# punktfunk web — management console (Nitro server on bun) configuration.
# Copy to `.env` (gitignored) or set these in the environment of `bun .output/server/index.mjs`.
# NOTE: on a packaged install (the punktfunk-web .deb) you edit NOTHING — the systemd --user units
# auto-wire these from the host's ~/.config/punktfunk/{mgmt-token,web-password,cert.pem,key.pem}.
# See web.env.example.

# REQUIRED in production: the shared login password for the console. The built Nitro
# server fails CLOSED (503 on every request) if this is unset, so a LAN-exposed server
# never admits anyone by accident.
PUNKTFUNK_UI_PASSWORD=change-me

# Management API the console proxies to. It serves HTTPS (the host's own identity cert) and
# requires auth (mTLS or the bearer below). Keep this loopback — the login-gated web server is
# the only path to it.
PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990

# REQUIRED: bearer token for the management API, injected server-side by the /api proxy (never
# sent to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN — otherwise
# the proxy gets 401.
PUNKTFUNK_MGMT_TOKEN=

# REQUIRED with the HTTPS mgmt API: the host presents a SELF-SIGNED identity cert on loopback,
# which the proxy's fetch would otherwise reject (→ 502). The web server makes no other outbound
# TLS calls, so disabling verification here only affects the loopback hop to the host's own cert.
NODE_TLS_REJECT_UNAUTHORIZED=0

# OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived
# from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions).
# PUNKTFUNK_UI_SECRET=

# TLS: serve the console over HTTPS (HTTP/1.1 over TLS) using the HOST's own identity cert (the cert
# native clients already pin). Point these at the host's PEM files; BOTH set ⇒ HTTPS. Unset ⇒ plain
# HTTP (local dev only). (No HTTP/2 or HTTP/3: Bun.serve has no HTTP/2 server, and a browser won't
# speak HTTP/3/QUIC against this self-signed, no-SAN host cert.)
PUNKTFUNK_UI_TLS_CERT=/home/you/.config/punktfunk/cert.pem
PUNKTFUNK_UI_TLS_KEY=/home/you/.config/punktfunk/key.pem

# REQUIRED when serving over TLS: mark the session cookie Secure (browsers drop a Secure cookie over
# plain http://, so it is OFF by default; turn it ON whenever PUNKTFUNK_UI_TLS_* is set).
PUNKTFUNK_UI_SECURE=1

# The Bun server binds these (standard Nitro env):
# PORT=3000
# HOST=0.0.0.0