@muhammedaksam/easiarr 1.0.0 → 1.1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@muhammedaksam/easiarr",
-  "version": "1.0.0",
+  "version": "1.1.1",
   "description": "TUI tool for generating docker-compose files for the *arr media ecosystem with 41 apps, TRaSH Guides best practices, VPN routing, and Traefik reverse proxy support",
   "module": "src/index.ts",
   "type": "module",
@@ -69,6 +69,7 @@
   "dependencies": {
     "@opentui/core": "^0.1.60",
     "bcrypt": "^6.0.0",
+    "socket.io-client": "^4.8.1",
     "yaml": "^2.8.2"
   },
   "engines": {

package/src/api/auto-setup-types.ts

@@ -0,0 +1,62 @@
+/**
+ * Auto-Setup Types
+ * Interfaces for auto-setup capability metadata and clients
+ */
+
+import type { AppId } from "../config/schema"
+
+/**
+ * Describes an app's auto-setup capability
+ */
+export interface AutoSetupCapability {
+  /** Type of auto-setup support */
+  type: "full" | "partial" | "manual"
+  /** Human-readable description of what gets configured */
+  description: string
+  /** Other apps that must be set up first */
+  requires?: AppId[]
+  /** Environment variables required for setup */
+  envVars?: string[]
+  /** Setup function name in FullAutoSetup (for dynamic discovery) */
+  setupMethod?: string
+}
+
+/**
+ * Result of an auto-setup operation
+ */
+export interface AutoSetupResult {
+  success: boolean
+  message?: string
+  /** Data to persist (e.g., API keys, tokens) */
+  envUpdates?: Record<string, string>
+  /** Additional result data (e.g., API keys, generated credentials) */
+  data?: Record<string, unknown>
+}
+
+/**
+ * Base interface for auto-setup clients
+ */
+export interface IAutoSetupClient {
+  /** Check if service is reachable */
+  isHealthy(): Promise<boolean>
+
+  /** Check if service is already configured */
+  isInitialized(): Promise<boolean>
+
+  /** Run the auto-setup process */
+  setup(options: AutoSetupOptions): Promise<AutoSetupResult>
+}
+
+/**
+ * Common options for auto-setup
+ */
+export interface AutoSetupOptions {
+  /** Global username for auth */
+  username: string
+  /** Global password for auth */
+  password: string
+  /** Environment variables available */
+  env: Record<string, string>
+  /** Plex authentication token (for Plex-dependent services) */
+  plexToken?: string
+}

package/src/api/bazarr-api.ts

@@ -4,6 +4,7 @@
  */
 
 import { debugLog } from "../utils/debug"
+import type { IAutoSetupClient, AutoSetupOptions, AutoSetupResult } from "./auto-setup-types"
 
 /**
  * Bazarr System Settings (partial - auth related fields)
@@ -21,7 +22,7 @@ export interface BazarrAuthSettings {
  * Bazarr API Client
  * Note: Bazarr uses form data for POST, not JSON!
  */
-export class BazarrApiClient {
+export class BazarrApiClient implements IAutoSetupClient {
   private baseUrl: string
   private apiKey: string | null = null
 
@@ -217,4 +218,56 @@ export class BazarrApiClient {
       throw e
     }
   }
+
+  /**
+   * Check if already configured (has auth set up)
+   */
+  async isInitialized(): Promise<boolean> {
+    try {
+      const settings = await this.getSettings()
+      const auth = (settings as { auth?: { type?: string } }).auth
+      return !!auth?.type && auth.type !== "None"
+    } catch {
+      return false
+    }
+  }
+
+  /**
+   * Run the auto-setup process for Bazarr
+   */
+  async setup(options: AutoSetupOptions): Promise<AutoSetupResult> {
+    const { username, password } = options
+
+    try {
+      // Check if reachable
+      const healthy = await this.isHealthy()
+      if (!healthy) {
+        return { success: false, message: "Bazarr not reachable" }
+      }
+
+      // Get API key first (needed for subsequent requests)
+      const apiKey = await this.getApiKey()
+      if (apiKey) {
+        this.setApiKey(apiKey)
+      }
+
+      // Check if auth already configured
+      const initialized = await this.isInitialized()
+      let authConfigured = false
+
+      if (!initialized) {
+        // Enable form auth
+        authConfigured = await this.enableFormAuth(username, password)
+      }
+
+      return {
+        success: true,
+        message: initialized ? "Already configured" : authConfigured ? "Auth enabled" : "Ready",
+        data: { apiKey, authConfigured },
+        envUpdates: apiKey ? { API_KEY_BAZARR: apiKey } : undefined,
+      }
+    } catch (error) {
+      return { success: false, message: `${error}` }
+    }
+  }
 }

package/src/api/cloudflare-api.ts

@@ -173,10 +173,12 @@ export class CloudflareApi {
 
   /**
    * Configure tunnel ingress rules
+   * @param warpRouting Enable WARP routing for private network access (VPN)
    */
   async configureTunnel(
     tunnelId: string,
-    ingress: Array<{ hostname?: string; service: string; originRequest?: Record<string, unknown> }>
+    ingress: Array<{ hostname?: string; service: string; originRequest?: Record<string, unknown> }>,
+    warpRouting = false
   ): Promise<void> {
     const accountId = await this.getAccountId()
 
@@ -189,7 +191,7 @@ export class CloudflareApi {
     await this.request("PUT", `/accounts/${accountId}/cfd_tunnel/${tunnelId}/configurations`, {
       config: {
         ingress,
-        "warp-routing": { enabled: false },
+        "warp-routing": { enabled: warpRouting },
       },
     })
   }
@@ -245,6 +247,50 @@ export class CloudflareApi {
     await this.request("DELETE", `/accounts/${accountId}/cfd_tunnel/${tunnelId}`)
   }
 
+  // ==================== Zero Trust Private Network API ====================
+
+  /**
+   * Add a private network route to a tunnel (for WARP VPN access)
+   * This allows WARP clients to access the specified network through the tunnel
+   */
+  async addTunnelRoute(tunnelId: string, networkCidr: string, comment = "easiarr private network"): Promise<string> {
+    const accountId = await this.getAccountId()
+    const response = await this.request<{ id: string }>("POST", `/accounts/${accountId}/teamnet/routes`, {
+      network: networkCidr,
+      tunnel_id: tunnelId,
+      comment,
+    })
+    return response.result.id
+  }
+
+  /**
+   * List existing tunnel routes for the account
+   */
+  async listTunnelRoutes(): Promise<Array<{ id: string; network: string; tunnel_id: string; comment?: string }>> {
+    const accountId = await this.getAccountId()
+    const response = await this.request<Array<{ id: string; network: string; tunnel_id: string; comment?: string }>>(
+      "GET",
+      `/accounts/${accountId}/teamnet/routes`
+    )
+    return response.result
+  }
+
+  /**
+   * Delete a tunnel route
+   */
+  async deleteTunnelRoute(routeId: string): Promise<void> {
+    const accountId = await this.getAccountId()
+    await this.request("DELETE", `/accounts/${accountId}/teamnet/routes/${routeId}`)
+  }
+
+  /**
+   * Check if a tunnel route already exists for the given network
+   */
+  async getTunnelRouteForNetwork(networkCidr: string): Promise<{ id: string; tunnel_id: string } | null> {
+    const routes = await this.listTunnelRoutes()
+    return routes.find((r) => r.network === networkCidr) || null
+  }
+
   // ==================== Cloudflare Access API ====================
 
   /**
@@ -321,16 +367,160 @@ export class CloudflareApi {
   }
 
   /**
-   * Create Access application with email policy
+   * Create bypass policy for an Access app (e.g., for home IP)
+   */
+  async createBypassPolicy(
+    appId: string,
+    bypassIp: string,
+    policyName = "easiarr-web-bypass"
+  ): Promise<{ id: string }> {
+    const accountId = await this.getAccountId()
+
+    // Check if policy already exists
+    const existing = await this.request<Array<{ id: string; name: string }>>(
+      "GET",
+      `/accounts/${accountId}/access/apps/${appId}/policies`
+    )
+
+    const existingPolicy = existing.result.find((p) => p.name === policyName)
+    if (existingPolicy) {
+      return { id: existingPolicy.id }
+    }
+
+    // Create IP-based bypass policy
+    const response = await this.request<{ id: string }>(
+      "POST",
+      `/accounts/${accountId}/access/apps/${appId}/policies`,
+      {
+        name: policyName,
+        decision: "bypass",
+        include: [
+          {
+            ip: { ip: bypassIp },
+          },
+        ],
+        precedence: existing.result.length + 1,
+      }
+    )
+
+    return response.result
+  }
+
+  /**
+   * Create Access application with email policy and optional IP bypass
    */
   async setupAccessProtection(
     domain: string,
     allowedEmails: string[],
-    appName = "easiarr"
-  ): Promise<{ appId: string; policyId: string }> {
+    appName = "easiarr",
+    bypassIp?: string
+  ): Promise<{ appId: string; policyId: string; bypassPolicyId?: string }> {
     const app = await this.createAccessApplication(domain, appName)
-    const policy = await this.createAccessPolicy(app.id, allowedEmails)
-    return { appId: app.id, policyId: policy.id }
+    const policy = await this.createAccessPolicy(app.id, allowedEmails, "easiarr-web-allow")
+
+    let bypassPolicyId: string | undefined
+    if (bypassIp) {
+      const bypassPolicy = await this.createBypassPolicy(app.id, bypassIp, "easiarr-web-bypass")
+      bypassPolicyId = bypassPolicy.id
+    }
+
+    return { appId: app.id, policyId: policy.id, bypassPolicyId }
+  }
+
+  // ==================== WARP Device Enrollment API ====================
+
+  /**
+   * Get or create device enrollment application (type: warp)
+   */
+  async getDeviceEnrollmentApp(): Promise<{ id: string; name: string } | null> {
+    const accountId = await this.getAccountId()
+    const apps = await this.request<Array<{ id: string; name: string; type: string }>>(
+      "GET",
+      `/accounts/${accountId}/access/apps`
+    )
+    return apps.result.find((a) => a.type === "warp") || null
+  }
+
+  /**
+   * Create device enrollment policy for WARP
+   * This allows specified emails to enroll their devices
+   * Also creates a bypass policy for local network access
+   */
+  async setupDeviceEnrollment(
+    allowedEmails: string[],
+    privateNetworkCidr?: string
+  ): Promise<{ appId: string; allowPolicyId: string; bypassPolicyId?: string }> {
+    const accountId = await this.getAccountId()
+
+    // Check if WARP enrollment app exists
+    let warpApp = await this.getDeviceEnrollmentApp()
+
+    if (!warpApp) {
+      // Create WARP enrollment app
+      const response = await this.request<{ id: string; name: string }>("POST", `/accounts/${accountId}/access/apps`, {
+        type: "warp",
+        name: "Device Enrollment",
+        session_duration: "24h",
+      })
+      warpApp = response.result
+    }
+
+    // Get existing policies
+    const existingPolicies = await this.request<Array<{ id: string; name: string }>>(
+      "GET",
+      `/accounts/${accountId}/access/apps/${warpApp.id}/policies`
+    )
+
+    let allowPolicyId: string
+    let bypassPolicyId: string | undefined
+
+    // 1. Create/get email-based Allow policy
+    const allowPolicyName = "easiarr-vpn-allow"
+    const existingAllow = existingPolicies.result.find((p) => p.name === allowPolicyName)
+    if (existingAllow) {
+      allowPolicyId = existingAllow.id
+    } else {
+      const policy = await this.request<{ id: string }>(
+        "POST",
+        `/accounts/${accountId}/access/apps/${warpApp.id}/policies`,
+        {
+          name: allowPolicyName,
+          decision: "allow",
+          include: allowedEmails.map((email) => ({
+            email: { email },
+          })),
+          precedence: existingPolicies.result.length + 1,
+        }
+      )
+      allowPolicyId = policy.result.id
+    }
+
+    // 2. Create/get Bypass policy for local network (if CIDR provided)
+    if (privateNetworkCidr) {
+      const bypassPolicyName = "easiarr-vpn-bypass"
+      const existingBypass = existingPolicies.result.find((p) => p.name === bypassPolicyName)
+      if (existingBypass) {
+        bypassPolicyId = existingBypass.id
+      } else {
+        const bypassPolicy = await this.request<{ id: string }>(
+          "POST",
+          `/accounts/${accountId}/access/apps/${warpApp.id}/policies`,
+          {
+            name: bypassPolicyName,
+            decision: "bypass",
+            include: [
+              {
+                ip: { ip: privateNetworkCidr },
+              },
+            ],
+            precedence: existingPolicies.result.length + 2,
+          }
+        )
+        bypassPolicyId = bypassPolicy.result.id
+      }
+    }
+
+    return { appId: warpApp.id, allowPolicyId, bypassPolicyId }
   }
 }
 
@@ -340,10 +530,14 @@ export class CloudflareApi {
 export async function setupCloudflaredTunnel(
   apiToken: string,
   domain: string,
-  tunnelName = "easiarr"
-): Promise<{ tunnelToken: string; tunnelId: string }> {
+  tunnelName = "easiarr",
+  warpRouting = false
+): Promise<{ tunnelToken: string; tunnelId: string; accountId: string }> {
   const api = new CloudflareApi(apiToken)
 
+  // Get account ID first (needed for Homepage widget)
+  const accountId = await api.getAccountId()
+
   // 1. Check if tunnel already exists
   let tunnel = await api.getTunnelByName(tunnelName)
   let tunnelToken: string
@@ -358,14 +552,18 @@ export async function setupCloudflaredTunnel(
     tunnelToken = await api.getTunnelToken(tunnel.id)
   }
 
-  // 3. Configure ingress rules
-  await api.configureTunnel(tunnel.id, [
-    {
-      hostname: `*.${domain}`,
-      service: "http://traefik:80",
-      originRequest: {},
-    },
-  ])
+  // 3. Configure ingress rules (enable warp-routing if VPN is enabled)
+  await api.configureTunnel(
+    tunnel.id,
+    [
+      {
+        hostname: `*.${domain}`,
+        service: "http://traefik:80",
+        originRequest: {},
+      },
+    ],
+    warpRouting
+  )
 
   // 4. Add DNS CNAME record (wildcard)
   const zoneId = await api.getZoneId(domain)
@@ -374,5 +572,6 @@ export async function setupCloudflaredTunnel(
   return {
     tunnelToken,
     tunnelId: tunnel.id,
+    accountId,
   }
 }