The mgmt REST API has bound 0.0.0.0:47990 by default since ae51276 so paired
clients can browse the game library over mTLS, but every packaged firewall
opener still excluded 47990 and the docs still claimed it was loopback-only.
On any host with an active firewall (ufw/firewalld) the LAN game-library
feature was silently broken.
Add 47990/tcp to the native firewall profiles (punktfunk.ufw [punktfunk-native]
+ punktfunk-native.xml) and correct the stale "loopback-only by default" text
across the debian/arch/bazzite READMEs and the docs site (incl. the factually
wrong --mgmt-bind default in host-cli.md, 127.0.0.1 -> 0.0.0.0). Opening the
port adds no admin exposure: off-loopback mgmt::require_auth serves only the
read-only status/library allowlist to a paired client cert; the bearer-token
admin surface stays loopback-only regardless of the bind.
Windows was already sound (shared parse_serve binds 0.0.0.0; service.rs already
firewall-opens 47990) — add a clarifying comment so the rule isn't mistaken for
accidental over-exposure.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
3.3 KiB
title, description
| title | description |
|---|---|
| The Web Console | Enable the punktfunk browser console, read or change its login password, and arm PIN pairing. |
The web console is the browser UI for a punktfunk host — live status, paired devices, and the PIN
pairing flow. It ships as the punktfunk-web systemd user unit on Linux and the PunktfunkWeb
task on Windows, and serves on http://<host-ip>:47992. It's the surface you expose on the LAN to
administer the host; the host's own management API (47990) keeps every admin action loopback-only and
off-loopback serves only read-only status + game-library browsing to paired clients.
New here? Read Security & Safe Use first — a streaming host is remote control of the machine, so keep it on a trusted LAN or VPN and require pairing.
Enable the console
-
Linux packages (apt / RPM / Bazzite):
punktfunk-hostrecommendspunktfunk-web, so your package manager pulls it in. Enable and start it as your desktop user, then open the URL:systemctl --user enable --now punktfunk-web # then browse to http://<host-ip>:47992 -
Windows host: the installer sets up the console, its runtime, and the
PunktfunkWebtask and starts it at boot. There is nothing to enable — openhttp://<this-PC>:47992. -
SteamOS host: the install script builds and starts the console as a user service for you. It prints the URL when it finishes.
Login password
The console is password-protected. Where that password lives and how you change it depends on the host platform.
Linux packages (apt / RPM / Bazzite). On first start punktfunk-web-init generates a random
password and saves it to ~/.config/punktfunk/web-password (as PUNKTFUNK_UI_PASSWORD=…). Read it
back from the init service's journal or straight from the file:
journalctl --user -u punktfunk-web-init | sed -n 's/.*password generated: //p'
sed -n 's/^PUNKTFUNK_UI_PASSWORD=//p' ~/.config/punktfunk/web-password
To set your own, edit that file (PUNKTFUNK_UI_PASSWORD=<your-password>) and restart the console:
systemctl --user restart punktfunk-web.
SteamOS host. Same idea, but the install script writes the generated password to
~/.config/punktfunk/web.env and prints it at the end of the install run:
sed -n 's/^PUNKTFUNK_UI_PASSWORD=//p' ~/.config/punktfunk/web.env
Edit that file and systemctl --user restart punktfunk-web to change it.
Windows host. You choose the password during install — a secure random default is pre-filled and
shown again on the installer's final page. It's stored in %ProgramData%\punktfunk\web-password (as
PUNKTFUNK_UI_PASSWORD=…), readable only by Administrators and SYSTEM. To change it, edit the file
and restart the task in an elevated PowerShell:
notepad "$env:ProgramData\punktfunk\web-password" # set PUNKTFUNK_UI_PASSWORD=<your-password>
schtasks /End /TN PunktfunkWeb; schtasks /Run /TN PunktfunkWeb
Forgot it? See Forgot your Password?.
Arm pairing
The host requires PIN pairing by default (secure on a LAN). To connect the first time, open the console, log in, and go to Devices → arm pairing. The host displays a 4-digit PIN — enter it on your client to pair. See Pairing & Trust for the full trust model and how to approve or remove devices later.