# Dockerized OpenConnect-SSO with noVNC and Cloudflared

## Setup

1) Copy `.env.example` to `.env` and fill values (URLs, servercert pins, VNC passwords, cloudflared tokens).
2) First-time SSO: leave `OC_SSO_ARGS_*=--browser-display-mode visible`.
3) Build and start:

   ```sh
   docker compose build
   docker compose up -d vpn_a
   # Open http://localhost:6901, complete SSO.
   # After success, attach app containers or start cloudflared_a.
   ```

4) Optional: switch to headless after first login:
   Set `OC_SSO_ARGS_*=--browser-display-mode hidden` (or `headless`) and restart the vpn service.

## Notes

- Each VPN runs in its own net namespace; routes from one cannot affect the other or the host.
- DNS from the VPN applies within its container namespace and attached services only.
- Persisted state lives in the named volumes mounted at `/root` (Playwright cache, configs).
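
One way to attach an app container to a VPN's namespace, as step 3 and the notes describe. This is an added example, not the project's own compose file: `vpn_a` is the service name from the setup steps, while `app_a` and its image are hypothetical.

```yaml
# Constructed fragment, e.g. for a docker-compose.override.yml.
# `vpn_a` is the VPN service from the setup steps; `app_a` and its image are hypothetical.
services:
  app_a:
    image: example/app:latest        # placeholder image
    # Join vpn_a's network namespace: app_a sees the VPN's interfaces,
    # routes and DNS, and has no network stack of its own.
    network_mode: "service:vpn_a"
    depends_on:
      - vpn_a
    # Do not add `ports:` or `networks:` here; Compose rejects them together
    # with network_mode: service. Publish any needed port on vpn_a instead.
    restart: unless-stopped
```

A container attached this way keeps the namespace of the `vpn_a` container it started against, so recreate it whenever `vpn_a` is recreated. Until the tunnel is up, the shared namespace still has the container's ordinary default route, so start attached services only after SSO has completed.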