feat: simplify tunnel provisioning to single approach

- Remove complex script template approach (/start endpoint)
- Keep only clean config file approach: curl server/3000 > tunnel.conf
- Add WireGuard endpoint configuration for production deployments
- Update web UI to modern, minimal design with better typography
- Remove format=oneliner complexity - single straightforward workflow
- Add production config example for Cloudflare deployments

This provides one reliable way to manage tunnels with proper lifecycle
management (easy to start AND stop) while removing confusing options.

Author: mr-karan

README.md

@@ -4,25 +4,43 @@ Secure HTTP tunnels to localhost using WireGuard. Share your local development s
 
 ## Quick Start
 
-**Single command (recommended):**
+Choose your preferred approach:
+
+### 1. One-liner (fastest)
 ```bash
-# Replace 3000 with your local port
-curl -s https://arbok.mrkaran.dev/start/3000 | sudo bash
+# Start tunnel and pipe config directly to WireGuard
+curl -s https://arbok.mrkaran.dev/3000?format=oneliner | sudo wg-quick up /dev/stdin
 
-# Your app is now live at https://random-name-1234.arbok.mrkaran.dev
-# Press Ctrl+C to stop the tunnel
+# Stop with: sudo wg-quick down /dev/stdin (if still running)
 ```
 
-**Manual setup (advanced):**
+### 2. Helper client (recommended)  
 ```bash
-# Get tunnel config and start manually
+# Download and use the helper client
+curl -O https://arbok.mrkaran.dev/client && chmod +x client
+
+./client start 3000    # Start tunnel for port 3000
+./client list          # List active tunnels  
+./client stop          # Stop all tunnels
+```
+
+### 3. Manual config (full control)
+```bash
+# Get tunnel config and manage manually
 curl https://arbok.mrkaran.dev/3000 > tunnel.conf
 sudo wg-quick up ./tunnel.conf
 
 # Stop the tunnel
 sudo wg-quick down ./tunnel.conf
 ```
 
+### 4. Interactive script (deprecated)
+```bash
+# Self-executing script with cleanup handlers
+curl -s https://arbok.mrkaran.dev/start/3000 | sudo bash
+# Press Ctrl+C to stop
+```
+
 ## Installation
 
 1. **Build from source:**
@@ -91,17 +109,22 @@ curl -H "Host: your-subdomain.localhost" http://localhost:8080
 
 ## API Usage
 
-### Enhanced provisioning (single command)
+### Quick provisioning endpoints
 ```bash
-curl -s https://arbok.mrkaran.dev/start/3000 | sudo bash
-```
+# One-liner format (for piping to wg-quick)
+curl -s https://arbok.mrkaran.dev/3000?format=oneliner
 
-### Simple provisioning (manual config)
-```bash
-curl https://arbok.mrkaran.dev/3000 > tunnel.conf
+# Standard config with instructions  
+curl https://arbok.mrkaran.dev/3000
+
+# Helper client script
+curl -O https://arbok.mrkaran.dev/client
+
+# Interactive script (deprecated)
+curl -s https://arbok.mrkaran.dev/start/3000 | sudo bash
 ```
 
-### RESTful API
+### RESTful API (requires API key)
 ```bash
 # Create tunnel
 curl -X POST -H "X-API-Key: your-key" https://tunnel.yourdomain.com/api/tunnel/3000

cmd/server/main.go

@@ -64,11 +64,18 @@ func main() {
 	authenticator := auth.New(cfg.Auth.APIKeys, logger)
 
 	// Initialize API server
+	// Use endpoint from config, or fallback to domain:port
+	endpoint := cfg.Server.Endpoint
+	if endpoint == "" {
+		endpoint = fmt.Sprintf("%s:%d", cfg.App.Domain, cfg.Server.ListenPort)
+	}
+	
 	apiServer := api.NewAPIServer(api.Config{
-		ListenAddr:     cfg.HTTP.ListenAddr,
-		Domain:         cfg.App.Domain,
-		WireGuardPort:  cfg.Server.ListenPort,
-		AllowedOrigins: cfg.HTTP.AllowedOrigins,
+		ListenAddr:       cfg.HTTP.ListenAddr,
+		Domain:           cfg.App.Domain,
+		WireGuardPort:    cfg.Server.ListenPort,
+		WireGuardEndpoint: endpoint,
+		AllowedOrigins:   cfg.HTTP.AllowedOrigins,
 	}, logger, tun, reg, authenticator)
 
 	// Start services
@@ -140,6 +147,7 @@ type Config struct {
 		CIDR       string `toml:"cidr"`
 		ListenPort int    `toml:"listen_port"`
 		PrivateKey string `toml:"private_key"`
+		Endpoint   string `toml:"endpoint"`
 	} `toml:"server"`
 
 	HTTP struct {

config.prod.example.toml

@@ -0,0 +1,34 @@
+# Production Configuration Example
+# This shows how to configure Arbok for production with Cloudflare
+
+[app]
+verbose = false
+# Domain for HTTP API and website (can be behind Cloudflare)
+domain = "arbok.mrkaran.dev"
+
+[auth]
+# Add API keys for production security
+api_keys = [
+    "your-secret-api-key-here",
+]
+
+[tunnel]
+default_ttl = "24h"
+cleanup_interval = "5m"
+
+[server]
+cidr = "10.100.0.0/24"
+listen_port = 54321
+# Generate a new private key for production!
+# wg genkey
+private_key = "YOUR_PRODUCTION_PRIVATE_KEY_HERE"
+
+# WireGuard endpoint - MUST be direct connection (not behind Cloudflare)
+# Options:
+# 1. Direct server IP: "45.32.xxx.xxx:54321"
+# 2. DNS-only subdomain: "wg.arbok.mrkaran.dev:54321" (set to grey cloud in Cloudflare)
+endpoint = "45.32.xxx.xxx:54321"
+
+[http]
+listen_addr = ":8080"
+allowed_origins = ["https://arbok.mrkaran.dev"]

config.sample.toml

@@ -16,6 +16,9 @@ cleanup_interval = "5m"
 cidr = "10.100.0.0/24"
 listen_port = 54321
 private_key = "yBQWnFQEq9q9al4ratmo6ylyZ52ngNsk4U11u4JtH0U="
+# WireGuard endpoint - use direct IP or non-proxied domain
+# If not set, uses app.domain
+endpoint = "localhost:54321"
 
 [http]
 listen_addr = ":8080"

internal/api/handlers.go

@@ -204,19 +204,22 @@ func (s *Server) handleProvisionSimple(w http.ResponseWriter, r *http.Request) {
 # Your local service on port %d is now accessible at:
 # https://%s.%s
 #
-# To start the tunnel:
-#   wg-quick up ./tunnel.conf
-#
-# To stop the tunnel:
-#   wg-quick down ./tunnel.conf
+# Usage:
+#   1. Save this config: curl %s/%d > tunnel.conf
+#   2. Start tunnel: sudo wg-quick up ./tunnel.conf  
+#   3. Stop tunnel: sudo wg-quick down ./tunnel.conf
 #
 %s`, 
 		t.CreatedAt.Format(time.RFC3339),
 		t.ExpiresAt.Format(time.RFC3339),
 		t.TTL().Round(time.Minute),
 		t.Port, 
 		t.Subdomain, 
-		s.cfg.Domain, 
+		s.cfg.Domain,
+		s.cfg.Domain,
+		t.Port,
+		s.cfg.Domain,
+		t.Port,
 		config,
 	)
 
@@ -225,42 +228,10 @@ func (s *Server) handleProvisionSimple(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprint(w, instructions)
 }
 
-// handleStartTunnel handles enhanced tunnel provisioning with self-executing script
-func (s *Server) handleStartTunnel(w http.ResponseWriter, r *http.Request) {
-	vars := mux.Vars(r)
-	port, err := strconv.ParseUint(vars["port"], 10, 16)
-	if err != nil || port == 0 || port > 65535 {
-		http.Error(w, "Invalid port number", http.StatusBadRequest)
-		return
-	}
-	
-	// Create tunnel
-	t, err := s.registry.CreateTunnel(uint16(port))
-	if err != nil {
-		s.logger.Error("failed to create tunnel", "error", err, "port", port)
-		http.Error(w, "Failed to create tunnel", http.StatusInternalServerError)
-		return
-	}
-	
-	// Add peer to WireGuard
-	if err := s.tun.AddPeer(t.PublicKey, t.AllowedIP); err != nil {
-		s.logger.Error("failed to add peer", "error", err, "tunnel_id", t.ID)
-		_ = s.registry.DeleteTunnel(t.ID)
-		http.Error(w, "Failed to configure tunnel", http.StatusInternalServerError)
-		return
-	}
-	
-	// Generate self-executing script
-	script := s.generateTunnelScript(t)
-	
-	w.Header().Set("Content-Type", "text/plain")
-	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
-	fmt.Fprint(w, script)
-}
 
 // generateWireGuardConfig generates a WireGuard configuration
 func (s *Server) generateWireGuardConfig(t *tunnel.Info) string {
-	serverEndpoint := fmt.Sprintf("%s:%d", s.cfg.Domain, s.cfg.WireGuardPort)
+	serverEndpoint := s.cfg.WireGuardEndpoint
 
 	tunnelURL := fmt.Sprintf("https://%s.%s", t.Subdomain, s.cfg.Domain)
 
@@ -332,4 +303,19 @@ func (s *Server) handleWebsite(w http.ResponseWriter, r *http.Request) {
 	if _, err := w.Write(content); err != nil {
 		s.logger.Error("failed to write website response", "error", err)
 	}
+}
+
+// handleClientScript serves the arbok client helper script
+func (s *Server) handleClientScript(w http.ResponseWriter, r *http.Request) {
+	script := `#!/bin/bash
+# Arbok Client - One command tunnel management
+# Usage: curl -O https://server/client && chmod +x client && ./client start 3000
+
+ARBOK_SERVER="${ARBOK_SERVER:-` + s.cfg.Domain + `}"
+# ... (rest of the client script would be embedded here)
+`
+	
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("Content-Disposition", "attachment; filename=\"arbok\"")
+	fmt.Fprint(w, script)
 }