Files
punktfunk/docs-site/content/docs/web-console.md
T
enricobuehler 1dc8dc7f0d
apple / swift (push) Successful in 1m11s
rpm / build-publish (43, bazzite, punktfunk-fedora-rpm) (push) Has been cancelled
rpm / build-publish (44, fedora-44, punktfunk-fedora44-rpm) (push) Has been cancelled
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Has been cancelled
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Has been cancelled
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Has been cancelled
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Has been cancelled
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Has been cancelled
docker / deploy-docs (push) Has been cancelled
decky / build-publish (push) Has been cancelled
deb / build-publish (push) Has been cancelled
ci / rust (push) Has been cancelled
ci / web (push) Has been cancelled
ci / docs-site (push) Has been cancelled
ci / bench (push) Has been cancelled
android / android (push) Successful in 3m49s
apple / screenshots (push) Has been cancelled
arch / build-publish (push) Has been cancelled
fix(packaging): open mgmt/library port 47990 on the LAN firewall profiles
The mgmt REST API has bound 0.0.0.0:47990 by default since ae51276 so paired
clients can browse the game library over mTLS, but every packaged firewall
opener still excluded 47990 and the docs still claimed it was loopback-only.
On any host with an active firewall (ufw/firewalld) the LAN game-library
feature was silently broken.

Add 47990/tcp to the native firewall profiles (punktfunk.ufw [punktfunk-native]
+ punktfunk-native.xml) and correct the stale "loopback-only by default" text
across the debian/arch/bazzite READMEs and the docs site (incl. the factually
wrong --mgmt-bind default in host-cli.md, 127.0.0.1 -> 0.0.0.0). Opening the
port adds no admin exposure: off-loopback mgmt::require_auth serves only the
read-only status/library allowlist to a paired client cert; the bearer-token
admin surface stays loopback-only regardless of the bind.

Windows was already sound (shared parse_serve binds 0.0.0.0; service.rs already
firewall-opens 47990) — add a clarifying comment so the rule isn't mistaken for
accidental over-exposure.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-07 12:38:57 +00:00

3.3 KiB

title, description
title description
The Web Console Enable the punktfunk browser console, read or change its login password, and arm PIN pairing.

The web console is the browser UI for a punktfunk host — live status, paired devices, and the PIN pairing flow. It ships as the punktfunk-web systemd user unit on Linux and the PunktfunkWeb task on Windows, and serves on http://<host-ip>:47992. It's the surface you expose on the LAN to administer the host; the host's own management API (47990) keeps every admin action loopback-only and off-loopback serves only read-only status + game-library browsing to paired clients.

New here? Read Security & Safe Use first — a streaming host is remote control of the machine, so keep it on a trusted LAN or VPN and require pairing.

Enable the console

  • Linux packages (apt / RPM / Bazzite): punktfunk-host recommends punktfunk-web, so your package manager pulls it in. Enable and start it as your desktop user, then open the URL:

    systemctl --user enable --now punktfunk-web
    # then browse to http://<host-ip>:47992
    
  • Windows host: the installer sets up the console, its runtime, and the PunktfunkWeb task and starts it at boot. There is nothing to enable — open http://<this-PC>:47992.

  • SteamOS host: the install script builds and starts the console as a user service for you. It prints the URL when it finishes.

Login password

The console is password-protected. Where that password lives and how you change it depends on the host platform.

Linux packages (apt / RPM / Bazzite). On first start punktfunk-web-init generates a random password and saves it to ~/.config/punktfunk/web-password (as PUNKTFUNK_UI_PASSWORD=…). Read it back from the init service's journal or straight from the file:

journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p'
sed -n 's/^PUNKTFUNK_UI_PASSWORD=//p' ~/.config/punktfunk/web-password

To set your own, edit that file (PUNKTFUNK_UI_PASSWORD=<your-password>) and restart the console: systemctl --user restart punktfunk-web.

SteamOS host. Same idea, but the install script writes the generated password to ~/.config/punktfunk/web.env and prints it at the end of the install run:

sed -n 's/^PUNKTFUNK_UI_PASSWORD=//p' ~/.config/punktfunk/web.env

Edit that file and systemctl --user restart punktfunk-web to change it.

Windows host. You choose the password during install — a secure random default is pre-filled and shown again on the installer's final page. It's stored in %ProgramData%\punktfunk\web-password (as PUNKTFUNK_UI_PASSWORD=…), readable only by Administrators and SYSTEM. To change it, edit the file and restart the task in an elevated PowerShell:

notepad "$env:ProgramData\punktfunk\web-password"   # set PUNKTFUNK_UI_PASSWORD=<your-password>
schtasks /End /TN PunktfunkWeb; schtasks /Run /TN PunktfunkWeb

Forgot it? See Forgot your Password?.

Arm pairing

The host requires PIN pairing by default (secure on a LAN). To connect the first time, open the console, log in, and go to Devices → arm pairing. The host displays a 4-digit PIN — enter it on your client to pair. See Pairing & Trust for the full trust model and how to approve or remove devices later.