unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 8 Packages Projects Releases 4 Wiki Activity
Files
586c4d0ddcf0a55bd6ab792e9ad4a0eaf7dee2d2
punktfunk/web/.env.example
T
enricobuehler df005e2963
android / android (push) Failing after 22s
Details
deb / build-publish (push) Failing after 0s
Details
decky / build-publish (push) Failing after 0s
Details
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 1s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 0s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 1s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 0s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Failing after 0s
Details
flatpak / build-publish (push) Failing after 1s
Details
docker / deploy-docs (push) Has been skipped
Details
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 0s
Details
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 0s
Details
apple / swift (push) Successful in 53s
Details
ci / web (push) Successful in 28s
Details
ci / docs-site (push) Successful in 34s
Details
ci / bench (push) Successful in 1m32s
Details
ci / rust (push) Failing after 53s
Details
feat(packaging/web): bundle the web console into the apt install (punktfunk-web) 
Every user needs the console for pairing, so ship it via apt, auto-wired to the
host — no manual bun/env setup. New punktfunk-web .deb (Architecture: all,
Depends: nodejs >= 20 — runs the node-server build under apt-native node, no
bundled bun):

- packaging/debian/build-web-deb.sh: stages web/.output (server + public) + a
  /usr/bin/punktfunk-web-server wrapper (node) + the systemd --user units + the
  web.env template + docs. Refuses a bun bundle (Bun.serve) as a wrong-preset guard.
- scripts/punktfunk-web.service: --user unit on :3000, EnvironmentFile sources the
  host's ~/.config/punktfunk/mgmt-token (the shared bearer) + the generated
  web-password; sets PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990 +
  NODE_TLS_REJECT_UNAUTHORIZED=0 (loopback self-signed cert). Restart=on-failure
  rides out the host-writes-token-first ordering.
- scripts/punktfunk-web-init.service + web-init.sh: --user one-shot that generates
  the login password (a .deb postinst runs as root → wrong $HOME) and surfaces it
  to the journal.
- build-deb.sh: punktfunk-host now Recommends punktfunk-web (apt pulls it by
  default; headless boxes opt out with --no-install-recommends).
- deb.yml: build the web console + smoke-boot it under node (gate the .deb on a
  real /login 200) + build-web-deb.sh; the publish loop globs it automatically.
- web/{.env.example,web.env.example}: document the auto-wiring vs a manual deploy.

End state: `apt install punktfunk-host` pulls punktfunk-web; enable both --user
services; the console logs in (password from the journal) and proxies the host's
HTTPS mgmt API with the shared token — zero hand-edited env. Local .deb build +
node smoke-boot verified.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 08:50:40 +00:00

33 lines
1.7 KiB
Bash
Raw Blame History

# punktfunk web — management console (Nitro/Node server) configuration.
# Copy to `.env` (gitignored) or set these in the environment of `node .output/server/index.mjs`.
# NOTE: on a packaged install (the punktfunk-web .deb) you edit NOTHING — the systemd --user units
# auto-wire these from the host's ~/.config/punktfunk/{mgmt-token,web-password}. See web.env.example.
# REQUIRED in production: the shared login password for the console. The built Nitro
# server fails CLOSED (503 on every request) if this is unset, so a LAN-exposed server
# never admits anyone by accident.
PUNKTFUNK_UI_PASSWORD=change-me
# Management API the console proxies to. It serves HTTPS (the host's own identity cert) and
# requires auth (mTLS or the bearer below). Keep this loopback — the login-gated web server is
# the only path to it.
PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
# REQUIRED: bearer token for the management API, injected server-side by the /api proxy (never
# sent to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN — otherwise
# the proxy gets 401.
PUNKTFUNK_MGMT_TOKEN=
# REQUIRED with the HTTPS mgmt API: the host presents a SELF-SIGNED identity cert on loopback,
# which the proxy's fetch would otherwise reject (→ 502). The web server makes no other outbound
# TLS calls, so disabling verification here only affects the loopback hop to the host's own cert.
NODE_TLS_REJECT_UNAUTHORIZED=0
# OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, a stable key is derived
# from PUNKTFUNK_UI_PASSWORD (changing the password then invalidates sessions).
# PUNKTFUNK_UI_SECRET=
# The Bun server binds these (standard Nitro env):
# PORT=3000
# HOST=0.0.0.0
Reference in New Issue View Git Blame Copy Permalink