Files
punktfunk/scripts/punktfunk-web.service
T
enricobuehler ae51276a03 feat(web): consolidate paired devices, self-contained sections, docs + lint
Web console
- Pairing/Library/Stats refactored into self-contained subsections that each own
  their own queries + mutations; a shared slot-based layout (view.tsx) is filled by
  the live page (containers) and Storybook (pure cards + fixtures) so the layout can't
  drift.
- All paired devices in one list on Pairing with a protocol column (punktfunk/1 +
  Moonlight), routing each unpair to the right endpoint; the redundant Clients page is
  removed.
- Library: overview grid split from the add/edit form into separate files.
- Login screen links out to the docs.

Docs
- "Console login password" section on every host page (apt/RPM/Bazzite/SteamOS/Windows)
  plus a new "Forgot your Password?" troubleshooting page, linked from the login screen.
- Console served as HTTP/1.1 over TLS (drop the unusable HTTP/3 advertising) across the
  Bun entry, launchers, systemd units, and packaging.

Tooling
- Biome now respects .gitignore (stops linting generated code), config migrated to
  2.5.1; all lint issues fixed cleanly.

Also includes this branch's in-progress host, Apple client, packaging, and CI changes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 19:05:22 +02:00

38 lines
1.9 KiB
Desktop File

# punktfunk management web console — systemd USER unit (Nitro SSR on bun, port 3000, HTTPS).
#
# Installed by the punktfunk-web .deb to /usr/lib/systemd/user/. AUTO-WIRED — no env editing:
# it sources the host's mgmt token + the generated login password, serves HTTPS (HTTP/1.1 over TLS)
# with the host's own identity cert (~/.config/punktfunk/{cert,key}.pem), and points the /api proxy
# at the host's loopback HTTPS mgmt API (self-signed cert → NODE_TLS_REJECT_UNAUTHORIZED for the
# proxy's only outbound hop, which is loopback). Enable per user:
# systemctl --user enable --now punktfunk-web
[Unit]
Description=punktfunk management web console
# web-init generates the login password; the host writes the mgmt token. Order after both.
After=punktfunk-web-init.service punktfunk-host.service
Wants=punktfunk-web-init.service
[Service]
Type=simple
# Both are KEY=VALUE files. mgmt-token is REQUIRED (written by the host's `serve`); if absent the
# unit fails + Restart retries until the host has created it. web-password is '-' optional (web-init
# creates it first, but a manual operator may inject PUNKTFUNK_UI_PASSWORD another way).
EnvironmentFile=%h/.config/punktfunk/mgmt-token
EnvironmentFile=-%h/.config/punktfunk/web-password
Environment=PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
Environment=NODE_TLS_REJECT_UNAUTHORIZED=0
Environment=PORT=3000
Environment=HOST=0.0.0.0
# Serve HTTPS (HTTP/1.1 over TLS) with the host's own identity cert; mark the
# session cookie Secure. The host's `serve` writes these PEMs; if absent at start the unit fails and
# Restart retries (same as the mgmt-token wait above) rather than silently serving plain HTTP.
Environment=PUNKTFUNK_UI_TLS_CERT=%h/.config/punktfunk/cert.pem
Environment=PUNKTFUNK_UI_TLS_KEY=%h/.config/punktfunk/key.pem
Environment=PUNKTFUNK_UI_SECURE=1
ExecStart=/usr/bin/punktfunk-web-server
Restart=on-failure
RestartSec=2
[Install]
WantedBy=default.target