feat(steamdeck): --no-gamestream installer flag for a secure native-only SteamOS host
apple / swift (push) Successful in 55s
android / android (push) Successful in 4m41s
ci / web (push) Successful in 34s
ci / docs-site (push) Successful in 35s
ci / rust (push) Successful in 4m54s
deb / build-publish (push) Successful in 2m9s
decky / build-publish (push) Successful in 11s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 4s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
ci / bench (push) Successful in 4m29s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m20s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m29s
docker / deploy-docs (push) Successful in 17s
apple / swift (push) Successful in 55s
android / android (push) Successful in 4m41s
ci / web (push) Successful in 34s
ci / docs-site (push) Successful in 35s
ci / rust (push) Successful in 4m54s
deb / build-publish (push) Successful in 2m9s
decky / build-publish (push) Successful in 11s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 4s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
ci / bench (push) Successful in 4m29s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m20s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m29s
docker / deploy-docs (push) Successful in 17s
Completes the GameStream-opt-in posture (54b75c9) on the SteamOS path: the installer keeps
Moonlight compat on by default (`serve --gamestream`, the Deck commonly streams to Moonlight),
but `--no-gamestream` now installs a secure native-only host with no GameStream on-path surface
(plain-HTTP pairing / legacy GCM nonce reuse — security-review #5/#9; native clients only).
Documented in the installer --help; the SteamOS host doc references it.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -10,7 +10,8 @@
|
||||
# Run it on the Deck (Desktop Mode "Konsole", or over ssh). Idempotent — safe to re-run to update
|
||||
# config or pick up new options. To rebuild after pulling new source, use update.sh.
|
||||
#
|
||||
# bash scripts/steamdeck/install.sh # secure default: PIN pairing required
|
||||
# bash scripts/steamdeck/install.sh # PIN pairing required; Moonlight compat ON
|
||||
# bash scripts/steamdeck/install.sh --no-gamestream # SECURE native-only (no Moonlight/#5/#9 surface)
|
||||
# bash scripts/steamdeck/install.sh --open # trusted LAN: accept unpaired clients (TOFU)
|
||||
# bash scripts/steamdeck/install.sh --no-web # skip the management web console
|
||||
# PUNKTFUNK_SRC=~/src/punktfunk bash scripts/steamdeck/install.sh # source elsewhere
|
||||
@@ -31,10 +32,12 @@ MGMT_PORT="${PUNKTFUNK_MGMT_PORT:-47990}"
|
||||
WEB_PORT="${PUNKTFUNK_WEB_PORT:-3000}"
|
||||
OPEN=0
|
||||
WITH_WEB=1
|
||||
GAMESTREAM=1 # Moonlight/GameStream compat on by default; --no-gamestream for a secure native-only host
|
||||
for arg in "$@"; do
|
||||
case "$arg" in
|
||||
--open) OPEN=1 ;;
|
||||
--no-web) WITH_WEB=0 ;;
|
||||
--no-gamestream) GAMESTREAM=0 ;;
|
||||
--src=*) SRC="${arg#--src=}" ;;
|
||||
-h|--help) sed -n '2,20p' "$0"; exit 0 ;;
|
||||
*) die "unknown option: $arg (try --help)" ;;
|
||||
@@ -170,9 +173,11 @@ fi
|
||||
# --- 5. systemd user services ---------------------------------------------
|
||||
log "Installing systemd user services"
|
||||
mkdir -p "$UNITS"
|
||||
# --gamestream keeps the Moonlight-compat planes (the Deck commonly streams to Moonlight too); drop
|
||||
# it for a secure native-only host (no #5/#9 surface — native clients only).
|
||||
SERVE_ARGS="serve --gamestream --mgmt-bind 0.0.0.0:$MGMT_PORT"
|
||||
# The native punktfunk/1 plane is always on; --gamestream additionally enables the Moonlight-compat
|
||||
# planes (the Deck commonly streams to Moonlight too). --no-gamestream → secure native-only (no #5/#9
|
||||
# surface; native clients only).
|
||||
SERVE_ARGS="serve --mgmt-bind 0.0.0.0:$MGMT_PORT"
|
||||
[ "$GAMESTREAM" = 1 ] && SERVE_ARGS="$SERVE_ARGS --gamestream"
|
||||
[ "$OPEN" = 1 ] && SERVE_ARGS="$SERVE_ARGS --open"
|
||||
cat > "$UNITS/punktfunk-host.service" <<EOF
|
||||
# Generated by scripts/steamdeck/install.sh — punktfunk Steam Deck host (native binary).
|
||||
|
||||
Reference in New Issue
Block a user