo ""

apps/rego-tunnel/build/setup-network.sh

@@ -1,41 +0,0 @@
-#!/bin/bash
-# Setup TAP/Bridge networking for QEMU VM
-# Bridge: 100.100.0.1/24
-# VM will be: 100.100.0.2/24
-
-set -e
-
-# Create bridge if not exists
-if ! ip link show br0 &>/dev/null; then
-    ip link add br0 type bridge
-    ip addr add 100.100.0.1/24 dev br0
-    ip link set br0 up
-    echo "Bridge br0 created with IP 100.100.0.1/24"
-fi
-
-# Create TAP device if not exists
-if ! ip link show tap0 &>/dev/null; then
-    ip tuntap add tap0 mode tap
-    ip link set tap0 master br0
-    ip link set tap0 up
-    echo "TAP device tap0 created and attached to br0"
-fi
-
-# Enable IP forwarding
-echo 1 > /proc/sys/net/ipv4/ip_forward
-
-# Setup NAT/masquerade for outbound traffic from VM
-iptables -t nat -C POSTROUTING -s 100.100.0.0/24 -o eth0 -j MASQUERADE 2>/dev/null ||     iptables -t nat -A POSTROUTING -s 100.100.0.0/24 -o eth0 -j MASQUERADE
-
-# Forward traffic destined for VPN networks to VM (10.35.33.230 = IBM i)
-# The VM will route this through its VPN tunnel
-iptables -C FORWARD -d 10.35.33.230 -j ACCEPT 2>/dev/null ||     iptables -A FORWARD -d 10.35.33.230 -j ACCEPT
-iptables -C FORWARD -s 10.35.33.230 -j ACCEPT 2>/dev/null ||     iptables -A FORWARD -s 10.35.33.230 -j ACCEPT
-
-# Route to IBM i through VM
-ip route add 10.35.33.230 via 100.100.0.2 2>/dev/null || true
-
-echo "Network setup complete"
-echo "Bridge: br0 = 100.100.0.1/24"
-echo "TAP: tap0 attached to br0"
-echo "Route: 10.35.33.230 via 100.100.0.2 (VM)"

apps/rego-tunnel/build/start-vm.sh

@@ -1,36 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-# If provided, extract ssh.zip to /root/.ssh/zip (not baked into the image)
-SSH_ZIP_PATH="/shared/ssh.zip"
-SSH_ZIP_DEST="/root/.ssh/zip"
-
-if [ -f "$SSH_ZIP_PATH" ]; then
-	mkdir -p "$SSH_ZIP_DEST"
-	chmod 700 /root/.ssh
-	chmod 700 "$SSH_ZIP_DEST"
-
-	echo "[rego-tunnel] Extracting $SSH_ZIP_PATH -> $SSH_ZIP_DEST"
-	7z x -y -o"$SSH_ZIP_DEST" "$SSH_ZIP_PATH" >/dev/null
-
-	find "$SSH_ZIP_DEST" -type d -exec chmod 700 {} \;
-	find "$SSH_ZIP_DEST" -type f -exec chmod 600 {} \;
-else
-	echo "[rego-tunnel] No $SSH_ZIP_PATH found; skipping SSH zip extraction"
-fi
-
-# Wait for network setup
-sleep 2
-
-exec qemu-system-x86_64 \
-	-enable-kvm \
-	-cpu host \
-	-m ${VM_RAM:-8G} \
-	-smp ${VM_CPUS:-4} \
-	-hda /vm/linux-vm.qcow2 \
-	-netdev tap,id=net0,ifname=tap0,script=no,downscript=no \
-	-device virtio-net-pci,netdev=net0,mac=52:54:00:12:34:56 \
-	-vnc :0 \
-	-vga virtio \
-	-usb \
-	-device usb-tablet

apps/rego-tunnel/build/supervisord.conf

@@ -1,36 +0,0 @@
-[supervisord]
-nodaemon=true
-logfile=/var/log/supervisord.log
-
-[program:network-setup]
-command=/usr/local/bin/setup-network.sh
-autostart=true
-autorestart=false
-startsecs=0
-priority=1
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-
-[program:sshd]
-command=/usr/sbin/sshd -D
-autostart=true
-autorestart=true
-priority=10
-
-[program:qemu]
-command=/usr/local/bin/start-vm.sh
-autostart=true
-autorestart=true
-priority=20
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-
-[program:novnc]
-command=/usr/share/novnc/utils/novnc_proxy --vnc localhost:5900 --listen 8006
-autostart=true
-autorestart=true
-priority=30

apps/rego-tunnel/config.json

@@ -1,34 +1,76 @@
 {
   "name": "Rego Tunnel",
   "available": true,
-  "port": 8006,
+  "port": 6080,
   "exposable": true,
   "dynamic_config": true,
   "id": "rego-tunnel",
-  "description": "Linux VM with Cisco AnyConnect VPN for accessing Rego environments securely.",
-  "tipi_version": 3,
-  "version": "latest",
-  "categories": ["utilities"],
-  "short_desc": "Linux VM VPN tunnel to Rego environments.",
+  "description": "Cisco Secure Client VPN in Docker with noVNC web UI for accessing Rego environments. Native Docker - no VM overhead.",
+  "tipi_version": 7,
+  "version": "5.1.14.145",
+  "categories": [
+    "utilities"
+  ],
+  "short_desc": "Cisco VPN tunnel to Rego environments (native Docker)",
   "author": "alexz",
   "source": "https://git.alexzaw.dev/alexz/runtipi",
   "form_fields": [
     {
-      "type": "number",
-      "label": "RAM (GB)",
-      "hint": "RAM to assign to the VM (in gigabytes)",
-      "placeholder": "8",
-      "required": true,
-      "env_variable": "WINDOWS_RAM_GB"
+      "type": "email",
+      "label": "VPN Email",
+      "hint": "Email address for VPN SSO login (configured in /shared/cisco-vpn script)",
+      "placeholder": "your-email@company.com",
+      "required": false,
+      "env_variable": "VPN_EMAIL",
+      "default": ""
     },
     {
-      "type": "number",
-      "label": "CPU Cores",
-      "hint": "CPU cores to assign to the VM",
-      "placeholder": "4",
-      "required": true,
-      "env_variable": "WINDOWS_CPU_CORES"
+      "type": "password",
+      "label": "VPN Password",
+      "hint": "Password for VPN SSO login (configured in /shared/cisco-vpn script)",
+      "placeholder": "",
+      "required": false,
+      "env_variable": "VPN_PASSWORD",
+      "default": ""
+    },
+    {
+      "type": "text",
+      "label": "TOTP Secret",
+      "hint": "Base32 TOTP secret for 2FA (configured in /shared/cisco-vpn script)",
+      "placeholder": "",
+      "required": false,
+      "env_variable": "VPN_TOTP_SECRET",
+      "default": ""
+    },
+    {
+      "type": "text",
+      "label": "VPN Host",
+      "hint": "VPN server hostname",
+      "placeholder": "vpn.company.com",
+      "required": false,
+      "env_variable": "VPN_HOST",
+      "default": "vpn-ord1.dovercorp.com"
+    },
+    {
+      "type": "text",
+      "label": "Target IP",
+      "hint": "IP address to route through VPN (e.g., IBM i server)",
+      "placeholder": "10.35.33.230",
+      "required": false,
+      "env_variable": "TARGET_IP",
+      "default": "10.35.33.230"
+    },
+    {
+      "type": "password",
+      "label": "VNC Password",
+      "hint": "Password for noVNC web interface",
+      "placeholder": "cisco123",
+      "required": false,
+      "env_variable": "VNC_PASSWORD",
+      "default": ""
     }
   ],
-  "supported_architectures": ["amd64"]
+  "supported_architectures": [
+    "amd64"
+  ]
 }

apps/rego-tunnel/docker-compose.json

@@ -1,39 +1,79 @@
 {
+  "schemaVersion": 2,
   "services": [
     {
       "name": "rego-tunnel",
-      "image": "git.alexzaw.dev/alexz/linux-vm:latest",
-      "isMain": true,
-      "internalPort": 8006,
+      "image": "git.alexzaw.dev/alexz/cisco-vpn:latest",
       "environment": [
         {
-          "key": "VM_RAM",
-          "value": "${WINDOWS_RAM_GB}G"
+          "key": "VPN_EMAIL",
+          "value": "${VPN_EMAIL}"
         },
         {
-          "key": "VM_CPUS",
-          "value": "${WINDOWS_CPU_CORES}"
+          "key": "VPN_PASSWORD",
+          "value": "${VPN_PASSWORD}"
+        },
+        {
+          "key": "VPN_TOTP_SECRET",
+          "value": "${VPN_TOTP_SECRET}"
+        },
+        {
+          "key": "VPN_HOST",
+          "value": "${VPN_HOST}"
+        },
+        {
+          "key": "VNC_PASSWORD",
+          "value": "${VNC_PASSWORD}"
+        },
+        {
+          "key": "TZ",
+          "value": "${TZ}"
+        },
+        {
+          "key": "TARGET_IP",
+          "value": "${TARGET_IP}"
         }
       ],
+      "internalPort": 6080,
       "volumes": [
         {
-          "hostPath": "/etc/runtipi/user-config/runtipi/rego-tunnel/storage/linux-vm.qcow2",
-          "containerPath": "/vm/linux-vm.qcow2"
+          "hostPath": "${APP_DATA_DIR}/config",
+          "containerPath": "/config",
+          "readOnly": false
         },
         {
-          "hostPath": "/etc/runtipi/user-config/runtipi/rego-tunnel/shared",
-          "containerPath": "/shared"
+          "hostPath": "${APP_DATA_DIR}",
+          "containerPath": "/runtime",
+          "readOnly": false
+        },
+        {
+          "hostPath": "/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared",
+          "containerPath": "/shared",
+          "readOnly": false
+        },
+        {
+          "hostPath": "/sys/fs/cgroup",
+          "containerPath": "/sys/fs/cgroup",
+          "readOnly": false
+        },
+        {
+          "hostPath": "/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/xstartup",
+          "containerPath": "/root/.vnc/xstartup",
+          "readOnly": true
         }
       ],
-      "sysctls": {
-        "net.ipv4.ip_forward": 1
-      },
-      "devices": ["/dev/kvm", "/dev/net/tun"],
-      "capAdd": ["NET_ADMIN"],
+      "stopGracePeriod": "30s",
+      "devices": [
+        "/dev/net/tun"
+      ],
       "privileged": true,
-      "stopGracePeriod": "2m"
+      "capAdd": [
+        "NET_ADMIN"
+      ],
+      "isMain": true,
+      "extraLabels": {
+        "runtipi.managed": true
+      }
     }
-  ],
-  "schemaVersion": 2,
-  "$schema": "https://schemas.runtipi.io/v2/dynamic-compose.json"
+  ]
 }

apps/rego-tunnel/docker-compose.yml

@@ -1,45 +1,48 @@
 services:
   rego-tunnel:
-    container_name: rego-tunnel
-    image: git.alexzaw.dev/alexz/linux-vm:latest
+    image: git.alexzaw.dev/alexz/cisco-vpn:latest
     restart: unless-stopped
-    privileged: true
-    devices:
-      - /dev/kvm
-      - /dev/net/tun
+    networks:
+      rego-tunnel_runtipi_network:
+        gw_priority: 0
+      tipi_main_network:
+        gw_priority: 1
+    environment:
+      VPN_EMAIL: ${VPN_EMAIL}
+      VPN_PASSWORD: ${VPN_PASSWORD}
+      VPN_TOTP_SECRET: ${VPN_TOTP_SECRET}
+      VPN_HOST: ${VPN_HOST}
+      VNC_PASSWORD: ${VNC_PASSWORD}
+      TZ: ${TZ}
+      TARGET_IP: ${TARGET_IP}
+    ports:
+      - ${APP_PORT}:6080
+    volumes:
+      - ${APP_DATA_DIR}/config:/config
+      - ${APP_DATA_DIR}:/runtime
+      - /etc/runtipi/repos/runtipi/apps/rego-tunnel/shared:/shared
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+      - /etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/xstartup:/root/.vnc/xstartup:ro
+    labels:
+      generated: true
+      traefik.enable: true
+      traefik.docker.network: runtipi_tipi_main_network
+      traefik.http.middlewares.rego-tunnel-runtipi-web-redirect.redirectscheme.scheme: https
+      traefik.http.services.rego-tunnel-runtipi.loadbalancer.server.port: "6080"
+      traefik.http.routers.rego-tunnel-runtipi-insecure.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.rego-tunnel-runtipi-insecure.entrypoints: web
+      traefik.http.routers.rego-tunnel-runtipi-insecure.service: rego-tunnel-runtipi
+      traefik.http.routers.rego-tunnel-runtipi-insecure.middlewares: rego-tunnel-runtipi-web-redirect
+      traefik.http.routers.rego-tunnel-runtipi.rule: Host(`${APP_DOMAIN}`)
+      traefik.http.routers.rego-tunnel-runtipi.entrypoints: websecure
+      traefik.http.routers.rego-tunnel-runtipi.service: rego-tunnel-runtipi
+      traefik.http.routers.rego-tunnel-runtipi.tls.certresolver: myresolver
+      runtipi.managed: true
+      runtipi.appurn: rego-tunnel:runtipi
     cap_add:
       - NET_ADMIN
-    stop_grace_period: 2m
-    ports:
-      - ${APP_PORT}:8006
-    environment:
-      - VM_RAM=${WINDOWS_RAM_GB}G
-      - VM_CPUS=${WINDOWS_CPU_CORES}
-    volumes:
-      - /etc/runtipi/user-config/runtipi/rego-tunnel/storage/linux-vm.qcow2:/vm/linux-vm.qcow2
-      - /etc/runtipi/user-config/runtipi/rego-tunnel/shared:/shared
-    networks:
-      - tipi_main_network
-    sysctls:
-      - net.ipv4.ip_forward=1
-    labels:
-      traefik.enable: true
-      traefik.http.middlewares.rego-tunnel-web-redirect.redirectscheme.scheme: https
-      traefik.http.services.rego-tunnel.loadbalancer.server.port: 8006
-      traefik.http.routers.rego-tunnel-insecure.rule: Host(`${APP_DOMAIN}`)
-      traefik.http.routers.rego-tunnel-insecure.entrypoints: web
-      traefik.http.routers.rego-tunnel-insecure.service: rego-tunnel
-      traefik.http.routers.rego-tunnel-insecure.middlewares: rego-tunnel-web-redirect
-      traefik.http.routers.rego-tunnel.rule: Host(`${APP_DOMAIN}`)
-      traefik.http.routers.rego-tunnel.entrypoints: websecure
-      traefik.http.routers.rego-tunnel.service: rego-tunnel
-      traefik.http.routers.rego-tunnel.tls.certresolver: myresolver
-      traefik.http.routers.rego-tunnel-local-insecure.rule: Host(`rego-tunnel.${LOCAL_DOMAIN}`)
-      traefik.http.routers.rego-tunnel-local-insecure.entrypoints: web
-      traefik.http.routers.rego-tunnel-local-insecure.service: rego-tunnel
-      traefik.http.routers.rego-tunnel-local-insecure.middlewares: rego-tunnel-web-redirect
-      traefik.http.routers.rego-tunnel-local.rule: Host(`rego-tunnel.${LOCAL_DOMAIN}`)
-      traefik.http.routers.rego-tunnel-local.entrypoints: websecure
-      traefik.http.routers.rego-tunnel-local.service: rego-tunnel
-      traefik.http.routers.rego-tunnel-local.tls: true
-      runtipi.managed: true
+    devices:
+      - /dev/net/tun
+    privileged: true
+    cgroup: host
+    stop_grace_period: 30s

apps/rego-tunnel/metadata/README.md

@@ -1,258 +0,0 @@
-# Rego-Tunnel VPN Bridge
-
-This app runs a Windows VM inside a Docker container with Cisco AnyConnect VPN, providing transparent access to VPN-protected resources (IBM i at 10.35.33.230) from the local network.
-
-## Architecture
-
-```
-┌─────────────────────────────────────────────────────────────────────────┐
-│ Laptop (192.168.0.230)                                                  │
-│   Route: 172.31.0.0/24 via 192.168.0.150                               │
-└─────────────────────────────────────────────────────────────────────────┘
-                                    │
-                                    ▼
-┌─────────────────────────────────────────────────────────────────────────┐
-│ Linux Host (192.168.0.150 / 192.168.1.150)                             │
-│                                                                         │
-│   rego-routing.service:                                                 │
-│     - Routes 172.32.0.0/24 and 10.35.33.0/24 via 172.31.0.10           │
-│     - Removes Docker nft isolation rules for 172.31.0.10               │
-│     - DOCKER-USER iptables rules for forwarding                         │
-│                                                                         │
-│   Bridge: br-vpn-rego (172.31.0.1/24)                                  │
-└─────────────────────────────────────────────────────────────────────────┘
-                                    │
-                                    ▼
-┌─────────────────────────────────────────────────────────────────────────┐
-│ Container: rego-tunnel (172.31.0.10)                                   │
-│                                                                         │
-│   start.sh:                                                             │
-│     - socat: port 2222 → VM:2222 (SSH to VM)                           │
-│     - DNAT: ports 22,23,446,448,449,8470-8476,2000-2020,3000-3020,     │
-│             10000-10020,36000-36010 → VM                                │
-│     - MASQUERADE for docker bridge                                      │
-│                                                                         │
-│   Internal docker bridge: 172.32.0.1/24                                │
-└─────────────────────────────────────────────────────────────────────────┘
-                                    │
-                                    ▼
-┌─────────────────────────────────────────────────────────────────────────┐
-│ Windows VM (172.32.0.20)                                               │
-│                                                                         │
-│   SSH Server: port 2222                                                 │
-│   Cisco AnyConnect VPN: connected to corporate network                 │
-│   VPN IP: 10.215.x.x                                                   │
-│                                                                         │
-│   Portproxy rules (persistent):                                        │
-│     - 0.0.0.0:22 → 10.35.33.230:22                                     │
-│     - 0.0.0.0:23 → 10.35.33.230:23                                     │
-│     - 0.0.0.0:446,448,449 → 10.35.33.230:*                             │
-│     - 0.0.0.0:8470-8476 → 10.35.33.230:*                               │
-│     - 0.0.0.0:2000-2020 → 10.35.33.230:*                               │
-│     - 0.0.0.0:3000-3020 → 10.35.33.230:*                               │
-│     - 0.0.0.0:10000-10020 → 10.35.33.230:*                             │
-│     - 0.0.0.0:36000-36010 → 10.35.33.230:*                             │
-│                                                                         │
-│   vpn-login.js:                                                         │
-│     - Auto-login to Cisco AnyConnect via WebView DevTools              │
-│     - TOTP authentication                                               │
-│     - Watchdog: monitors VPN and reconnects if dropped                 │
-└─────────────────────────────────────────────────────────────────────────┘
-                                    │
-                                    ▼
-┌─────────────────────────────────────────────────────────────────────────┐
-│ IBM i (10.35.33.230)                                                   │
-│   Via Cisco VPN tunnel                                                  │
-└─────────────────────────────────────────────────────────────────────────┘
-```
-
-## Network Configuration
-
-### IP Addresses
-
-| Component | IP Address |
-|-----------|------------|
-| Container external (br-vpn-rego) | 172.31.0.10 |
-| Container internal bridge | 172.32.0.1 |
-| Windows VM | 172.32.0.20 |
-| IBM i (via VPN) | 10.35.33.230 |
-
-### Ports
-
-| Port | Destination | Purpose |
-|------|-------------|---------|
-| 2222 | VM SSH (2222) | SSH access to Windows VM |
-| 22 | IBM i (via portproxy) | SSH to IBM i |
-| 23 | IBM i (via portproxy) | Telnet to IBM i |
-| 446,448,449 | IBM i (via portproxy) | IBM i services |
-| 8470-8476 | IBM i (via portproxy) | IBM i data ports |
-| 2000-2020 | IBM i (via portproxy) | Additional ports |
-| 3000-3020 | IBM i (via portproxy) | Additional ports |
-| 10000-10020 | IBM i (via portproxy) | Additional ports |
-| 36000-36010 | IBM i (via portproxy) | Additional ports |
-| 8006 | Container | Web-based Windows viewer |
-
-## Host Configuration
-
-### Systemd Service: rego-routing.service
-
-Location: `/etc/systemd/system/rego-routing.service`
-
-This service runs after docker.service and:
-1. Adds routes for 172.32.0.0/24 and 10.35.33.0/24 via 172.31.0.10
-2. Adds DOCKER-USER iptables rules for forwarding
-3. Removes Docker's nft isolation rules that block external access to 172.31.0.10
-
-```bash
-# Check status
-sudo systemctl status rego-routing.service
-
-# Restart if needed
-sudo systemctl restart rego-routing.service
-```
-
-### Client Route (Windows Laptop)
-
-Add a persistent route to reach the container network:
-
-```cmd
-route add 172.31.0.0 mask 255.255.255.0 192.168.0.150 -p
-```
-
-Where 192.168.0.150 is the Linux host IP.
-
-## Files
-
-### vpn_scripts/start.sh
-
-Startup script that runs before the Windows VM entry.sh:
-- Installs required packages (socat, openssh-client, netcat-openbsd)
-- Sets up SSH key for VM access
-- Waits for Windows VM to boot
-- Configures iptables MASQUERADE and FORWARD rules
-- Sets up socat for SSH forwarding (port 2222)
-- Configures DNAT rules for all IBM i ports
-
-**Important**: Uses `return 0` (not `exit 0`) at the end because it's sourced.
-
-### vpn_scripts/vpn-login.js
-
-Automated Cisco AnyConnect VPN login:
-- Connects via WebView DevTools protocol (port 9222)
-- Handles Microsoft/ADFS authentication
-- Generates TOTP codes for 2FA
-- Watchdog mode: monitors VPN every 2 minutes, reconnects if dropped
-
-### vpn_scripts/id_ed25519-lenovo
-
-SSH private key for accessing the Windows VM from the container.
-
-## Windows VM Configuration
-
-### SSH Server
-
-Windows OpenSSH is configured to listen on port 2222 (not 22) to allow port 22 for IBM i portproxy.
-
-Config: `C:\ProgramData\ssh\sshd_config`
-```
-Port 2222
-```
-
-### Portproxy Rules
-
-Portproxy rules forward IBM i ports through the VPN. These are persistent (stored in registry).
-
-```cmd
-# View all portproxy rules
-netsh interface portproxy show all
-
-# Add a rule
-netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=22 connectaddress=10.35.33.230 connectport=22
-
-# Delete all rules
-netsh interface portproxy reset
-```
-
-Rules are defined in: `/etc/runtipi/user-config/runtipi/rego-tunnel/port-proxy.txt`
-
-### IP Helper Service
-
-The IP Helper service (iphlpsvc) must be running for portproxy to work:
-
-```cmd
-net start iphlpsvc
-```
-
-## User Config
-
-Location: `/etc/runtipi/user-config/runtipi/rego-tunnel/docker-compose.yml`
-
-```yaml
-networks:
-  vpn_static-rego:
-    driver: bridge
-    driver_opts:
-      com.docker.network.bridge.name: "br-vpn-rego"
-    ipam:
-      config:
-        - subnet: 172.31.0.0/24
-
-services:
-  rego-tunnel:
-    entrypoint: ["/bin/bash", "-c", "source /vpn_scripts/start.sh; exec /run/entry.sh"]
-    sysctls:
-      - net.ipv4.conf.all.rp_filter=0
-      - net.ipv4.conf.default.rp_filter=0
-    cap_add:
-      - NET_ADMIN
-    environment:
-      - VM_NET_IP=172.32.0.20
-    volumes:
-      - /etc/runtipi/repos/runtipi/apps/rego-tunnel/vpn_scripts:/vpn_scripts:ro
-    networks:
-      vpn_static-rego:
-        ipv4_address: 172.31.0.10
-```
-
-## Troubleshooting
-
-### Container won't start / restarts immediately
-
-Check if start.sh has `exit 0` instead of `return 0` at the end. Since it's sourced, `exit` terminates the parent shell.
-
-### Can't reach container from laptop
-
-1. Check route on laptop: `route print | findstr 172.31`
-2. Check rego-routing.service: `sudo systemctl status rego-routing.service`
-3. Check if Docker nft rules are blocking: `sudo nft list ruleset | grep 172.31`
-
-### Portproxy not working
-
-1. Restart IP Helper: `net stop iphlpsvc && net start iphlpsvc`
-2. Check if SSH is on port 2222: `netstat -an | findstr :22`
-3. Verify portproxy rules: `netsh interface portproxy show all`
-
-### VPN not connecting
-
-1. Check vpn-login.js logs in Windows VM
-2. Verify time sync (TOTP requires accurate time)
-3. Check if VPN credentials in vpn-login.js are correct
-
-### Bridge name too long error
-
-Linux bridge names are limited to 15 characters. "br-vpn-static-rego" (18 chars) won't work; use "br-vpn-rego" (11 chars).
-
-## Maintenance
-
-### Updating vpn_scripts
-
-1. Edit files in `/etc/runtipi/repos/runtipi/apps/rego-tunnel/vpn_scripts/`
-2. Commit and push to git
-3. Run `sudo ./runtipi-cli appstore update`
-4. Restart app: `sudo ./runtipi-cli app stop rego-tunnel:runtipi && sudo ./runtipi-cli app start rego-tunnel:runtipi`
-
-### Updating portproxy rules
-
-1. Edit `/etc/runtipi/user-config/runtipi/rego-tunnel/port-proxy.txt`
-2. SSH to VM: `ssh -p 2222 docker@172.31.0.10`
-3. Reset and re-apply: `netsh interface portproxy reset` then run the commands from port-proxy.txt

apps/rego-tunnel/metadata/description.md

@@ -1,82 +1,144 @@
-<h1 align="center">Windows<br />
-<div align="center">
-<a href="https://github.com/dockur/windows"><img src="https://github.com/dockur/windows/raw/master/.github/logo.png" title="Logo" style="max-width:100%;" width="128" /></a>
-</div>
-<div align="center">
+# Rego Tunnel - Cisco Secure Client VPN
 
-</div></h1>
-
-Windows in a Docker container.
+Native Docker container running Cisco Secure Client (AnyConnect) with full GUI support via noVNC. Provides transparent VPN access to protected resources from your LAN.
 
 ## Features
 
- - ISO downloader
- - KVM acceleration
- - Web-based viewer
+- **Cisco Secure Client 5.1.14.145** - Full GUI with VPN, DART, and Posture modules
+- **Web-based access** via noVNC (port 6080)
+- **Auto-login with TOTP** - Fully automated VPN connection
+- **LAN routing** - Other machines on your network can reach VPN targets
+- **Native Docker** - No QEMU/VM overhead
 
-## FAQ
+## Architecture
 
-* ### How do I use it?
+```
+LAN Devices ──► Linux Host ──► Container (172.31.0.10) ──► VPN Tunnel ──► Target (10.35.33.230)
+                   │                    │
+                   │                    └── Cisco Secure Client
+                   │                    └── noVNC web UI (port 6080)
+                   │
+                   └── Host routing service
+                       (routes VPN traffic through container)
+```
 
-  Very simple! These are the steps:
+## Installation
 
-  - Start the container and connect to [port 8006](http://localhost:8006) using your web browser.
+### 1. Install the app through Runtipi
 
-  - Sit back and relax while the magic happens, the whole installation will be performed fully automatic.
+Configure your VPN credentials in app settings:
+- VPN Email
+- VPN Password
+- TOTP Secret (base32)
+- VPN Host (default: vpn-ord1.dovercorp.com)
+- Target IP (default: 10.35.33.230)
 
-  - Once you see the desktop, your Windows installation is ready for use.
+### 2. Install host routing service (required for LAN access)
 
-  Enjoy your brand new machine, and don't forget to star this repo!
+**Run this ONCE on the host after app install:**
 
-* ### How do I select the Windows version?
+```bash
+/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/install-host-services.sh
+```
 
-  By default, Windows 11 will be installed. But you can change that in settings, in order to specify an alternative Windows version to be downloaded:
+This creates systemd services that route VPN traffic through the container.
 
-  Select from the values below:
+### 3. Access the VPN GUI
 
-  | **Value**  | **Description**  | **Source**  | **Transfer**  | **Size**  |
-  |---|---|---|---|---|
-  | `win11`   | Windows 11 Pro         | Microsoft    | Fast    | 6.4 GB    |
-  | `win10`   | Windows 10 Pro         | Microsoft    | Fast    | 5.8 GB    |
-  | `ltsc10`  | Windows 10 LTSC        | Microsoft    | Fast    | 4.6 GB    |
-  | `win81`   | Windows 8.1 Pro        | Microsoft    | Fast    | 4.2 GB    |
-  | `win7`    | Windows 7 SP1          | Bob Pony     | Medium  | 3.0 GB    |
-  | `vista`   | Windows Vista SP2      | Bob Pony     | Medium  | 3.6 GB    |
-  | `winxp`   | Windows XP SP3         | Bob Pony     | Medium  | 0.6 GB    |
-  ||||||
-  | `2022`    | Windows Server 2022    | Microsoft    | Fast    | 4.7 GB    |
-  | `2019`    | Windows Server 2019    | Microsoft    | Fast    | 5.3 GB    |
-  | `2016`    | Windows Server 2016    | Microsoft    | Fast    | 6.5 GB    |
-  | `2012`    | Windows Server 2012 R2 | Microsoft    | Fast    | 4.3 GB    |
-  | `2008`    | Windows Server 2008 R2 | Microsoft    | Fast    | 3.0 GB    |
-  ||||||
-  | `core11`  | Tiny 11 Core           | Archive.org  | Slow    | 2.1 GB    |
-  | `tiny11`  | Tiny 11                | Archive.org  | Slow    | 3.8 GB    |
-  | `tiny10`  | Tiny 10                | Archive.org  | Slow    | 3.6 GB    |
+Open `http://<your-server>:6080/vnc.html`
 
-* ### How do I connect using RDP?
+The VPN will auto-connect using your configured credentials.
 
-  The web-viewer is mainly meant to be used during installation, as its picture quality is low, and it has no audio or clipboard for example.
+## Usage
 
-  So for a better experience you can connect using any Microsoft Remote Desktop client to the IP of the container, using the username `docker` and by leaving the password empty.
+### Access noVNC
 
-  There is a good RDP client for [Android](https://play.google.com/store/apps/details?id=com.microsoft.rdc.androidx) available from the Play Store. One for [iOS](https://apps.apple.com/nl/app/microsoft-remote-desktop/id714464092?l=en-GB) is in the Apple Store. For Linux you can use [rdesktop](http://www.rdesktop.org/) and for Windows you don't need to install anything as it is already ships as part of the operating system.
+Navigate to port 6080 on your server. The cisco-vpn script runs automatically and provides a menu:
 
-* ### How do I verify if my system supports KVM?
+```
+1 - Start Cisco AnyConnect
+2 - Copy credentials to clipboard
+3 - Show live TOTP
+4 - Setup IP forwarding rules
+5 - Test connection to target
+6 - Show network status
+7 - Kill all Cisco processes
+8 - Show routing table
+9 - Show /etc/hosts
+q - Quit
+```
 
-  To verify if your system supports KVM, run the following commands:
+### Command line options
 
-  ```bash
-  sudo apt install cpu-checker
-  sudo kvm-ok
-  ```
+```bash
+# Inside container
+cisco-vpn -m          # Menu only (skip auto-connect)
+cisco-vpn -c          # Connect and exit
+cisco-vpn -d          # Disconnect and exit
+cisco-vpn -s          # Show status
+cisco-vpn --help      # Show all options
+```
 
-  If you receive an error from `kvm-ok` indicating that KVM acceleration can't be used, check the virtualization settings in the BIOS.
+### View logs
 
-* ### Is this project legal?
+```bash
+# Inside container
+cat /var/log/cisco-vpn/$(date +%Y-%m-%d).log
 
-  Yes, this project contains only open-source code and does not distribute any copyrighted material. Any product keys found in the code are just generic placeholders provided by Microsoft for trial purposes. So under all applicable laws, this project would be considered legal.
+# On host
+cat /var/log/rego-routing.log
+```
 
-## Disclaimer
+## LAN Access
 
-The product names, logos, brands, and other trademarks referred to within this project are the property of their respective trademark holders. This project is not affiliated, sponsored, or endorsed by Microsoft Corporation.
+After the host routing service is installed, any device on your LAN can reach the VPN target:
+
+1. **From the host:** Works automatically
+2. **From other LAN devices:** Add a static route pointing to your host
+
+Example (Windows client):
+```cmd
+route add 10.35.33.230 mask 255.255.255.255 192.168.0.150 -p
+```
+
+Where `192.168.0.150` is your Linux host IP.
+
+## Uninstall
+
+Before removing the app from Runtipi:
+
+```bash
+/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/uninstall-host-services.sh
+```
+
+## Troubleshooting
+
+### noVNC not accessible
+```bash
+docker exec rego-tunnel_runtipi-rego-tunnel-1 systemctl status vnc.service
+```
+
+### VPN connects but can't reach target
+```bash
+# Check routes inside container
+docker exec rego-tunnel_runtipi-rego-tunnel-1 ip route
+
+# Check host routing
+ip route | grep 10.35.33.230
+```
+
+### Host routing not working
+```bash
+# Check watcher service
+systemctl status rego-routing-watcher.path
+
+# Manually trigger routing
+touch /etc/runtipi/app-data/runtipi/rego-tunnel/restart-routing
+```
+
+## Technical Details
+
+- **Container IP:** 172.31.0.10 (on br-rego-vpn bridge)
+- **Ports:** 6080 (noVNC), 5901 (VNC)
+- **Privileges:** `--privileged`, `NET_ADMIN`, `/dev/net/tun`
+- **Log retention:** 7 days (auto-cleanup)

apps/rego-tunnel/shared/cisco-vpn

@@ -0,0 +1,888 @@
+#!/bin/bash
+
+# Dover VPN Connection Script with Semi-Automation
+# Usage: ./cisco-vpn.sh [-c|--connect] [-d|--disconnect] [-m|--menu] [-r|--routes] [-h|--hosts] [--help]
+#
+# Options:
+#   -c, --connect  Start Cisco AnyConnect (optionally auto-login) and exit
+#   -d, --disconnect  Disconnect (kill Cisco processes) and exit
+#   -m, --menu     Skip auto-login, show menu directly
+#   -r, --routes   Show current routing table and exit
+#   -h, --hosts    Show /etc/hosts and exit
+#   -s, --status   Show VPN and network status and exit
+#   --help         Show this help message
+#
+# Keyboard shortcuts (global, work anywhere):
+#   Ctrl+1 - Type email
+#   Ctrl+2 - Type password
+#   Ctrl+3 - Type TOTP code
+#   Ctrl+4 - Type email + Tab + password (combo)
+#   Ctrl+5 - Full sequence: email + Tab + password + Tab + TOTP + Enter
+
+# Credentials from environment variables (set by runtipi)
+EMAIL="${VPN_EMAIL:-}"
+PASSWORD="${VPN_PASSWORD:-}"
+TOTP_SECRET="${VPN_TOTP_SECRET:-}"
+VPN_HOST="${VPN_HOST:-vpn-ord1.dovercorp.com}"
+TARGET_IP="${TARGET_IP:-10.35.33.230}"
+
+# Log directory and file (date-based rotation)
+LOG_DIR="/var/log/cisco-vpn"
+LOG_RETENTION_DAYS=7
+mkdir -p "$LOG_DIR" 2>/dev/null
+
+# Function to get current log file (changes daily)
+get_log_file() {
+    echo "$LOG_DIR/$(date '+%Y-%m-%d').log"
+}
+
+# Cleanup old log files (older than LOG_RETENTION_DAYS)
+cleanup_old_logs() {
+    find "$LOG_DIR" -name "*.log" -type f -mtime +$LOG_RETENTION_DAYS -delete 2>/dev/null
+}
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+CYAN='\033[0;36m'
+GRAY='\033[0;90m'
+NC='\033[0m'
+
+# Print banner
+print_banner() {
+    echo -e "${CYAN}========================================${NC}"
+    echo -e "${CYAN}       Dover VPN Connection Script      ${NC}"
+    echo -e "${CYAN}========================================${NC}"
+    echo ""
+}
+
+# Flags
+SKIP_AUTO_LOGIN=false
+DO_CONNECT=false
+DO_DISCONNECT=false
+
+# Logging function with timestamp - writes to both console and daily log file
+log() {
+    local level="$1"
+    local msg="$2"
+    local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
+    local timestamp_short=$(date '+%H:%M:%S')
+    local log_file=$(get_log_file)
+
+    # Strip ANSI color codes for log file
+    local msg_plain=$(echo -e "$msg" | sed 's/\x1b\[[0-9;]*m//g')
+
+    # Write to log file (plain text, no colors)
+    echo "[$timestamp] [$level] $msg_plain" >> "$log_file"
+
+    # Write to console (with colors)
+    case $level in
+        INFO)  echo -e "${GRAY}[$timestamp_short]${NC} ${GREEN}[INFO]${NC}  $msg" ;;
+        WARN)  echo -e "${GRAY}[$timestamp_short]${NC} ${YELLOW}[WARN]${NC}  $msg" ;;
+        ERROR) echo -e "${GRAY}[$timestamp_short]${NC} ${RED}[ERROR]${NC} $msg" ;;
+        DEBUG) echo -e "${GRAY}[$timestamp_short]${NC} ${CYAN}[DEBUG]${NC} $msg" ;;
+        CMD)   echo -e "${GRAY}[$timestamp_short]${NC} ${GRAY}[CMD]${NC}   $msg" ;;
+        *)     echo -e "${GRAY}[$timestamp_short]${NC} $msg" ;;
+    esac
+}
+
+# Run command with logging
+run_cmd() {
+    local desc="$1"
+    shift
+    log CMD "$desc: $*"
+    output=$("$@" 2>&1)
+    local rc=$?
+    if [ -n "$output" ]; then
+        echo "$output" | while IFS= read -r line; do
+            echo -e "           ${GRAY}│${NC} $line"
+        done
+    fi
+    return $rc
+}
+
+# Show help
+show_help() {
+    echo -e "${CYAN}Dover VPN Connection Script${NC}"
+    echo ""
+    echo "Usage: $0 [OPTIONS]"
+    echo ""
+    echo "Options:"
+    echo "  -c, --connect  Start Cisco AnyConnect and exit"
+    echo "  -d, --disconnect  Disconnect (kill Cisco processes) and exit"
+    echo "  -m, --menu     Skip auto-login, show menu directly"
+    echo "  -r, --routes   Show current routing table and exit"
+    echo "  -h, --hosts    Show /etc/hosts and exit"
+    echo "  -s, --status   Show VPN and network status and exit"
+    echo "  --help         Show this help message"
+    echo ""
+    echo "Menu Options:"
+    echo "  1 - Start Cisco AnyConnect (kill existing + launch)"
+    echo "  2 - Copy credentials to clipboard (one by one)"
+    echo "  3 - Show live TOTP"
+    echo "  4 - Setup IP forwarding rules only"
+    echo "  5 - Test connection to target"
+    echo "  6 - Show network status"
+    echo "  7 - Kill all Cisco processes"
+    echo "  8 - Show routing table"
+    echo "  9 - Show /etc/hosts"
+    echo "  e - Edit /etc/hosts"
+    echo "  q - Quit"
+}
+
+# Show routing table
+show_routes() {
+    echo -e "${CYAN}========================================${NC}"
+    echo -e "${CYAN}         Current Routing Table          ${NC}"
+    echo -e "${CYAN}========================================${NC}"
+    echo ""
+    echo -e "${GREEN}IPv4 Routes:${NC}"
+    ip -4 route show | while IFS= read -r line; do
+        # Highlight VPN-related routes
+        if echo "$line" | grep -qE "cscotun|tun[0-9]"; then
+            echo -e "  ${YELLOW}$line${NC}"
+        elif echo "$line" | grep -qE "10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\."; then
+            echo -e "  ${CYAN}$line${NC}"
+        else
+            echo "  $line"
+        fi
+    done
+    echo ""
+    echo -e "${GREEN}VPN Interface:${NC}"
+    local vpn_iface=$(get_vpn_interface)
+    if [ -n "$vpn_iface" ]; then
+        ip addr show "$vpn_iface" 2>/dev/null | grep -E "inet|link" | while IFS= read -r line; do
+            echo "  $line"
+        done
+    else
+        echo -e "  ${RED}No VPN interface found${NC}"
+    fi
+}
+
+# Show /etc/hosts
+show_hosts() {
+    echo -e "${CYAN}========================================${NC}"
+    echo -e "${CYAN}            /etc/hosts                  ${NC}"
+    echo -e "${CYAN}========================================${NC}"
+    echo ""
+    cat -n /etc/hosts
+}
+
+# Edit /etc/hosts
+edit_hosts() {
+    local editor="${EDITOR:-nano}"
+    if command -v "$editor" &>/dev/null; then
+        "$editor" /etc/hosts
+    else
+        log ERROR "No editor found. Set EDITOR environment variable."
+        log INFO "Try: nano /etc/hosts"
+    fi
+}
+
+# Function to get current TOTP
+get_totp() {
+    oathtool --totp -b "$TOTP_SECRET"
+}
+
+# Function to detect VPN tunnel interface dynamically
+get_vpn_interface() {
+    # Look for cscotun* or tun* interfaces that are UP
+    local iface=$(ip link show | grep -oP '(cscotun\d+|tun\d+)(?=:.*UP)' | head -1)
+    if [ -z "$iface" ]; then
+        # Fallback: any cscotun interface
+        iface=$(ip link show | grep -oP 'cscotun\d+' | head -1)
+    fi
+    echo "$iface"
+}
+
+# Function to get container's IP on the rego-tunnel network
+get_container_ip() {
+    # eth0 is the rego-tunnel network (172.31.0.x)
+    ip addr show eth0 2>/dev/null | grep -oP 'inet \K[\d.]+' | head -1
+}
+
+# Function to get VPN tunnel IP
+get_vpn_ip() {
+    local iface=$(get_vpn_interface)
+    if [ -n "$iface" ]; then
+        ip addr show "$iface" 2>/dev/null | grep -oP 'inet \K[\d.]+' | head -1
+    fi
+}
+
+# Start xbindkeys for keyboard macros
+start_xbindkeys() {
+    log INFO "Starting keyboard macro listener (xbindkeys)..."
+
+    # Kill any existing xbindkeys
+    pkill xbindkeys 2>/dev/null
+    sleep 0.5
+
+    # Start xbindkeys
+    xbindkeys -f ~/.xbindkeysrc 2>/dev/null &
+    XBINDKEYS_PID=$!
+
+    if pgrep xbindkeys >/dev/null; then
+        log DEBUG "xbindkeys started (PID: $(pgrep xbindkeys))"
+        log INFO "Keyboard shortcuts active: Ctrl+1=email, Ctrl+2=pass, Ctrl+3=TOTP, Ctrl+4=combo, Ctrl+5=all"
+    else
+        log WARN "Failed to start xbindkeys"
+    fi
+}
+
+# Stop xbindkeys
+stop_xbindkeys() {
+    if pgrep xbindkeys >/dev/null; then
+        log INFO "Stopping keyboard macro listener..."
+        pkill xbindkeys 2>/dev/null
+        log DEBUG "xbindkeys stopped"
+    fi
+}
+
+# Kill all Cisco-related processes
+kill_cisco_processes() {
+    local kill_agentd="${1:-false}"
+    log INFO "Killing all Cisco-related processes..."
+
+    local killed=0
+    local my_pid=$$
+    local my_ppid=$(ps -o ppid= -p $$ | tr -d ' ')
+
+    # Kill vpnui specifically (not just any process with "vpn" in name)
+    for pid in $(pgrep -x "vpnui" 2>/dev/null); do
+        if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then
+            log DEBUG "Killing vpnui (PID $pid)"
+            kill -9 "$pid" 2>/dev/null && ((killed++))
+        fi
+    done
+
+    # Optionally kill vpnagentd (useful to clear stale state)
+    if [ "$kill_agentd" = "true" ]; then
+        for pid in $(pgrep -x "vpnagentd" 2>/dev/null); do
+            if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then
+                log DEBUG "Killing vpnagentd (PID $pid)"
+                kill -9 "$pid" 2>/dev/null && ((killed++))
+            fi
+        done
+    fi
+
+    # Kill Cisco-specific processes by exact path
+    for proc in cstub cscan acwebsecagent vpndownloader; do
+        for pid in $(pgrep -x "$proc" 2>/dev/null); do
+            log DEBUG "Killing $proc (PID $pid)"
+            kill -9 "$pid" 2>/dev/null && ((killed++))
+        done
+    done
+
+    # Kill openconnect (exact match)
+    for pid in $(pgrep -x "openconnect" 2>/dev/null); do
+        log DEBUG "Killing openconnect (PID $pid)"
+        kill -9 "$pid" 2>/dev/null && ((killed++))
+    done
+
+    if [ $killed -eq 0 ]; then
+        log INFO "No Cisco processes were running"
+    else
+        log INFO "Killed $killed process(es)"
+        sleep 1
+    fi
+
+    sleep 5
+}
+
+# Disconnect VPN (best-effort)
+disconnect_vpn() {
+    log INFO "Disconnecting Cisco AnyConnect..."
+
+    # If vpncli exists, attempt a clean disconnect first (ignore failures)
+    if [ -x /opt/cisco/secureclient/bin/vpncli ]; then
+        run_cmd "Attempting clean disconnect via vpncli" /opt/cisco/secureclient/bin/vpncli -s <<'EOF' || true
+disconnect
+exit
+EOF
+    fi
+
+    # Always kill agent/UI processes afterwards
+    kill_cisco_processes "true"
+
+    # Confirm status
+    if check_vpn_status; then
+        log WARN "VPN still appears connected (interface still up)"
+        return 1
+    fi
+
+    log INFO "VPN disconnected"
+    return 0
+}
+
+# Function to setup iptables rules for forwarding
+setup_forwarding() {
+    log INFO "Setting up IP forwarding rules for $TARGET_IP..."
+
+    local vpn_iface=$(get_vpn_interface)
+    if [ -z "$vpn_iface" ]; then
+        log ERROR "No VPN interface found! Is VPN connected?"
+        return 1
+    fi
+
+    local vpn_ip=$(get_vpn_ip)
+    local container_ip=$(get_container_ip)
+
+    log DEBUG "VPN interface: $vpn_iface"
+    log DEBUG "VPN IP: $vpn_ip"
+    log DEBUG "Container IP: $container_ip"
+
+    # Enable IP forwarding
+    run_cmd "Enabling IP forwarding" sysctl -w net.ipv4.ip_forward=1
+
+    # NAT masquerade for traffic from container network (172.31.0.0/24) going through VPN
+    # This is the ONLY masquerade rule needed - source-based, not destination-based
+    if ! iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
+        run_cmd "Adding NAT masquerade for container network -> VPN" iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE
+    else
+        log DEBUG "NAT masquerade for container network already exists"
+    fi
+
+    # Forward rules - MUST be at position 1 to run BEFORE cisco VPN chains
+    # The cisco VPN chains have catch-all DROP rules that would block our traffic
+
+    # Wait for Cisco to create its chains (they appear after VPN connects)
+    local wait_count=0
+    while ! iptables -L ciscovpn -n &>/dev/null && [ $wait_count -lt 30 ]; do
+        log DEBUG "Waiting for Cisco VPN chains to be created..."
+        sleep 1
+        ((wait_count++))
+    done
+
+    if iptables -L ciscovpn -n &>/dev/null; then
+        log DEBUG "Cisco VPN chains detected"
+    else
+        log WARN "Cisco VPN chains not created after ${wait_count}s - proceeding anyway"
+    fi
+
+    # Remove any existing rules first (ignore errors if they don't exist)
+    iptables -D FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
+    iptables -D FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null || true
+    iptables -D FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
+    iptables -D FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null || true
+
+    # Insert at position 1 (reverse order so they end up in correct order)
+    run_cmd "Inserting forward rule (to container network)" iptables -I FORWARD 1 -d 172.31.0.0/24 -j ACCEPT
+    run_cmd "Inserting forward rule (from container network)" iptables -I FORWARD 1 -s 172.31.0.0/24 -j ACCEPT
+    run_cmd "Inserting forward rule (from target)" iptables -I FORWARD 1 -s "$TARGET_IP" -j ACCEPT
+    run_cmd "Inserting forward rule (to target)" iptables -I FORWARD 1 -d "$TARGET_IP" -j ACCEPT
+
+    # Cisco VPN chain bypass (insert at top if chain exists)
+    if iptables -L ciscovpn -n &>/dev/null; then
+        if ! iptables -C ciscovpn -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
+            run_cmd "Adding ciscovpn bypass (outbound)" iptables -I ciscovpn 1 -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT
+        else
+            log DEBUG "Ciscovpn bypass (outbound) already exists"
+        fi
+
+        if ! iptables -C ciscovpn -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
+            run_cmd "Adding ciscovpn bypass (inbound)" iptables -I ciscovpn 2 -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT
+        else
+            log DEBUG "Ciscovpn bypass (inbound) already exists"
+        fi
+
+        # Also allow container network through ciscovpn chain
+        if ! iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
+            run_cmd "Adding ciscovpn bypass (container network)" iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT
+        fi
+    else
+        log DEBUG "ciscovpn chain does not exist (yet)"
+    fi
+
+    log INFO "Forwarding rules configured"
+    echo ""
+
+    # Trigger host routing service restart
+    log INFO "Triggering host routing service restart..."
+    touch /runtime/restart-routing
+    sleep 2
+    if [ ! -f /runtime/restart-routing ]; then
+        log INFO "Host routing service restarted"
+    else
+        log WARN "Host watcher may not be running (trigger file still exists)"
+    fi
+
+    log INFO "Routing configured for $TARGET_IP through VPN tunnel"
+    echo ""
+}
+
+# Copy credentials to clipboard as alternative
+copy_to_clipboard() {
+    log INFO "Starting clipboard credential rotation..."
+    echo ""
+
+    log INFO "Copying EMAIL to clipboard"
+    echo "$EMAIL" | xclip -selection clipboard
+    echo -e "           ${CYAN}Email ready: $EMAIL${NC}"
+    echo -e "           Paste now (Ctrl+V), then press ${GREEN}Enter${NC} here for password..."
+    read -r
+
+    log INFO "Copying PASSWORD to clipboard"
+    echo "$PASSWORD" | xclip -selection clipboard
+    echo -e "           ${CYAN}Password ready${NC}"
+    echo -e "           Paste now (Ctrl+V), then press ${GREEN}Enter${NC} here for TOTP..."
+    read -r
+
+    TOTP=$(get_totp)
+    log INFO "Copying TOTP to clipboard"
+    echo "$TOTP" | xclip -selection clipboard
+    echo -e "           ${CYAN}TOTP ready: $TOTP${NC}"
+    echo -e "           Paste now (Ctrl+V)"
+}
+
+# Print current TOTP with countdown
+show_totp() {
+    log INFO "Starting live TOTP display (Ctrl+C to stop)"
+    echo ""
+    while true; do
+        TOTP=$(get_totp)
+        SECONDS_LEFT=$((30 - ($(date +%s) % 30)))
+        echo -ne "\r           ${CYAN}Current TOTP:${NC} ${GREEN}$TOTP${NC} (expires in ${YELLOW}${SECONDS_LEFT}s${NC})   "
+        sleep 1
+    done
+}
+
+# Show network status
+show_network_status() {
+    log INFO "Current network status:"
+
+    # Container IPs
+    echo ""
+    log DEBUG "Container Network Interfaces:"
+    ip -4 addr show | grep -E "inet |^[0-9]+:" | while IFS= read -r line; do
+        echo -e "           ${GRAY}│${NC} $line"
+    done
+
+    # VPN status
+    echo ""
+    local vpn_iface=$(get_vpn_interface)
+    if [ -n "$vpn_iface" ]; then
+        local vpn_ip=$(get_vpn_ip)
+        log INFO "VPN Status: ${GREEN}CONNECTED${NC}"
+        log DEBUG "  Interface: $vpn_iface"
+        log DEBUG "  VPN IP: $vpn_ip"
+    else
+        log WARN "VPN Status: ${RED}NOT CONNECTED${NC}"
+    fi
+
+    # Container IP on rego-tunnel network
+    local container_ip=$(get_container_ip)
+    if [ -n "$container_ip" ]; then
+        log DEBUG "Container IP: $container_ip"
+    fi
+
+    # Default gateway
+    echo ""
+    log DEBUG "Default gateway:"
+    ip route show default | while IFS= read -r line; do
+        echo -e "           ${GRAY}│${NC} $line"
+    done
+
+    echo ""
+}
+
+# Main menu
+main_menu() {
+    echo -e "${GREEN}Options:${NC}"
+    echo -e "  ${CYAN}1${NC} - Start Cisco AnyConnect (kill existing + launch)"
+    echo -e "  ${CYAN}2${NC} - Copy credentials to clipboard (one by one)"
+    echo -e "  ${CYAN}3${NC} - Show live TOTP"
+    echo -e "  ${CYAN}4${NC} - Setup IP forwarding rules only"
+    echo -e "  ${CYAN}5${NC} - Test connection to $TARGET_IP"
+    echo -e "  ${CYAN}6${NC} - Show network status"
+    echo -e "  ${CYAN}7${NC} - Kill all Cisco processes"
+    echo -e "  ${CYAN}8${NC} - Show routing table"
+    echo -e "  ${CYAN}9${NC} - Show /etc/hosts"
+    echo -e "  ${CYAN}e${NC} - Edit /etc/hosts"
+    echo -e "  ${CYAN}q${NC} - Quit"
+    echo ""
+}
+
+# Check if VPN is already connected
+check_vpn_status() {
+    local vpn_iface=$(get_vpn_interface)
+    if [ -n "$vpn_iface" ]; then
+        local vpn_ip=$(get_vpn_ip)
+        log INFO "VPN is ${GREEN}CONNECTED${NC}"
+        log DEBUG "  Interface: $vpn_iface"
+        log DEBUG "  VPN IP: $vpn_ip"
+        return 0
+    else
+        log WARN "VPN is ${RED}NOT CONNECTED${NC}"
+        return 1
+    fi
+}
+
+# Focus on Cisco AnyConnect window
+focus_vpn_window() {
+    local win_id=$(xdotool search --name "Cisco" 2>/dev/null | head -1)
+    if [ -n "$win_id" ]; then
+        xdotool windowactivate --sync "$win_id" 2>/dev/null
+        sleep 0.3
+        return 0
+    fi
+    return 1
+}
+
+# Auto-login sequence using xdotool (no auto-focus, types to active window)
+auto_login() {
+    log INFO "Starting automated login sequence..."
+
+    # Wait for UI to fully load
+    log DEBUG "Waiting 5s for UI to load..."
+    sleep 5
+
+    # Press Enter to initiate connection
+    log DEBUG "Pressing Enter to start connection..."
+    xdotool key Return
+    sleep 5
+
+    # Type email
+    log DEBUG "Typing email..."
+    xdotool type --delay 50 "$EMAIL"
+    xdotool key Return
+    sleep 5
+
+    # Type password
+    log DEBUG "Typing password..."
+    xdotool type --delay 50 "$PASSWORD"
+    xdotool key Return
+    sleep 5
+
+    # Type TOTP
+    log DEBUG "Typing TOTP..."
+    local totp=$(oathtool --totp -b "$TOTP_SECRET")
+    log DEBUG "TOTP: $totp"
+    xdotool type --delay 50 "$totp"
+    xdotool key Return
+    sleep 5
+
+    # Extra enters for any confirmation dialogs
+    log DEBUG "Sending confirmation enters..."
+    xdotool key Return
+    sleep 2
+    xdotool key Return
+    sleep 5
+    xdotool key Return
+
+    log INFO "Auto-login sequence completed"
+}
+
+# Watchdog - monitors VPN and reconnects if dropped
+start_watchdog() {
+    log INFO "Starting VPN watchdog (check every 60s, keepalive ping every 5min)..."
+
+    local check_interval=60
+    local keepalive_interval=300
+    local last_keepalive=0
+    local reconnect_attempts=0
+    local max_reconnect_attempts=3
+
+    while true; do
+        sleep $check_interval
+
+        local now=$(date +%s)
+        local vpn_iface=$(get_vpn_interface)
+
+        if [ -n "$vpn_iface" ]; then
+            # VPN is up
+            reconnect_attempts=0
+
+            # Keepalive ping every 5 minutes to prevent idle timeout
+            if [ $((now - last_keepalive)) -ge $keepalive_interval ]; then
+                if ping -c 1 -W 5 "$TARGET_IP" &>/dev/null; then
+                    log DEBUG "Keepalive ping to $TARGET_IP successful"
+                else
+                    log WARN "Keepalive ping to $TARGET_IP failed (VPN may be degraded)"
+                fi
+                last_keepalive=$now
+            fi
+        else
+            # VPN is down
+            ((reconnect_attempts++))
+            log WARN "VPN disconnected! Reconnect attempt $reconnect_attempts/$max_reconnect_attempts..."
+
+            if [ $reconnect_attempts -le $max_reconnect_attempts ]; then
+                # Kill stale processes and restart
+                kill_cisco_processes "true"
+                sleep 2
+
+                # Start vpnagentd
+                if ! pgrep -x vpnagentd >/dev/null; then
+                    /opt/cisco/secureclient/bin/vpnagentd &
+                    sleep 5
+                fi
+
+                # Start vpnui
+                export GDK_BACKEND=x11
+                export WEBKIT_DISABLE_DMABUF_RENDERER=1
+                /opt/cisco/secureclient/bin/vpnui &
+                disown
+                sleep 3
+
+                # Run auto-login
+                auto_login &
+
+                # Wait for connection
+                local wait_count=0
+                while [ -z "$(get_vpn_interface)" ] && [ $wait_count -lt 120 ]; do
+                    sleep 2
+                    ((wait_count+=2))
+                done
+
+                if [ -n "$(get_vpn_interface)" ]; then
+                    log INFO "VPN reconnected successfully!"
+                    setup_forwarding
+                    reconnect_attempts=0
+                else
+                    log ERROR "Reconnect attempt $reconnect_attempts failed"
+                fi
+            else
+                log ERROR "Max reconnect attempts reached. Manual intervention required."
+                log ERROR "Use menu option 1 to restart VPN manually."
+                # Reset counter after a longer wait
+                sleep 300
+                reconnect_attempts=0
+            fi
+        fi
+    done
+}
+
+# Start Cisco AnyConnect with logging
+start_anyconnect() {
+    local do_auto_login="$1"
+    log INFO "=== Starting Cisco AnyConnect VPN ==="
+    echo ""
+
+    # Kill existing processes first
+    # Always restart vpnagentd for a clean session
+    kill_cisco_processes "true"
+
+    # Start vpnagentd if not running
+    if ! pgrep -x vpnagentd >/dev/null; then
+        log INFO "Starting vpnagentd..."
+        /opt/cisco/secureclient/bin/vpnagentd &
+        log DEBUG "Waiting for vpnagentd to initialize..."
+        sleep 5
+    fi
+
+    # Show credentials
+    log INFO "Credentials for SSO login:"
+    echo -e "           ${CYAN}Email:    $EMAIL${NC}"
+    echo -e "           ${CYAN}Password: $PASSWORD${NC}"
+    TOTP=$(get_totp)
+    echo -e "           ${CYAN}TOTP:     $TOTP${NC}"
+    echo ""
+
+    # Start AnyConnect with GPU/WebKit workarounds
+    log INFO "Launching Cisco AnyConnect UI..."
+    export GDK_BACKEND=x11
+    export WEBKIT_DISABLE_DMABUF_RENDERER=1
+    /opt/cisco/secureclient/bin/vpnui &
+    VPNUI_PID=$!
+    disown $VPNUI_PID
+    log DEBUG "vpnui started with PID $VPNUI_PID"
+
+    if [ "$do_auto_login" = "true" ]; then
+        # Run auto-login in background
+        auto_login &
+        AUTO_LOGIN_PID=$!
+        log DEBUG "Auto-login started with PID $AUTO_LOGIN_PID"
+    else
+        log INFO "Manual login mode - use keyboard shortcuts or menu option 2 for credentials"
+        return 0
+    fi
+
+    # Wait for VPN to connect
+    log INFO "Waiting for VPN connection..."
+    local wait_count=0
+    local max_wait=300  # 5 minutes
+    while [ -z "$(get_vpn_interface)" ]; do
+        sleep 2
+        ((wait_count+=2))
+        if [ $((wait_count % 10)) -eq 0 ]; then
+            log DEBUG "Still waiting for VPN... (${wait_count}s)"
+        fi
+        if [ $wait_count -ge $max_wait ]; then
+            log ERROR "Timeout waiting for VPN connection after ${max_wait}s"
+            stop_xbindkeys
+            return 1
+        fi
+    done
+
+    log INFO "VPN connected!"
+    local vpn_iface=$(get_vpn_interface)
+    local vpn_ip=$(get_vpn_ip)
+    log DEBUG "  Interface: $vpn_iface"
+    log DEBUG "  VPN IP: $vpn_ip"
+
+    # Wait a bit for routes to stabilize
+    log DEBUG "Waiting for routes to stabilize..."
+    sleep 3
+
+    # Setup forwarding
+    setup_forwarding
+
+    # Test connection
+    log INFO "Testing connection to $TARGET_IP..."
+    if ping -c 2 -W 3 "$TARGET_IP" &>/dev/null; then
+        log INFO "Connection test: ${GREEN}SUCCESS${NC}"
+    else
+        log WARN "Connection test: ${RED}FAILED${NC} (may need manual route on Windows)"
+    fi
+
+    log INFO "VPN setup complete"
+
+    # Disable screen blanking/power saving
+    xset s off 2>/dev/null || true
+    xset -dpms 2>/dev/null || true
+    xset s noblank 2>/dev/null || true
+    log DEBUG "Screen blanking disabled"
+
+    # Start watchdog in background
+    start_watchdog &
+    WATCHDOG_PID=$!
+    log DEBUG "Watchdog started with PID $WATCHDOG_PID"
+    return 0
+}
+
+# Parse command line arguments
+parse_args() {
+    while [[ $# -gt 0 ]]; do
+        case $1 in
+            -c|--connect)
+                DO_CONNECT=true
+                shift
+                ;;
+            -d|--disconnect)
+                DO_DISCONNECT=true
+                shift
+                ;;
+            -m|--menu)
+                SKIP_AUTO_LOGIN=true
+                shift
+                ;;
+            -r|--routes)
+                show_routes
+                exit 0
+                ;;
+            -h|--hosts)
+                show_hosts
+                exit 0
+                ;;
+            -s|--status)
+                echo -e "${CYAN}========================================${NC}"
+                echo -e "${CYAN}       VPN and Network Status           ${NC}"
+                echo -e "${CYAN}========================================${NC}"
+                echo ""
+                check_vpn_status
+                echo ""
+                show_network_status
+                exit 0
+                ;;
+            --help)
+                show_help
+                exit 0
+                ;;
+            *)
+                echo "Unknown option: $1"
+                echo "Use --help for usage information"
+                exit 1
+                ;;
+        esac
+    done
+
+    if [ "$DO_CONNECT" = "true" ] && [ "$DO_DISCONNECT" = "true" ]; then
+        echo "Error: --connect and --disconnect are mutually exclusive"
+        exit 1
+    fi
+}
+
+# Main
+parse_args "$@"
+
+# Cleanup old logs and start fresh
+cleanup_old_logs
+
+# Log script start
+echo "" >> "$(get_log_file)"
+echo "========================================" >> "$(get_log_file)"
+log INFO "cisco-vpn script started"
+log DEBUG "VPN_EMAIL=$EMAIL"
+log DEBUG "VPN_HOST=$VPN_HOST"
+log DEBUG "TARGET_IP=$TARGET_IP"
+log DEBUG "TOTP_SECRET is $([ -n "$TOTP_SECRET" ] && echo 'set' || echo 'NOT SET')"
+
+print_banner
+
+if [ "$DO_DISCONNECT" = "true" ]; then
+    disconnect_vpn
+    exit $?
+fi
+
+if [ "$DO_CONNECT" = "true" ]; then
+    echo -e "${CYAN}========================================${NC}"
+    echo -e "${CYAN}       Dover VPN Connection Script      ${NC}"
+    echo -e "${CYAN}========================================${NC}"
+    echo ""
+    if [ "$SKIP_AUTO_LOGIN" = "true" ]; then
+        start_anyconnect "false"
+    else
+        start_anyconnect "true"
+    fi
+    exit $?
+fi
+
+log INFO "Script started"
+echo ""
+
+# If -m/--menu flag, skip everything and go straight to menu
+if [ "$SKIP_AUTO_LOGIN" = "true" ]; then
+    log INFO "Menu mode - skipping auto-login"
+# Check current status
+elif check_vpn_status; then
+    echo ""
+    log INFO "VPN already connected. Setting up forwarding..."
+    setup_forwarding
+else
+    echo ""
+    log INFO "Auto-starting VPN connection..."
+    echo ""
+    start_anyconnect "true"
+fi
+
+while true; do
+    echo ""
+    main_menu
+    echo -ne "${CYAN}Choice: ${NC}"
+    read -r choice
+    echo ""
+
+    # Ignore empty/whitespace input
+    [[ -z "${choice// }" ]] && continue
+
+    case $choice in
+        1) if [ "$SKIP_AUTO_LOGIN" = "true" ]; then
+                start_anyconnect "false"
+            else
+                start_anyconnect "true"
+            fi ;;
+        2) copy_to_clipboard ;;
+        3) show_totp ;;
+        4) setup_forwarding ;;
+        5) log INFO "Testing connection to $TARGET_IP..."
+           ping -c 3 "$TARGET_IP" && log INFO "Connection test: ${GREEN}SUCCESS${NC}" || log ERROR "Connection test: ${RED}FAILED${NC}" ;;
+        6) show_network_status ;;
+        7) kill_cisco_processes "true";;
+        8) show_routes ;;
+        9) show_hosts ;;
+        e|E) edit_hosts ;;
+        q|Q) log INFO "Goodbye!"; exit 0 ;;
+        *) ;; # Ignore invalid input silently
+    esac
+done

apps/rego-tunnel/shared/entrypoint.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# Entrypoint: VNC password setup + DNS fix + systemd
+
+set -euo pipefail
+
+# Ensure all shared scripts are executable (permissions may reset after git pull/appstore update)
+chmod +x /shared/*.sh /shared/cisco-vpn /root/.vnc/xstartup 2>/dev/null || true
+
+# Symlink shared scripts into /opt/scripts/ so systemd services (vnc.service) find them
+mkdir -p /opt/scripts
+ln -sf /shared/startup-vnc.sh /opt/scripts/startup-vnc.sh
+
+# Setup TigerVNC password file from env var (passed by runtipi)
+# TigerVNC expects /root/.vnc/passwd when using SecurityTypes=VncAuth.
+if [ -n "${VNC_PASSWORD:-}" ]; then
+    mkdir -p /root/.vnc
+    printf '%s\n%s\n' "$VNC_PASSWORD" "$VNC_PASSWORD" | vncpasswd -f > /root/.vnc/passwd
+    chmod 600 /root/.vnc/passwd
+fi
+
+cp /etc/resolv.conf /tmp/resolv.conf.bak 2>/dev/null || true
+cp /etc/hosts /tmp/hosts.bak 2>/dev/null || true
+umount /etc/resolv.conf 2>/dev/null || true
+umount /etc/hosts 2>/dev/null || true
+cat /tmp/resolv.conf.bak > /etc/resolv.conf 2>/dev/null || echo "nameserver 8.8.8.8" > /etc/resolv.conf
+cat /tmp/hosts.bak > /etc/hosts 2>/dev/null || echo "127.0.0.1 localhost" > /etc/hosts
+
+echo 1 > /proc/sys/net/ipv4/ip_forward
+echo "[entrypoint] IP forwarding enabled"
+
+exec /sbin/init

apps/rego-tunnel/shared/host-routing.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+#
+# Host routing script for rego-tunnel
+# Routes TARGET_IP through the VPN container
+#
+set -euo pipefail
+
+ACTION="${1:-start}"
+
+# Fixed configuration (we assigned these)
+CONTAINER_IP="172.31.0.10"
+BRIDGE_NAME="br-rego-vpn"
+TARGET_IP="${TARGET_IP:-10.35.33.230}"
+LAN_SUBNET="192.168.0.0/23"
+LAN_INTERFACES="eth0 eth1 wlan0"
+LOG_FILE="/var/log/rego-routing.log"
+
+log() {
+    local msg="[$(date '+%Y-%m-%d %H:%M:%S')] [rego-routing] $*"
+    echo "$msg" | tee -a "$LOG_FILE" >&2
+}
+
+get_lan_interface() {
+    ip route show default | awk '/default/ {for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -1
+}
+
+remove_routes() {
+    log "Removing stale routes for $TARGET_IP..."
+
+    # Remove any existing route to TARGET_IP
+    ip route del "$TARGET_IP" 2>/dev/null || true
+    ip route del "$TARGET_IP/32" 2>/dev/null || true
+
+    log "Stale routes removed"
+}
+
+apply_routes() {
+    local lan_if
+    lan_if="$(get_lan_interface)"
+
+    log "Applying host routing rules..."
+    log "  Container IP: $CONTAINER_IP"
+    log "  Bridge: $BRIDGE_NAME"
+    log "  Target IP: $TARGET_IP"
+    log "  LAN interface: ${lan_if:-unknown}"
+
+    # Enable IP forwarding
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+    log "IP forwarding enabled"
+
+    # Add route to TARGET_IP via container
+    ip route replace "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
+    log "Route added: $TARGET_IP via $CONTAINER_IP dev $BRIDGE_NAME"
+
+    # Allow forwarding in DOCKER-USER chain for all LAN interfaces
+    for lan_if in $LAN_INTERFACES; do
+        # Check if interface exists
+        if ip link show "$lan_if" &>/dev/null; then
+            # Allow traffic from LAN to container for TARGET_IP
+            iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || \
+                iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT
+
+            # Allow return traffic
+            iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
+                iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+            log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
+        fi
+    done
+
+    # Masquerade traffic from LAN subnet to VPN bridge (so return traffic routes correctly)
+    # Use nft since iptables-nft backend doesn't support iptables -t nat commands
+    if ! nft list chain ip nat POSTROUTING 2>/dev/null | grep -q "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade"; then
+        nft add rule ip nat POSTROUTING ip saddr "$LAN_SUBNET" oifname "$BRIDGE_NAME" counter masquerade
+        log "NAT masquerade rule added for $LAN_SUBNET -> $BRIDGE_NAME"
+    else
+        log "NAT masquerade rule already exists for $LAN_SUBNET -> $BRIDGE_NAME"
+    fi
+
+    log "OK: Host routing applied - $TARGET_IP via $CONTAINER_IP ($BRIDGE_NAME)"
+}
+
+remove_all() {
+    log "Removing all routing rules..."
+
+    # Remove route
+    ip route del "$TARGET_IP/32" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
+
+    # Remove iptables rules for all LAN interfaces
+    for lan_if in $LAN_INTERFACES; do
+        iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -d "$TARGET_IP" -j ACCEPT 2>/dev/null || true
+        iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -s "$TARGET_IP" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
+    done
+
+    # Remove masquerade rule (using nft)
+    local handle
+    handle=$(nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade" | grep -oP 'handle \K\d+' | head -1 || true)
+    if [ -n "$handle" ]; then
+        nft delete rule ip nat POSTROUTING handle "$handle" 2>/dev/null || true
+    fi
+
+    log "All routing rules removed"
+}
+
+case "$ACTION" in
+    start)
+        remove_routes
+        apply_routes
+        ;;
+    stop)
+        remove_all
+        ;;
+    restart)
+        remove_all
+        sleep 1
+        remove_routes
+        apply_routes
+        ;;
+    *)
+        echo "Usage: $0 {start|stop|restart}" >&2
+        exit 2
+        ;;
+esac

apps/rego-tunnel/shared/install-host-services.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# Install host-side systemd services for rego-tunnel
+# Run this ONCE on the host after installing the app in Runtipi
+#
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+APP_DATA_DIR="/etc/runtipi/app-data/runtipi/rego-tunnel"
+
+echo "Installing rego-tunnel host services..."
+
+# Create the path watcher unit
+cat << 'EOF' | sudo tee /etc/systemd/system/rego-routing-watcher.path
+[Unit]
+Description=Watch for rego-tunnel routing trigger
+
+[Path]
+PathExists=/etc/runtipi/app-data/runtipi/rego-tunnel/restart-routing
+Unit=rego-routing-watcher.service
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# Create the service unit
+cat << EOF | sudo tee /etc/systemd/system/rego-routing-watcher.service
+[Unit]
+Description=Apply rego-tunnel routing rules
+After=docker.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash ${SCRIPT_DIR}/host-routing.sh restart
+ExecStartPost=/bin/rm -f ${APP_DATA_DIR}/restart-routing
+ExecStartPost=/bin/bash -c 'echo "trigger cleared at \$(date)" >> ${APP_DATA_DIR}/watcher.log'
+EOF
+
+# Make host-routing.sh executable
+sudo chmod +x "${SCRIPT_DIR}/host-routing.sh"
+
+# Reload systemd and enable the watcher
+sudo systemctl daemon-reload
+sudo systemctl enable --now rego-routing-watcher.path
+
+echo ""
+echo "Done! Services installed:"
+echo "  - rego-routing-watcher.path (watches for trigger file)"
+echo "  - rego-routing-watcher.service (applies routing rules)"
+echo ""
+echo "To check status:"
+echo "  systemctl status rego-routing-watcher.path"
+echo ""
+echo "To manually trigger routing:"
+echo "  touch ${APP_DATA_DIR}/restart-routing"

apps/rego-tunnel/shared/startup-vnc.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+export HOME='/root'
+export USER='root'
+rm -f /tmp/.P1-lock /tmp/.X11-unix/X1 2>/dev/null || true
+rm -rf /tmp/.X*-lock /tmp/.X14-unix/* 2>/dev/null || true
+echo "Starting TigerVNC server on display :1..."
+vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
+sleep 2
+echo "Starting noVNC on port ${NOVNC_PORT:-6080}..."
+websockify --web=/usr/share/novnc/ ${NOVNC_PORT:-6080} localhost:5901 &
+tail -f /root/.vnc/*.log

apps/rego-tunnel/shared/uninstall-host-services.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+#
+# Uninstall host-side systemd services for rego-tunnel
+#
+set -euo pipefail
+
+echo "Removing rego-tunnel host services..."
+
+# Stop and disable the watcher
+sudo systemctl stop rego-routing-watcher.path 2>/dev/null || true
+sudo systemctl disable rego-routing-watcher.path 2>/dev/null || true
+
+# Remove routing rules
+/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/host-routing.sh stop 2>/dev/null || true
+
+# Remove systemd units
+sudo rm -f /etc/systemd/system/rego-routing-watcher.path
+sudo rm -f /etc/systemd/system/rego-routing-watcher.service
+
+# Reload systemd
+sudo systemctl daemon-reload
+
+echo ""
+echo "Done! Host services removed."

apps/rego-tunnel/shared/xstartup

@@ -0,0 +1,39 @@
+#!/bin/bash
+# VNC xstartup - launches terminal with cisco-vpn script
+
+unset SESSION_MANAGER
+unset DBUS_SESSION_BUS_ADDRESS
+
+# Import environment variables from container (PID 1)
+# Systemd services don't inherit Docker env vars, so we source them here
+while IFS= read -r -d '' line; do
+    export "$line"
+done < /proc/1/environ
+
+export XDG_RUNTIME_DIR=/tmp/runtime-root
+mkdir -p $XDG_RUNTIME_DIR
+chmod 700 $XDG_RUNTIME_DIR
+
+# GPU/WebKit workarounds for Cisco UI
+export GDK_BACKEND=x11
+export WEBKIT_DISABLE_DMABUF_RENDERER=1
+
+# Start dbus session
+[ -x /usr/bin/dbus-launch ] && eval $(dbus-launch --sh-syntax --exit-with-session)
+
+# Start window manager
+openbox &
+sleep 2
+
+# Disable screen blanking and power saving
+xset s off 2>/dev/null || true
+xset -dpms 2>/dev/null || true
+xset s noblank 2>/dev/null || true
+
+# Make script executable and launch in terminal
+chmod +x /shared/cisco-vpn 2>/dev/null || true
+xterm -fa 'Monospace' -fs 11 -bg black -fg white -geometry 130x45+10+10 \
+    -title "Rego VPN Terminal" \
+    -e "bash -c '/shared/cisco-vpn; exec bash'" &
+
+wait

apps/rego-tunnel/vpn_scripts-not-used/01_install-nodejs.ps1

@@ -1,31 +0,0 @@
-# Install Node.js on Windows
-# Run as Administrator in PowerShell
-
-$Username = if ($env:REGO_USER) { $env:REGO_USER } else { $env:USERNAME }
-$nodeVersion = "22.9.0"
-$nodeUrl = "https://nodejs.org/dist/v$nodeVersion/node-v$nodeVersion-x64.msi"
-$installerPath = "$env:TEMP\node-installer.msi"
-
-Write-Host "Downloading Node.js v$nodeVersion..." -ForegroundColor Cyan
-Invoke-WebRequest -Uri $nodeUrl -OutFile $installerPath
-
-Write-Host "Installing Node.js..." -ForegroundColor Cyan
-Start-Process msiexec.exe -Wait -ArgumentList "/i `"$installerPath`" /quiet /norestart"
-
-# Refresh PATH
-$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")
-
-Write-Host "Verifying installation..." -ForegroundColor Cyan
-node --version
-npm --version
-
-Write-Host "Node.js installed successfully!" -ForegroundColor Green
-
-# Cleanup
-Remove-Item $installerPath -Force
-
-Write-Host ""
-Write-Host "Next steps:" -ForegroundColor Yellow
-Write-Host "1. Copy vpn-login.js, socks5.js, vpn.bat to C:\Users\$Username\vpn_scripts\"
-Write-Host "2. Open CMD in C:\Users\$Username\vpn_scripts\ and run: npm install ws otplib"
-Write-Host "3. Add vpn.bat shortcut to shell:startup folder"

apps/rego-tunnel/vpn_scripts-not-used/02_setup-autologin-sshd.ps1

@@ -1,45 +0,0 @@
-# Setup OpenSSH Server and Auto-Login
-# Run as Administrator in PowerShell
-
-$Username = if ($env:REGO_USER) { $env:REGO_USER } else { $env:USERNAME }
-$Password = if ($env:REGO_PASS) { $env:REGO_PASS } else { "admin" }
-
-Write-Host "=== Setting up OpenSSH Server ===" -ForegroundColor Cyan
-Write-Host "Using username: $Username" -ForegroundColor Yellow
-
-# Install OpenSSH Server
-$sshCapability = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
-if ($sshCapability.State -ne 'Installed') {
-    Write-Host "Installing OpenSSH Server..." -ForegroundColor Yellow
-    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
-} else {
-    Write-Host "OpenSSH Server already installed" -ForegroundColor Green
-}
-
-# Start and enable SSH service
-Write-Host "Starting SSH service..." -ForegroundColor Yellow
-Start-Service sshd
-Set-Service -Name sshd -StartupType 'Automatic'
-
-# Configure firewall
-$fwRule = Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue
-if (-not $fwRule) {
-    Write-Host "Adding firewall rule..." -ForegroundColor Yellow
-    New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
-}
-
-Write-Host "OpenSSH Server configured!" -ForegroundColor Green
-
-Write-Host ""
-Write-Host "=== Setting up Auto-Login ===" -ForegroundColor Cyan
-
-$RegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
-Set-ItemProperty -Path $RegPath -Name "AutoAdminLogon" -Value "1"
-Set-ItemProperty -Path $RegPath -Name "DefaultUserName" -Value $Username
-Set-ItemProperty -Path $RegPath -Name "DefaultPassword" -Value $Password
-Remove-ItemProperty -Path $RegPath -Name "DefaultDomainName" -ErrorAction SilentlyContinue
-
-Write-Host "Auto-login configured for '$Username'!" -ForegroundColor Green
-Write-Host ""
-Write-Host "Setup complete! SSH is now available and auto-login is enabled." -ForegroundColor Green
-Write-Host "Reboot to test auto-login." -ForegroundColor Yellow

apps/rego-tunnel/vpn_scripts-not-used/03_setup-ssh-keys.ps1

@@ -1,34 +0,0 @@
-# Setup SSH Keys
-# Run as Administrator in PowerShell
-
-$Username = if ($env:REGO_USER) { $env:REGO_USER } else { $env:USERNAME }
-$PublicKey = if ($env:REGO_SSH_PUBKEY) { $env:REGO_SSH_PUBKEY } else { "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHUQnw0WfeFRQx76UlImXXhu3xeOH41PmDRid8pWK1D default-key" }
-
-Write-Host "=== Setting up SSH Keys ===" -ForegroundColor Cyan
-Write-Host "Using username: $Username" -ForegroundColor Yellow
-
-# User authorized_keys
-$userSshDir = "C:\Users\$Username\.ssh"
-$userAuthKeys = "$userSshDir\authorized_keys"
-
-Write-Host "Creating user .ssh directory..." -ForegroundColor Yellow
-New-Item -ItemType Directory -Path $userSshDir -Force | Out-Null
-
-Write-Host "Adding key to user authorized_keys..." -ForegroundColor Yellow
-Add-Content -Path $userAuthKeys -Value $PublicKey -Force
-
-# Fix permissions for user file
-icacls $userAuthKeys /inheritance:r /grant "${Username}:F" /grant "SYSTEM:F"
-
-# Administrator authorized_keys (for admin users)
-$adminAuthKeys = "C:\ProgramData\ssh\administrators_authorized_keys"
-
-Write-Host "Adding key to administrators_authorized_keys..." -ForegroundColor Yellow
-Add-Content -Path $adminAuthKeys -Value $PublicKey -Force
-
-# Fix permissions for admin file (required by OpenSSH)
-icacls $adminAuthKeys /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
-
-Write-Host ""
-Write-Host "SSH keys configured!" -ForegroundColor Green
-Write-Host "You can now SSH in with the configured key." -ForegroundColor Yellow

apps/rego-tunnel/vpn_scripts-not-used/README.md

@@ -1,188 +0,0 @@
-# Rego VPN Automation - Technical Setup Guide
-
-## Overview
-
-Cisco Secure Client VPN running in Windows VM (dockurr/windows) inside Docker container, with SOCKS5 proxy for transparent routing to IBM i systems.
-
-## Architecture
-
-```
-Clients → Host (iptables/redsocks) → Container (socat) → Windows VM (SOCKS5) → VPN → 10.35.33.x
-```
-
-## Components
-
-### 1. Windows VM (inside container)
-- **Container**: `rego-tunnel_runtipi-rego-tunnel-1`
-- **Windows VM IP**: `172.30.0.16` or `172.30.0.17` (internal to container)
-- **VPN**: Cisco Secure Client with SAML auth (email + password + TOTP)
-- **Files on Windows** (`C:\Users\alexz\vpn_scripts`):
-  - `vpn.bat` - Startup batch file
-  - `vpn-login.js` - Node.js script that automates SAML login via Chrome DevTools Protocol
-  - `socks5.js` - Simple SOCKS5 proxy server
-  - `node_modules/` - ws, otplib packages
-
-### 2. Container
-- **External IPs**: `10.128.16.2` or similar
-- **Internal bridge**: `172.30.0.1/24` (Windows VM at .16 or .17)
-- **socat**: Forwards port 1080 from container to Windows VM SOCKS5
-- **start.sh**: Mounted at `/run/start.sh` - sets up iptables DNAT rules
-
-### 3. Host
-- **redsocks**: Transparent SOCKS5 redirector (optional)
-- **iptables**: Redirects traffic to VPN network through container
-
-## VPN Credentials
-
-Located in `vpn-login.js`:
-```javascript
-const CONFIG = {
-  email: "c-azaw@regoproducts.com",
-  password: "Fuckyou4suhail",
-  totpSecret: "RZQTQSKDWKHZ6ZYR",
-  devtoolsPort: 9222,
-  vpnTestIp: "10.35.33.230"
-};
-```
-
-## Windows Setup Steps
-
-### 1. Install Node.js
-Run PowerShell as Administrator:
-```powershell
-# Option A: Run the install script
-.\install-nodejs.ps1
-
-# Option B: Manual download from https://nodejs.org/
-```
-
-### 2. Install Cisco Secure Client
-- Download from company VPN portal or Cisco
-- Install with default options
-- Path: `C:\Program Files (x86)\Cisco\Cisco Secure Client\`
-
-### 3. Setup VPN Scripts
-```cmd
-mkdir C:\Users\alexz\vpn_scripts
-copy \\TSCLIENT\shared\vpn-scripts\*.js C:\Users\alexz\vpn_scripts\
-copy \\TSCLIENT\shared\vpn-scripts\vpn.bat C:\Users\alexz\vpn_scripts\
-
-cd C:\Users\alexz\vpn_scripts
-npm install ws otplib
-```
-
-### 4. Add to Windows Startup
-```cmd
-# Create shortcut to vpn.bat in:
-shell:startup
-# Or: C:\Users\alexz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
-```
-
-### 5. Enable Remote Debugging for Cisco UI
-The vpn-login.js script sets this environment variable before launching Cisco:
-```
-WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS=--remote-debugging-port=9222 --remote-debugging-address=0.0.0.0 --remote-allow-origins=*
-```
-
-## Container Configuration
-
-### docker-compose.yml (user-config)
-```yaml
-services:
-  rego-tunnel:
-    environment:
-      USER: alexz
-      PASS: Az@83278327$$@@
-      VERSION: win10
-    entrypoint: ["/bin/bash", "-c", "source /run/start.sh; exec /usr/bin/tini -s /run/entry.sh"]
-```
-
-### start.sh (Container Startup Script)
-Located at: `/etc/runtipi/user-config/runtipi/rego-tunnel/scripts/start.sh`
-
-Sets up:
-- iptables MASQUERADE for docker bridge
-- Route to IBM i network via Windows VM
-- DNAT rules for port forwarding (SSH, IBM i ports)
-
-## Key Ports
-
-| Port | Service |
-|------|---------|
-| 22 | SSH |
-| 23 | Telnet (IBM i) |
-| 446, 448, 449 | IBM i services |
-| 1080 | SOCKS5 proxy |
-| 8006 | noVNC web console |
-| 8470-8476 | IBM i data ports |
-| 9222 | Chrome DevTools (for automation) |
-
-## Manual Commands
-
-### Start VPN from host:
-```bash
-docker exec rego-tunnel_runtipi-rego-tunnel-1 ssh docker@172.30.0.16 'C:\Users\alexz\vpn_scripts\vpn.bat'
-```
-
-### Start socat in container:
-```bash
-docker exec -d rego-tunnel_runtipi-rego-tunnel-1 socat TCP-LISTEN:1080,fork,reuseaddr TCP:172.30.0.16:1080
-```
-
-### Test SOCKS5 connectivity:
-```bash
-nc -zv 10.128.16.2 1080
-```
-
-### Check VPN status in Windows:
-```cmd
-ipconfig | findstr 10\.
-```
-
-## Troubleshooting
-
-### VPN not connecting
-1. Check time sync: `w32tm /resync /force`
-2. Verify Cisco agent: `net start "Cisco Secure Client Agent"`
-3. Check DevTools: `http://172.30.0.16:9222/json`
-
-### SOCKS5 not working
-1. Verify VPN connected first (ping 10.35.33.230)
-2. Check socks5.js running: `tasklist | findstr node`
-3. Test locally: `nc -zv 127.0.0.1 1080`
-
-### Container issues
-1. Check logs: `docker logs rego-tunnel_runtipi-rego-tunnel-1`
-2. Verify start.sh: `docker exec rego-tunnel_runtipi-rego-tunnel-1 cat /run/start.sh`
-3. Check Windows VM IP: `docker exec rego-tunnel_runtipi-rego-tunnel-1 cat /run/qemu.pid`
-
-## File Locations
-
-### Host
-- `/etc/runtipi/user-config/runtipi/rego-tunnel/docker-compose.yml` - User overrides
-- `/etc/runtipi/user-config/runtipi/rego-tunnel/scripts/start.sh` - Container startup
-- `/etc/runtipi/repos/runtipi/apps/rego-tunnel/docker-compose.yml` - Base config
-- `/etc/runtipi/app-data/runtipi/rego-tunnel/data/storage/` - Windows disk image
-- `/etc/runtipi/app-data/runtipi/rego-tunnel/data/shared/` - Shared folder with Windows
-
-### Windows VM
-- `C:\Users\alexz\vpn_scripts\vpn-login.js` - Main automation script
-- `C:\Users\alexz\vpn_scripts\socks5.js` - SOCKS5 proxy
-- `C:\Users\alexz\vpn_scripts\vpn.bat` - Startup batch file
-- `C:\Program Files (x86)\Cisco\Cisco Secure Client\` - Cisco installation
-
-## Watchdog Mode
-
-The vpn-login.js script includes a watchdog that:
-- Monitors VPN connectivity every 2 minutes
-- Auto-reconnects after 2 consecutive failures
-- Restarts SOCKS5 proxy after reconnection
-- Logs memory usage every hour
-
-## Notes
-
-- Windows VM takes ~2-3 minutes to boot
-- VPN login takes ~30 seconds
-- TOTP requires accurate system time (script syncs automatically)
-- The container uses VERSION=win10 for dockurr/windows compatibility
-- noVNC password: `Az@83278327$@@`

apps/rego-tunnel/vpn_scripts-not-used/id_ed25519-lenovo

@@ -1,7 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-QyNTUxOQAAACBh1EJ8NFn3hUUMe+lJSJl14bt8Xjh+NT5g0YnfKVitQwAAAJhfESWEXxEl
-hAAAAAtzc2gtZWQyNTUxOQAAACBh1EJ8NFn3hUUMe+lJSJl14bt8Xjh+NT5g0YnfKVitQw
-AAAEDgYZN7HwPbKY++p612bnhGC10P3GUHQdJlprPEFbODgWHUQnw0WfeFRQx76UlImXXh
-u3xeOH41PmDRid8pWK1DAAAAEWFsZXh6QEFaYXdQQy1QMTZTAQIDBA==
------END OPENSSH PRIVATE KEY-----

apps/rego-tunnel/vpn_scripts-not-used/setup-all.bat

@@ -1,35 +0,0 @@
-@echo off
-echo === Rego VPN Windows Setup ===
-echo.
-
-echo [1/7] Installing Node.js...
-powershell -ExecutionPolicy Bypass -File "%~dp001_install-nodejs.ps1"
-
-echo [2/7] Setting up OpenSSH and Auto-Login...
-powershell -ExecutionPolicy Bypass -File "%~dp002_setup-autologin-sshd.ps1"
-
-echo [3/7] Configuring SSH Keys...
-powershell -ExecutionPolicy Bypass -File "%~dp003_setup-ssh-keys.ps1"
-
-echo [4/7] Creating vpn_scripts folder...
-mkdir "C:\Users\%USERNAME%\vpn_scripts" 2>nul
-
-echo [5/7] Copying runtime scripts...
-copy "%~dp0vpn-login.js" "C:\Users\%USERNAME%\vpn_scripts\"
-copy "%~dp0socks5.js" "C:\Users\%USERNAME%\vpn_scripts\"
-copy "%~dp0vpn.bat" "C:\Users\%USERNAME%\vpn_scripts\"
-
-echo [6/7] Installing npm dependencies...
-cd /d "C:\Users\%USERNAME%\vpn_scripts"
-call npm install ws otplib
-
-echo [7/7] Adding to startup (Run as Admin)...
-copy "%~dp0vpn-startup.lnk" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\vpn.lnk"
-
-echo.
-echo === Setup Complete ===
-echo.
-echo Manual step remaining:
-echo - Install Anyconnect (run anyconnect-win-*.exe from this folder)
-echo.
-pause

apps/rego-tunnel/vpn_scripts-not-used/socks5.js

@@ -1,69 +0,0 @@
-const net = require('net');
-
-const PORT = 1080;
-const HOST = '0.0.0.0';
-
-const server = net.createServer((client) => {
-  client.once('data', (data) => {
-    // SOCKS5 handshake
-    if (data[0] !== 0x05) {
-      client.end();
-      return;
-    }
-
-    // No auth required
-    client.write(Buffer.from([0x05, 0x00]));
-
-    client.once('data', (data) => {
-      if (data[0] !== 0x05 || data[1] !== 0x01) {
-        client.write(Buffer.from([0x05, 0x07, 0x00, 0x01, 0, 0, 0, 0, 0, 0]));
-        client.end();
-        return;
-      }
-
-      let host, port;
-      const atyp = data[3];
-
-      if (atyp === 0x01) {
-        // IPv4
-        host = `${data[4]}.${data[5]}.${data[6]}.${data[7]}`;
-        port = data.readUInt16BE(8);
-      } else if (atyp === 0x03) {
-        // Domain
-        const len = data[4];
-        host = data.slice(5, 5 + len).toString();
-        port = data.readUInt16BE(5 + len);
-      } else if (atyp === 0x04) {
-        // IPv6
-        host = '';
-        for (let i = 0; i < 16; i += 2) {
-          host += data.slice(4 + i, 6 + i).toString('hex');
-          if (i < 14) host += ':';
-        }
-        port = data.readUInt16BE(20);
-      } else {
-        client.write(Buffer.from([0x05, 0x08, 0x00, 0x01, 0, 0, 0, 0, 0, 0]));
-        client.end();
-        return;
-      }
-
-      const remote = net.createConnection(port, host, () => {
-        const response = Buffer.from([0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0]);
-        client.write(response);
-        client.pipe(remote);
-        remote.pipe(client);
-      });
-
-      remote.on('error', () => {
-        client.write(Buffer.from([0x05, 0x05, 0x00, 0x01, 0, 0, 0, 0, 0, 0]));
-        client.end();
-      });
-    });
-  });
-
-  client.on('error', () => {});
-});
-
-server.listen(PORT, HOST, () => {
-  console.log(`SOCKS5 proxy running on ${HOST}:${PORT}`);
-});

apps/rego-tunnel/vpn_scripts-not-used/start.sh

@@ -1,117 +0,0 @@
-#!/usr/bin/env bash
-set -Eeuo pipefail
-
-# Startup hook - runs after container starts
-# Dynamically detects Windows VM IP and sets up networking
-
-# Install required packages (not persistent across restarts)
-echo "[rego-tunnel] Installing required packages..."
-apt-get update -qq && apt-get install -y -qq socat openssh-client netcat-openbsd >/dev/null 2>&1 || true
-
-# Setup SSH key for accessing Windows VM
-echo "[rego-tunnel] Setting up SSH key..."
-mkdir -p /root/.ssh
-cp /vpn_scripts/id_ed25519-lenovo /root/.ssh/ 2>/dev/null || true
-chmod 600 /root/.ssh/id_ed25519-lenovo 2>/dev/null || true
-
-get_windows_ip() {
-  # Use VM_NET_IP env var if set, otherwise detect from DHCP leases
-  if [[ -n "${VM_NET_IP:-}" ]]; then
-    echo "$VM_NET_IP"
-    return
-  fi
-  awk '/Windows/ {print $3}' /var/lib/misc/dnsmasq.leases 2>/dev/null | head -1
-}
-
-get_container_ip() {
-  # Get container's external IP (172.31.0.10) - exclude docker bridge gateway (.1)
-  ip -4 addr 2>/dev/null | grep -oE '172\.31\.0\.[0-9]+' | grep -v '\.1$' | head -1
-}
-
-(
-  # Wait for Windows VM to boot and get IP
-  echo "[rego-tunnel] Waiting for Windows VM..."
-  WINDOWS_IP=""
-  for i in {1..120}; do
-    WINDOWS_IP=$(get_windows_ip)
-    if [[ -n "$WINDOWS_IP" ]]; then
-      echo "[rego-tunnel] Windows VM IP: $WINDOWS_IP"
-      break
-    fi
-    sleep 2
-  done
-
-  if [[ -z "$WINDOWS_IP" ]]; then
-    echo "[rego-tunnel] ERROR: Could not detect Windows VM IP"
-    exit 1
-  fi
-
-  # Wait for SSH to be available on Windows
-  echo "[rego-tunnel] Waiting for SSH on Windows..."
-  for i in {1..60}; do
-    if nc -z "$WINDOWS_IP" 22 2>/dev/null; then
-      echo "[rego-tunnel] SSH is available"
-      break
-    fi
-    sleep 2
-  done
-
-  CONTAINER_IP=$(get_container_ip)
-  echo "[rego-tunnel] Container IP: $CONTAINER_IP"
-
-  # Add MASQUERADE for docker bridge
-  iptables -t nat -C POSTROUTING -o docker -j MASQUERADE 2>/dev/null || \
-  iptables -t nat -A POSTROUTING -o docker -j MASQUERADE
-
-  # Allow forwarding to Windows VM
-  iptables -C FORWARD -d "$WINDOWS_IP" -j ACCEPT 2>/dev/null || \
-  iptables -A FORWARD -d "$WINDOWS_IP" -j ACCEPT
-
-  # Forward port 2222 to VM's SSH (2222) for VM access
-  pkill -f "socat.*:2222" 2>/dev/null || true
-  socat TCP-LISTEN:2222,fork,reuseaddr TCP:"$WINDOWS_IP":2222 &
-  echo "[rego-tunnel] SSH to VM available on port 2222"
-
-  # Add DNAT rules for port forwarding
-  add_dnat() {
-    local port=$1
-    iptables -t nat -C PREROUTING -d "$CONTAINER_IP" -p tcp --dport "$port" -j DNAT --to-destination "$WINDOWS_IP:$port" 2>/dev/null || \
-    iptables -t nat -A PREROUTING -d "$CONTAINER_IP" -p tcp --dport "$port" -j DNAT --to-destination "$WINDOWS_IP:$port"
-  }
-
-  # IBM i standard ports (via VM portproxy)
-  add_dnat 22
-  add_dnat 23
-  add_dnat 446
-  add_dnat 448
-  add_dnat 449
-
-  # IBM i data ports
-  for port in $(seq 8470 8476); do add_dnat $port; done
-
-  # Additional port ranges
-  for port in $(seq 2000 2020); do add_dnat $port; done
-  for port in $(seq 3000 3020); do add_dnat $port; done
-  for port in $(seq 10000 10020); do add_dnat $port; done
-  for port in $(seq 36000 36010); do add_dnat $port; done
-
-  echo "[rego-tunnel] iptables DNAT rules configured"
-  echo "[rego-tunnel] Port forwarding ready via $CONTAINER_IP"
-
-  # Set VNC password if VNC_PASSWORD env var is set
-  if [[ -n "${VNC_PASSWORD:-}" ]]; then
-    echo "[rego-tunnel] Setting VNC password..."
-    for i in {1..30}; do
-      if nc -z localhost 7100 2>/dev/null; then
-        sleep 2
-        echo "set_password vnc ${VNC_PASSWORD}" | nc -q1 localhost 7100 >/dev/null 2>&1 && \
-          echo "[rego-tunnel] VNC password set successfully" || \
-          echo "[rego-tunnel] Failed to set VNC password"
-        break
-      fi
-      sleep 2
-    done
-  fi
-) &
-
-return 0

apps/rego-tunnel/vpn_scripts-not-used/vpn-login.js

@@ -1,441 +0,0 @@
-const WebSocket = require("ws");
-const { authenticator } = require("otplib");
-const { execSync, spawn } = require("child_process");
-
-const CONFIG = {
-  email: "c-azaw@regoproducts.com",
-  password: "Fuckyou4suhail",
-  totpSecret: "RZQTQSKDWKHZ6ZYR",
-  devtoolsPort: 9222,
-  vpnTestIp: "10.35.33.230"
-};
-
-let ws;
-let msgId = 1;
-
-function log(msg) {
-  console.log("[" + new Date().toLocaleTimeString() + "] " + msg);
-}
-
-function run(cmd) {
-  try { execSync(cmd, { stdio: "ignore", timeout: 10000 }); } catch (e) {}
-}
-
-function runOutput(cmd) {
-  try {
-    return execSync(cmd, { encoding: "utf8", timeout: 10000 });
-  } catch (e) {
-    return "";
-  }
-}
-
-async function getPages() {
-  const res = await fetch("http://localhost:" + CONFIG.devtoolsPort + "/json");
-  return res.json();
-}
-
-function send(method, params = {}) {
-  return new Promise((resolve, reject) => {
-    const id = msgId++;
-    const timeout = setTimeout(() => reject(new Error("Timeout: " + method)), 15000);
-    const handler = (data) => {
-      const msg = JSON.parse(data);
-      if (msg.id === id) {
-        clearTimeout(timeout);
-        ws.off("message", handler);
-        resolve(msg.result);
-      }
-    };
-    ws.on("message", handler);
-    ws.send(JSON.stringify({ id, method, params }));
-  });
-}
-
-async function waitForSelector(selector, timeout = 30000) {
-  const start = Date.now();
-  while (Date.now() - start < timeout) {
-    try {
-      const result = await send("Runtime.evaluate", {
-        expression: "document.querySelector('" + selector + "') !== null",
-        returnByValue: true
-      });
-      if (result.result.value === true) return true;
-    } catch (e) {}
-    await sleep(500);
-  }
-  return false;
-}
-
-async function typeText(selector, text) {
-  await send("Runtime.evaluate", {
-    expression: "var el = document.querySelector('" + selector + "'); el.focus(); el.value = '';"
-  });
-  await sleep(100);
-  for (const char of text) {
-    await send("Input.dispatchKeyEvent", { type: "char", text: char });
-    await sleep(30);
-  }
-}
-
-async function click(selector) {
-  await send("Runtime.evaluate", {
-    expression: "document.querySelector('" + selector + "').click()"
-  });
-}
-
-async function clickSubmit() {
-  const methods = [
-    "document.querySelector('#submitButton') && document.querySelector('#submitButton').click()",
-    "typeof Login !== 'undefined' && Login.submitLoginRequest && Login.submitLoginRequest()",
-    "document.querySelector('input[type=\"submit\"]') && document.querySelector('input[type=\"submit\"]').click()",
-    "document.querySelector('button[type=\"submit\"]') && document.querySelector('button[type=\"submit\"]').click()",
-    "document.querySelector('#idSIButton9') && document.querySelector('#idSIButton9').click()"
-  ];
-  for (const expr of methods) {
-    try { await send("Runtime.evaluate", { expression: expr }); } catch (e) {}
-  }
-}
-
-async function sleep(ms) {
-  return new Promise(r => setTimeout(r, ms));
-}
-
-async function waitForDevtools(maxWait = 120000) {
-  const start = Date.now();
-  while (Date.now() - start < maxWait) {
-    try {
-      const pages = await getPages();
-      const page = pages.find(p => p.type === "page");
-      if (page) return page;
-    } catch (e) {}
-    log("Waiting for WebView...");
-    await sleep(2000);
-  }
-  return null;
-}
-
-// VPN adapter check skipped - IP range is unpredictable
-// We rely solely on connectivity test to target IP
-
-// Test connectivity via ping (check for actual reply, not TTL expired)
-function testVpnConnectivity(ip) {
-  try {
-    const output = execSync(`ping -n 1 -w 3000 ${ip}`, { encoding: "utf8", timeout: 5000 });
-    // Must have "Reply from <ip>" - not "TTL expired" or "Request timed out"
-    return output.includes(`Reply from ${ip}`);
-  } catch (e) {
-    return false;
-  }
-}
-
-// Verify VPN is connected with retries (connectivity test only)
-async function verifyVpnConnection(maxRetries = 10, retryDelay = 5000) {
-  log("--- VPN VERIFICATION ---");
-
-  for (let i = 1; i <= maxRetries; i++) {
-    log(`Attempt ${i}/${maxRetries}: Pinging ${CONFIG.vpnTestIp}...`);
-    const connected = testVpnConnectivity(CONFIG.vpnTestIp);
-
-    if (connected) {
-      log("VPN connectivity confirmed!");
-      return true;
-    }
-
-    log("Not reachable yet, waiting...");
-    if (i < maxRetries) {
-      await sleep(retryDelay);
-    }
-  }
-
-  log("VPN verification failed after " + maxRetries + " attempts");
-  return false;
-}
-
-async function main() {
-  console.log("");
-  console.log("========================================");
-  console.log("     CISCO VPN AUTO-LOGIN");
-  console.log("========================================");
-  console.log("");
-
-  // Sync time first (TOTP requires accurate time)
-  log("Syncing system time...");
-  run("sc config w32time start= auto");
-  run("net start w32time");
-  run("w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /update");
-  run("w32tm /resync /force");
-  await sleep(2000);
-
-  // Kill everything
-  log("Killing Cisco processes...");
-  run("taskkill /F /IM csc_ui.exe");
-  run("taskkill /F /IM vpnui.exe");
-  run("taskkill /F /IM vpnagent.exe");
-  run('net stop csc_vpnagent');
-  await sleep(2000);
-
-  // Start agent
-  log("Starting Cisco agent...");
-  run('net start csc_vpnagent');
-  await sleep(3000);
-
-  // Start UI
-  log("Starting Cisco UI...");
-  process.env.WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS = "--remote-debugging-port=9222 --remote-debugging-address=0.0.0.0 --remote-allow-origins=*";
-  spawn("C:\\Program Files (x86)\\Cisco\\Cisco Secure Client\\UI\\csc_ui.exe", [], {
-    detached: true,
-    stdio: "ignore"
-  }).unref();
-
-  await sleep(5000);
-
-  // Wait for WebView
-  const page = await waitForDevtools();
-  if (!page) {
-    log("ERROR: WebView not found - rebooting...");
-    run("shutdown /r /t 1");
-    process.exit(1);
-  }
-
-  log("WebView: " + page.title);
-  ws = new WebSocket(page.webSocketDebuggerUrl);
-  await new Promise((resolve, reject) => {
-    ws.on("open", resolve);
-    ws.on("error", reject);
-  });
-
-  await send("DOM.enable");
-  await send("Runtime.enable");
-  await send("Input.enable");
-  log("Connected to DevTools");
-
-  const url = page.url || "";
-  const isADFS = url.includes("adfs");
-  log("Login type: " + (isADFS ? "ADFS" : "Microsoft"));
-
-  if (isADFS) {
-    log("--- ADFS LOGIN ---");
-    if (!await waitForSelector("#passwordInput", 15000)) {
-      log("Password field not found");
-      process.exit(1);
-    }
-    log("Entering password...");
-    await typeText("#passwordInput", CONFIG.password);
-    await sleep(500);
-    log("Clicking Sign In...");
-    await clickSubmit();
-    await sleep(3000);
-  } else {
-    log("--- EMAIL ---");
-    if (await waitForSelector('input[type="email"]', 5000)) {
-      log("Entering email...");
-      await typeText('input[type="email"]', CONFIG.email);
-      await sleep(500);
-      log("Clicking Next...");
-      await clickSubmit();
-      await sleep(3000);
-    }
-
-    log("--- PASSWORD ---");
-    if (!await waitForSelector('input[type="password"]', 15000)) {
-      log("Password field not found");
-      process.exit(1);
-    }
-    log("Entering password...");
-    await typeText('input[type="password"]', CONFIG.password);
-    await sleep(500);
-    log("Clicking Sign In...");
-    await clickSubmit();
-    await sleep(3000);
-  }
-
-  // TOTP
-  log("--- TOTP ---");
-  if (await waitForSelector('input[name="otc"]', 15000)) {
-    await sleep(500);
-    const totp = authenticator.generate(CONFIG.totpSecret);
-    log("TOTP: " + totp);
-    await typeText('input[name="otc"]', totp);
-    await sleep(500);
-    log("Submitting...");
-    await clickSubmit();
-    await sleep(3000);
-  } else {
-    log("No TOTP field");
-  }
-
-  // Stay signed in
-  log("--- STAY SIGNED IN ---");
-  if (await waitForSelector("#idBtn_Back", 5000)) {
-    log("Clicking No...");
-    await click("#idBtn_Back");
-  }
-
-  await sleep(2000);
-  ws.close();
-
-  // Verify VPN connection
-  const vpnConnected = await verifyVpnConnection();
-
-  if (!vpnConnected) {
-    log("ERROR: VPN connection could not be verified");
-    process.exit(1);
-  }
-
-  console.log("");
-  console.log("========================================");
-  console.log("     VPN CONNECTED!");
-  console.log("     Entering watchdog mode...");
-  console.log("========================================");
-  console.log("");
-
-  // Enter watchdog mode - monitor and reconnect if needed
-  await watchdogLoop();
-}
-
-async function watchdogLoop() {
-  const checkInterval = 2 * 60 * 1000;  // 2 minutes
-  let consecutiveFailures = 0;
-  let checkCount = 0;
-
-  log("Watchdog: Monitoring every 2 minutes...");
-
-  while (true) {
-    await sleep(checkInterval);
-    checkCount++;
-
-    // Force garbage collection every 10 checks (~20 min)
-    if (checkCount % 10 === 0 && global.gc) {
-      global.gc();
-    }
-
-    // Log memory every 30 checks (~1 hour)
-    if (checkCount % 30 === 0) {
-      const mem = Math.round(process.memoryUsage().heapUsed / 1024 / 1024);
-      log(`Watchdog: Memory ${mem}MB, checks ${checkCount}`);
-    }
-
-    const connected = testVpnConnectivity(CONFIG.vpnTestIp);
-
-    if (connected) {
-      if (consecutiveFailures > 0) {
-        log("Watchdog: Connection restored");
-      }
-      consecutiveFailures = 0;
-    } else {
-      consecutiveFailures++;
-      log(`Watchdog: Connection FAILED (${consecutiveFailures})`);
-
-      if (consecutiveFailures >= 2) {
-        log("Watchdog: Reconnecting...");
-        await reconnectVpn();
-        consecutiveFailures = 0;
-      }
-    }
-  }
-}
-
-async function reconnectVpn() {
-  // Sync time first (TOTP requires accurate time)
-  log("Syncing system time...");
-  run("sc config w32time start= auto");
-  run("net start w32time");
-  run("w32tm /resync /force");
-  await sleep(1000);
-
-  // Kill and restart VPN
-  log("Killing Cisco processes...");
-  run("taskkill /F /IM csc_ui.exe");
-  run("taskkill /F /IM vpnui.exe");
-  run("taskkill /F /IM vpnagent.exe");
-  run('net stop "Cisco Secure Client Agent"');
-  await sleep(2000);
-
-  log("Starting Cisco agent...");
-  run('net start "Cisco Secure Client Agent"');
-  await sleep(3000);
-
-  log("Starting Cisco UI...");
-  spawn("C:\\Program Files (x86)\\Cisco\\Cisco Secure Client\\UI\\csc_ui.exe", [], {
-    detached: true,
-    stdio: "ignore"
-  }).unref();
-
-  await sleep(5000);
-
-  const page = await waitForDevtools();
-  if (!page) {
-    log("ERROR: WebView not found - rebooting...");
-    run("shutdown /r /t 1");
-    return false;
-  }
-
-  ws = new WebSocket(page.webSocketDebuggerUrl);
-  await new Promise((resolve, reject) => {
-    ws.on("open", resolve);
-    ws.on("error", reject);
-  });
-
-  await send("DOM.enable");
-  await send("Runtime.enable");
-  await send("Input.enable");
-
-  const url = page.url || "";
-  const isADFS = url.includes("adfs");
-
-  if (isADFS) {
-    if (await waitForSelector("#passwordInput", 15000)) {
-      await typeText("#passwordInput", CONFIG.password);
-      await sleep(500);
-      await clickSubmit();
-      await sleep(3000);
-    }
-  } else {
-    if (await waitForSelector('input[type="email"]', 5000)) {
-      await typeText('input[type="email"]', CONFIG.email);
-      await sleep(500);
-      await clickSubmit();
-      await sleep(3000);
-    }
-    if (await waitForSelector('input[type="password"]', 15000)) {
-      await typeText('input[type="password"]', CONFIG.password);
-      await sleep(500);
-      await clickSubmit();
-      await sleep(3000);
-    }
-  }
-
-  // TOTP
-  if (await waitForSelector('input[name="otc"]', 15000)) {
-    await sleep(500);
-    const totp = authenticator.generate(CONFIG.totpSecret);
-    log("TOTP: " + totp);
-    await typeText('input[name="otc"]', totp);
-    await sleep(500);
-    await clickSubmit();
-    await sleep(3000);
-  }
-
-  // Stay signed in - No
-  if (await waitForSelector("#idBtn_Back", 5000)) {
-    await click("#idBtn_Back");
-  }
-
-  await sleep(2000);
-  ws.close();
-
-  // Verify reconnection
-  const verified = await verifyVpnConnection();
-  if (verified) {
-    log("Reconnection successful!");
-    return true;
-  }
-
-  log("Reconnection failed");
-  return false;
-}
-
-main().catch(err => {
-  log("ERROR: " + err.message);
-  process.exit(1);
-});

apps/rego-tunnel/vpn_scripts-not-used/vpn.bat

@@ -1,4 +0,0 @@
-@echo off
-cd /d C:\Users\%USERNAME%\vpn_scripts\
-node vpn-login.js
-pause