packaging: ship firewalld services on rpm + deb too, share from packaging/linux
apple / swift (push) Successful in 1m10s
apple / screenshots (push) Successful in 5m45s
android / android (push) Successful in 4m2s
arch / build-publish (push) Successful in 5m37s
ci / web (push) Successful in 1m4s
ci / docs-site (push) Successful in 1m9s
ci / rust (push) Successful in 4m39s
deb / build-publish (push) Successful in 2m56s
decky / build-publish (push) Successful in 14s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 4s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
ci / bench (push) Successful in 4m41s
rpm / build-publish (43, bazzite, punktfunk-fedora-rpm) (push) Successful in 10m8s
docker / deploy-docs (push) Successful in 6s
rpm / build-publish (44, fedora-44, punktfunk-fedora44-rpm) (push) Successful in 9m54s
Mirror the Arch firewalld service definitions into the RPM spec and the Debian
host package so every Linux packager installs them, and move the two XML files
to the shared packaging/linux/ home (alongside the .desktop files both the
PKGBUILD and deb scripts already source there) so there's one source of truth
instead of three drifting copies.
- rpm: install punktfunk-{gamestream,native}.xml to /usr/lib/firewalld/services/,
list them in %files host, and print the firewalld enable command in %post
(gated on firewall-cmd). Fedora/RHEL run firewalld by default, so this is where
it matters most; Bazzite inherits it via the sysext built from the package /usr.
- deb: install both XMLs in build-deb.sh and add the same firewalld-gated hint to
the postinst. Debian/Ubuntu ship no active firewall, so it's a no-op unless the
admin runs firewalld.
- PKGBUILD + arch README updated to the packaging/linux/ path.
- Firewall docs (bazzite README now leads with --add-service; debian README gains
a firewalld block) point at the shipped services; XML comments made
distro-neutral. Never auto-enabled — packages don't touch the admin's firewall.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -138,9 +138,9 @@ package_punktfunk-host() {
# firewall). Stock Arch ships none, so they're a no-op there; CachyOS et al. ship firewalld, so
# sudo firewall-cmd --reload && sudo firewall-cmd --permanent --add-service=punktfunk-gamestream && sudo firewall-cmd --reload
# (or =punktfunk-native). See README.md → Firewall.
install -Dm0644 "$R/packaging/arch/punktfunk-gamestream.xml" \
install -Dm0644 "$R/packaging/linux/punktfunk-gamestream.xml" \
"$pkgdir/usr/lib/firewalld/services/punktfunk-gamestream.xml"
install -Dm0644 "$R/packaging/arch/punktfunk-native.xml" \
install -Dm0644 "$R/packaging/linux/punktfunk-native.xml" \
"$pkgdir/usr/lib/firewalld/services/punktfunk-native.xml"
install -Dm0644 "$R/LICENSE-MIT" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-MIT"
install -Dm0644 "$R/LICENSE-APACHE" "$pkgdir/usr/share/licenses/punktfunk-host/LICENSE-APACHE"
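Review bot: the leading `sudo firewall-cmd --reload` in the enable command comment looks redundant next to the trailing one, but it is load-bearing: firewalld only indexes newly installed files under /usr/lib/firewalld/services/ when it (re)loads, so `--permanent --add-service=punktfunk-gamestream` run right after the package drops the XML fails with an unknown-service error without it. Spell that out in the comment (for example `# first --reload makes firewalld see the freshly installed service file`) so a later cleanup does not strip it, and keep the same wording in the RPM `%post` and deb postinst hints this commit adds.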
@@ -206,7 +206,8 @@ udp dport { 47998-48010, 5353 } accept
- `punktfunk-host.install` / `punktfunk-client.install` — pacman scriptlets (udev reload + sysctl +
first-run hint, incl. the firewalld enable command when firewalld is present), mirror the RPM
`%post` / deb postinst.
- `punktfunk-gamestream.xml` / `punktfunk-native.xml` — firewalld service definitions the host
package installs to `/usr/lib/firewalld/services/` (not auto-enabled; see Firewall above).
- The firewalld service definitions (`punktfunk-gamestream.xml` / `punktfunk-native.xml`) are shared
across all Linux packaging and live in [`../linux/`](../linux/); the host package installs them to
`/usr/lib/firewalld/services/` (not auto-enabled; see Firewall above).
- `build-sysext.sh` — wraps either built `.pkg.tar.zst` into a `systemd-sysext` `.raw` for SteamOS
(derives the name from the package, so it works for host or client).
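Review bot: the hunk header context `udp dport { 47998-48010, 5353 } accept` shows the README's nftables example opening UDP 47998 through 48010, while the gamestream service definition this README now points at opens only UDP 47998, 47999 and 48000 (48010 is listed as TCP there). The two firewall paths should agree; either narrow the nftables example to the ports the service actually uses or, if the wider range is really needed, add the missing ports to the XML, and mention in the bullet that the service is the authoritative port list.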
@@ -1,25 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
firewalld service definition for the punktfunk GameStream (Moonlight-compatible) host.
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. It is NOT enabled
automatically: an Arch package never touches the admin's running firewall. Stock Arch ships no
firewall (these ports are already open); on a firewalld spin such as CachyOS, enable it once with
firewall-cmd (add-service=punktfunk-gamestream, then reload). Exact commands: the packaging/arch
README, Firewall section.
Needed only when the host runs GameStream/Moonlight compat (serve with the gamestream flag). The
mgmt REST API (TCP 47990) stays on loopback by default and is deliberately not opened here.
Port map: design/gamestream-host-plan.md.
-->
<service>
<short>Punktfunk (GameStream / Moonlight)</short>
<description>Low-latency game-streaming host over the Moonlight-compatible GameStream protocol. Opens the fixed nvhttp (HTTPS/HTTP), RTSP, video RTP, ENet control/input and Opus audio ports, plus mDNS for auto-discovery.</description>
<port protocol="tcp" port="47984"/> <!-- HTTPS nvhttp (paired, mutual TLS) -->
<port protocol="tcp" port="47989"/> <!-- HTTP nvhttp (/serverinfo, /pair PIN flow) -->
<port protocol="tcp" port="48010"/> <!-- RTSP handshake -->
<port protocol="udp" port="47998"/> <!-- Video RTP (+ FEC) -->
<port protocol="udp" port="47999"/> <!-- ENet control stream + remote input -->
<port protocol="udp" port="48000"/> <!-- Audio (Opus) -->
<port protocol="udp" port="5353"/> <!-- mDNS auto-discovery (_nvstream._tcp.local) -->
</service>
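Review bot: this hunk is a whole-file delete (`-1,25 +0,0`) with no matching add in view, so the move to packaging/linux/ cannot be checked here; when the copy is made distro-neutral, make sure the one security-relevant line of the header comment survives the rewrite: the mgmt REST API (TCP 47990) stays on loopback by default and is deliberately not part of this service. Without it a future contributor reading a bare port list may "complete" the service by adding 47990, which would expose the management API on every interface the zone covers.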
@@ -1,20 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!--
firewalld service definition for the native punktfunk/1 host (the secure default 'serve', or the
punktfunk1-host subcommand).
Installed to /usr/lib/firewalld/services/ by the punktfunk-host package. NOT enabled automatically
(an Arch package never touches the admin's firewall). Stock Arch has no firewall; on a firewalld
spin such as CachyOS, enable it once with firewall-cmd (add-service=punktfunk-native, then reload).
Exact commands: the packaging/arch README, Firewall section.
The media DATA plane binds an EPHEMERAL UDP port (0.0.0.0:0) chosen per session and reported to the
client, so there is no fixed data port to open. On a restrictive firewall you must also allow the
ephemeral UDP range (the project does not pin one).
-->
<service>
<short>Punktfunk (native punktfunk/1)</short>
<description>Low-latency game-streaming host over the native punktfunk/1 protocol (QUIC control plane). Opens the default QUIC control port plus mDNS for auto-discovery. The media data plane uses an ephemeral UDP port negotiated per session, not opened here.</description>
<port protocol="udp" port="9777"/> <!-- QUIC control plane (default 9777) -->
<port protocol="udp" port="5353"/> <!-- mDNS auto-discovery (_punktfunk._udp.local) -->
</service>
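Review bot: two points the moved copy and the new `%post` / postinst hint should carry over from this deleted header. First, the service only covers the control plane: the data plane binds an ephemeral UDP port per session, so on a restrictive zone `--add-service=punktfunk-native` alone yields a pairing that succeeds and a stream that never arrives; the hint printed at install time should say that the ephemeral UDP range must be allowed separately rather than leaving it to the XML comment nobody reads. Second, the entry is pinned to `port="9777"` with the comment "(default 9777)"; if the control port is configurable, state in the hint that the shipped service covers the default only, so an admin who changes it knows the firewall rule will not follow.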