enricobuehler
54b75c9be4
Follows the security audit (#5/#9): the GameStream-compat plane carries inherent on-path weaknesses that can't be fixed on the wire without breaking stock Moonlight — its pairing runs over plain HTTP (#9, MITM-able during the pairing window) and its legacy control encryption can reuse GCM nonces (#5, a passive eavesdropper can recover/forge input). The native punktfunk/1 plane (SPAKE2 PIN pairing + per-direction AEAD nonces) has neither. So flip the default to secure-by-default: - `serve` → native punktfunk/1 plane + management API ONLY (no GameStream surface). - `serve --gamestream` → ALSO the GameStream/Moonlight-compat planes (nvhttp pairing, RTSP, ENet control, _nvstream mDNS). Opt-in, logged with a trusted-LAN caveat. `--moonlight` is an alias. - The native plane is now ALWAYS on in `serve` (`--native` is a kept-for-compat no-op); the unified GameStream+native host is `serve --gamestream`. `gamestream::serve` gates the GameStream spawns (nvhttp/rtsp/control/mdns) on the flag; the native plane + mgmt + native-pairing handle always run. To avoid silently regressing validated Moonlight deployments, the explicit deployment configs PRESERVE Moonlight via `--gamestream` (each documents dropping it for a secure native-only host): the Linux systemd unit, the Steam Deck installer, and the Windows service default (DEFAULT_HOST_CMD). The bare `serve` default (new/manual use) is secure. Docs swept to match (host-cli, moonlight, quickstart, install, packaging READMEs, CLAUDE.md, README, …): Moonlight setup now instructs `--gamestream`; native/console refs use bare `serve`. OpenAPI regenerated (a stale "run `serve --native`" string). fmt + clippy clean; 94 host tests green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
4.5 KiB
title, description
| title | description |
|---|---|
| Running as a Service | Start the host at boot — for a desktop you log into, or a fully headless always-on machine. |
Running serve in a terminal is fine for trying punktfunk out. To make a machine an
always-available host, run it as a service. There are two cases.
The bundled unit
scripts/punktfunk-host.servicerunsserve --gamestream, so it serves both the nativepunktfunk/1plane and stock Moonlight clients. For a secure native-only host (no GameStream — its pairing runs over plain HTTP and its legacy encryption is weaker; security-review #5/#9), drop--gamestreamfrom the unit'sExecStartand use bareserve.
A. A desktop you log into
If you sit at the machine (or it auto-logs-in to a desktop), run the host as a systemd user service that starts with your session:
mkdir -p ~/.config/systemd/user
cp scripts/punktfunk-host.service ~/.config/systemd/user/
# Put your host.env in place first — see the setup guide for your desktop.
systemctl --user daemon-reload
systemctl --user enable --now punktfunk-host
The host now starts whenever you log in. Check it with systemctl --user status punktfunk-host.
B. A headless, always-on host
To run with no monitor and no login — a machine in a closet that's always ready — you need two things: a desktop session that comes up at boot, and the host service started without a login.
Start by making the host service start at boot even when nobody logs in:
sudo loginctl enable-linger "$USER"
Then bring up a session automatically, depending on your desktop:
Headless GNOME
Have GDM auto-login your user, so a GNOME Wayland session is always running:
# /etc/gdm3/custom.conf (Ubuntu) · /etc/gdm/custom.conf (Fedora)
[daemon]
AutomaticLoginEnable = true
AutomaticLogin = your-user
Then disable the screen lock — a locked GNOME session blocks screen capture, and there's no one to unlock a headless box:
gsettings set org.gnome.desktop.screensaver lock-enabled false
gsettings set org.gnome.desktop.session idle-delay 0
Enable the host user service (section A) and reboot. The host comes up on the auto-login session.
Headless KDE
punktfunk ships a unit that brings up a headless KWin/Plasma session with no display manager, so the host has a desktop to stream even with no monitor attached:
cp scripts/punktfunk-kde-session.service scripts/punktfunk-host.service ~/.config/systemd/user/
# host.env: PUNKTFUNK_COMPOSITOR=kwin, WAYLAND_DISPLAY=wayland-kde
systemctl --user daemon-reload
systemctl --user enable punktfunk-kde-session punktfunk-host
sudo loginctl enable-linger "$USER"
reboot
The session unit starts headless KWin; the host unit follows it and starts listening. (KWin only needs to be up by the time a client connects, so the ordering is soft.)
Headless Bazzite
On Bazzite, the host launches its own gamescope/Steam session per client, so you don't need a separate session unit — see Bazzite.
Windows
punktfunk is Linux-first, but a native Windows host also ships — a signed installer with an SCM service and a bundled virtual-display driver. It's NVIDIA-only (NVENC) and newer than the Linux host. (Not to be confused with the Windows client, which streams to a Windows PC.)
On Windows the host runs as a LocalSystem service that launches into the interactive session, so it
captures the secure desktop (UAC / lock screen) and survives reboots with nobody logged in — the same
model Sunshine/Apollo use.
The easy path is the signed installer: download punktfunk-host-setup-<ver>.exe from the package
registry (punktfunk-host-windows) and run it. It drops the host
into C:\Program Files\punktfunk, optionally installs the bundled SudoVDA virtual-display driver,
and registers + starts the service for you (/VERYSILENT for unattended). Upgrades and uninstall are
handled through Add/Remove Programs.
Prefer the CLI? Run punktfunk-host service install from an elevated prompt — see
Windows service. Either
way you need an NVIDIA GPU + driver (the host is NVENC-only on Windows).
Verifying
After a reboot, from another machine on the network:
punktfunk-probe --discover # or just look for the host in a native client / Moonlight
If the host is listed, it's up. If not, check journalctl --user -u punktfunk-host on the host.