diff --git a/crates/punktfunk-host/README.md b/crates/punktfunk-host/README.md index 5336dd7..3d4f48c 100644 --- a/crates/punktfunk-host/README.md +++ b/crates/punktfunk-host/README.md @@ -44,7 +44,7 @@ cargo run -rp punktfunk-host -- serve # native-only (secure defa cargo run -rp punktfunk-host -- serve --gamestream # + Moonlight compatibility ``` -Then pair from the web console (`https://:3000`) or the client app. +Then pair from the web console (`https://:47992`) or the client app. Most people should install a **package** rather than run from source — see [`packaging/`](../../packaging/README.md) (apt · rpm/COPR/bootc · Arch/sysext · Windows installer) and diff --git a/crates/punktfunk-host/src/windows/install.rs b/crates/punktfunk-host/src/windows/install.rs index 8b39381..9d569e8 100644 --- a/crates/punktfunk-host/src/windows/install.rs +++ b/crates/punktfunk-host/src/windows/install.rs @@ -338,7 +338,7 @@ fn web_setup(args: &[String]) -> Result<()> { // 1. login password set_web_password(&pw_path, pw_file.as_deref()); - // 2. (upgrade-safe) stop any running console so the new task binds :3000 + the files unlock + // 2. (upgrade-safe) stop any running console so the new task binds :47992 + the files unlock stop_web_console(); // 3. register the PunktfunkWeb scheduled task let cmd = app_dir.join("web").join("web-run.cmd"); @@ -346,7 +346,7 @@ fn web_setup(args: &[String]) -> Result<()> { bail!("web launcher missing: {}", cmd.display()); } register_web_task(&cmd)?; - // 4. firewall: inbound TCP 3000. The console serves HTTPS (HTTP/1.1 over TLS) with the host's + // 4. firewall: inbound TCP 47992. The console serves HTTPS (HTTP/1.1 over TLS) with the host's // identity cert. (No UDP/HTTP-3: browsers won't use QUIC against a self-signed/no-SAN cert.) if !run_quiet( "netsh", 
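Review bot: The console port is spelled out as a literal everywhere `install.rs` touches it: the step comments in these two hunks, and in the later hunks the firewall rule name and `localport=`, the warning and success messages, the `ends_with(":47992")` listener match and the task XML description. With that many copies, the rule that is opened and the listener that is reaped can drift apart on the next port change. A single `const WEB_CONSOLE_PORT: u16 = 47992;` next to `WEB_TASK`, with the strings built through `format!`, would keep them in step. The port the console actually binds is set separately in `web-run.cmd` (`set "PORT=47992"`), so a comment on the constant should name that file as the other place to update. `web_setup` starts and ends outside these hunks.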
@@ -355,14 +355,14 @@ fn web_setup(args: &[String]) -> Result<()> { "firewall", "add", "rule", - "name=punktfunk web console (TCP 3000)", + "name=punktfunk web console (TCP 47992)", "dir=in", "action=allow", "protocol=TCP", - "localport=3000", + "localport=47992", ], ) { - eprintln!("warning: could not add the firewall rule for TCP 3000"); + eprintln!("warning: could not add the firewall rule for TCP 47992"); } // 5. wait briefly for the host's mgmt token, then start (restart-on-failure picks it up otherwise) for _ in 0..30 { @@ -372,7 +372,7 @@ fn web_setup(args: &[String]) -> Result<()> { std::thread::sleep(std::time::Duration::from_secs(1)); } run_quiet("schtasks", &["/run", "/tn", WEB_TASK]); - println!("web console set up + started (https://:3000)"); + println!("web console set up + started (https://:47992)"); Ok(()) } @@ -432,7 +432,7 @@ fn random_password() -> String { .collect() } -/// Stop + reap a running console before re-registering (upgrade-safe): end the task AND kill the :3000 +/// Stop + reap a running console before re-registering (upgrade-safe): end the task AND kill the :47992 /// listener owner (runtime-agnostic - a prior install may have run node vs the current bun). The listener /// is identified by the wildcard foreign address (`0.0.0.0:0`/`[::]:0`), so the localized state word /// ("LISTENING"/"ABHOEREN"/...) is never parsed. @@ -442,7 +442,7 @@ fn stop_web_console() { let toks: Vec<&str> = line.split_whitespace().collect(); if toks.len() >= 5 && toks[0].eq_ignore_ascii_case("tcp") - && toks[1].ends_with(":3000") + && toks[1].ends_with(":47992") && (toks[2] == "0.0.0.0:0" || toks[2] == "[::]:0") { let pid = toks[toks.len() - 1]; @@ -460,7 +460,7 @@ fn register_web_task(cmd: &Path) -> Result<()> { let xml = format!( "\n\ \n\ - punktfunk web management console (Nitro SSR on bun, :3000)\n\ + punktfunk web management console (Nitro SSR on bun, :47992)\n\ true\n\ S-1-5-18HighestAvailable\n\ \n\ 
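Review bot: On an upgrade from a build that used port 3000, the inbound allow rule named `punktfunk web console (TCP 3000)` stays in place, because this hunk only adds a rule under the new name and nothing visible removes the old one. That leaves TCP 3000 open to whatever later binds it on that machine. Consider removing the legacy rule before the add, with a `run_quiet("netsh", …)` call ending in `"delete", "rule", "name=punktfunk web console (TCP 3000)"` (the leading arguments are outside the hunk, presumably the same as for the add). The added rule also carries no `profile=` or `remoteip=` restriction, so it applies on every network profile; if the console is meant for the LAN only, scoping the rule is worth considering.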
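Review bot: The listener match `toks[1].ends_with(":47992")` no longer finds a console left running by the previous version, which listened on `:3000`. On the first upgrade across this change the reap-by-listener step therefore does nothing, and only the task-end path (outside the hunk) can stop the old process. If that path misses it, the old console keeps serving on 3000 and keeps its files locked. Matching the legacy port for one release would close the gap, but 3000 is commonly used by other software, so the owning process should be confirmed as the bundled runtime before it is killed. `stop_web_console` begins and ends outside the hunk.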
diff --git a/design/ci.md b/design/ci.md index 1c4b483..0f4987d 100644 --- a/design/ci.md +++ b/design/ci.md @@ -40,7 +40,7 @@ the GPU/compositor stack of the box it runs on). What is: | Image | Source | Notes | |---|---|---| -| `git.unom.io/unom/punktfunk-web` | `web/Dockerfile` (repo-root context — orval needs `api/openapi.json`) | Nitro `bun` bundle; `PORT` (3000) and `PUNKTFUNK_MGMT_URL` env at runtime | +| `git.unom.io/unom/punktfunk-web` | `web/Dockerfile` (repo-root context — orval needs `api/openapi.json`) | Nitro `bun` bundle; `PORT` (47992) and `PUNKTFUNK_MGMT_URL` env at runtime | | `git.unom.io/unom/punktfunk-docs` | `docs-site/Dockerfile` | This site; `PORT` (3000) | | `git.unom.io/unom/punktfunk-rust-ci` | `ci/rust-ci.Dockerfile` | Ubuntu 26.04 + FFmpeg 8/PipeWire/GL/GBM dev libs + a libcuda **link stub** (driver userspace, no kernel module) + pinned rustup — the container `ci.yml`'s Rust job runs in | diff --git a/design/windows-build-and-packaging.md b/design/windows-build-and-packaging.md index d07b43f..df08347 100644 --- a/design/windows-build-and-packaging.md +++ b/design/windows-build-and-packaging.md 
@@ -157,8 +157,8 @@ and stays. Each subcommand is best-effort (a hiccup warns, never aborts the inst (pf-vdisplay) or `pnputil /add-driver` per-inf (gamepads - the host SwDeviceCreate's the devnodes). A driver hiccup never aborts the install (the host degrades to a physical display). - **Web console (`web setup`):** write the ACL'd `web-password`, register the `PunktfunkWeb` task (boot, - SYSTEM, restart-on-failure -> `bun` on `:3000`, via a generated UTF-16 Task Scheduler XML), open TCP - 3000, start it. Upgrade-safe: stop + reap any old console (by the `:3000` listener owner, runtime- + SYSTEM, restart-on-failure -> `bun` on `:47992`, via a generated UTF-16 Task Scheduler XML), open TCP + 47992, start it. Upgrade-safe: stop + reap any old console (by the `:47992` listener owner, runtime- agnostic - identified by the wildcard foreign address, so the localized state word is never parsed) before re-registering so the new one can bind. @@ -172,7 +172,7 @@ secrets, an ephemeral self-signed cert is generated and its `.cer` published nex The console is a TanStack Start / Nitro SSR app (`web/`). `vite.config.ts` sets `noExternals: true`, so `bun run build` emits a **self-contained `.output`** (~75 files, deps bundled + tree-shaken, no `node_modules`/`.npmrc`). The installer ships that `.output` + a portable `bun.exe`; the `PunktfunkWeb` -task runs `bun .output/server/index.mjs` on `:3000`, auto-wired to the host's loopback mgmt API via +task runs `bun .output/server/index.mjs` on `:47992`, auto-wired to the host's loopback mgmt API via `web-run.cmd` (sources `%ProgramData%\punktfunk\mgmt-token` + `web-password`). No node, no node_modules forest. (`build-web.ps1` is the dev-box rebuild-and-restart helper.) diff --git a/docs-site/content/docs/bazzite.md b/docs-site/content/docs/bazzite.md index b6ed6ad..947fc1c 100644 --- a/docs-site/content/docs/bazzite.md +++ b/docs-site/content/docs/bazzite.md 
@@ -129,7 +129,7 @@ Desktop; it follows whichever the box is in. ```sh systemctl --user enable --now punktfunk-host # Web console (pairing + status) — enable it and read the auto-generated login password, -# then open http://:3000: +# then open http://:47992: systemctl --user enable --now punktfunk-web journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' ``` diff --git a/docs-site/content/docs/fedora-kde.md b/docs-site/content/docs/fedora-kde.md index 4bd4d1d..1e82943 100644 --- a/docs-site/content/docs/fedora-kde.md +++ b/docs-site/content/docs/fedora-kde.md @@ -114,7 +114,7 @@ mDNS. It requires **PIN pairing** by default (secure on a LAN); pair once from y ### Web console The console (status, paired devices, arm pairing) ships as `punktfunk-web` — enable it, then open -`http://:3000`: +`http://:47992`: ```sh systemctl --user enable --now punktfunk-web diff --git a/docs-site/content/docs/install.md b/docs-site/content/docs/install.md index 9d163a7..46e9cfd 100644 --- a/docs-site/content/docs/install.md +++ b/docs-site/content/docs/install.md @@ -73,7 +73,7 @@ fallback without one. More detail — including the CLI `punktfunk-host service Bare `serve` is the secure native-only default (native `punktfunk/1` + the web console). On a trusted LAN, add `--gamestream` to also serve stock [Moonlight](/docs/moonlight) clients. -3. Enable the web console and read its login password, then open `http://:3000`: +3. Enable the web console and read its login password, then open `http://:47992`: ```sh systemctl --user enable --now punktfunk-web diff --git a/docs-site/content/docs/steamos-host.md b/docs-site/content/docs/steamos-host.md index 50e3331..71a9e4b 100644 --- a/docs-site/content/docs/steamos-host.md +++ b/docs-site/content/docs/steamos-host.md 
@@ -83,7 +83,7 @@ When it finishes it prints the web-console URL and how to pair. By default the host **requires PIN pairing** (secure). Two ways to pair: -- **Web console** (printed at the end of step 2): open `http://:3000`, log in with the +- **Web console** (printed at the end of step 2): open `http://:47992`, log in with the generated password (in `~/.config/punktfunk/web.env`), go to **Devices → arm pairing**, and enter the PIN on your client. - **From the client directly**: pick this host (it advertises over mDNS as `_punktfunk._udp`) and diff --git a/docs-site/content/docs/ubuntu-gnome.md b/docs-site/content/docs/ubuntu-gnome.md index a735469..25c1267 100644 --- a/docs-site/content/docs/ubuntu-gnome.md +++ b/docs-site/content/docs/ubuntu-gnome.md @@ -103,7 +103,7 @@ The console (status, paired devices, arm pairing) ships as `punktfunk-web`: ```sh systemctl --user enable --now punktfunk-web -# read the auto-generated login password, then open http://:3000 +# read the auto-generated login password, then open http://:47992 journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' ``` diff --git a/docs-site/content/docs/ubuntu-kde.md b/docs-site/content/docs/ubuntu-kde.md index b2d277a..7573e9a 100644 --- a/docs-site/content/docs/ubuntu-kde.md +++ b/docs-site/content/docs/ubuntu-kde.md @@ -76,7 +76,7 @@ your [client](/docs/clients). ```sh systemctl --user enable --now punktfunk-web -# read the auto-generated login password, then open http://:3000 +# read the auto-generated login password, then open http://:47992 journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' ``` diff --git a/docs-site/content/docs/windows-host.md b/docs-site/content/docs/windows-host.md index bb4a443..308f509 100644 --- a/docs-site/content/docs/windows-host.md +++ b/docs-site/content/docs/windows-host.md 
@@ -52,7 +52,7 @@ Packaging internals live in The installer also sets up the **web management console** (status, paired devices, the PIN pairing flow): it bundles the console plus its own runtime and runs it as the **`PunktfunkWeb`** task on -**`http://:3000`**, starting at boot. +**`http://:47992`**, starting at boot. #### Console login password diff --git a/packaging/README.md b/packaging/README.md index b12bd56..70b6141 100644 --- a/packaging/README.md +++ b/packaging/README.md @@ -101,11 +101,11 @@ systemctl --user enable --now punktfunk-host # Management web console (pairing + status) — pulled in by default (the host RPM Recommends it; # `--no-install-recommends` / headless-only boxes can skip it). Enable it and read the login password: systemctl --user enable --now punktfunk-web -journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' # then open https://:3000 +journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' # then open https://:47992 ``` Pair a stock Moonlight client (mDNS-discovered), or connect the native punktfunk/1 client — via the -web console at `https://:3000` or directly. +web console at `https://:47992` or directly. > ⚠️ **COPR caveat:** COPR's mock chroot has no `bun`, so a COPR build produces only > `punktfunk` + `punktfunk-client` — **not** `punktfunk-web`. For the console on a COPR/bootc host, diff --git a/packaging/arch/README.md b/packaging/arch/README.md index c3321e1..8b682c4 100644 --- a/packaging/arch/README.md +++ b/packaging/arch/README.md 
@@ -42,7 +42,7 @@ cp /usr/share/punktfunk/host.env.bazzite ~/.config/punktfunk/host.env # gamesc systemctl --user enable --now punktfunk-host # Web console (if you installed the punktfunk-web package): enable it + read the login password. systemctl --user enable --now punktfunk-web -journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' # open https://:3000 +journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' # open https://:47992 ``` NVENC/EGL come from the NVIDIA driver: `sudo pacman -S --needed nvidia-utils`. Arch's stock `ffmpeg` already has NVENC built in — no RPM-Fusion-style swap needed (unlike Fedora). diff --git a/packaging/bazzite/README.md b/packaging/bazzite/README.md index ff4097b..c911ad9 100644 --- a/packaging/bazzite/README.md +++ b/packaging/bazzite/README.md @@ -223,7 +223,7 @@ systemctl --user enable --now punktfunk-host # Management web console (pairing + status), if you installed punktfunk-web (it ships in the Gitea # RPM registry / bootc image — COPR can't build it; see ../rpm/README.md). Read the login password: systemctl --user enable --now punktfunk-web -journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' # then open https://:3000 +journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' # then open https://:47992 ``` Check health and logs: diff --git a/packaging/debian/README.md b/packaging/debian/README.md index 13eead2..f5e48d3 100644 --- a/packaging/debian/README.md +++ b/packaging/debian/README.md 
@@ -45,7 +45,7 @@ sudo usermod -aG input "$USER" # virtual gamepads (re-login to take eff mkdir -p ~/.config/punktfunk cp /usr/share/punktfunk-host/host.env.example ~/.config/punktfunk/host.env # then edit systemctl --user enable --now punktfunk-host -# Web console — enable it and read the auto-generated login password (then open https://:3000): +# Web console — enable it and read the auto-generated login password (then open https://:47992): systemctl --user enable --now punktfunk-web journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' ``` diff --git a/packaging/debian/build-web-deb.sh b/packaging/debian/build-web-deb.sh index f525c15..409859e 100755 --- a/packaging/debian/build-web-deb.sh +++ b/packaging/debian/build-web-deb.sh @@ -111,7 +111,7 @@ Homepage: https://git.unom.io/unom/punktfunk Description: punktfunk management web console (Nitro SSR on bun + React) The browser console for a punktfunk streaming host: status, paired devices, and the SPAKE2 PIN pairing flow every client needs. Runs as a systemd --user service on port - 3000 over HTTPS (HTTP/1.1 over TLS, with the host's own identity cert), login-gated (a + 47992 over HTTPS (HTTP/1.1 over TLS, with the host's own identity cert), login-gated (a password generated on first start), proxying the host's loopback HTTPS management API with a bearer token injected server-side (never sent to the browser). Bundles its own bun runtime (no system nodejs/bun dependency). @@ -130,7 +130,7 @@ if [ "$1" = "configure" ]; then echo "A login password is generated on first start — read it with:" echo " journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p'" echo " (or: sed -n 's/^PUNKTFUNK_UI_PASSWORD=//p' ~/.config/punktfunk/web-password)" - echo "Then open https://:3000 (self-signed host cert — trust it once)" + echo "Then open https://:47992 (self-signed host cert — trust it once)" fi exit 0 EOF 
diff --git a/packaging/rpm/README.md b/packaging/rpm/README.md index 636c8a9..b0406e2 100644 --- a/packaging/rpm/README.md +++ b/packaging/rpm/README.md @@ -84,7 +84,7 @@ ujust add-user-to-input-group # virtual gamepads need /dev/uinput (re- mkdir -p ~/.config/punktfunk cp /usr/share/punktfunk/host.env.bazzite ~/.config/punktfunk/host.env # gamescope defaults systemctl --user enable --now punktfunk-host -# Web console — enable it and read the auto-generated login password (then open http://:3000): +# Web console — enable it and read the auto-generated login password (then open http://:47992): systemctl --user enable --now punktfunk-web journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p' ``` diff --git a/packaging/windows/README.md b/packaging/windows/README.md index ef1c8db..0421929 100644 --- a/packaging/windows/README.md +++ b/packaging/windows/README.md @@ -45,7 +45,7 @@ parse breakage that silently failed installs on non-English boxes. password (pre-filled with a secure random default, shown again on the final page; kept on upgrade), then `punktfunk-host.exe web setup` writes the ACL'd `%ProgramData%\punktfunk\web-password`, registers the **`PunktfunkWeb`** scheduled task (boot, SYSTEM, restart-on-failure → `web-run.cmd` → `bun` on - `:3000`), opens TCP 3000, and starts it. It proxies the host's loopback mgmt API with the host's + `:47992`), opens TCP 47992, and starts it. It proxies the host's loopback mgmt API with the host's own `%ProgramData%\punktfunk\mgmt-token`. - **GameStream (Moonlight) compatibility is a wizard task** (checked by default): the choice is passed to `service install --gamestream=on|off`, which writes `PUNKTFUNK_HOST_CMD=serve --gamestream` (or 
@@ -108,7 +108,7 @@ fresh install uses the generated random console password — read it from | `install-vbcable.ps1` | On-target: seed VB-Audio's cert into `TrustedPublisher`, silently install the bundled VB-CABLE (`-i -h`). Run by the installer's *Install VB-CABLE virtual audio* task; idempotent + always exits 0 (non-fatal). | | `clear-force-integrity.ps1` | Clear the `/INTEGRITYCHECK` PE bit so a self-signed driver loads (reused by every driver build). | | `stage-pf-vdisplay.ps1` | Stage the just-built pf-vdisplay bundle + fetch/verify the **pinned** nefcon release. | -| `../../scripts/windows/web-run.cmd` | The `PunktfunkWeb` task action: loads the mgmt token + login password env, runs the bundled `bun` on the Nitro server (`:3000`). | +| `../../scripts/windows/web-run.cmd` | The `PunktfunkWeb` task action: loads the mgmt token + login password env, runs the bundled `bun` on the Nitro server (`:47992`). | | `drivers/` | The all-Rust IddCx **driver source** workspace: the `pf-vdisplay` crate on `wdk-sys` / windows-drivers-rs + the owned `pf-driver-proto` ABI + `wdk-iddcx` / `wdk-probe`, plus `deploy-dev.ps1` (build/sign/install for dev). | | `reset-pf-vdisplay.ps1` | **Dev:** recover a wedged driver — stop host → reap ghost monitor nodes → reload the adapter → start host (no reboot). See *Dev iteration* below. | | `redeploy-pf-vdisplay.ps1` | **Dev:** one-shot redeploy — (optional) build → stop host → `deploy-dev.ps1 -Install` → reload adapter → start host. | diff --git a/scripts/punktfunk-web.service b/scripts/punktfunk-web.service index f8a7595..1210db7 100644 --- a/scripts/punktfunk-web.service +++ b/scripts/punktfunk-web.service 
@@ -1,4 +1,4 @@ -# punktfunk management web console — systemd USER unit (Nitro SSR on bun, port 3000, HTTPS). +# punktfunk management web console — systemd USER unit (Nitro SSR on bun, port 47992, HTTPS). # # Installed by the punktfunk-web .deb to /usr/lib/systemd/user/. AUTO-WIRED — no env editing: # it sources the host's mgmt token + the generated login password, serves HTTPS (HTTP/1.1 over TLS) @@ -21,7 +21,7 @@ EnvironmentFile=%h/.config/punktfunk/mgmt-token EnvironmentFile=-%h/.config/punktfunk/web-password Environment=PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 Environment=NODE_TLS_REJECT_UNAUTHORIZED=0 -Environment=PORT=3000 +Environment=PORT=47992 Environment=HOST=0.0.0.0 # Serve HTTPS (HTTP/1.1 over TLS) with the host's own identity cert; mark the # session cookie Secure. The host's `serve` writes these PEMs; if absent at start the unit fails and diff --git a/scripts/steamdeck/README.md b/scripts/steamdeck/README.md index 37c1486..2dbcb87 100644 --- a/scripts/steamdeck/README.md +++ b/scripts/steamdeck/README.md @@ -47,7 +47,7 @@ Note: unlike a bare `serve` (native-only by default), the Deck install enables ` default so stock Moonlight clients work out of the box; `--no-gamestream` turns that surface off. Env overrides: `PUNKTFUNK_SRC` (source dir, default `~/punktfunk`), `PUNKTFUNK_BOX` (container name, -default `pf2`), `PUNKTFUNK_MGMT_PORT` (47990), `PUNKTFUNK_WEB_PORT` (3000). +default `pf2`), `PUNKTFUNK_MGMT_PORT` (47990), `PUNKTFUNK_WEB_PORT` (47992). ## What gets installed diff --git a/scripts/steamdeck/install.sh b/scripts/steamdeck/install.sh index 6bb6d5c..a59eeeb 100755 --- a/scripts/steamdeck/install.sh +++ b/scripts/steamdeck/install.sh 
@@ -29,7 +29,7 @@ SRC="${PUNKTFUNK_SRC:-$HOME/punktfunk}" BOX="${PUNKTFUNK_BOX:-pf2}" BOX_IMAGE="${PUNKTFUNK_BOX_IMAGE:-docker.io/library/debian:trixie}" MGMT_PORT="${PUNKTFUNK_MGMT_PORT:-47990}" -WEB_PORT="${PUNKTFUNK_WEB_PORT:-3000}" +WEB_PORT="${PUNKTFUNK_WEB_PORT:-47992}" OPEN=0 WITH_WEB=1 GAMESTREAM=1 # Moonlight/GameStream compat on by default; --no-gamestream for a secure native-only host diff --git a/scripts/web-init.sh b/scripts/web-init.sh index ee86d43..4bfd124 100755 --- a/scripts/web-init.sh +++ b/scripts/web-init.sh @@ -15,5 +15,5 @@ if [ ! -s "$PWFILE" ]; then (umask 077; printf 'PUNKTFUNK_UI_PASSWORD=%s\n' "$PW" > "$PWFILE") chmod 600 "$PWFILE" 2>/dev/null || true echo "punktfunk web console login password generated: $PW" - echo "(stored in $PWFILE — open http://:3000 and log in)" + echo "(stored in $PWFILE — open http://:47992 and log in)" fi diff --git a/scripts/windows/README.md b/scripts/windows/README.md index 51530c8..48d07e0 100644 --- a/scripts/windows/README.md +++ b/scripts/windows/README.md 
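Review bot: The hint in `web-init.sh`, `open http://:47992`, points the user at plain HTTP, while `scripts/punktfunk-web.service` in this same commit describes the console as HTTPS on this port with a Secure session cookie. A browser pointed at `http://` will most likely not reach the login page. Only the scheme needs to change: `echo "(stored in $PWFILE — open https://:47992 and log in)"`. The same `http://` form appears in several docs pages touched here (for example `install.md`, `bazzite.md`, `windows-host.md`), while `packaging/README.md` and `build-web-deb.sh` already say `https://`.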
@@ -38,9 +38,9 @@ On an **installed** host (the `setup.exe`) the console is set up automatically The installer bundles the built (self-contained, no-`node_modules`) `.output` server + a portable bun and runs `punktfunk-host.exe web setup`, which registers the **`PunktfunkWeb`** scheduled task (at boot, as SYSTEM, restart-on-failure) running `{app}\web\web-run.cmd` → -`bun …\.output\server\index.mjs` on `:3000`, opens inbound TCP 3000, and writes the login password to +`bun …\.output\server\index.mjs` on `:47992`, opens inbound TCP 47992, and writes the login password to `%ProgramData%\punktfunk\web-password` (ACL'd to Administrators + SYSTEM). The mgmt bearer token it -proxies with is the host's own `%ProgramData%\punktfunk\mgmt-token`. Browse `http://:3000` +proxies with is the host's own `%ProgramData%\punktfunk\mgmt-token`. Browse `http://:47992` and log in with the password the installer shows on its final page. To change it, edit `web-password` and re-run the task: `schtasks /run /tn PunktfunkWeb`. diff --git a/scripts/windows/build-web.ps1 b/scripts/windows/build-web.ps1 index b06dc9d..490b4b3 100644 --- a/scripts/windows/build-web.ps1 +++ b/scripts/windows/build-web.ps1 @@ -5,7 +5,7 @@ bun is both the build tool AND the runtime: vite.config's Nitro noExternals bundles every dep into the self-contained .output (no node_modules, nothing for bun to fail to resolve), so the - PunktfunkWeb task runs web\web-run.cmd -> bun .output\server\index.mjs on :3000. + PunktfunkWeb task runs web\web-run.cmd -> bun .output\server\index.mjs on :47992. #> $ErrorActionPreference = 'Stop' $repo = Split-Path (Split-Path $PSScriptRoot) 
@@ -30,6 +30,6 @@ Start-Sleep 2 & schtasks /run /tn $task | Out-Null Start-Sleep 5 try { - $r = Invoke-WebRequest 'http://127.0.0.1:3000/login' -UseBasicParsing -TimeoutSec 10 + $r = Invoke-WebRequest 'http://127.0.0.1:47992/login' -UseBasicParsing -TimeoutSec 10 Write-Host "DONE - web /login -> HTTP $($r.StatusCode)" } catch { Write-Warning "web restarted but /login check failed: $($_.Exception.Message)" } diff --git a/scripts/windows/web-run.cmd b/scripts/windows/web-run.cmd index b1285ac..693378a 100644 --- a/scripts/windows/web-run.cmd +++ b/scripts/windows/web-run.cmd @@ -34,7 +34,7 @@ for /f "usebackq tokens=1* delims==" %%A in ("%TOKENFILE%") do set "%%A=%%B" if exist "%PWFILE%" for /f "usebackq tokens=1* delims==" %%A in ("%PWFILE%") do set "%%A=%%B" rem Fixed deployment wiring (the Windows analogue of scripts/punktfunk-web.service). -set "PORT=3000" +set "PORT=47992" set "HOST=0.0.0.0" set "PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990" set "NODE_TLS_REJECT_UNAUTHORIZED=0" diff --git a/web/.env.example b/web/.env.example index 5781a43..768ecf4 100644 --- a/web/.env.example +++ b/web/.env.example @@ -40,5 +40,5 @@ PUNKTFUNK_UI_TLS_KEY=/home/you/.config/punktfunk/key.pem PUNKTFUNK_UI_SECURE=1 # The Bun server binds these (standard Nitro env): -# PORT=3000 +# PORT=47992 # HOST=0.0.0.0 diff --git a/web/Dockerfile b/web/Dockerfile index a17b221..eb58e2e 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -4,7 +4,7 @@ # # docker build -f web/Dockerfile -t punktfunk-web . # -# Runtime: PORT (default 3000) and PUNKTFUNK_MGMT_URL (upstream management API the Nitro +# Runtime: PORT (default 47992) and PUNKTFUNK_MGMT_URL (upstream management API the Nitro # server proxies /api to; see web/server/routes). FROM oven/bun:1 AS build WORKDIR /repo/web @@ -24,6 +24,6 @@ FROM oven/bun:1-slim WORKDIR /app COPY --from=build /repo/web/.output ./.output USER bun -ENV PORT=3000 -EXPOSE 3000 +ENV PORT=47992 +EXPOSE 47992 CMD ["bun", "run", ".output/server/index.mjs"] 
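Review bot: The post-restart probe in `build-web.ps1` requests `http://127.0.0.1:47992/login`, but the launcher this task runs (`web\web-run.cmd`) documents the console as serving HTTPS on this port. If that holds on the dev box, the request always lands in the `catch` and prints the warning even when the console is healthy, so the check cannot distinguish a good restart from a bad one. Switching to `https://127.0.0.1:47992/login` requires accepting the host's self-signed certificate for this one loopback request. Scope that acceptance to the single call rather than turning certificate validation off for the whole session.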
diff --git a/web/README.md b/web/README.md index 5911dc1..d120e54 100644 --- a/web/README.md +++ b/web/README.md @@ -18,7 +18,7 @@ The `@unom` registry mapping lives in [`.npmrc`](.npmrc); the auth token comes f ```sh # from web/ — Bun is the toolchain (https://bun.sh) bun install # runs `prepare` → codegen (orval + paraglide) -bun run dev # http://localhost:3000 +bun run dev # http://localhost:47992 # The dev server proxies /api → https://127.0.0.1:47990 (the host's mgmt API; it serves HTTPS # with the host's self-signed identity cert — the dev proxy uses `secure: false`). @@ -50,7 +50,7 @@ LAN console.) ```sh bun run build # → .output/ (Nitro `bun` preset + our Bun.serve TLS entry) -PORT=3000 HOST=0.0.0.0 \ +PORT=47992 HOST=0.0.0.0 \ PUNKTFUNK_UI_PASSWORD=… PUNKTFUNK_MGMT_TOKEN=… \ PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 NODE_TLS_REJECT_UNAUTHORIZED=0 \ PUNKTFUNK_UI_TLS_CERT=~/.config/punktfunk/cert.pem \ @@ -63,7 +63,7 @@ bun run lint # tsc --noEmit ``` The built **Nitro bun server** SSR-renders the app and is the only thing exposed on the LAN. -Run it on the same box as the host; it serves the console over HTTPS on `:3000` (or `$PORT`). +Run it on the same box as the host; it serves the console over HTTPS on `:47992` (or `$PORT`). ## Auth (backend-for-frontend) diff --git a/web/package.json b/web/package.json index 33f5949..5288f87 100644 --- a/web/package.json +++ b/web/package.json @@ -7,7 +7,7 @@ "prepare": "bun run codegen", "codegen": "orval --config orval.config.ts && paraglide-js compile --project ./project.inlang --outdir ./src/paraglide", "predev": "orval --config orval.config.ts", - "dev": "vite dev --port 3000", + "dev": "vite dev --port 47992", "prebuild": "orval --config orval.config.ts", "build": "vite build", "start": "bun run .output/server/index.mjs", diff --git a/web/web-run.cmd b/web/web-run.cmd index 8a3b287..79c38a6 100644 --- a/web/web-run.cmd +++ b/web/web-run.cmd 
@@ -3,7 +3,7 @@ rem punktfunk web console launcher - DEV layout (in-repo tree). The PunktfunkWeb rem (boot trigger, SYSTEM, restart-on-failure) runs this at startup. It sources the host's mgmt bearer rem token + the console login password from %ProgramData%\punktfunk\, points the /api proxy at the rem host's loopback HTTPS mgmt API, and serves the self-contained (no-node_modules) Nitro console over -rem HTTPS (HTTP/1.1 over TLS) on :3000 with the host's identity cert. %~dp0 = \web\ . +rem HTTPS (HTTP/1.1 over TLS) on :47992 with the host's identity cert. %~dp0 = \web\ . rem rem DEV vs the installed launcher (scripts\windows\web-run.cmd): the dev host service runs from rem target\release (not the installed {app} tree), so this runs the in-repo web\.output. The console @@ -35,7 +35,7 @@ for /f "usebackq tokens=1* delims==" %%A in ("%TOKENFILE%") do set "%%A=%%B" if exist "%PWFILE%" for /f "usebackq tokens=1* delims==" %%A in ("%PWFILE%") do set "%%A=%%B" rem Fixed deployment wiring (the Windows analogue of scripts/punktfunk-web.service). -set "PORT=3000" +set "PORT=47992" set "HOST=0.0.0.0" set "PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990" set "NODE_TLS_REJECT_UNAUTHORIZED=0" diff --git a/web/web.env.example b/web/web.env.example index 3afd73c..7104e61 100644 --- a/web/web.env.example +++ b/web/web.env.example 
@@ -3,7 +3,7 @@ # On a `apt install punktfunk-web` install you DO NOT edit anything: the systemd --user units wire # everything automatically — # punktfunk-web.service sets PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990, NODE_TLS_REJECT_UNAUTHORIZED=0, -# PORT=3000, HOST=0.0.0.0, the PUNKTFUNK_UI_TLS_* cert paths + PUNKTFUNK_UI_SECURE=1, and sources: +# PORT=47992, HOST=0.0.0.0, the PUNKTFUNK_UI_TLS_* cert paths + PUNKTFUNK_UI_SECURE=1, and sources: # ~/.config/punktfunk/mgmt-token (written by the host's `serve` — the shared bearer token) # ~/.config/punktfunk/web-password (written by punktfunk-web-init — the console login password) # ~/.config/punktfunk/{cert,key}.pem (the host identity — the console serves HTTPS with it) @@ -14,7 +14,7 @@ # (its only outbound TLS hop is that loopback connection). PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 NODE_TLS_REJECT_UNAUTHORIZED=0 -PORT=3000 +PORT=47992 HOST=0.0.0.0 # Serve the console over HTTPS (HTTP/1.1 over TLS) with the host's own identity cert. BOTH paths