@muhammedaksam/easiarr 0.8.5 → 0.9.0

package/src/compose/traefik-config.ts

@@ -0,0 +1,174 @@
+/**
+ * Traefik Configuration Generator
+ * Generates traefik.yml (static config) and dynamic.yml (middlewares)
+ */
+
+import { writeFile, mkdir } from "node:fs/promises"
+import { existsSync } from "node:fs"
+import { join } from "node:path"
+import { createHash } from "node:crypto"
+import type { EasiarrConfig } from "../config/schema"
+
+export interface TraefikStaticConfig {
+  entrypoints: {
+    web: { address: string }
+  }
+  api: {
+    dashboard: boolean
+    insecure: boolean
+  }
+  providers: {
+    docker: {
+      endpoint: string
+      exposedByDefault: boolean
+    }
+    file: {
+      directory: string
+      watch: boolean
+    }
+  }
+}
+
+/**
+ * Generate traefik.yml static configuration
+ */
+export function generateTraefikStaticConfig(): string {
+  return `# Traefik Static Configuration
+# Generated by easiarr
+
+api:
+  dashboard: true
+  insecure: true
+
+entryPoints:
+  web:
+    address: ":80"
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    directory: "/etc/traefik"
+    watch: true
+`
+}
+
+/**
+ * Generate dynamic.yml with security headers middleware
+ */
+export function generateTraefikDynamicConfig(
+  _middlewares: string[],
+  basicAuth?: { username: string; passwordHash: string }
+): string {
+  let yaml = `# Traefik Dynamic Configuration
+# Generated by easiarr
+
+http:
+  middlewares:
+`
+
+  // Always include security-headers
+  yaml += `    security-headers:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customFrameOptionsValue: "SAMEORIGIN"
+`
+
+  // Add basic-auth middleware if credentials provided
+  if (basicAuth?.username && basicAuth?.passwordHash) {
+    // Escape $ in password hash for YAML
+    const escapedHash = basicAuth.passwordHash.replace(/\$/g, "$$$$")
+    yaml += `
+    basic-auth:
+      basicAuth:
+        users:
+          - "${basicAuth.username}:${escapedHash}"
+`
+  }
+
+  return yaml
+}
+
+/**
+ * Generate htpasswd-compatible hash for basic auth
+ * Uses SHA1 hash in htpasswd format: {SHA}base64(sha1(password))
+ */
+function generateHtpasswdHash(password: string): string {
+  const sha1Hash = createHash("sha1").update(password).digest("base64")
+  return `{SHA}${sha1Hash}`
+}
+
+/**
+ * Save Traefik configuration files to the config directory
+ */
+export async function saveTraefikConfig(config: EasiarrConfig): Promise<void> {
+  // Check if traefik is enabled
+  const traefikApp = config.apps.find((a) => a.id === "traefik" && a.enabled)
+  if (!traefikApp) return
+
+  const traefikConfigDir = join(config.rootDir, "config", "traefik")
+  const letsencryptDir = join(traefikConfigDir, "letsencrypt")
+
+  try {
+    // Create directories if they don't exist
+    if (!existsSync(traefikConfigDir)) {
+      await mkdir(traefikConfigDir, { recursive: true })
+    }
+    if (!existsSync(letsencryptDir)) {
+      await mkdir(letsencryptDir, { recursive: true })
+    }
+
+    // Generate and save static config (traefik.yml)
+    const staticConfig = generateTraefikStaticConfig()
+    const staticPath = join(traefikConfigDir, "traefik.yml")
+
+    // Only write if file doesn't exist (don't overwrite user customizations)
+    if (!existsSync(staticPath)) {
+      await writeFile(staticPath, staticConfig, "utf-8")
+    }
+
+    // Check for basic auth credentials from config
+    let basicAuth: { username: string; passwordHash: string } | undefined
+    if (config.traefik?.basicAuth?.enabled) {
+      const username = config.traefik.basicAuth.username
+      const password = config.traefik.basicAuth.password
+      if (username && password) {
+        basicAuth = {
+          username,
+          passwordHash: generateHtpasswdHash(password),
+        }
+      }
+    }
+
+    // Generate and save dynamic config (dynamic.yml)
+    const dynamicConfig = generateTraefikDynamicConfig(config.traefik?.middlewares ?? [], basicAuth)
+    const dynamicPath = join(traefikConfigDir, "dynamic.yml")
+
+    // Always regenerate dynamic.yml as it contains auth settings
+    await writeFile(dynamicPath, dynamicConfig, "utf-8")
+
+    // Create acme.json with correct permissions if it doesn't exist
+    const acmePath = join(letsencryptDir, "acme.json")
+    if (!existsSync(acmePath)) {
+      await writeFile(acmePath, "{}", { mode: 0o600 })
+    }
+  } catch (error) {
+    // Permission denied - directory owned by root from Docker
+    // User needs to manually create configs or fix permissions
+    const err = error as NodeJS.ErrnoException
+    if (err.code === "EACCES") {
+      console.warn(
+        `[WARN] Cannot write Traefik config files (permission denied). ` +
+          `Fix with: sudo chown -R $(id -u):$(id -g) ${traefikConfigDir}`
+      )
+    } else {
+      throw error
+    }
+  }
+}

package/src/config/schema.ts

@@ -65,6 +65,12 @@ export interface TraefikConfig {
   domain: string
   entrypoint: string
   middlewares: string[]
+  /** Basic auth using username/password */
+  basicAuth?: {
+    enabled: boolean
+    username: string
+    password: string
+  }
 }
 
 export interface AppConfig {
@@ -133,6 +139,7 @@ export type AppId =
   // Reverse Proxy
   | "traefik"
   | "traefik-certs-dumper"
+  | "cloudflared"
   | "crowdsec"
   // Network/VPN
   | "headscale"
@@ -176,6 +183,8 @@ export interface AppDefinition {
   defaultPort: number
   /** Internal container port if different from defaultPort */
   internalPort?: number
+  /** Additional port mappings (e.g., "8083:8080" for dashboard ports) */
+  secondaryPorts?: string[]
   image: string
   puid: number
   pgid: number
@@ -186,6 +195,8 @@ export interface AppDefinition {
   secrets?: AppSecret[]
   devices?: string[]
   cap_add?: string[]
+  /** Custom command to run (e.g., "tunnel run" for cloudflared) */
+  command?: string
   apiKeyMeta?: ApiKeyMeta
   rootFolder?: RootFolderMeta
   prowlarrCategoryIds?: number[]

package/src/ui/screens/AppConfigurator.ts

@@ -40,6 +40,7 @@ export class AppConfigurator extends BoxRenderable {
   // Global *arr credentials
   private globalUsername = "admin"
   private globalPassword = ""
+  private globalEmail = ""
   private overrideExisting = false
 
   // Download client credentials
@@ -85,6 +86,7 @@ export class AppConfigurator extends BoxRenderable {
     const env = readEnvSync()
     if (env.USERNAME_GLOBAL) this.globalUsername = env.USERNAME_GLOBAL
     this.globalPassword = env.PASSWORD_GLOBAL || "Ch4ng3m3!1234securityReasons"
+    if (env.EMAIL_GLOBAL) this.globalEmail = env.EMAIL_GLOBAL
     if (env.PASSWORD_QBITTORRENT) this.qbPass = env.PASSWORD_QBITTORRENT
     if (env.API_KEY_SABNZBD) this.sabApiKey = env.API_KEY_SABNZBD
   }
@@ -138,6 +140,19 @@ export class AppConfigurator extends BoxRenderable {
 
     content.add(new BoxRenderable(this.cliRenderer, { width: 1, height: 1 })) // Spacer
 
+    // Email input (for Cloudflare Access, notifications, etc.)
+    content.add(new TextRenderable(this.cliRenderer, { content: "Email (optional):", fg: "#aaaaaa" }))
+    const emailInput = new InputRenderable(this.cliRenderer, {
+      id: "global-email-input",
+      width: 40,
+      placeholder: "you@example.com",
+      value: this.globalEmail,
+      focusedBackgroundColor: "#1a1a1a",
+    })
+    content.add(emailInput)
+
+    content.add(new BoxRenderable(this.cliRenderer, { width: 1, height: 1 })) // Spacer
+
     // Override toggle
     const overrideText = new TextRenderable(this.cliRenderer, {
       id: "override-toggle",
@@ -160,13 +175,17 @@ export class AppConfigurator extends BoxRenderable {
         overrideText.content = `[O] Override existing: ${this.overrideExisting ? "Yes" : "No"}`
         overrideText.fg = this.overrideExisting ? "#50fa7b" : "#6272a4"
       } else if (key.name === "tab") {
-        // Cycle focus: username -> password -> no focus (shortcuts work) -> username
+        // Cycle focus: username -> password -> email -> no focus (shortcuts work) -> username
         if (focusedInput === userInput) {
           userInput.blur()
           passInput.focus()
           focusedInput = passInput
         } else if (focusedInput === passInput) {
           passInput.blur()
+          emailInput.focus()
+          focusedInput = emailInput
+        } else if (focusedInput === emailInput) {
+          emailInput.blur()
           focusedInput = null // No focus state - shortcuts available
         } else {
           // No input focused, go back to username
@@ -178,6 +197,7 @@ export class AppConfigurator extends BoxRenderable {
         this.cliRenderer.keyInput.off("keypress", this.keyHandler)
         userInput.blur()
         passInput.blur()
+        emailInput.blur()
         focusedInput = null
         this.currentStep = "configure"
         this.runConfiguration()
@@ -185,10 +205,12 @@ export class AppConfigurator extends BoxRenderable {
         // Save and continue
         this.globalUsername = userInput.value || "admin"
         this.globalPassword = passInput.value
+        this.globalEmail = emailInput.value
 
         this.cliRenderer.keyInput.off("keypress", this.keyHandler)
         userInput.blur()
         passInput.blur()
+        emailInput.blur()
         focusedInput = null
 
         // Save credentials to .env
@@ -206,6 +228,7 @@ export class AppConfigurator extends BoxRenderable {
       const updates: Record<string, string> = {}
       if (this.globalUsername) updates.USERNAME_GLOBAL = this.globalUsername
       if (this.globalPassword) updates.PASSWORD_GLOBAL = this.globalPassword
+      if (this.globalEmail) updates.EMAIL_GLOBAL = this.globalEmail
       await updateEnv(updates)
     } catch {
       // Ignore errors - not critical

package/src/ui/screens/AppManager.ts

@@ -162,7 +162,7 @@ export class AppManager {
         this.config.traefik = {
           enabled: true,
           domain: "${CLOUDFLARE_DNS_ZONE}",
-          entrypoint: "websecure",
+          entrypoint: "web",
           middlewares: [],
         }
       } else if (!enabled && this.config.traefik?.enabled) {