feat(funnel): cloudflare quick tunnel embedded subprocess (0.9.5)

Gives the daemon a public HTTPS hostname (`https://<random>.trycloudflare.com`)
so the in-browser player on torrentclaw.com plays cross-network without
Tailscale or port forwarding — the mixed-content block that was breaking
HTTPS-page → HTTP-daemon fetches is gone. Bytes proxy through CloudFlare,
never through TorrentClaw infra (preserves the aggregator legal posture).

New surface:
  • `internal/funnel/` package: subprocess wrapper + auto-download for
    cloudflared. Linux amd64/arm64/armhf/386 fetched from GitHub releases
    on first run, validated by ELF magic + size sanity, O_EXCL partial
    write so concurrent daemons don't clobber each other.
  • `unarr funnel on/off/status` cobra command (sibling of `unarr vpn`).
  • Daemon supervisor goroutine keeps cloudflared up across crashes + CF's
    ~6h Quick Tunnel rotation. Exponential backoff (2 s → 5 min). On exit
    the reported URL is cleared so the web stops handing out a dead host.
  • Wire: agent registers/syncs a FunnelURL field; web prefers it over
    Tailscale/LAN for in-browser playback (HlsStreamPlayer + Stremio
    addon).

Default ON for fresh installs (NAS/Docker get it without terminal-in);
existing configs that pre-date the feature stay off until the operator
opts in with `unarr funnel on`.

Docker image now bundles cloudflared (built per TARGETARCH via buildx).

Also fixed: libx264 'frame MB size > level limit' on anamorphic >16:9
sources. The level we hint to libx264 was derived from height alone,
which busted on 720p cinemascope (1728×720 = 4860 MBs > level 3.1's
3600). Bumped each tier: 720p → 4.0, 1080p → 4.1.

Version: 0.9.4 → 0.9.5.

CHANGELOG.md

@@ -5,6 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.9.5] - 2026-05-26
+
+### Added
+
+- **funnel**: optional CloudFlare Quick Tunnel subprocess. `unarr funnel on`
+  spawns `cloudflared` as a child process and registers an anonymous
+  `https://<random>.trycloudflare.com` hostname tunnelled to the daemon's
+  HLS server. The hostname is reported back to the web on every sync so the
+  in-browser player picks it up automatically — cross-network playback now
+  works on torrentclaw.com without Tailscale or port forwarding. Bytes
+  proxy through CloudFlare; TorrentClaw still doesn't relay content.
+- **funnel**: on by default for fresh installs (NAS/Docker get cross-network
+  HTTPS automatically); existing configs that pre-date the feature stay
+  off until the operator runs `unarr funnel on`.
+- **funnel**: auto-downloads cloudflared to the unarr data dir when not on
+  PATH (Linux amd64/arm64/armhf/386). ELF magic + size sanity check on the
+  download; `O_EXCL` partial-write so concurrent daemons don't clobber
+  each other.
+- **funnel**: subprocess supervisor keeps the tunnel up across cloudflared
+  crashes + CF's ~6h Quick Tunnel rotation. Exponential backoff (2 s → 5 min)
+  on persistent failures. The web's reported URL is cleared the moment
+  cloudflared exits so an outdated hostname doesn't keep handing out 502s.
+- **funnel**: `unarr funnel status` shows the live URL once registered.
+  See README §`[downloads.funnel]` for the throughput / latency caveats of
+  CF's free Quick Tunnels.
+- **docker**: the official `torrentclaw/unarr` image now bundles
+  `cloudflared` so the funnel works the moment the container starts — no
+  first-run download.
+
+### Fixed
+
+- **hls/libx264**: bump the H.264 level we hint to libx264 by one tier so
+  anamorphic (>16:9) sources stop emitting unplayable streams. 720p at
+  level 3.1 silently rejected 1728×720 cinemascope frames with
+  `frame MB size > level limit`; 720p now ships at level 4.0, 1080p at 4.1.
+  Decoder compatibility is unaffected — every device that handles 1080p
+  already handles ≥ 4.1.
+
 ## [0.9.4] - 2026-05-26
 
 ### Removed

Dockerfile

@@ -21,10 +21,23 @@ FROM alpine:3.22
 # Use Alpine's native musl ffmpeg + ffprobe instead of the johnvansickle /
 # BtbN static glibc builds — those need a glibc shim on Alpine and the
 # vector-math symbols the GPL builds reference are not satisfiable by
-# gcompat. Alpine ships ffmpeg ~7.x which is fine for the WebRTC
+# gcompat. Alpine ships ffmpeg ~7.x which is fine for the HLS transcoding
-# transcoding pipeline (libx264 + libfdk-aac alternatives included).
+# pipeline (libx264 + libfdk-aac alternatives included).
 RUN apk upgrade --no-cache && \
-    apk add --no-cache ca-certificates tzdata ffmpeg
+    apk add --no-cache ca-certificates tzdata ffmpeg wget
+
+# Bundle cloudflared so `unarr funnel on` (default: on, see config defaults)
+# Just Works on a headless container with no first-run network round-trip.
+# TARGETARCH is set automatically by Docker buildx during cross-builds.
+ARG TARGETARCH=amd64
+RUN case "$TARGETARCH" in \
+      amd64) CF_ARCH=amd64 ;; \
+      arm64) CF_ARCH=arm64 ;; \
+      arm)   CF_ARCH=armhf ;; \
+      *)     echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
+    esac && \
+    wget -qO /usr/local/bin/cloudflared "https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-$CF_ARCH" && \
+    chmod +x /usr/local/bin/cloudflared
 
 # Non-root user (UID 1000 matches typical host user for volume permissions)
 RUN addgroup -g 1000 unarr && adduser -u 1000 -G unarr -D -h /home/unarr unarr

README.md

@@ -476,6 +476,64 @@ with a clear error — install ffmpeg or set `enabled = false`.
 See the [VPN](#vpn) section above for how it works (split-tunnel, no root) and
 how to protect your other devices.
 
+#### `[downloads.funnel]` — public HTTPS hostname for the daemon (CloudFlare Quick Tunnel)
+
+```toml
+[downloads.funnel]
+enabled = false   # off by default
+```
+
+| Key | Type | Default | Notes |
+|-----|------|---------|-------|
+| `enabled` | bool | `false` | Spawns `cloudflared tunnel --url http://localhost:<stream_port>` as a child process at daemon startup. Toggle with `unarr funnel on` / `off`. Requires `cloudflared` on PATH. |
+
+**What it does.** Without a tunnel, the daemon is reachable on `localhost`,
+your LAN, and (if installed) Tailscale. That covers the same-machine and
+Tailscale-connected cases, but the **browser-based player on torrentclaw.com
+fails on any other network** because HTTPS pages can't fetch HTTP resources
+("mixed content"). Enabling the funnel gives the daemon a public
+`https://<random>.trycloudflare.com` hostname so the web player picks it up
+and playback works from anywhere — phone on cellular, friend's laptop on a
+foreign Wi-Fi, anywhere. The Stremio addon already works cross-network
+(native mpv/VLC players ignore CORS), so this is strictly a web-player fix.
+
+**Privacy posture.** Bytes pass through CloudFlare's edge — TorrentClaw never
+relays content (we don't see your traffic), CloudFlare does. Quick Tunnels
+are **anonymous** (no CF account required); the registration is unauthenticated
+and the hostname is a random label, but CF logs request metadata like any CDN
+would. If you want zero third-party byte access, use Tailscale instead.
+
+**Limitations (free Quick Tunnels).**
+| Aspect | Limit |
+|--------|-------|
+| Session lifetime | ~6 hours, then the hostname rotates. cloudflared re-registers automatically; the web picks up the new URL on the next sync. In-flight HLS sessions break across the rotation (browser retries). |
+| Bandwidth | No documented hard cap, but CF reserves the right to throttle. 1080p HLS (~6 Mbps) is fine; 4K HEVC at 25 Mbps may hit throttling. |
+| Latency | +20–80 ms vs direct LAN/Tailscale (extra hop browser → CF edge → tunnel). HLS player buffer absorbs it. |
+| Concurrency | One tunnel serves N viewers. CF rate-limits ~200 req/s, plenty for HLS segments. |
+| TOS | CloudFlare flags Quick Tunnels as "not for production traffic". They can decommission an abusive tunnel without notice. |
+
+For heavy / high-throughput / persistent-URL use cases, switch to a CloudFlare
+Named Tunnel (free, needs a CF account) or run your own reverse proxy — both
+out of scope for the bundled command.
+
+**Disable.** `unarr funnel off` flips `enabled` to `false` in the TOML and
+prompts you to restart the daemon. You can also edit `config.toml` directly:
+
+```toml
+[downloads.funnel]
+enabled = false
+```
+
+**Install cloudflared.**
+- Linux: `apt install cloudflared` (after adding CF's apt repo) — see
+  <https://pkg.cloudflare.com>. Or pull the static binary from
+  <https://github.com/cloudflare/cloudflared/releases>.
+- macOS: `brew install cloudflared`.
+- Windows: `winget install --id Cloudflare.cloudflared`.
+
+If `cloudflared` is not on PATH the daemon logs a warning at startup and
+falls back to LAN/Tailscale-only reachability.
+
 ### Environment variables
 
 Environment variables override config file values:

internal/agent/daemon.go

@@ -55,6 +55,10 @@ type Daemon struct {
 	vpnMode   string
 	vpnServer string
 
+	// CloudFlare Quick Tunnel public URL; folded into DaemonState + heartbeat
+	// so the web can prefer it over Tailscale/LAN for in-browser playback.
+	funnelURL string
+
 	// Watching tracks whether a user is viewing download progress in the web UI.
 	Watching atomic.Bool
 
@@ -85,6 +89,15 @@ func (d *Daemon) SetVPNState(active bool, mode, server string) {
 	d.vpnServer = server
 }
 
+// SetFunnelURL records the CloudFlare Quick Tunnel hostname so it's reflected
+// in the daemon state file (read by `unarr funnel status`) and in heartbeat
+// requests (so the web prefers it over Tailscale/LAN). Pass "" to clear.
+func (d *Daemon) SetFunnelURL(url string) {
+	d.funnelURL = url
+	d.State.FunnelURL = url
+	WriteState(&d.State)
+}
+
 // UpdateStreamPort updates the stream port reported in sync requests.
 func (d *Daemon) UpdateStreamPort(port int) {
 	d.cfg.StreamPort = port
@@ -109,6 +122,7 @@ func (d *Daemon) Register(ctx context.Context) error {
 		VPNActive:          d.vpnActive,
 		VPNMode:            d.vpnMode,
 		VPNServer:          d.vpnServer,
+		FunnelURL:          d.funnelURL,
 	}
 	if free, total, err := DiskInfo(d.cfg.DownloadDir); err == nil {
 		req.DiskFreeBytes = free
@@ -162,6 +176,7 @@ func (d *Daemon) Register(ctx context.Context) error {
 		VPNActive:   d.vpnActive,
 		VPNMode:     d.vpnMode,
 		VPNServer:   d.vpnServer,
+		FunnelURL:   d.funnelURL,
 	}
 	WriteState(&d.State)
 
@@ -234,6 +249,9 @@ func (d *Daemon) Run(ctx context.Context) error {
 	d.sync.GetVPNState = func() (bool, string, string) {
 		return d.vpnActive, d.vpnMode, d.vpnServer
 	}
+	d.sync.GetFunnelURL = func() string {
+		return d.funnelURL
+	}
 	d.sync.OnSyncSuccess = func() {
 		d.State.LastHeartbeat = time.Now()
 		if d.GetActiveCount != nil {

internal/agent/state.go

@@ -29,6 +29,11 @@ type DaemonState struct {
 	VPNActive bool   `json:"vpnActive,omitempty"`
 	VPNMode   string `json:"vpnMode,omitempty"`   // managed | self-hosted
 	VPNServer string `json:"vpnServer,omitempty"` // WireGuard endpoint (ip:port)
+
+	// CloudFlare Quick Tunnel state, so `unarr funnel status` can report the
+	// HTTPS hostname the daemon is reachable at from anywhere on the internet.
+	// Empty when the funnel is off or hasn't registered yet.
+	FunnelURL string `json:"funnelUrl,omitempty"`
 }
 
 // stateFilePathFn is overridable for testing.

internal/agent/sync.go

@@ -40,6 +40,9 @@ type SyncClient struct {
 	// WireGuard tunnel is up, the mode, and the exit server) so the web can track
 	// which agent holds the single WG slot.
 	GetVPNState func() (active bool, mode, server string)
+	// GetFunnelURL returns the CloudFlare Quick Tunnel public hostname if one
+	// is active, else "". Sent on every sync so the web picks it up live.
+	GetFunnelURL func() string
 	// OnDeleteFiles is called when the server requests file deletion from disk.
 	// It should delete the files and return the IDs of successfully deleted items.
 	OnDeleteFiles func(items []LibraryDeleteRequest) []int
@@ -162,6 +165,9 @@ func (sc *SyncClient) buildRequest() SyncRequest {
 	if sc.GetVPNState != nil {
 		req.VPNActive, req.VPNMode, req.VPNServer = sc.GetVPNState()
 	}
+	if sc.GetFunnelURL != nil {
+		req.FunnelURL = sc.GetFunnelURL()
+	}
 	// Flush confirmed deletions from previous cycle.
 	// Once flushed, remove IDs from deleteInFlight — the server will stop sending
 	// them after this sync, so deduplication protection is no longer needed.

internal/agent/types.go

@@ -34,6 +34,9 @@ type RegisterRequest struct {
 	VPNActive bool   `json:"vpnActive"`
 	VPNMode   string `json:"vpnMode,omitempty"` // managed | self-hosted
 	VPNServer string `json:"vpnServer,omitempty"`
+	// CloudFlare Quick Tunnel hostname when enabled; the web prefers it over
+	// Tailscale/LAN for in-browser playback because it works on any network.
+	FunnelURL string `json:"funnelUrl,omitempty"`
 }
 
 // RegisterResponse is returned by the server after registration.
@@ -359,6 +362,8 @@ type SyncRequest struct {
 	VPNActive bool   `json:"vpnActive"`
 	VPNMode   string `json:"vpnMode,omitempty"`
 	VPNServer string `json:"vpnServer,omitempty"`
+	// CloudFlare Quick Tunnel hostname when enabled, else empty.
+	FunnelURL string `json:"funnelUrl,omitempty"`
 }
 
 // ControlAction represents a server-side control signal for a task.

internal/cmd/daemon.go

@@ -17,6 +17,7 @@ import (
 	"github.com/torrentclaw/unarr/internal/agent"
 	"github.com/torrentclaw/unarr/internal/config"
 	"github.com/torrentclaw/unarr/internal/engine"
+	"github.com/torrentclaw/unarr/internal/funnel"
 	"github.com/torrentclaw/unarr/internal/library"
 	"github.com/torrentclaw/unarr/internal/library/mediainfo"
 	"github.com/torrentclaw/unarr/internal/usenet/download"
@@ -303,6 +304,15 @@ func runDaemonStart() error {
 	}
 	d.UpdateStreamPort(streamSrv.Port())
 
+	// CloudFlare Quick Tunnel — needs the ACTUAL listening port (the
+	// configured port may have been busy and bumped). Spawning here ensures
+	// cloudflared --url points at the right socket. Failures degrade to
+	// Tailscale/LAN only; the supervisor keeps the tunnel up across CF's
+	// periodic rotation + transient cloudflared crashes.
+	if cfg.Download.Funnel.Enabled {
+		go superviseFunnel(ctx, d, streamSrv.Port())
+	}
+
 	// Warn at startup if transcode is enabled but ffmpeg/ffprobe are missing.
 	// HLS sessions get rejected at runtime (see daemon.go ~line 455), but
 	// surfacing it here gives the operator a chance to install ffmpeg before
@@ -773,3 +783,54 @@ func runAutoScan(ctx context.Context, cfg config.Config, interval time.Duration,
 		}
 	}
 }
+
+// superviseFunnel keeps a CloudFlare Quick Tunnel up across cloudflared
+// crashes and CF's ~6h tunnel rotation. On a clean exit (cancellation) it
+// returns; on a crash it clears the reported URL and respawns with an
+// exponential backoff so we don't hammer cloudflared into a tight loop when
+// it can't reach the CF edge.
+func superviseFunnel(ctx context.Context, d *agent.Daemon, port int) {
+	backoff := 2 * time.Second
+	const maxBackoff = 5 * time.Minute
+	for ctx.Err() == nil {
+		t, err := funnel.Start(ctx, funnel.Config{Port: port})
+		if err != nil {
+			log.Printf("[funnel] could not start CloudFlare tunnel (%v) — retrying in %s", err, backoff)
+			select {
+			case <-time.After(backoff):
+			case <-ctx.Done():
+				return
+			}
+			backoff = min(backoff*2, maxBackoff)
+			continue
+		}
+		log.Printf("[funnel] cloudflared started, waiting for public URL...")
+		go func() {
+			url, werr := t.WaitURL(45 * time.Second)
+			if werr != nil {
+				log.Printf("[funnel] cloudflared did not emit a URL (%v)", werr)
+				return
+			}
+			log.Printf("[funnel] public URL: %s", url)
+			d.SetFunnelURL(url)
+		}()
+		// Block until cloudflared exits (CF rotation, crash, or shutdown).
+		exitErr := <-t.Done()
+		_ = t.Close()
+		d.SetFunnelURL("")
+		if ctx.Err() != nil {
+			return
+		}
+		if exitErr != nil {
+			log.Printf("[funnel] cloudflared exited: %v — restarting in %s", exitErr, backoff)
+		} else {
+			log.Printf("[funnel] cloudflared exited cleanly — restarting in %s", backoff)
+		}
+		select {
+		case <-time.After(backoff):
+		case <-ctx.Done():
+			return
+		}
+		backoff = min(backoff*2, maxBackoff)
+	}
+}

internal/cmd/funnel.go

@@ -0,0 +1,165 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/fatih/color"
+	"github.com/spf13/cobra"
+	"github.com/torrentclaw/unarr/internal/agent"
+	"github.com/torrentclaw/unarr/internal/config"
+)
+
+func newFunnelCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "funnel",
+		Short: "Expose the daemon over a public HTTPS hostname via CloudFlare Quick Tunnel",
+		Long: `Turn the CloudFlare Quick Tunnel on/off and check its status.
+
+When on, the daemon spawns cloudflared as a child process and registers a
+` + "`https://<random>.trycloudflare.com`" + ` hostname tunnelled to its local
+HLS server. The torrentclaw.com / torrentclaw.to web player picks the tunnel
+URL first so cross-network playback works from any browser without Tailscale
+or port forwarding.
+
+Trade-offs:
+  • Bytes proxy through CloudFlare. We don't relay; CF does. Preserves the
+    TorrentClaw legal posture but means CF sees your traffic shape.
+  • Quick Tunnels are anonymous — no CF account required.
+  • Hostname is random per session and rotates roughly every 6 h.
+
+Requires the cloudflared binary on PATH. Install:
+  Linux  : https://pkg.cloudflare.com (apt) or download from
+           https://github.com/cloudflare/cloudflared/releases
+  macOS  : brew install cloudflared
+  Windows: winget install --id Cloudflare.cloudflared`,
+		Example: `  unarr funnel status   # is the tunnel up? what's the URL?
+  unarr funnel on       # turn it on
+  unarr funnel off      # turn it off`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return cmd.Help()
+		},
+	}
+	cmd.AddCommand(newFunnelStatusCmd(), newFunnelOnCmd(), newFunnelOffCmd())
+	return cmd
+}
+
+func newFunnelStatusCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:     "status",
+		Short:   "Show CloudFlare tunnel configuration + live URL",
+		Example: "  unarr funnel status",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return runFunnelStatus()
+		},
+	}
+}
+
+func runFunnelStatus() error {
+	bold := color.New(color.Bold)
+	dim := color.New(color.FgHiBlack)
+	green := color.New(color.FgGreen)
+	yellow := color.New(color.FgYellow)
+	cyan := color.New(color.FgCyan)
+
+	cfg := loadConfig()
+
+	fmt.Println()
+	bold.Println("  CloudFlare Quick Tunnel")
+	fmt.Println()
+
+	if !cfg.Download.Funnel.Enabled {
+		dim.Println("  Mode:    off")
+		fmt.Println()
+		dim.Println("  Enable with `unarr funnel on` to give the daemon a public HTTPS URL")
+		dim.Println("  so cross-network browser playback works without Tailscale.")
+		fmt.Println()
+		return nil
+	}
+	cyan.Println("  Mode:    on")
+
+	state := agent.ReadState()
+	alive := state != nil && isDaemonAlive(state)
+	fmt.Println()
+	switch {
+	case alive && state.FunnelURL != "":
+		green.Println("  ✓ Tunnel ACTIVE")
+		fmt.Printf("    URL:  %s\n", state.FunnelURL)
+		fmt.Println()
+		dim.Println("  This URL rotates roughly every 6 h. The web player picks it up")
+		dim.Println("  automatically — no action needed on your side.")
+	case alive:
+		yellow.Println("  ⚠  Daemon is running but the tunnel hasn't registered yet.")
+		dim.Println("     Check `unarr daemon logs` for a [funnel] line. Common cause:")
+		dim.Println("     cloudflared isn't installed on PATH.")
+	default:
+		dim.Println("  Daemon not running — start it (`unarr start`) to bring the tunnel up.")
+	}
+	fmt.Println()
+	return nil
+}
+
+func newFunnelOnCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:     "on",
+		Short:   "Turn the CloudFlare tunnel on",
+		Example: "  unarr funnel on",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return setFunnelEnabled(true)
+		},
+	}
+}
+
+func newFunnelOffCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:     "off",
+		Short:   "Turn the CloudFlare tunnel off",
+		Example: "  unarr funnel off",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			return setFunnelEnabled(false)
+		},
+	}
+}
+
+func setFunnelEnabled(enabled bool) error {
+	green := color.New(color.FgGreen)
+	dim := color.New(color.FgHiBlack)
+
+	cfg := loadConfig()
+	if cfg.Download.Funnel.Enabled == enabled {
+		fmt.Println()
+		dim.Printf("  Tunnel is already %s — nothing to do.\n", onOffWord(enabled))
+		fmt.Println()
+		return nil
+	}
+
+	cfg.Download.Funnel.Enabled = enabled
+
+	configPath := config.FilePath()
+	if cfgFile != "" {
+		configPath = cfgFile
+	}
+	if err := config.Save(cfg, configPath); err != nil {
+		return fmt.Errorf("save config: %w", err)
+	}
+	appCfg = cfg
+
+	fmt.Println()
+	green.Printf("  ✓ CloudFlare tunnel %s.\n", onOffWord(enabled))
+
+	// Subprocess is launched/torn down by the daemon at startup; a plain config
+	// reload does not bring it up. Prompt for a restart when the daemon is alive.
+	if state := agent.ReadState(); state != nil && isDaemonAlive(state) {
+		fmt.Println()
+		dim.Println("  The daemon is running. Restart it for this to take effect:")
+		dim.Println("    unarr daemon restart")
+	}
+	fmt.Println()
+	return nil
+}
+
+func onOffWord(enabled bool) string {
+	if enabled {
+		return "on"
+	}
+	return "off"
+}

internal/cmd/root.go

@@ -105,6 +105,8 @@ Source:         https://github.com/torrentclaw/unarr`,
 	daemonCmd.GroupID = "daemon"
 	vpnCmd := newVPNCmd()
 	vpnCmd.GroupID = "daemon"
+	funnelCmd := newFunnelCmd()
+	funnelCmd.GroupID = "daemon"
 
 	// System & Diagnostics
 	statsCmd := newStatsCmd()
@@ -149,6 +151,7 @@ Source:         https://github.com/torrentclaw/unarr`,
 		statusCmd,
 		daemonCmd,
 		vpnCmd,
+		funnelCmd,
 		// System & Diagnostics
 		statsCmd,
 		doctorCmd,

internal/cmd/version.go

@@ -1,4 +1,4 @@
 package cmd
 
 // Version is the CLI version. Overridden by goreleaser ldflags at release time.
-var Version = "0.9.4"
+var Version = "0.9.5"

internal/config/config.go

@@ -53,6 +53,16 @@ type DownloadConfig struct {
 	CORSExtraOrigins []string        `toml:"cors_extra_origins"` // extra browser origins added on top of the baked-in allowlist (torrentclaw.com, app.torrentclaw.com, localhost:3030)
 	Transcode        TranscodeConfig `toml:"transcode"`
 	VPN              VPNConfig       `toml:"vpn"`
+	Funnel           FunnelConfig    `toml:"funnel"`
+}
+
+// FunnelConfig gates the optional CloudFlare Quick Tunnel that exposes the
+// daemon's HLS server over a public HTTPS hostname (https://<random>.try
+// cloudflare.com). Enabling it lets the web player on torrentclaw.com play
+// from this daemon across any network without Tailscale or a public IP —
+// the cost is that bytes proxy through CloudFlare's network. Off by default.
+type FunnelConfig struct {
+	Enabled bool `toml:"enabled"`
 }
 
 // VPNConfig gates the managed-VPN add-on split-tunnel. When enabled, the daemon
@@ -139,6 +149,13 @@ func Default() Config {
 				AudioBitrate:  "192k",
 				MaxConcurrent: 2,
 			},
+			Funnel: FunnelConfig{
+				// On by default so headless installs (NAS / Docker) get cross-network
+				// HTTPS playback without anyone having to terminal in. Users who
+				// don't want bytes proxied through CloudFlare can opt out with
+				// `unarr funnel off` (sets enabled=false in the TOML).
+				Enabled: true,
+			},
 		},
 		Organize: OrganizeConfig{
 			Enabled: true,
@@ -227,6 +244,12 @@ func applyDefaults(cfg *Config, meta toml.MetaData) {
 	if !meta.IsDefined("downloads", "transcode", "max_concurrent") {
 		cfg.Download.Transcode.MaxConcurrent = 2
 	}
+	// NOTE: Funnel default-ON only applies to fresh installs (no config file →
+	// Default() returns Funnel.Enabled=true straight off). When an existing
+	// config file lacks `[downloads.funnel]` entirely we intentionally do NOT
+	// flip it on here — that would silently route an upgraded operator's
+	// traffic through CloudFlare without their consent. They opt in with
+	// `unarr funnel on` whenever they're ready.
 }
 
 // Save writes config to the default or specified path using atomic write.

internal/engine/hwaccel.go

@@ -129,12 +129,13 @@ func (h HWAccel) FFmpegVideoCodec(target string) string {
 	}
 }
 
-// H264LevelForHeight returns the lowest H.264 profile level capable of encoding
+// H264LevelForHeight returns the lowest H.264 profile level capable of
-// a stream at the given output pixel height (assumes ~16:9, ≤30 fps). The
+// encoding a stream at the given output pixel height. Each tier carries
-// previous code used a fixed "4.0" which silently rejects anything above 1080p
+// enough macroblock headroom to handle ANAMORPHIC content (up to ~2.4:1
-// — libx264 logs "frame MB size > level limit" and emits a corrupt stream.
+// cinemascope) at 30 fps — a fixed 16:9 assumption used to silently bust
-// Returning a tighter level on smaller outputs keeps player compatibility on
+// the level on a 720p movie shot in 2.4:1 (1728×720 = 4860 MBs > 3.1's
-// older devices where the encoder can't auto-pick.
+// 3600 limit; libx264 logs "frame MB size > level limit" and emits a
+// corrupt stream).
 func H264LevelForHeight(height int) string {
 	switch {
 	case height <= 0:
@@ -142,11 +143,14 @@ func H264LevelForHeight(height int) string {
 		// re-introduce the silent-failure mode that motivated this helper.
 		return "5.1"
 	case height <= 480:
-		return "3.0"
-	case height <= 720:
 		return "3.1"
-	case height <= 1080:
+	case height <= 720:
+		// 4.0 instead of 3.1: covers 720p anamorphic (e.g. 1728×720) +
+		// MB rate up to 245k/s (3.1 caps at 108k/s — broken at 24 fps).
 		return "4.0"
+	case height <= 1080:
+		// 4.1 instead of 4.0: covers 1080p anamorphic + 30 fps (~245k MBs/s).
+		return "4.1"
 	case height <= 1440:
 		return "5.0"
 	case height <= 2160:

internal/funnel/funnel.go

@@ -0,0 +1,199 @@
+// Package funnel manages the optional CloudFlare Quick Tunnel subprocess
+// that gives the daemon a public HTTPS hostname for cross-network playback
+// from browser-based clients (web player on torrentclaw.com / torrentclaw.to).
+//
+// Why: HTTPS pages can't fetch HTTP resources (mixed content). Without a
+// tunnel the daemon is only reachable from the same machine (localhost is
+// exempt) or via Tailscale (which users can install themselves but most
+// won't). CF Quick Tunnels are anonymous — no CF account, no DNS, no port
+// forwarding — and assign a one-shot `https://<random>.trycloudflare.com`
+// URL. Bytes flow through CF, never through our infra (legal posture: we
+// don't relay; CF does).
+//
+// Lifecycle:
+//
+//   t, err := funnel.Start(ctx, funnel.Config{Port: 11819})
+//   defer t.Close()
+//   url, err := t.WaitURL(30 * time.Second)  // blocks until cloudflared emits the URL
+//
+// The tunnel runs until the context is cancelled or t.Close() is called.
+package funnel
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os/exec"
+	"regexp"
+	"sync"
+	"time"
+)
+
+// urlPattern matches the `https://<random>.trycloudflare.com` URL cloudflared
+// prints when a Quick Tunnel is registered. The hostname has a random
+// hyphen-separated label followed by .trycloudflare.com.
+var urlPattern = regexp.MustCompile(`https://[a-z0-9-]+\.trycloudflare\.com`)
+
+// Config controls how the tunnel is launched.
+type Config struct {
+	// Port is the local upstream port cloudflared will tunnel to. Required.
+	Port int
+	// Binary is the cloudflared executable path. When empty the package looks
+	// it up via $PATH.
+	Binary string
+}
+
+// Tunnel is a handle on a running cloudflared Quick Tunnel.
+type Tunnel struct {
+	cmd     *exec.Cmd
+	cancel  context.CancelFunc
+	urlCh   chan string
+	exitCh  chan error
+	mu      sync.Mutex
+	url     string
+	stopped bool
+}
+
+// Start launches cloudflared as a subprocess. The returned *Tunnel exposes the
+// public URL via WaitURL once cloudflared registers it (usually 2–5 s).
+//
+// The subprocess inherits the cancellation of the supplied context. Closing
+// the *Tunnel sends SIGTERM and waits for the subprocess to exit.
+func Start(ctx context.Context, cfg Config) (*Tunnel, error) {
+	if cfg.Port <= 0 {
+		return nil, fmt.Errorf("funnel: invalid Port %d", cfg.Port)
+	}
+	binary := cfg.Binary
+	if binary == "" {
+		resolved, err := ResolveBinary()
+		if err != nil {
+			return nil, err
+		}
+		binary = resolved
+	}
+
+	subCtx, cancel := context.WithCancel(ctx)
+	// `--no-autoupdate` disables cloudflared's daily self-update check (the
+	// daemon manages binary rotation). `--metrics 127.0.0.1:0` suppresses the
+	// default `:9090` listener that would collide on a shared box.
+	cmd := exec.CommandContext(subCtx, binary,
+		"tunnel",
+		"--no-autoupdate",
+		"--metrics", "127.0.0.1:0",
+		"--url", fmt.Sprintf("http://localhost:%d", cfg.Port),
+	)
+
+	// cloudflared writes the connect log + assigned URL to stderr.
+	stderr, err := cmd.StderrPipe()
+	if err != nil {
+		cancel()
+		return nil, fmt.Errorf("funnel: pipe stderr: %w", err)
+	}
+	cmd.Stdout = io.Discard // quick tunnels print nothing useful on stdout
+
+	if err := cmd.Start(); err != nil {
+		cancel()
+		return nil, fmt.Errorf("funnel: start cloudflared: %w", err)
+	}
+
+	t := &Tunnel{
+		cmd:    cmd,
+		cancel: cancel,
+		urlCh:  make(chan string, 1),
+		exitCh: make(chan error, 1),
+	}
+
+	// Reader goroutine: scan cloudflared's stderr for the URL, surface the
+	// rest as a single string we don't try to interpret.
+	go t.scanStderr(stderr)
+
+	// Waiter goroutine: signal exit so callers can react (e.g. restart).
+	go func() {
+		t.exitCh <- cmd.Wait()
+	}()
+
+	return t, nil
+}
+
+// WaitURL blocks until cloudflared has registered the tunnel and emitted the
+// public URL, or `timeout` elapses, or the subprocess exits. The returned URL
+// has the form `https://<random>.trycloudflare.com`.
+func (t *Tunnel) WaitURL(timeout time.Duration) (string, error) {
+	t.mu.Lock()
+	if t.url != "" {
+		u := t.url
+		t.mu.Unlock()
+		return u, nil
+	}
+	t.mu.Unlock()
+
+	select {
+	case u := <-t.urlCh:
+		return u, nil
+	case err := <-t.exitCh:
+		if err == nil {
+			return "", errors.New("funnel: cloudflared exited before URL")
+		}
+		return "", fmt.Errorf("funnel: cloudflared exited: %w", err)
+	case <-time.After(timeout):
+		return "", fmt.Errorf("funnel: timed out waiting for URL after %s", timeout)
+	}
+}
+
+// URL returns the assigned tunnel URL, or "" if not yet emitted.
+func (t *Tunnel) URL() string {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	return t.url
+}
+
+// Done returns a channel that closes once the subprocess exits. The error sent
+// before close describes the exit reason (nil = clean shutdown via Close).
+func (t *Tunnel) Done() <-chan error {
+	return t.exitCh
+}
+
+// Close terminates the subprocess and waits for it to exit. Safe to call
+// multiple times.
+func (t *Tunnel) Close() error {
+	t.mu.Lock()
+	if t.stopped {
+		t.mu.Unlock()
+		return nil
+	}
+	t.stopped = true
+	t.mu.Unlock()
+	t.cancel()
+	// Drain the exit channel so the Wait goroutine doesn't leak.
+	select {
+	case <-t.exitCh:
+	case <-time.After(5 * time.Second):
+	}
+	return nil
+}
+
+func (t *Tunnel) scanStderr(r io.Reader) {
+	scanner := bufio.NewScanner(r)
+	// Some cloudflared lines exceed the default 64KiB scanner buffer (when it
+	// prints connection diagnostics). Bump to 1MiB.
+	scanner.Buffer(make([]byte, 0, 64*1024), 1024*1024)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if t.URL() == "" {
+			if m := urlPattern.FindString(line); m != "" {
+				t.mu.Lock()
+				t.url = m
+				t.mu.Unlock()
+				// Non-blocking send: if no one is listening, just drop —
+				// the URL field carries the value for any later WaitURL call.
+				select {
+				case t.urlCh <- m:
+				default:
+				}
+			}
+		}
+	}
+}
+

internal/funnel/install.go

@@ -0,0 +1,167 @@
+package funnel
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"time"
+
+	"github.com/torrentclaw/unarr/internal/config"
+)
+
+// ResolveBinary returns the path to a usable cloudflared executable, downloading
+// one into the unarr data dir if neither $PATH nor the cached location has it.
+// This makes the funnel feature usable on headless installs (NAS / Docker)
+// where the user can't easily install cloudflared via the OS package manager.
+//
+// Resolution order:
+//
+//  1. cloudflared on $PATH (operator already installed it)
+//  2. <data-dir>/bin/cloudflared (we cached it on a previous run)
+//  3. download from GitHub releases (Linux-only fallback; macOS / Windows
+//     return a clear error pointing at brew / winget)
+func ResolveBinary() (string, error) {
+	if p, err := exec.LookPath("cloudflared"); err == nil {
+		return p, nil
+	}
+	cached := cachedBinaryPath()
+	if _, err := os.Stat(cached); err == nil {
+		return cached, nil
+	}
+	return downloadCloudflared(cached)
+}
+
+func cachedBinaryPath() string {
+	name := "cloudflared"
+	if runtime.GOOS == "windows" {
+		name += ".exe"
+	}
+	return filepath.Join(config.DataDir(), "bin", name)
+}
+
+// downloadCloudflared fetches the latest cloudflared release asset matching
+// the current GOOS/GOARCH into `dest`. Linux only — macOS/Windows return a
+// pointer at the OS package manager.
+//
+// Supply-chain caveat: we trust GitHub-over-TLS + cloudflare/cloudflared
+// repo integrity. The fetch is over HTTPS to api.github.com's release-asset
+// redirector, so a network MITM is bounded by Let's Encrypt + GitHub's cert
+// chain. We additionally verify the file is an ELF binary (Linux magic
+// bytes) so a generic 404 HTML page or a wrong-arch tarball is rejected at
+// rest. We do NOT verify a signature because Cloudflare doesn't sign release
+// assets at the moment — if you need stricter integrity, install cloudflared
+// from your distro's package manager (apt/brew/winget) and unarr will use
+// the PATH copy.
+func downloadCloudflared(dest string) (string, error) {
+	if runtime.GOOS != "linux" {
+		return "", fmt.Errorf("funnel: auto-download not supported on %s — install cloudflared manually or drop a binary at %s", runtime.GOOS, dest)
+	}
+
+	var asset string
+	switch runtime.GOARCH {
+	case "amd64":
+		asset = "cloudflared-linux-amd64"
+	case "arm64":
+		asset = "cloudflared-linux-arm64"
+	case "arm":
+		asset = "cloudflared-linux-armhf"
+	case "386":
+		asset = "cloudflared-linux-386"
+	default:
+		return "", fmt.Errorf("funnel: unsupported linux arch %q — install cloudflared manually", runtime.GOARCH)
+	}
+
+	url := "https://github.com/cloudflare/cloudflared/releases/latest/download/" + asset
+	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
+		return "", fmt.Errorf("funnel: create bin dir: %w", err)
+	}
+
+	// O_EXCL so concurrent unarr-dev / prod daemons don't clobber each
+	// other's partial download. The loser gets EEXIST → falls back to
+	// polling for the winner to finish.
+	tmp := dest + ".partial"
+	out, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o755)
+	if err != nil {
+		if errors.Is(err, os.ErrExist) {
+			// Another process is downloading. Wait briefly for them to finish.
+			for range 60 {
+				time.Sleep(time.Second)
+				if _, statErr := os.Stat(dest); statErr == nil {
+					return dest, nil
+				}
+			}
+			return "", fmt.Errorf("funnel: another download in progress at %s (timed out)", tmp)
+		}
+		return "", fmt.Errorf("funnel: open dest: %w", err)
+	}
+
+	client := &http.Client{Timeout: 5 * time.Minute}
+	resp, err := client.Get(url)
+	if err != nil {
+		_ = out.Close()
+		_ = os.Remove(tmp)
+		return "", fmt.Errorf("funnel: download cloudflared: %w", err)
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		_ = out.Close()
+		_ = os.Remove(tmp)
+		return "", fmt.Errorf("funnel: download cloudflared: HTTP %d from %s", resp.StatusCode, url)
+	}
+
+	if _, err := io.Copy(out, resp.Body); err != nil {
+		_ = out.Close()
+		_ = os.Remove(tmp)
+		return "", fmt.Errorf("funnel: write dest: %w", err)
+	}
+	if err := out.Close(); err != nil {
+		_ = os.Remove(tmp)
+		return "", fmt.Errorf("funnel: close dest: %w", err)
+	}
+
+	// Sanity check before promoting <partial> to <dest>: must be a Linux
+	// ELF executable (rejects 404 HTML pages or wrong-arch payloads) and at
+	// least 1 MB (real cloudflared is ~50 MB; anything smaller is corrupt).
+	if err := verifyLinuxElf(tmp); err != nil {
+		_ = os.Remove(tmp)
+		return "", fmt.Errorf("funnel: downloaded file failed sanity check: %w", err)
+	}
+
+	if err := os.Rename(tmp, dest); err != nil {
+		_ = os.Remove(tmp)
+		return "", fmt.Errorf("funnel: rename dest: %w", err)
+	}
+	return dest, nil
+}
+
+// verifyLinuxElf returns nil when the file at `path` starts with the ELF
+// magic bytes and is at least 1 MB. Used as a low-cost guard against
+// downloading an HTML error page or a wrong-arch payload.
+func verifyLinuxElf(path string) error {
+	st, err := os.Stat(path)
+	if err != nil {
+		return err
+	}
+	if st.Size() < 1024*1024 {
+		return errors.New("file is suspiciously small (<1 MB)")
+	}
+	f, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	head := make([]byte, 4)
+	if _, err := io.ReadFull(f, head); err != nil {
+		return fmt.Errorf("read magic bytes: %w", err)
+	}
+	if !bytes.Equal(head, []byte{0x7f, 'E', 'L', 'F'}) {
+		return errors.New("not an ELF binary")
+	}
+	return nil
+}