unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 3 Wiki Activity

feat(steamdeck): --no-gamestream installer flag for a secure native-only SteamOS host
apple / swift (push) Successful in 55s
Details
android / android (push) Successful in 4m41s
Details
ci / web (push) Successful in 34s
Details
ci / docs-site (push) Successful in 35s
Details
ci / rust (push) Successful in 4m54s
Details
deb / build-publish (push) Successful in 2m9s
Details
decky / build-publish (push) Successful in 11s
Details
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 4s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
Details
ci / bench (push) Successful in 4m29s
Details
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 8m20s
Details
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 8m29s
Details
docker / deploy-docs (push) Successful in 17s
Details

Browse Source 
Completes the GameStream-opt-in posture (54b75c9) on the SteamOS path: the installer keeps
Moonlight compat on by default (`serve --gamestream`, the Deck commonly streams to Moonlight),
but `--no-gamestream` now installs a secure native-only host with no GameStream on-path surface
(plain-HTTP pairing / legacy GCM nonce reuse — security-review #5/#9; native clients only).
Documented in the installer --help; the SteamOS host doc references it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-21 10:29:40 +00:00
parent 54b75c9be4
commit 1fe4161d4d
1 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/steamdeck/install.sh
+9 -4
View File
@@ -10,7 +10,8 @@
# Run it on the Deck (Desktop Mode "Konsole", or over ssh). Idempotent — safe to re-run to update # Run it on the Deck (Desktop Mode "Konsole", or over ssh). Idempotent — safe to re-run to update
# config or pick up new options. To rebuild after pulling new source, use update.sh. # config or pick up new options. To rebuild after pulling new source, use update.sh.
# #
# bash scripts/steamdeck/install.sh # secure default: PIN pairing required # bash scripts/steamdeck/install.sh # PIN pairing required; Moonlight compat ON
# bash scripts/steamdeck/install.sh --no-gamestream # SECURE native-only (no Moonlight/#5/#9 surface)
# bash scripts/steamdeck/install.sh --open # trusted LAN: accept unpaired clients (TOFU) # bash scripts/steamdeck/install.sh --open # trusted LAN: accept unpaired clients (TOFU)
# bash scripts/steamdeck/install.sh --no-web # skip the management web console # bash scripts/steamdeck/install.sh --no-web # skip the management web console
# PUNKTFUNK_SRC=~/src/punktfunk bash scripts/steamdeck/install.sh # source elsewhere # PUNKTFUNK_SRC=~/src/punktfunk bash scripts/steamdeck/install.sh # source elsewhere
@@ -31,10 +32,12 @@ MGMT_PORT="${PUNKTFUNK_MGMT_PORT:-47990}"
WEB_PORT="${PUNKTFUNK_WEB_PORT:-3000}" WEB_PORT="${PUNKTFUNK_WEB_PORT:-3000}"
OPEN=0 OPEN=0
WITH_WEB=1 WITH_WEB=1
GAMESTREAM=1 # Moonlight/GameStream compat on by default; --no-gamestream for a secure native-only host
for arg in "$@"; do for arg in "$@"; do
case "$arg" in case "$arg" in
--open) OPEN=1 ;; --open) OPEN=1 ;;
--no-web) WITH_WEB=0 ;; --no-web) WITH_WEB=0 ;;
--no-gamestream) GAMESTREAM=0 ;;
--src=*) SRC="${arg#--src=}" ;; --src=*) SRC="${arg#--src=}" ;;
-h|--help) sed -n '2,20p' "$0"; exit 0 ;; -h|--help) sed -n '2,20p' "$0"; exit 0 ;;
*) die "unknown option: $arg (try --help)" ;; *) die "unknown option: $arg (try --help)" ;;
@@ -170,9 +173,11 @@ fi
# --- 5. systemd user services --------------------------------------------- # --- 5. systemd user services ---------------------------------------------
log "Installing systemd user services" log "Installing systemd user services"
mkdir -p "$UNITS" mkdir -p "$UNITS"
# --gamestream keeps the Moonlight-compat planes (the Deck commonly streams to Moonlight too); drop # The native punktfunk/1 plane is always on; --gamestream additionally enables the Moonlight-compat
# it for a secure native-only host (no #5/#9 surface — native clients only). # planes (the Deck commonly streams to Moonlight too). --no-gamestream → secure native-only (no #5/#9
SERVE_ARGS="serve --gamestream --mgmt-bind 0.0.0.0:$MGMT_PORT" # surface; native clients only).
SERVE_ARGS="serve --mgmt-bind 0.0.0.0:$MGMT_PORT"
[ "$GAMESTREAM" = 1 ] && SERVE_ARGS="$SERVE_ARGS --gamestream"
[ "$OPEN" = 1 ] && SERVE_ARGS="$SERVE_ARGS --open" [ "$OPEN" = 1 ] && SERVE_ARGS="$SERVE_ARGS --open"
cat > "$UNITS/punktfunk-host.service" <<EOF cat > "$UNITS/punktfunk-host.service" <<EOF
# Generated by scripts/steamdeck/install.sh — punktfunk Steam Deck host (native binary). # Generated by scripts/steamdeck/install.sh — punktfunk Steam Deck host (native binary).