bda5556d37
Remediates the two web-console residuals from the 2026-07-05 posture audit: - Brute-force throttle (loginThrottle.ts): per-IP exponential backoff after 5 free attempts, plus a global floor for spread-out floods, keyed on the socket peer IP (not spoofable X-Forwarded-For) with a size-capped map. The constant-time compare already stopped the timing leak; this bounds guess *volume* against a by-design LAN-exposed console. - Session seal key now derives from the high-entropy mgmt token instead of the low-entropy login password, so a captured cookie is no longer an offline password oracle. Falls back to the password only when no token is configured (dev/local). Rotating the token now invalidates sessions. - Replace the process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 with per-request Bun TLS scoped to the loopback proxy hop; a non-loopback mgmt URL now verifies normally. Dropped the env var from the systemd unit, Steam Deck installer, Windows run scripts, env examples, and web README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
38 lines
1.9 KiB
Desktop File
38 lines
1.9 KiB
Desktop File
# punktfunk management web console — systemd USER unit (Nitro SSR on bun, port 47992, HTTPS).
|
|
#
|
|
# Installed by the punktfunk-web .deb to /usr/lib/systemd/user/. AUTO-WIRED — no env editing:
|
|
# it sources the host's mgmt token + the generated login password, serves HTTPS (HTTP/1.1 over TLS)
|
|
# with the host's own identity cert (~/.config/punktfunk/{cert,key}.pem), and points the /api proxy
|
|
# at the host's loopback HTTPS mgmt API. The self-signed cert is accepted only for that loopback hop,
|
|
# scoped inside the proxy code (Bun per-request TLS) — no process-wide NODE_TLS_REJECT_UNAUTHORIZED.
|
|
# Enable per user:
|
|
# systemctl --user enable --now punktfunk-web
|
|
[Unit]
|
|
Description=punktfunk management web console
|
|
# web-init generates the login password; the host writes the mgmt token. Order after both.
|
|
After=punktfunk-web-init.service punktfunk-host.service
|
|
Wants=punktfunk-web-init.service
|
|
|
|
[Service]
|
|
Type=simple
|
|
# Both are KEY=VALUE files. mgmt-token is REQUIRED (written by the host's `serve`); if absent the
|
|
# unit fails + Restart retries until the host has created it. web-password is '-' optional (web-init
|
|
# creates it first, but a manual operator may inject PUNKTFUNK_UI_PASSWORD another way).
|
|
EnvironmentFile=%h/.config/punktfunk/mgmt-token
|
|
EnvironmentFile=-%h/.config/punktfunk/web-password
|
|
Environment=PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
|
|
Environment=PORT=47992
|
|
Environment=HOST=0.0.0.0
|
|
# Serve HTTPS (HTTP/1.1 over TLS) with the host's own identity cert; mark the
|
|
# session cookie Secure. The host's `serve` writes these PEMs; if absent at start the unit fails and
|
|
# Restart retries (same as the mgmt-token wait above) rather than silently serving plain HTTP.
|
|
Environment=PUNKTFUNK_UI_TLS_CERT=%h/.config/punktfunk/cert.pem
|
|
Environment=PUNKTFUNK_UI_TLS_KEY=%h/.config/punktfunk/key.pem
|
|
Environment=PUNKTFUNK_UI_SECURE=1
|
|
ExecStart=/usr/bin/punktfunk-web-server
|
|
Restart=on-failure
|
|
RestartSec=2
|
|
|
|
[Install]
|
|
WantedBy=default.target
|