@brewnet/cli 0.0.1

package/dist/chunk-4TJMJZMO.js

@@ -0,0 +1,1173 @@
+#!/usr/bin/env node
+import {
+  DOCKER_LOG_MAX_FILES,
+  DOCKER_LOG_MAX_SIZE
+} from "./chunk-HCHY5UIQ.js";
+
+// src/services/compose-generator.ts
+import { readFileSync, writeFileSync } from "fs";
+import yaml from "js-yaml";
+
+// src/config/services.ts
+function traefikRouterLabels(serviceId, subdomain, port) {
+  return {
+    "traefik.enable": "true",
+    [`traefik.http.routers.${serviceId}.rule`]: `Host(\`${subdomain}.{{DOMAIN}}\`)`,
+    [`traefik.http.routers.${serviceId}.entrypoints`]: "websecure",
+    [`traefik.http.routers.${serviceId}.tls.certresolver`]: "letsencrypt",
+    [`traefik.http.services.${serviceId}.loadbalancer.server.port`]: String(port)
+  };
+}
+var SERVICE_REGISTRY = /* @__PURE__ */ new Map([
+  // -- Web servers ----------------------------------------------------------
+  [
+    "traefik",
+    {
+      id: "traefik",
+      name: "Traefik",
+      image: "traefik:v2.11",
+      ports: [80, 443, 8080],
+      subdomain: "traefik",
+      ramMB: 64,
+      diskGB: 0.1,
+      networks: ["brewnet"],
+      healthCheck: {
+        endpoint: "/api/health",
+        interval: 30,
+        timeout: 5,
+        retries: 3
+      },
+      requiredEnvVars: [],
+      traefikLabels: {
+        "traefik.enable": "true",
+        "traefik.http.routers.traefik-dashboard.rule": "Host(`traefik.{{DOMAIN}}`)",
+        "traefik.http.routers.traefik-dashboard.entrypoints": "websecure",
+        "traefik.http.routers.traefik-dashboard.tls.certresolver": "letsencrypt",
+        "traefik.http.routers.traefik-dashboard.service": "api@internal"
+      }
+    }
+  ],
+  [
+    "nginx",
+    {
+      id: "nginx",
+      name: "Nginx",
+      image: "nginx:1.25-alpine",
+      ports: [80, 443],
+      subdomain: "",
+      ramMB: 32,
+      diskGB: 0.1,
+      networks: ["brewnet"],
+      healthCheck: {
+        endpoint: "/",
+        interval: 30,
+        timeout: 5,
+        retries: 3
+      },
+      requiredEnvVars: []
+    }
+  ],
+  [
+    "caddy",
+    {
+      id: "caddy",
+      name: "Caddy",
+      image: "caddy:2-alpine",
+      ports: [80, 443],
+      subdomain: "",
+      ramMB: 32,
+      diskGB: 0.1,
+      networks: ["brewnet"],
+      healthCheck: {
+        endpoint: "/",
+        interval: 30,
+        timeout: 5,
+        retries: 3
+      },
+      requiredEnvVars: []
+    }
+  ],
+  // -- Git server -----------------------------------------------------------
+  [
+    "gitea",
+    {
+      id: "gitea",
+      name: "Gitea",
+      image: "gitea/gitea:latest",
+      ports: [3e3, 3022],
+      subdomain: "git",
+      ramMB: 256,
+      diskGB: 1,
+      networks: ["brewnet", "brewnet-internal"],
+      healthCheck: {
+        endpoint: "/api/healthz",
+        interval: 30,
+        timeout: 10,
+        retries: 3
+      },
+      requiredEnvVars: [
+        "GITEA__database__DB_TYPE",
+        "GITEA__database__HOST",
+        "GITEA__database__NAME",
+        "GITEA__database__USER",
+        "GITEA__database__PASSWD"
+      ],
+      traefikLabels: traefikRouterLabels("gitea", "git", 3e3)
+    }
+  ],
+  // -- File browser ---------------------------------------------------------
+  [
+    "filebrowser",
+    {
+      id: "filebrowser",
+      name: "FileBrowser",
+      image: "filebrowser/filebrowser:latest",
+      ports: [80],
+      subdomain: "files",
+      ramMB: 50,
+      diskGB: 0.1,
+      networks: ["brewnet"],
+      healthCheck: {
+        endpoint: "/health",
+        interval: 30,
+        timeout: 5,
+        retries: 3
+      },
+      requiredEnvVars: [],
+      traefikLabels: traefikRouterLabels("filebrowser", "files", 80)
+    }
+  ],
+  // -- File servers ---------------------------------------------------------
+  [
+    "nextcloud",
+    {
+      id: "nextcloud",
+      name: "Nextcloud",
+      image: "nextcloud:29-apache",
+      ports: [80],
+      subdomain: "cloud",
+      ramMB: 256,
+      diskGB: 2,
+      networks: ["brewnet", "brewnet-internal"],
+      healthCheck: {
+        endpoint: "/status.php",
+        interval: 30,
+        timeout: 10,
+        retries: 5
+      },
+      requiredEnvVars: [
+        "NEXTCLOUD_ADMIN_USER",
+        "NEXTCLOUD_ADMIN_PASSWORD",
+        "NEXTCLOUD_TRUSTED_DOMAINS"
+      ],
+      traefikLabels: traefikRouterLabels("nextcloud", "cloud", 80)
+    }
+  ],
+  [
+    "minio",
+    {
+      id: "minio",
+      name: "MinIO",
+      image: "minio/minio:latest",
+      ports: [9e3],
+      subdomain: "minio",
+      ramMB: 128,
+      diskGB: 1,
+      networks: ["brewnet", "brewnet-internal"],
+      healthCheck: {
+        endpoint: "/minio/health/live",
+        interval: 30,
+        timeout: 5,
+        retries: 3
+      },
+      requiredEnvVars: ["MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD"],
+      traefikLabels: traefikRouterLabels("minio", "minio", 9001)
+    }
+  ],
+  // -- Media ----------------------------------------------------------------
+  [
+    "jellyfin",
+    {
+      id: "jellyfin",
+      name: "Jellyfin",
+      image: "jellyfin/jellyfin:latest",
+      ports: [8096],
+      subdomain: "jellyfin",
+      ramMB: 256,
+      diskGB: 2,
+      networks: ["brewnet"],
+      healthCheck: {
+        endpoint: "/health",
+        interval: 30,
+        timeout: 10,
+        retries: 3
+      },
+      requiredEnvVars: [],
+      traefikLabels: traefikRouterLabels("jellyfin", "jellyfin", 8096)
+    }
+  ],
+  // -- Databases ------------------------------------------------------------
+  [
+    "postgresql",
+    {
+      id: "postgresql",
+      name: "PostgreSQL",
+      image: "postgres:18.3-alpine",
+      ports: [5432],
+      subdomain: "",
+      ramMB: 120,
+      diskGB: 1,
+      networks: ["brewnet", "brewnet-internal"],
+      healthCheck: {
+        endpoint: "",
+        interval: 10,
+        timeout: 5,
+        retries: 5
+      },
+      requiredEnvVars: ["POSTGRES_PASSWORD", "POSTGRES_USER", "POSTGRES_DB"]
+    }
+  ],
+  [
+    "mysql",
+    {
+      id: "mysql",
+      name: "MySQL",
+      image: "mysql:8.4",
+      ports: [3306],
+      subdomain: "",
+      ramMB: 256,
+      diskGB: 1,
+      networks: ["brewnet", "brewnet-internal"],
+      healthCheck: {
+        endpoint: "",
+        interval: 10,
+        timeout: 5,
+        retries: 5
+      },
+      requiredEnvVars: [
+        "MYSQL_ROOT_PASSWORD",
+        "MYSQL_DATABASE",
+        "MYSQL_USER",
+        "MYSQL_PASSWORD"
+      ]
+    }
+  ],
+  // -- Admin UI -------------------------------------------------------------
+  [
+    "pgadmin",
+    {
+      id: "pgadmin",
+      name: "pgAdmin",
+      image: "dpage/pgadmin4:latest",
+      ports: [5050],
+      subdomain: "pgadmin",
+      ramMB: 128,
+      diskGB: 0.5,
+      networks: ["brewnet", "brewnet-internal"],
+      healthCheck: {
+        endpoint: "/misc/ping",
+        interval: 30,
+        timeout: 5,
+        retries: 3
+      },
+      requiredEnvVars: [
+        "PGADMIN_DEFAULT_EMAIL",
+        "PGADMIN_DEFAULT_PASSWORD"
+      ],
+      traefikLabels: traefikRouterLabels("pgadmin", "pgadmin", 80)
+    }
+  ],
+  // -- SSH ------------------------------------------------------------------
+  [
+    "openssh-server",
+    {
+      id: "openssh-server",
+      name: "OpenSSH Server",
+      image: "linuxserver/openssh-server:latest",
+      ports: [2222],
+      subdomain: "",
+      ramMB: 16,
+      diskGB: 0.1,
+      networks: ["brewnet"],
+      healthCheck: {
+        endpoint: "",
+        interval: 30,
+        timeout: 5,
+        retries: 3
+      },
+      requiredEnvVars: ["PUID", "PGID", "TZ", "PASSWORD_ACCESS", "USER_NAME"]
+    }
+  ],
+  // -- Tunnel ---------------------------------------------------------------
+  [
+    "cloudflared",
+    {
+      id: "cloudflared",
+      name: "Cloudflare Tunnel",
+      image: "cloudflare/cloudflared:latest",
+      ports: [],
+      subdomain: "",
+      ramMB: 32,
+      diskGB: 0.1,
+      networks: ["brewnet"],
+      requiredEnvVars: ["TUNNEL_TOKEN"]
+    }
+  ]
+]);
+function getServiceDefinition(id) {
+  return SERVICE_REGISTRY.get(id);
+}
+
+// src/services/compose-generator.ts
+var BREWNET_PREFIX = "brewnet";
+function getLoggingConfig() {
+  return {
+    driver: "json-file",
+    options: {
+      "max-size": DOCKER_LOG_MAX_SIZE,
+      "max-file": DOCKER_LOG_MAX_FILES,
+      tag: "{{.Name}}"
+    }
+  };
+}
+function getServiceVolumes(serviceId) {
+  switch (serviceId) {
+    case "traefik":
+      return [
+        "/var/run/docker.sock:/var/run/docker.sock",
+        `${BREWNET_PREFIX}_traefik_certs:/letsencrypt`,
+        "./logs:/logs"
+      ];
+    case "gitea":
+      return [`${BREWNET_PREFIX}_gitea_data:/data`];
+    case "postgresql":
+      return [`${BREWNET_PREFIX}_postgres_data:/var/lib/postgresql/data`];
+    case "mysql":
+      return [`${BREWNET_PREFIX}_mysql_data:/var/lib/mysql`];
+    case "nextcloud":
+      return [
+        `${BREWNET_PREFIX}_nextcloud_data:/var/www/html`
+      ];
+    case "minio":
+      return [`${BREWNET_PREFIX}_minio_data:/data`];
+    case "jellyfin":
+      return [
+        `${BREWNET_PREFIX}_jellyfin_config:/config`,
+        `${BREWNET_PREFIX}_jellyfin_media:/media`
+      ];
+    case "openssh-server":
+      return [`${BREWNET_PREFIX}_ssh_config:/config`];
+    case "pgadmin":
+      return [`${BREWNET_PREFIX}_pgadmin_data:/var/lib/pgadmin`];
+    case "filebrowser":
+      return [
+        `${BREWNET_PREFIX}_filebrowser_data:/srv`,
+        `${BREWNET_PREFIX}_filebrowser_db:/database`,
+        `${BREWNET_PREFIX}_filebrowser_config:/config`
+      ];
+    case "cloudflared":
+      return [];
+    default:
+      return [];
+  }
+}
+function getHealthcheck(serviceId, state) {
+  switch (serviceId) {
+    case "postgresql":
+      return {
+        test: ["CMD-SHELL", `pg_isready -U ${state.servers.dbServer.dbUser || "brewnet"}`],
+        interval: "10s",
+        timeout: "5s",
+        retries: 5
+      };
+    case "mysql":
+      return {
+        test: ["CMD", "mysqladmin", "ping", "-h", "localhost"],
+        interval: "10s",
+        timeout: "5s",
+        retries: 5
+      };
+    case "gitea":
+      return {
+        test: ["CMD-SHELL", "curl -fsSL http://localhost:3000/api/healthz || exit 1"],
+        interval: "30s",
+        timeout: "10s",
+        retries: 3
+      };
+    case "traefik":
+      return {
+        test: ["CMD-SHELL", "wget --spider -q http://localhost:8080/api/overview || exit 1"],
+        interval: "30s",
+        timeout: "5s",
+        retries: 3
+      };
+    case "nextcloud":
+      return {
+        test: ["CMD-SHELL", "curl -fsSL http://localhost/status.php || exit 1"],
+        interval: "30s",
+        timeout: "10s",
+        retries: 5
+      };
+    case "jellyfin":
+      return {
+        test: ["CMD-SHELL", "curl -fsSL http://localhost:8096/health || exit 1"],
+        interval: "30s",
+        timeout: "10s",
+        retries: 3
+      };
+    default:
+      return void 0;
+  }
+}
+function getPostgresqlEnv(state) {
+  const db = state.servers.dbServer;
+  return {
+    POSTGRES_USER: db.dbUser || "brewnet",
+    POSTGRES_PASSWORD: db.dbPassword || "${DB_PASSWORD}",
+    POSTGRES_DB: db.dbName || "brewnet_db"
+  };
+}
+function getMysqlEnv(state) {
+  const db = state.servers.dbServer;
+  return {
+    MYSQL_ROOT_PASSWORD: db.dbPassword || "${DB_PASSWORD}",
+    MYSQL_DATABASE: db.dbName || "brewnet_db",
+    MYSQL_USER: db.dbUser || "brewnet",
+    MYSQL_PASSWORD: db.dbPassword || "${DB_PASSWORD}"
+  };
+}
+function getGiteaEnv(state) {
+  const env = {
+    USER_UID: "1000",
+    USER_GID: "1000",
+    // Lock the web installer — prevents the setup wizard from running on first access.
+    // Without this, visiting the Gitea URL triggers the installer which writes app.ini
+    // with whatever credentials the user enters (often wrong defaults).
+    // Once app.ini exists, Gitea ignores ALL env vars → DB password mismatch on restart.
+    // With INSTALL_LOCK=true, Gitea reads DB credentials exclusively from GITEA__database__* env vars.
+    "GITEA__security__INSTALL_LOCK": "true"
+  };
+  const giteaTunnelMode = state.domain.cloudflare.tunnelMode;
+  const giteaDomain = state.domain.name;
+  if (giteaTunnelMode === "quick") {
+    env["GITEA__server__ROOT_URL"] = "http://localhost/git/";
+  } else if (giteaDomain) {
+    env["GITEA__server__ROOT_URL"] = `https://git.${giteaDomain}/`;
+    env["GITEA__server__DOMAIN"] = `git.${giteaDomain}`;
+    env["GITEA__server__SSH_DOMAIN"] = `git.${giteaDomain}`;
+  }
+  if (state.servers.dbServer.enabled && state.servers.dbServer.primary) {
+    const dbType = state.servers.dbServer.primary === "postgresql" ? "postgres" : "mysql";
+    const dbHost = state.servers.dbServer.primary === "postgresql" ? "postgresql" : "mysql";
+    const dbPort = state.servers.dbServer.primary === "postgresql" ? "5432" : "3306";
+    env["GITEA__database__DB_TYPE"] = dbType;
+    env["GITEA__database__HOST"] = `${dbHost}:${dbPort}`;
+    env["GITEA__database__NAME"] = "gitea_db";
+    env["GITEA__database__USER"] = state.servers.dbServer.dbUser || "brewnet";
+    env["GITEA__database__PASSWD"] = state.servers.dbServer.dbPassword || "${DB_PASSWORD}";
+  }
+  return env;
+}
+function getNextcloudEnv(state) {
+  const env = {
+    NEXTCLOUD_ADMIN_USER: state.admin.username || "admin",
+    NEXTCLOUD_ADMIN_PASSWORD: state.admin.password || "${ADMIN_PASSWORD}",
+    NEXTCLOUD_TRUSTED_DOMAINS: state.domain.name
+  };
+  const ncTunnelMode = state.domain.cloudflare.tunnelMode;
+  const ncDomain = state.domain.name;
+  if (ncTunnelMode === "quick") {
+    env["OVERWRITEWEBROOT"] = "/cloud";
+    env["NEXTCLOUD_TRUSTED_PROXIES"] = "traefik";
+    const portMap = state.portRemapping ?? {};
+    const ncPort = portMap[8443] ?? 8443;
+    env["NEXTCLOUD_TRUSTED_DOMAINS"] = `${ncDomain} localhost localhost:${ncPort} *.trycloudflare.com`;
+  } else if (ncDomain) {
+    env["OVERWRITEHOST"] = `cloud.${ncDomain}`;
+    env["OVERWRITEPROTOCOL"] = "https";
+    env["NEXTCLOUD_TRUSTED_PROXIES"] = "traefik";
+    env["NEXTCLOUD_TRUSTED_DOMAINS"] = `cloud.${ncDomain} localhost`;
+  }
+  if (state.servers.dbServer.enabled && state.servers.dbServer.primary) {
+    if (state.servers.dbServer.primary === "postgresql") {
+      env["POSTGRES_HOST"] = "postgresql";
+      env["POSTGRES_DB"] = state.servers.dbServer.dbName || "brewnet_db";
+      env["POSTGRES_USER"] = state.servers.dbServer.dbUser || "brewnet";
+      env["POSTGRES_PASSWORD"] = state.servers.dbServer.dbPassword || "${DB_PASSWORD}";
+    } else if (state.servers.dbServer.primary === "mysql") {
+      env["MYSQL_HOST"] = "mysql";
+      env["MYSQL_DATABASE"] = state.servers.dbServer.dbName || "brewnet_db";
+      env["MYSQL_USER"] = state.servers.dbServer.dbUser || "brewnet";
+      env["MYSQL_PASSWORD"] = state.servers.dbServer.dbPassword || "${DB_PASSWORD}";
+    }
+  }
+  return env;
+}
+function getMinioEnv(state) {
+  return {
+    MINIO_ROOT_USER: state.admin.username || "admin",
+    MINIO_ROOT_PASSWORD: state.admin.password || "${ADMIN_PASSWORD}"
+  };
+}
+function getSshEnv(state) {
+  return {
+    PUID: "1000",
+    PGID: "1000",
+    TZ: "UTC",
+    PASSWORD_ACCESS: state.servers.sshServer.passwordAuth ? "true" : "false",
+    USER_NAME: state.admin.username || "admin"
+  };
+}
+function getPgadminEnv(state) {
+  const env = {
+    PGADMIN_DEFAULT_EMAIL: state.servers.dbServer.pgadminEmail || `${state.admin.username || "admin"}@brewnet.dev`,
+    PGADMIN_DEFAULT_PASSWORD: state.admin.password || "${ADMIN_PASSWORD}"
+  };
+  if (state.domain.cloudflare.tunnelMode === "quick") {
+    env["SCRIPT_NAME"] = "/pgadmin";
+  }
+  return env;
+}
+function getFilebrowserEnv(state) {
+  const env = {
+    FB_USERNAME: state.admin.username || "admin",
+    FB_PASSWORD: state.admin.password || "${ADMIN_PASSWORD}"
+  };
+  if (state.domain.cloudflare.tunnelMode === "quick") {
+    env["FB_BASEURL"] = "/files";
+  }
+  return env;
+}
+function getCloudflaredEnv(state) {
+  if (state.domain.cloudflare.tunnelMode === "quick") {
+    return void 0;
+  }
+  return {
+    TUNNEL_TOKEN: state.domain.cloudflare.tunnelToken || "${TUNNEL_TOKEN}"
+  };
+}
+function resolveTraefikLabels(def, domain) {
+  if (!def.traefikLabels) return {};
+  const resolved = {};
+  for (const [key, value] of Object.entries(def.traefikLabels)) {
+    resolved[key] = value.replace(/\{\{DOMAIN\}\}/g, domain);
+  }
+  return resolved;
+}
+function buildQuickTunnelPathLabels(serviceId, path, port, noStrip = false) {
+  const name = `quicktunnel-${serviceId}`;
+  const labels = {
+    "traefik.enable": "true",
+    [`traefik.http.routers.${name}.rule`]: `PathPrefix(\`${path}\`)`,
+    [`traefik.http.routers.${name}.entrypoints`]: "web",
+    [`traefik.http.services.${name}.loadbalancer.server.port`]: String(port)
+  };
+  if (!noStrip) {
+    labels[`traefik.http.middlewares.${name}-strip.stripprefix.prefixes`] = path;
+    labels[`traefik.http.routers.${name}.middlewares`] = `${name}-strip`;
+  }
+  return labels;
+}
+function buildQuickTunnelExtraPathLabels(serviceId, extraPath, port) {
+  const slug = extraPath.replace(/\//g, "").replace(/[^a-z0-9]/gi, "");
+  const routerName = `quicktunnel-${serviceId}-${slug}`;
+  const serviceName = `quicktunnel-${serviceId}-${slug}`;
+  return {
+    // Explicit service link required when the container has multiple service definitions
+    [`traefik.http.routers.quicktunnel-${serviceId}.service`]: `quicktunnel-${serviceId}`,
+    [`traefik.http.routers.${routerName}.rule`]: `PathPrefix(\`${extraPath}\`)`,
+    [`traefik.http.routers.${routerName}.entrypoints`]: "web",
+    // Priority 10 > landing-page explicit priority 1 so this route takes precedence
+    [`traefik.http.routers.${routerName}.priority`]: "10",
+    [`traefik.http.routers.${routerName}.service`]: serviceName,
+    [`traefik.http.services.${serviceName}.loadbalancer.server.port`]: String(port)
+  };
+}
+var QUICK_TUNNEL_PATH_MAP = {
+  // Gitea: Traefik strips /git before forwarding to Gitea (strip-prefix).
+  // ROOT_URL must include /git/ sub-path so Gitea generates /git/assets/... links.
+  // ROOT_URL host must be Traefik's port (80) not Gitea's port (3000):
+  //   - Gitea generates root-relative links: /git/assets/...
+  //   - Browser resolves them against current origin (both local :80 and external tunnel)
+  //   - Traefik receives /git/assets/... → strips /git → sends /assets/... to Gitea ✓
+  gitea: { path: "/git", port: 3e3 },
+  // FileBrowser: Vite build emits /static/... asset paths regardless of FB_BASEURL.
+  // A companion route for /static is required so browsers can load CSS/JS.
+  // See: buildQuickTunnelExtraPathLabels for the /static → filebrowser routing.
+  filebrowser: { path: "/files", port: 80, extraPaths: ["/static"] },
+  "uptime-kuma": { path: "/status", port: 3001 },
+  grafana: { path: "/grafana", port: 3e3 },
+  // pgadmin: WSGI app — SCRIPT_NAME handles path; no strip needed
+  pgadmin: { path: "/pgadmin", port: 80, noStrip: true },
+  // Nextcloud: OVERWRITEWEBROOT env makes NC generate prefixed URLs; strip prefix so NC gets clean paths
+  // Ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html
+  nextcloud: { path: "/cloud", port: 80 },
+  // Jellyfin: Base URL setting handles path natively; no strip needed
+  // Ref: https://jellyfin.org/docs/general/post-install/networking — "Base URL"
+  jellyfin: { path: "/jellyfin", port: 8096, noStrip: true },
+  // MinIO Console: pre-built React SPA without sub-path awareness; use noStrip so the app
+  // receives the full path and Traefik does not alter the prefix.
+  minio: { path: "/minio", port: 9001, noStrip: true }
+};
+function getServicePorts(serviceId, state) {
+  const portMap = state.portRemapping ?? {};
+  const remap = (hostPort) => portMap[hostPort] ?? hostPort;
+  switch (serviceId) {
+    case "traefik": {
+      const httpHost = remap(80);
+      const isQuickTunnel = state.domain.cloudflare.tunnelMode === "quick";
+      if (isQuickTunnel) {
+        return [`${httpHost}:80`];
+      }
+      const httpsHost = remap(443);
+      return [`${httpHost}:80`, `${httpsHost}:443`];
+    }
+    case "nginx":
+      return [`${remap(80)}:80`, `${remap(443)}:443`];
+    case "caddy":
+      return [`${remap(80)}:80`, `${remap(443)}:443`];
+    case "gitea": {
+      const ports = [`${remap(state.servers.gitServer.sshPort)}:22`];
+      if (state.domain.cloudflare.tunnelMode !== "quick") {
+        ports.unshift(`${remap(state.servers.gitServer.port)}:3000`);
+      }
+      return ports;
+    }
+    case "openssh-server":
+      return [`${remap(state.servers.sshServer.port)}:2222`];
+    case "jellyfin":
+      return [`${remap(8096)}:8096`];
+    case "nextcloud": {
+      if (state.domain.cloudflare.tunnelMode === "quick") {
+        return [];
+      }
+      return [`${remap(8443)}:80`];
+    }
+    case "minio":
+      return [`${remap(9e3)}:9000`, `${remap(9001)}:9001`];
+    case "filebrowser":
+      return [`${remap(8085)}:80`];
+    case "pgadmin":
+      return [`${remap(5050)}:80`];
+    case "cloudflared":
+      return [];
+    // DB ports are NOT exposed externally
+    case "postgresql":
+    case "mysql":
+      return [];
+    default:
+      return [];
+  }
+}
+function getDependsOn(serviceId, state) {
+  const deps = [];
+  const dbEnabled = state.servers.dbServer.enabled && state.servers.dbServer.primary;
+  const primaryId = state.servers.dbServer.primary;
+  switch (serviceId) {
+    case "gitea":
+      if (dbEnabled) deps.push(primaryId);
+      break;
+    case "nextcloud":
+      if (dbEnabled) deps.push(primaryId);
+      break;
+    case "pgadmin":
+      deps.push("postgresql");
+      break;
+    default:
+      break;
+  }
+  return deps;
+}
+function getServiceEnvironment(serviceId, state) {
+  switch (serviceId) {
+    case "postgresql":
+      return getPostgresqlEnv(state);
+    case "mysql":
+      return getMysqlEnv(state);
+    case "gitea":
+      return getGiteaEnv(state);
+    case "nextcloud":
+      return getNextcloudEnv(state);
+    case "minio":
+      return getMinioEnv(state);
+    case "openssh-server":
+      return getSshEnv(state);
+    case "pgadmin":
+      return getPgadminEnv(state);
+    case "filebrowser":
+      return getFilebrowserEnv(state);
+    case "cloudflared":
+      return getCloudflaredEnv(state);
+    default:
+      return void 0;
+  }
+}
+function buildComposeService(def, state) {
+  const domain = state.domain.name;
+  const webService = state.servers.webServer.service;
+  const svc = {
+    image: def.image,
+    container_name: `${BREWNET_PREFIX}-${def.id}`,
+    restart: "unless-stopped",
+    security_opt: ["no-new-privileges:true"],
+    networks: [...def.networks]
+  };
+  const ports = getServicePorts(def.id, state);
+  if (ports.length > 0) {
+    svc.ports = ports;
+  }
+  const volumes = getServiceVolumes(def.id);
+  if (volumes.length > 0) {
+    svc.volumes = volumes;
+  }
+  svc.logging = getLoggingConfig();
+  const environment = getServiceEnvironment(def.id, state);
+  if (environment) {
+    svc.environment = environment;
+  }
+  if (webService === "traefik" && def.traefikLabels && state.domain.cloudflare.tunnelMode !== "quick") {
+    svc.labels = resolveTraefikLabels(def, domain);
+  }
+  if (webService === "traefik" && state.domain.cloudflare.tunnelMode === "quick") {
+    const entry = QUICK_TUNNEL_PATH_MAP[def.id];
+    if (entry) {
+      svc.labels = buildQuickTunnelPathLabels(def.id, entry.path, entry.port, entry.noStrip);
+      for (const extraPath of entry.extraPaths ?? []) {
+        Object.assign(svc.labels, buildQuickTunnelExtraPathLabels(def.id, extraPath, entry.port));
+      }
+    }
+  }
+  const deps = getDependsOn(def.id, state);
+  if (deps.length > 0) {
+    svc.depends_on = deps;
+  }
+  const hc = getHealthcheck(def.id, state);
+  if (hc) {
+    svc.healthcheck = hc;
+  }
+  if (def.id === "traefik") {
+    const isQuickTunnel = state.domain.cloudflare.tunnelMode === "quick";
+    const cmds = [
+      "--providers.docker=true",
+      "--providers.docker.exposedbydefault=false",
+      "--providers.docker.network=brewnet",
+      "--entrypoints.web.address=:80"
+    ];
+    if (!isQuickTunnel) {
+      cmds.push("--entrypoints.websecure.address=:443");
+    }
+    if (isQuickTunnel) {
+      cmds.push("--api.insecure=true");
+      cmds.push("--entrypoints.web.forwardedHeaders.insecure=true");
+    }
+    cmds.push(
+      "--accesslog=true",
+      "--accesslog.filepath=/logs/access.log",
+      "--accesslog.format=json",
+      "--accesslog.bufferingsize=100",
+      "--accesslog.fields.headers.defaultmode=drop",
+      "--accesslog.fields.headers.names.User-Agent=keep",
+      "--accesslog.fields.headers.names.X-Forwarded-For=keep"
+    );
+    svc.command = cmds;
+    svc.labels = {
+      "traefik.enable": "true",
+      "traefik.http.routers.brewnet-dashboard.rule": "PathPrefix(`/dashboard`) || PathPrefix(`/api`)",
+      "traefik.http.routers.brewnet-dashboard.entrypoints": "web",
+      "traefik.http.routers.brewnet-dashboard.service": "api@internal",
+      // Redirect /dashboard (no trailing slash) → /dashboard/ before auth.
+      // api@internal returns 404 for paths without trailing slash.
+      "traefik.http.routers.brewnet-dashboard.middlewares": "dashboard-slash-redirect@docker,dashboard-auth@docker",
+      "traefik.http.middlewares.dashboard-slash-redirect.redirectregex.regex": "^(https?://[^/]+)/dashboard$",
+      "traefik.http.middlewares.dashboard-slash-redirect.redirectregex.replacement": "$${1}/dashboard/",
+      "traefik.http.middlewares.dashboard-slash-redirect.redirectregex.permanent": "false",
+      "traefik.http.middlewares.dashboard-auth.basicauth.users": "${TRAEFIK_DASHBOARD_AUTH}"
+    };
+  }
+  if (def.id === "cloudflared") {
+    if (state.domain.cloudflare.tunnelMode === "quick") {
+      svc.command = ["tunnel", "--no-autoupdate", "--url", "http://traefik:80"];
+    } else {
+      svc.command = ["tunnel", "--no-autoupdate", "run"];
+    }
+  }
+  if (def.id === "jellyfin") {
+    svc.entrypoint = [
+      "/bin/sh",
+      "-c",
+      `mkdir -p /config/config && if [ ! -f /config/config/network.xml ]; then echo '<?xml version="1.0" encoding="utf-8"?><NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><BaseUrl>/jellyfin</BaseUrl></NetworkConfiguration>' > /config/config/network.xml; fi && exec /jellyfin/jellyfin`
+    ];
+  }
+  if (def.id === "minio") {
+    svc.command = ["server", "/data", "--console-address", ":9001"];
+  }
+  return svc;
+}
+function applySecretsMigration(serviceId, svc, _state) {
+  const env = svc.environment ?? {};
+  const secrets = [];
+  switch (serviceId) {
+    // --- PostgreSQL: POSTGRES_PASSWORD → POSTGRES_PASSWORD_FILE ---
+    case "postgresql": {
+      delete env["POSTGRES_PASSWORD"];
+      env["POSTGRES_PASSWORD_FILE"] = "/run/secrets/db_password";
+      secrets.push("db_password");
+      break;
+    }
+    // --- MySQL: MYSQL_ROOT_PASSWORD + MYSQL_PASSWORD → _FILE variants ---
+    case "mysql": {
+      delete env["MYSQL_ROOT_PASSWORD"];
+      delete env["MYSQL_PASSWORD"];
+      env["MYSQL_ROOT_PASSWORD_FILE"] = "/run/secrets/db_password";
+      env["MYSQL_PASSWORD_FILE"] = "/run/secrets/db_password";
+      secrets.push("db_password");
+      break;
+    }
+    // --- Gitea: database PASSWD, security SECRET_KEY → __FILE variants ---
+    case "gitea": {
+      if (env["GITEA__database__PASSWD"]) {
+        delete env["GITEA__database__PASSWD"];
+        env["GITEA__database__PASSWD__FILE"] = "/run/secrets/db_password";
+        secrets.push("db_password");
+      }
+      delete env["GITEA__security__SECRET_KEY"];
+      secrets.push("gitea_secret_key");
+      break;
+    }
+    // --- Nextcloud: NEXTCLOUD_ADMIN_PASSWORD, DB passwords → _FILE ---
+    case "nextcloud": {
+      delete env["NEXTCLOUD_ADMIN_PASSWORD"];
+      env["NEXTCLOUD_ADMIN_PASSWORD_FILE"] = "/run/secrets/admin_password";
+      secrets.push("admin_password");
+      if (env["POSTGRES_PASSWORD"]) {
+        delete env["POSTGRES_PASSWORD"];
+        env["POSTGRES_PASSWORD_FILE"] = "/run/secrets/db_password";
+        secrets.push("db_password");
+      }
+      if (env["MYSQL_PASSWORD"]) {
+        delete env["MYSQL_PASSWORD"];
+        env["MYSQL_PASSWORD_FILE"] = "/run/secrets/db_password";
+        secrets.push("db_password");
+      }
+      break;
+    }
+    // --- pgAdmin: PGADMIN_DEFAULT_PASSWORD → _FILE ---
+    case "pgadmin": {
+      delete env["PGADMIN_DEFAULT_PASSWORD"];
+      env["PGADMIN_DEFAULT_PASSWORD_FILE"] = "/run/secrets/admin_password";
+      secrets.push("admin_password");
+      break;
+    }
+    // --- Traefik: basicauth.users → basicauth.usersfile (BasicAuth bug fix) ---
+    case "traefik": {
+      secrets.push("traefik_dashboard_auth");
+      if (svc.labels) {
+        delete svc.labels["traefik.http.middlewares.dashboard-auth.basicauth.users"];
+        svc.labels["traefik.http.middlewares.dashboard-auth.basicauth.usersfile"] = "/run/secrets/traefik_dashboard_auth";
+      }
+      break;
+    }
+    // minio, cloudflared: no changes (stay in .env)
+    default:
+      break;
+  }
+  const uniqueSecrets = [...new Set(secrets)];
+  if (uniqueSecrets.length > 0) {
+    svc.secrets = uniqueSecrets;
+  }
+  if (Object.keys(env).length > 0) {
+    svc.environment = env;
+  }
+}
+function collectTopLevelSecrets(services) {
+  const allSecrets = /* @__PURE__ */ new Set();
+  for (const svc of Object.values(services)) {
+    for (const s of svc.secrets ?? []) {
+      allSecrets.add(s);
+    }
+  }
+  if (allSecrets.size === 0) return void 0;
+  const result = {};
+  for (const name of allSecrets) {
+    result[name] = { file: `./secrets/${name}` };
+  }
+  return result;
+}
+function collectNamedVolumes(services) {
+  const volumes = {};
+  for (const svc of Object.values(services)) {
+    for (const vol of svc.volumes ?? []) {
+      const hostPart = vol.split(":")[0];
+      if (!hostPart.startsWith("/") && !hostPart.startsWith(".")) {
+        volumes[hostPart] = null;
+      }
+    }
+  }
+  return volumes;
+}
+function generateComposeConfig(state) {
+  const services = {};
+  const webId = state.servers.webServer.service;
+  const webDef = SERVICE_REGISTRY.get(webId);
+  if (webDef) {
+    services[webId] = buildComposeService(webDef, state);
+  }
+  if (webId === "traefik") {
+    const isQuickTunnel = state.domain.cloudflare.tunnelMode === "quick";
+    const landingLabels = {
+      "traefik.enable": "true",
+      "traefik.http.services.brewnet-landing.loadbalancer.server.port": "80",
+      // Security headers middleware
+      "traefik.http.middlewares.landing-headers.headers.customResponseHeaders.Server": "Brewnet",
+      "traefik.http.middlewares.landing-headers.headers.frameDeny": "true",
+      "traefik.http.middlewares.landing-headers.headers.contentTypeNosniff": "true",
+      "traefik.http.middlewares.landing-headers.headers.browserXssFilter": "true"
+    };
+    if (isQuickTunnel) {
+      landingLabels["traefik.http.routers.brewnet-landing.rule"] = "PathPrefix(`/`)";
+      landingLabels["traefik.http.routers.brewnet-landing.entrypoints"] = "web";
+      landingLabels["traefik.http.routers.brewnet-landing.priority"] = "1";
+      landingLabels["traefik.http.routers.brewnet-landing.middlewares"] = "landing-headers@docker";
+    } else {
+      landingLabels["traefik.http.routers.brewnet-landing.rule"] = "Host(`localhost`)";
+      landingLabels["traefik.http.routers.brewnet-landing.entrypoints"] = "web";
+      landingLabels["traefik.http.routers.brewnet-landing.middlewares"] = "landing-headers@docker";
+    }
+    services["brewnet-landing"] = {
+      build: "./landing",
+      container_name: "brewnet-landing",
+      restart: "unless-stopped",
+      security_opt: ["no-new-privileges:true"],
+      networks: ["brewnet"],
+      labels: landingLabels,
+      logging: getLoggingConfig()
+    };
+  }
+  const giteaDef = SERVICE_REGISTRY.get("gitea");
+  if (giteaDef) {
+    services["gitea"] = buildComposeService(giteaDef, state);
+  }
+  if (state.servers.dbServer.enabled && state.servers.dbServer.primary) {
+    const dbId = state.servers.dbServer.primary;
+    const dbDef = SERVICE_REGISTRY.get(dbId);
+    if (dbDef) {
+      const ver = state.servers.dbServer.primaryVersion;
+      const versionedImage = ver && dbId === "postgresql" ? `postgres:${ver}-alpine` : ver && dbId === "mysql" ? `mysql:${ver}` : dbDef.image;
+      services[dbId] = buildComposeService({ ...dbDef, image: versionedImage }, state);
+    }
+    if (state.servers.dbServer.adminUI && dbId === "postgresql") {
+      const pgadminDef = SERVICE_REGISTRY.get("pgadmin");
+      if (pgadminDef) {
+        services["pgadmin"] = buildComposeService(pgadminDef, state);
+      }
+    }
+  }
+  if (state.servers.fileServer.enabled && state.servers.fileServer.service) {
+    const fileId = state.servers.fileServer.service;
+    const fileDef = SERVICE_REGISTRY.get(fileId);
+    if (fileDef) {
+      services[fileId] = buildComposeService(fileDef, state);
+    }
+  }
+  if (state.servers.media.enabled && state.servers.media.services.length > 0) {
+    for (const mediaId of state.servers.media.services) {
+      const mediaDef = SERVICE_REGISTRY.get(mediaId);
+      if (mediaDef) {
+        services[mediaId] = buildComposeService(mediaDef, state);
+      }
+    }
+  }
+  if (state.servers.sshServer.enabled) {
+    const sshDef = SERVICE_REGISTRY.get("openssh-server");
+    if (sshDef) {
+      services["openssh-server"] = buildComposeService(sshDef, state);
+    }
+  }
+  if (state.domain.cloudflare.enabled) {
+    const cfDef = SERVICE_REGISTRY.get("cloudflared");
+    if (cfDef) {
+      services["cloudflared"] = buildComposeService(cfDef, state);
+    }
+  }
+  if (state.servers.fileBrowser.enabled) {
+    const fbDef = SERVICE_REGISTRY.get("filebrowser");
+    if (fbDef) {
+      services["filebrowser"] = buildComposeService(fbDef, state);
+    }
+  }
+  for (const [id, svc] of Object.entries(services)) {
+    applySecretsMigration(id, svc, state);
+  }
+  const namedVolumes = collectNamedVolumes(services);
+  const topSecrets = collectTopLevelSecrets(services);
+  return {
+    name: state.projectName || "brewnet",
+    services,
+    networks: {
+      brewnet: { external: true },
+      "brewnet-internal": { internal: true }
+    },
+    ...Object.keys(namedVolumes).length > 0 ? { volumes: namedVolumes } : {},
+    ...topSecrets ? { secrets: topSecrets } : {}
+  };
+}
+function addExternalLabels(composePath, appName, hostname, port) {
+  const raw = readFileSync(composePath, "utf-8");
+  const doc = yaml.load(raw);
+  const services = doc["services"];
+  if (!services) return;
+  const serviceKey = services[appName] ? appName : services[`brewnet-${appName}`] ? `brewnet-${appName}` : Object.keys(services).find((k) => {
+    const cn = services[k]?.["container_name"];
+    return cn === appName || cn === `brewnet-${appName}`;
+  });
+  if (!serviceKey) {
+    throw new Error(`Service "${appName}" not found in docker-compose.yml`);
+  }
+  const svc = services[serviceKey];
+  const labels = svc["labels"] ?? {};
+  const routerName = `${appName}-external`;
+  labels["traefik.enable"] = "true";
+  labels[`traefik.http.routers.${routerName}.rule`] = `Host(\`${hostname}\`)`;
+  labels[`traefik.http.routers.${routerName}.entrypoints`] = "web";
+  labels[`traefik.http.routers.${routerName}.service`] = routerName;
+  labels[`traefik.http.services.${routerName}.loadbalancer.server.port`] = String(port);
+  svc["labels"] = labels;
+  const output = yaml.dump(doc, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false,
+    quotingType: '"',
+    forceQuotes: false
+  });
+  writeFileSync(composePath, output, "utf-8");
+}
+function removeExternalLabels(composePath, appName) {
+  const raw = readFileSync(composePath, "utf-8");
+  const doc = yaml.load(raw);
+  const services = doc["services"];
+  if (!services) return;
+  const serviceKey = services[appName] ? appName : services[`brewnet-${appName}`] ? `brewnet-${appName}` : Object.keys(services).find((k) => {
+    const cn = services[k]?.["container_name"];
+    return cn === appName || cn === `brewnet-${appName}`;
+  });
+  if (!serviceKey) return;
+  const svc = services[serviceKey];
+  const labels = svc["labels"];
+  if (!labels) return;
+  const routerName = `${appName}-external`;
+  const prefix = `traefik.http.routers.${routerName}`;
+  const svcPrefix = `traefik.http.services.${routerName}`;
+  for (const key of Object.keys(labels)) {
+    if (key.startsWith(prefix) || key.startsWith(svcPrefix)) {
+      delete labels[key];
+    }
+  }
+  const output = yaml.dump(doc, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false,
+    quotingType: '"',
+    forceQuotes: false
+  });
+  writeFileSync(composePath, output, "utf-8");
+}
+function addQuickTunnelAppLabels(composePath, appName, serviceName, port, noStrip) {
+  const raw = readFileSync(composePath, "utf-8");
+  const doc = yaml.load(raw);
+  const services = doc["services"];
+  if (!services) return;
+  const svc = services[serviceName];
+  if (!svc) return;
+  const routerName = `app-${appName}`;
+  const pathPrefix = `/apps/${appName}`;
+  let labels;
+  const rawLabels = svc["labels"];
+  if (Array.isArray(rawLabels)) {
+    labels = {};
+    for (const l of rawLabels) {
+      const s = String(l);
+      const idx = s.indexOf("=");
+      if (idx > 0) labels[s.slice(0, idx)] = s.slice(idx + 1);
+    }
+  } else {
+    labels = rawLabels ?? {};
+  }
+  labels["traefik.enable"] = "true";
+  labels[`traefik.http.routers.${routerName}.rule`] = `PathPrefix(\`${pathPrefix}\`)`;
+  labels[`traefik.http.routers.${routerName}.entrypoints`] = "web";
+  labels[`traefik.http.routers.${routerName}.priority`] = String(10 + pathPrefix.length);
+  labels[`traefik.http.routers.${routerName}.service`] = routerName;
+  labels[`traefik.http.services.${routerName}.loadbalancer.server.port`] = String(port);
+  labels[`traefik.http.middlewares.${routerName}-slash.redirectregex.regex`] = `^(.*${pathPrefix.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")})$$`;
+  labels[`traefik.http.middlewares.${routerName}-slash.redirectregex.replacement`] = "$${1}/";
+  labels[`traefik.http.middlewares.${routerName}-slash.redirectregex.permanent`] = "false";
+  if (noStrip) {
+  } else {
+    labels[`traefik.http.middlewares.${routerName}-strip.stripprefix.prefixes`] = pathPrefix;
+    labels[`traefik.http.routers.${routerName}.middlewares`] = `${routerName}-slash,${routerName}-strip`;
+  }
+  svc["labels"] = labels;
+  const svcNetworks = svc["networks"] ?? [];
+  if (Array.isArray(svcNetworks)) {
+    if (!svcNetworks.includes("brewnet")) svcNetworks.push("brewnet");
+    svc["networks"] = svcNetworks;
+  } else {
+    if (!svcNetworks["brewnet"]) svcNetworks["brewnet"] = {};
+    svc["networks"] = svcNetworks;
+  }
+  const topNetworks = doc["networks"] ?? {};
+  topNetworks["brewnet"] = { external: true };
+  doc["networks"] = topNetworks;
+  const output = yaml.dump(doc, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false,
+    quotingType: '"',
+    forceQuotes: false
+  });
+  writeFileSync(composePath, output, "utf-8");
+}
+function patchCloudflaredToNamedTunnel(composePath, tunnelToken) {
+  const raw = readFileSync(composePath, "utf-8");
+  const doc = yaml.load(raw);
+  const services = doc["services"];
+  if (!services?.["cloudflared"]) return false;
+  const svc = services["cloudflared"];
+  svc["command"] = ["tunnel", "--no-autoupdate", "run"];
+  const env = svc["environment"] ?? {};
+  env["TUNNEL_TOKEN"] = tunnelToken;
+  svc["environment"] = env;
+  const output = yaml.dump(doc, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false
+  });
+  writeFileSync(composePath, output, "utf-8");
+  return true;
+}
+function composeConfigToYaml(config) {
+  return yaml.dump(config, {
+    indent: 2,
+    lineWidth: 120,
+    noRefs: true,
+    sortKeys: false,
+    quotingType: '"',
+    forceQuotes: false
+  });
+}
+
+export {
+  SERVICE_REGISTRY,
+  getServiceDefinition,
+  generateComposeConfig,
+  addExternalLabels,
+  removeExternalLabels,
+  addQuickTunnelAppLabels,
+  patchCloudflaredToNamedTunnel,
+  composeConfigToYaml
+};
+//# sourceMappingURL=chunk-4TJMJZMO.js.map