# punktfunk web — management console (Bun/Nitro server) configuration.
# Copy to `.env` (gitignored) or set these in the environment of `bun run start`.

# REQUIRED in production: the shared login password for the console. The built Nitro
# server fails CLOSED (503 on every request) if this is unset, so a LAN-exposed server
# never admits anyone by accident.
PUNKTFUNK_UI_PASSWORD=change-me

# Management API the console proxies to. Keep it loopback — it should NOT be LAN-exposed;
# the login-gated web server is the only path to it.
PUNKTFUNK_MGMT_URL=http://127.0.0.1:47990

# Bearer token for the management API, injected server-side by the /api proxy (never sent
# to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN.
PUNKTFUNK_MGMT_TOKEN=

# OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived
# from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions).
# PUNKTFUNK_UI_SECRET=

# The Bun server binds these (standard Nitro env):
# PORT=3000
# HOST=0.0.0.0