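# syntax=docker/dockerfile:1
# The heredoc and RUN --mount instructions below need the BuildKit frontend.
#
# Cisco Secure Client VPN in a systemd-based container, with a TigerVNC desktop
# published through noVNC/websockify.
#
# Security notes for operators:
#   * systemd runs as PID 1 and every service in this image runs as root; no
#     USER directive is set because systemd and the VPN agent are started as root.
#   * TigerVNC is started with "-SecurityTypes VncAuth -localhost no": the
#     session is not encrypted and VncAuth only uses the first 8 characters of
#     the password. websockify is started without TLS options as well.
#     Publish 5901/6080 on a loopback or otherwise trusted interface only, or
#     put a TLS-terminating reverse proxy in front of 6080.
#   * The default VNC password is a well-known value; override it (see the
#     "VNC password" section) before exposing the container.

FROM ubuntu:22.04

LABEL maintainer="alexz" \
      description="Cisco Secure Client VPN in Docker with noVNC" \
      version="5.1.14.145"

# DEBIAN_FRONTEND is only needed at build time; it is kept as ENV so the runtime
# environment stays the same as before. "container=docker" is read by systemd.
ENV DEBIAN_FRONTEND=noninteractive \
    container=docker

# VNC/noVNC settings
# NOTE(review): the vnc.service unit below does not pass these through, so the
# startup script presumably always uses its built-in 6080 fallback; confirm.
ENV DISPLAY=:1 \
    VNC_PORT=5901 \
    NOVNC_PORT=6080

# Install systemd and dependencies (list sorted for diffability).
# Recommended packages are still installed: dropping them with
# --no-install-recommends needs testing against the GUI client first.
RUN apt-get update && apt-get install -y \
        curl \
        dbus \
        dbus-x11 \
        iproute2 \
        iptables \
        iputils-ping \
        libglib2.0-0 \
        libgtk-3-0 \
        libstdc++6 \
        libwebkit2gtk-4.0-37 \
        libxml2 \
        nano \
        net-tools \
        network-manager \
        novnc \
        oathtool \
        openbox \
        policykit-1 \
        procps \
        systemd \
        systemd-sysv \
        tigervnc-common \
        tigervnc-standalone-server \
        websockify \
        xclip \
        xdg-utils \
        xdotool \
        xterm \
        zlib1g \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Remove unnecessary systemd services that cause issues in containers
RUN rm -f /lib/systemd/system/multi-user.target.wants/* \
        /etc/systemd/system/*.wants/* \
        /lib/systemd/system/local-fs.target.wants/* \
        /lib/systemd/system/sockets.target.wants/*udev* \
        /lib/systemd/system/sockets.target.wants/*initctl* \
        /lib/systemd/system/sysinit.target.wants/systemd-tmpfiles-setup* \
        /lib/systemd/system/systemd-update-utmp*

# Extract Cisco Secure Client.
# The tarball is bind-mounted from the build context instead of COPY'd, so it
# is never stored in an image layer (a later "rm" cannot shrink a COPY layer).
# The archive is unpacked over / as root, so its integrity matters: pass
#   --build-arg CISCO_TARBALL_SHA256=<sha256 of the vendor download>
# to fail the build when the file does not match. With the default (empty)
# value no check is performed, as before.
ARG CISCO_TARBALL_SHA256=""
RUN --mount=type=bind,source=cisco-secure-client-full.tar.gz,target=/tmp/cisco-secure-client-full.tar.gz \
    if [ -n "${CISCO_TARBALL_SHA256}" ]; then \
        echo "${CISCO_TARBALL_SHA256}  /tmp/cisco-secure-client-full.tar.gz" | sha256sum -c -; \
    fi && \
    tar -xzf /tmp/cisco-secure-client-full.tar.gz -C /

# Enable vpnagentd service
RUN systemctl enable vpnagentd.service

# Create scripts directory
RUN mkdir -p /opt/scripts /shared

# Inline startup-vnc.sh (baked into the image; not one of the scripts meant to
# be overridden at runtime)
RUN cat > /opt/scripts/startup-vnc.sh << 'EOF'
#!/bin/bash
set -e
export HOME=/root
export USER=root
# Clear stale X locks/sockets left behind by a previous run of this service.
rm -rf /tmp/.X*-lock /tmp/.X11-unix/* 2>/dev/null || true
echo "Starting TigerVNC server on display :1..."
# "-localhost no" makes the VNC port reachable from outside the container;
# access is protected only by the VncAuth password in /root/.vnc/passwd.
vncserver :1 -geometry 1280x800 -depth 24 -SecurityTypes VncAuth -localhost no
sleep 2
echo "Starting noVNC on port ${NOVNC_PORT:-6080}..."
websockify --web=/usr/share/novnc/ "${NOVNC_PORT:-6080}" localhost:5901 &
# Keep the unit in the foreground for systemd (Type=simple).
tail -f /root/.vnc/*.log
EOF
RUN chmod +x /opt/scripts/startup-vnc.sh

# Inline vnc.service (baked into the image; not meant to be overridden at runtime)
RUN cat > /lib/systemd/system/vnc.service << 'EOF'
[Unit]
Description=VNC and noVNC Server
After=network.target vpnagentd.service

[Service]
Type=simple
ExecStart=/opt/scripts/startup-vnc.sh
Restart=always
RestartSec=5
Environment=HOME=/root
Environment=USER=root

[Install]
WantedBy=multi-user.target
EOF
RUN systemctl enable vnc.service

# Copy scripts that CAN be overridden at runtime
COPY scripts/init-vpn.sh /opt/scripts/
COPY scripts/xstartup /root/.vnc/xstartup
COPY scripts/vpn-connect.sh /opt/scripts/
RUN chmod +x /opt/scripts/*.sh /root/.vnc/xstartup

# VNC password (default, can be overridden via mount)
# A build arg and its default are recorded in the image history, so anyone who
# can pull the image can read them. Preferred: supply the password as a
# BuildKit secret, which is stored in neither a layer nor the history:
#   docker build --secret id=vnc_password,src=<file containing the password> .
# When no secret is supplied, the VNC_PASSWORD build arg is used as before.
# printf is used instead of echo so backslashes in the password are kept as-is.
ARG VNC_PASSWORD=cisco123
RUN --mount=type=secret,id=vnc_password \
    mkdir -p /root/.vnc && \
    if [ -s /run/secrets/vnc_password ]; then \
        vncpasswd -f < /run/secrets/vnc_password > /root/.vnc/passwd; \
    else \
        printf '%s\n' "${VNC_PASSWORD}" | vncpasswd -f > /root/.vnc/passwd; \
    fi && \
    chmod 600 /root/.vnc/passwd

VOLUME ["/sys/fs/cgroup"]

# EXPOSE is documentation only; both ports carry unencrypted VNC traffic.
EXPOSE 5901 6080

# Signal that asks systemd to shut down cleanly
STOPSIGNAL SIGRTMIN+3

CMD ["/opt/scripts/init-vpn.sh"]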