docs(dist): end-user install front door + serve/pairing/firewall accuracy fixes

Make the host docs match the real distribution path and the actual CLI. Reviewed by a
multi-agent pass (6 editors against one verified fact sheet + an accuracy reviewer); its
findings (a wrong client-Recommends claim, a native-concurrency overstatement) folded in.

- Install front door: new README "Install (host)" method-picker + docs-site/install.md
  (+ nav), routing each distro to its package registry; source build demoted to a fallback.
- Registry-first install: ubuntu-gnome/ubuntu-kde now lead with the apt registry (not a
  cargo build); bazzite leads with the Gitea RPM registry (was COPR/source). Source builds
  moved to an appendix.
- CLI accuracy: serve --native arms pairing from the web console (NOT --allow-pairing, which
  with --require-pairing/--max-concurrent is m3-host-only); --open disables mandatory pairing.
  host-cli/configuration/pairing/quickstart/troubleshooting corrected; mgmt API documented as
  always HTTPS+token. Native host serves one session at a time (extras queue) — not multi.
- Firewall: real ports documented (native UDP 9777 + the ephemeral data port caveat +
  GameStream ports) for Debian + Arch (ufw + nftables), not just Bazzite.
- Sync/accuracy: punktfunk-client (GTK4) presented as a shipping client (not "roadmap"),
  punktfunk-client-rs as the headless tool; host Recommends punktfunk-web only (not the
  client); COPR chroots f43/44; bootc header says Gitea registry not COPR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

packaging/arch/README.md

@@ -95,6 +95,46 @@ launches it (`punktfunk-client --connect host:port`) — gamescope composites it
 The client needs no `/dev/uinput` or compositor-spawning rights (it captures input and decodes),
 so it's a much lighter sysext than the host.
 
+## Firewall
+
+If the host box runs a firewall, open the ports it listens on. The **native `punktfunk/1`** plane:
+
+- **QUIC control plane: UDP 9777** (`serve --native --native-port N` to change).
+- **Data plane: an *ephemeral* UDP port** — negotiated per session, so there is no fixed port to
+  open. For a restrictive firewall you'd need to allow a UDP range (the repo does not pin one).
+
+And the **GameStream / Moonlight** ports (fixed):
+
+| Port | Proto | Purpose |
+|---|---|---|
+| 47984 | TCP | HTTPS nvhttp (paired, mutual-TLS) |
+| 47989 | TCP | HTTP nvhttp (`/serverinfo`, `/pair` PIN flow) |
+| 48010 | TCP | RTSP handshake |
+| 47998–48010 | UDP | Video RTP (+ FEC), ENet control (47999), audio (48000) |
+| 5353 | UDP | mDNS auto-discovery |
+
+The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
+loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
+
+With `ufw`:
+
+```sh
+sudo ufw allow 9777/udp                                 # punktfunk/1 control plane
+sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
+sudo ufw allow 47998:48010/udp
+sudo ufw allow 5353/udp
+# plus the ephemeral punktfunk/1 data port — open a UDP range you reserve for it.
+```
+
+With raw `nftables` (add to your `inet filter input` chain):
+
+```
+udp dport 9777 accept                  # punktfunk/1 control plane
+tcp dport { 47984, 47989, 48010 } accept
+udp dport { 47998-48010, 5353 } accept
+# plus the ephemeral punktfunk/1 data port (a reserved UDP range).
+```
+
 ## Files
 - `PKGBUILD` — split package: `punktfunk-host` + `punktfunk-client` (builds the working tree via
   `PF_SRCDIR`, or a git tag for AUR).

packaging/bootc/Containerfile

@@ -1,8 +1,9 @@
 # bootc / OCI image layer that bakes punktfunk into a Bazzite-based atomic image.
 #
 # Bazzite is already a bootc image (Fedora Atomic + gamescope + PipeWire + the NVIDIA
-# stack), so we layer punktfunk on top: enable RPM Fusion (for the NVENC ffmpeg) and our
-# COPR, install the package, and pre-enable the udev rule. Build + push this image, then
+# stack), so we layer punktfunk on top: enable RPM Fusion (for the NVENC ffmpeg) and unom's
+# Gitea RPM registry (NOT COPR — only the registry carries the punktfunk-web subpackage),
+# install the packages, and pre-enable the udev rule. Build + push this image, then
 # `bootc switch` (or rebase) a Bazzite host onto it for an image-based, atomic install —
 # no per-host `rpm-ostree install` drift.
 #

packaging/copr/README.md

@@ -11,7 +11,7 @@ once in the COPR web UI (or with `copr-cli`):
 - Source build method: `rpkg` (or `make_srpm`)
 
 **Project settings**
-- Chroots: `fedora-41-x86_64`, `fedora-42-x86_64` (match your Bazzite Fedora base;
+- Chroots: `fedora-43-x86_64`, `fedora-44-x86_64` (match your Bazzite Fedora base;
   `rpm -E %fedora` on the host tells you which). Add `aarch64` if needed.
 - External repositories (so `ffmpeg-devel` resolves at build time):
   `https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$releasever.noarch.rpm`
@@ -22,7 +22,7 @@ once in the COPR web UI (or with `copr-cli`):
 `copr-cli` equivalent:
 
 ```sh
-copr-cli create punktfunk --chroot fedora-42-x86_64 \
+copr-cli create punktfunk --chroot fedora-44-x86_64 \
   --repo 'https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$releasever.noarch.rpm' \
   --repo 'https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$releasever.noarch.rpm'
 copr-cli buildscm punktfunk \

packaging/debian/README.md

@@ -2,8 +2,16 @@
 
 `punktfunk-host` is published as a `.deb` to **Gitea's Debian package registry** in the public
 `unom` org, so the Ubuntu hosts update with plain `apt`. CI (`.gitea/workflows/deb.yml`) builds
-and publishes on every push to `main` (a rolling `0.0.1~ciN.<sha>` build) and on `v*` tags
-(a clean `X.Y.Z`).
+and publishes on every push to `main` (a rolling `0.2.0~ciN.g<sha>` build) and on `host-v*` tags
+(a clean `X.Y.Z`) — the rolling builds outrank the stray `0.1.1`, so plain `apt upgrade` always
+gets the latest (no version pin needed).
+
+The same workflow also publishes **`punktfunk-web`** (the browser management console — pairing +
+status) and **`punktfunk-client`** (the GTK4 couch/Deck client). `punktfunk-host` **Recommends**
+`punktfunk-web`, so a default `apt install punktfunk-host` pulls the console too (alongside the
+udev/sysctl bits) unless you've disabled weak deps; `punktfunk-client` is independent — install it
+on the box you stream *to*. (`punktfunk-client-rs` is the headless reference/test tool, not packaged
+here.)
 
 Package layout mirrors the Fedora RPM (`../rpm/punktfunk.spec`): the host binary, the `/dev/uinput`
 udev rule, the systemd **user** unit, headless session helpers, the example config, and the OpenAPI
@@ -35,6 +43,49 @@ sudo usermod -aG input "$USER"          # virtual gamepads (re-login to take eff
 mkdir -p ~/.config/punktfunk
 cp /usr/share/punktfunk-host/host.env.example ~/.config/punktfunk/host.env   # then edit
 systemctl --user enable --now punktfunk-host
+# Web console — enable it and read the auto-generated login password (then open http://<host-ip>:3000):
+systemctl --user enable --now punktfunk-web
+journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p'
+```
+
+## Firewall
+
+Open the ports the host listens on. The **native `punktfunk/1`** plane:
+
+- **QUIC control plane: UDP 9777** (`serve --native --native-port N` to change).
+- **Data plane: an *ephemeral* UDP port** — negotiated per session, so there is no fixed port to
+  open. For a restrictive firewall you'd need to allow a UDP range (the repo does not pin one).
+
+And the **GameStream / Moonlight** ports (fixed):
+
+| Port | Proto | Purpose |
+|---|---|---|
+| 47984 | TCP | HTTPS nvhttp (paired, mutual-TLS) |
+| 47989 | TCP | HTTP nvhttp (`/serverinfo`, `/pair` PIN flow) |
+| 48010 | TCP | RTSP handshake |
+| 47998–48010 | UDP | Video RTP (+ FEC), ENet control (47999), audio (48000) |
+| 5353 | UDP | mDNS auto-discovery |
+
+The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
+loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
+
+With `ufw`:
+
+```sh
+sudo ufw allow 9777/udp                                 # punktfunk/1 control plane
+sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
+sudo ufw allow 47998:48010/udp
+sudo ufw allow 5353/udp
+# plus the ephemeral punktfunk/1 data port — open a UDP range you reserve for it.
+```
+
+With raw `nftables` (add to your `inet filter input` chain):
+
+```
+udp dport 9777 accept                  # punktfunk/1 control plane
+tcp dport { 47984, 47989, 48010 } accept
+udp dport { 47998-48010, 5353 } accept
+# plus the ephemeral punktfunk/1 data port (a reserved UDP range).
 ```
 
 ## Updates