feat: implement clean routing architecture and enhanced UX

- Move website to /ui with smart root redirect for tunnel routing
- Clean separation: /ui for website, / for tunnel subdomains
- Simplified script with focus on proper cleanup
- Enhanced docker-compose.yml with volume mounts and production config
- Removed clutter from website UI (keyboard shortcuts, path notes)
- Fixed tunnel proxy routing issues by following gorilla/mux best practices

This resolves tunnel subdomain conflicts and provides a maintainable architecture.

Author: mr-karan

README.md

@@ -4,21 +4,22 @@ Secure HTTP tunnels to localhost using WireGuard. Share your local development s
 
 ## Quick Start
 
+**Single command (recommended):**
 ```bash
-# Start your local server
-python3 -m http.server 3000
+# Replace 3000 with your local port
+curl -s https://arbok.mrkaran.dev/start/3000 | sudo bash
 
-# Get tunnel config
-curl https://tunnel.mrkaran.dev/3000 > tunnel.conf
-
-# Start tunnel
-sudo wg-quick up ./tunnel.conf
-
-# Your app is now live at https://random-name-1234.tunnel.mrkaran.dev
+# Your app is now live at https://random-name-1234.arbok.mrkaran.dev
+# Press Ctrl+C to stop the tunnel
 ```
 
-Stop the tunnel:
+**Manual setup (advanced):**
 ```bash
+# Get tunnel config and start manually
+curl https://arbok.mrkaran.dev/3000 > tunnel.conf
+sudo wg-quick up ./tunnel.conf
+
+# Stop the tunnel
 sudo wg-quick down ./tunnel.conf
 ```
 
@@ -34,7 +35,7 @@ make build
 2. **Configure** (copy `config.sample.toml` to `config.toml`):
 ```toml
 [app]
-domain = "tunnel.yourdomain.com"
+domain = "arbok.yourdomain.com"
 
 [auth]
 # Optional: Add API keys for authentication
@@ -77,7 +78,7 @@ curl -H "Host: your-subdomain.localhost" http://localhost:8080
 ## Features
 
 **Simple & Secure**
-- One command setup - just `curl` to get started
+- One command setup with automatic lifecycle management
 - WireGuard encryption with modern cryptography
 - No account needed - anonymous tunnels by default
 - Self-hosted - complete control over your infrastructure
@@ -90,9 +91,14 @@ curl -H "Host: your-subdomain.localhost" http://localhost:8080
 
 ## API Usage
 
-### Simple provisioning
+### Enhanced provisioning (single command)
+```bash
+curl -s https://arbok.mrkaran.dev/start/3000 | sudo bash
+```
+
+### Simple provisioning (manual config)
 ```bash
-curl https://tunnel.yourdomain.com/3000 > tunnel.conf
+curl https://arbok.mrkaran.dev/3000 > tunnel.conf
 ```
 
 ### RESTful API

docker-compose.prod-env.yml

@@ -0,0 +1,33 @@
+services:
+  arbok:
+    image: ghcr.io/mr-karan/arbok:latest
+    container_name: arbok
+    environment:
+      TZ: Asia/Kolkata
+    volumes:
+      - ./config.toml:/app/config.toml  # Mount your local config.toml file
+    ports:
+      - "8080:8080"
+      - "54321:54321/udp"  # WireGuard port
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv6.conf.all.forwarding=1
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    healthcheck:
+      test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:8080/health -O - || exit 1"]
+      interval: 60s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+    restart: unless-stopped
+    command: ["./arbok", "--config", "/app/config.toml"]
+    networks:
+      - arbok
+
+networks:
+  arbok:
+    name: arbok

docker-compose.prod.yml

@@ -225,6 +225,39 @@ func (s *Server) handleProvisionSimple(w http.ResponseWriter, r *http.Request) {
 	fmt.Fprint(w, instructions)
 }
 
+// handleStartTunnel handles enhanced tunnel provisioning with self-executing script
+func (s *Server) handleStartTunnel(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	port, err := strconv.ParseUint(vars["port"], 10, 16)
+	if err != nil || port == 0 || port > 65535 {
+		http.Error(w, "Invalid port number", http.StatusBadRequest)
+		return
+	}
+	
+	// Create tunnel
+	t, err := s.registry.CreateTunnel(uint16(port))
+	if err != nil {
+		s.logger.Error("failed to create tunnel", "error", err, "port", port)
+		http.Error(w, "Failed to create tunnel", http.StatusInternalServerError)
+		return
+	}
+	
+	// Add peer to WireGuard
+	if err := s.tun.AddPeer(t.PublicKey, t.AllowedIP); err != nil {
+		s.logger.Error("failed to add peer", "error", err, "tunnel_id", t.ID)
+		_ = s.registry.DeleteTunnel(t.ID)
+		http.Error(w, "Failed to configure tunnel", http.StatusInternalServerError)
+		return
+	}
+	
+	// Generate self-executing script
+	script := s.generateTunnelScript(t)
+	
+	w.Header().Set("Content-Type", "text/plain")
+	w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
+	fmt.Fprint(w, script)
+}
+
 // generateWireGuardConfig generates a WireGuard configuration
 func (s *Server) generateWireGuardConfig(t *tunnel.Info) string {
 	serverEndpoint := fmt.Sprintf("%s:%d", s.cfg.Domain, s.cfg.WireGuardPort)
@@ -260,17 +293,22 @@ func (s *Server) handleTunnelProxy(w http.ResponseWriter, r *http.Request) {
 
 	parts := strings.Split(host, ".")
 	if len(parts) < 2 {
+		s.logger.Debug("tunnel proxy: invalid host", "host", host, "parts", len(parts))
 		writeError(w, http.StatusBadRequest, "INVALID_HOST", "Invalid host header")
 		return
 	}
 
 	subdomain := parts[0]
+	s.logger.Debug("tunnel proxy: looking for tunnel", "host", host, "subdomain", subdomain)
 	t := s.registry.GetTunnelBySubdomain(subdomain)
 	if t == nil {
+		s.logger.Debug("tunnel proxy: tunnel not found", "subdomain", subdomain)
 		writeError(w, http.StatusNotFound, "TUNNEL_NOT_FOUND", "Tunnel not found")
 		return
 	}
 
+	s.logger.Debug("tunnel proxy: found tunnel", "subdomain", subdomain, "tunnel_id", t.ID)
+	
 	// Update traffic stats
 	defer func() {
 		// This is a simplified version - in production you'd track actual bytes