# punktfunk management web console — systemd USER unit (Nitro SSR on bun, port 3000, HTTPS).
#
# Installed by the punktfunk-web .deb to /usr/lib/systemd/user/. AUTO-WIRED — no env editing:
# it sources the host's mgmt token + the generated login password, serves HTTPS (HTTP/1.1 over TLS)
# with the host's own identity cert (~/.config/punktfunk/{cert,key}.pem), and points the /api proxy
# at the host's loopback HTTPS mgmt API (self-signed cert → NODE_TLS_REJECT_UNAUTHORIZED for the
# proxy's only outbound hop, which is loopback). Enable per user:
#   systemctl --user enable --now punktfunk-web
[Unit]
Description=punktfunk management web console
# web-init generates the login password; the host writes the mgmt token. Order after both.
After=punktfunk-web-init.service punktfunk-host.service
Wants=punktfunk-web-init.service

[Service]
Type=simple
# Both are KEY=VALUE files. mgmt-token is REQUIRED (written by the host's `serve`); if absent the
# unit fails + Restart retries until the host has created it. web-password is '-' optional (web-init
# creates it first, but a manual operator may inject PUNKTFUNK_UI_PASSWORD another way).
EnvironmentFile=%h/.config/punktfunk/mgmt-token
EnvironmentFile=-%h/.config/punktfunk/web-password
Environment=PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
Environment=NODE_TLS_REJECT_UNAUTHORIZED=0
Environment=PORT=3000
Environment=HOST=0.0.0.0
# Serve HTTPS (HTTP/1.1 over TLS) with the host's own identity cert; mark the
# session cookie Secure. The host's `serve` writes these PEMs; if absent at start the unit fails and
# Restart retries (same as the mgmt-token wait above) rather than silently serving plain HTTP.
Environment=PUNKTFUNK_UI_TLS_CERT=%h/.config/punktfunk/cert.pem
Environment=PUNKTFUNK_UI_TLS_KEY=%h/.config/punktfunk/key.pem
Environment=PUNKTFUNK_UI_SECURE=1
ExecStart=/usr/bin/punktfunk-web-server
Restart=on-failure
RestartSec=2

[Install]
WantedBy=default.target