docs(dist): end-user install front door + serve/pairing/firewall accuracy fixes

Make the host docs match the real distribution path and the actual CLI. Reviewed by a multi-agent pass (6 editors against one verified fact sheet + an accuracy reviewer); its findings (a wrong client-Recommends claim, a native-concurrency overstatement) folded in. - Install front door: new README "Install (host)" method-picker + docs-site/install.md (+ nav), routing each distro to its package registry; source build demoted to a fallback. - Registry-first install: ubuntu-gnome/ubuntu-kde now lead with the apt registry (not a cargo build); bazzite leads with the Gitea RPM registry (was COPR/source). Source builds moved to an appendix. - CLI accuracy: serve --native arms pairing from the web console (NOT --allow-pairing, which with --require-pairing/--max-concurrent is m3-host-only); --open disables mandatory pairing. host-cli/configuration/pairing/quickstart/troubleshooting corrected; mgmt API documented as always HTTPS+token. Native host serves one session at a time (extras queue) — not multi. - Firewall: real ports documented (native UDP 9777 + the ephemeral data port caveat + GameStream ports) for Debian + Arch (ufw + nftables), not just Bazzite. - Sync/accuracy: punktfunk-client (GTK4) presented as a shipping client (not "roadmap"), punktfunk-client-rs as the headless tool; host Recommends punktfunk-web only (not the client); COPR chroots f43/44; bootc header says Gitea registry not COPR. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 10:43:12 +00:00
parent 5b3d5689bf
commit 9e015304ee
17 changed files with 438 additions and 96 deletions
@@ -95,6 +95,46 @@ launches it (`punktfunk-client --connect host:port`) — gamescope composites it
 The client needs no `/dev/uinput` or compositor-spawning rights (it captures input and decodes),
 so it's a much lighter sysext than the host.

+## Firewall
+
+If the host box runs a firewall, open the ports it listens on. The **native `punktfunk/1`** plane:
+
+- **QUIC control plane: UDP 9777** (`serve --native --native-port N` to change).
+- **Data plane: an *ephemeral* UDP port** — negotiated per session, so there is no fixed port to
+  open. For a restrictive firewall you'd need to allow a UDP range (the repo does not pin one).
+
+And the **GameStream / Moonlight** ports (fixed):
+
+| Port | Proto | Purpose |
+|---|---|---|
+| 47984 | TCP | HTTPS nvhttp (paired, mutual-TLS) |
+| 47989 | TCP | HTTP nvhttp (`/serverinfo`, `/pair` PIN flow) |
+| 48010 | TCP | RTSP handshake |
+| 47998–48010 | UDP | Video RTP (+ FEC), ENet control (47999), audio (48000) |
+| 5353 | UDP | mDNS auto-discovery |
+
+The mgmt API (TCP 47990) binds to loopback by default — leave it closed unless you move it off
+loopback with `--mgmt-bind IP:PORT` (which then requires `--mgmt-token`).
+
+With `ufw`:
+
+```sh
+sudo ufw allow 9777/udp                                 # punktfunk/1 control plane
+sudo ufw allow 47984/tcp && sudo ufw allow 47989/tcp && sudo ufw allow 48010/tcp
+sudo ufw allow 47998:48010/udp
+sudo ufw allow 5353/udp
+# plus the ephemeral punktfunk/1 data port — open a UDP range you reserve for it.
+```
+
+With raw `nftables` (add to your `inet filter input` chain):
+
+```
+udp dport 9777 accept                  # punktfunk/1 control plane
+tcp dport { 47984, 47989, 48010 } accept
+udp dport { 47998-48010, 5353 } accept
+# plus the ephemeral punktfunk/1 data port (a reserved UDP range).
+```
+
 ## Files
 - `PKGBUILD` — split package: `punktfunk-host` + `punktfunk-client` (builds the working tree via
  `PF_SRCDIR`, or a git tag for AUR).