enricobuehler
95c4058582
apple / swift (push) Successful in 54s
android / android (push) Failing after 54s
ci / web (push) Successful in 38s
ci / docs-site (push) Successful in 34s
ci / rust (push) Failing after 2m30s
ci / bench (push) Failing after 1m15s
decky / build-publish (push) Failing after 4s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 0s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 1s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 0s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 1s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Failing after 0s
docker / deploy-docs (push) Has been skipped
flatpak / build-publish (push) Failing after 0s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 1s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 0s
deb / build-publish (push) Successful in 3m22s
The mgmt API serves HTTPS with the host's self-signed identity cert and requires mTLS-or-bearer auth (the mTLS work), but the web console's proxy still defaulted to `http://127.0.0.1:47990` — so a deployment copying .env.example got a plain-HTTP request to an HTTPS port (→ 502 Bad Gateway, observed live on the Bazzite box). - .env.example + server/util/auth.ts + vite.config.ts: default PUNKTFUNK_MGMT_URL to https://127.0.0.1:47990. - vite dev proxy: `secure: false` (the host cert is self-signed). - Document that the deployment needs PUNKTFUNK_MGMT_TOKEN (matching the host's) and NODE_TLS_REJECT_UNAUTHORIZED=0 — the web server's only outbound TLS is the loopback hop to the host's own self-signed cert, so disabling verify there is scoped + safe. The running Bazzite box is already fixed live (web.env → https + token + cert-skip, verified: login 200, /api/v1/status 200). This makes fresh deployments correct. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
31 lines
1.5 KiB
Bash
31 lines
1.5 KiB
Bash
# punktfunk web — management console (Bun/Nitro server) configuration.
|
|
# Copy to `.env` (gitignored) or set these in the environment of `bun run start`.
|
|
|
|
# REQUIRED in production: the shared login password for the console. The built Nitro
|
|
# server fails CLOSED (503 on every request) if this is unset, so a LAN-exposed server
|
|
# never admits anyone by accident.
|
|
PUNKTFUNK_UI_PASSWORD=change-me
|
|
|
|
# Management API the console proxies to. It serves HTTPS (the host's own identity cert) and
|
|
# requires auth (mTLS or the bearer below). Keep this loopback — the login-gated web server is
|
|
# the only path to it.
|
|
PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
|
|
|
|
# REQUIRED: bearer token for the management API, injected server-side by the /api proxy (never
|
|
# sent to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN — otherwise
|
|
# the proxy gets 401.
|
|
PUNKTFUNK_MGMT_TOKEN=
|
|
|
|
# REQUIRED with the HTTPS mgmt API: the host presents a SELF-SIGNED identity cert on loopback,
|
|
# which the proxy's fetch would otherwise reject (→ 502). The web server makes no other outbound
|
|
# TLS calls, so disabling verification here only affects the loopback hop to the host's own cert.
|
|
NODE_TLS_REJECT_UNAUTHORIZED=0
|
|
|
|
# OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived
|
|
# from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions).
|
|
# PUNKTFUNK_UI_SECRET=
|
|
|
|
# The Bun server binds these (standard Nitro env):
|
|
# PORT=3000
|
|
# HOST=0.0.0.0
|