lwoodard/Omarchy-Stream
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Persistent HEADLESS-1 + SSH-tunnel-friendly cert SANs + web UI lockdown

Browse Source 
Two streams of fixes shipped together.

Headless persistence (root cause of "Fatal: Unable to find display or
encoder during startup")
- bin/sunshine-stream-undo.sh: stop removing HEADLESS-1 on disconnect.
  Create-on-connect / destroy-on-disconnect raced with Sunshine's startup
  encoder probe and made every restart fail with a fatal-but-misleading
  warning. The output now lives across stream sessions; sunshine-stream-
  do.sh just resizes it per client.
- files/headless-prestart.conf: systemd-user drop-in that runs
  'hyprctl output create headless' (non-fatal) before Sunshine starts, so
  HEADLESS-1 exists before the encoder probe.
- lib/headless.sh: install_headless_prestart_dropin resolves the actual
  unit name (sunshine.service or app-dev.lizardbyte.app.Sunshine.service)
  and lands the drop-in under ~/.config/systemd/user/<unit>.d/.
- lib/service.sh: enable_sunshine_service calls install_headless_prestart_
  dropin when STREAM_MODE=headless. Placed after ensure_sunshine_unit_
  present so the unit name is settled when the drop-in is written.
- install.sh: comment noting the drop-in install is deferred to the
  service-enable step.

Web UI lockdown + tunnel-friendly certs
- lib/config.sh: emits origin_web_ui_allowed = pc. Sunshine rejects web UI
  requests from anywhere other than localhost regardless of bind address.
  Streaming/pairing (47989) stays LAN-accessible. Inline comment documents
  the SSH tunnel recipe.
- lib/certs.sh: add DNS:localhost and IP:127.0.0.1 to host cert SANs so
  the tunneled https://localhost:47990 URL doesn't trigger a hostname
  mismatch. Idempotency check now requires those SANs too.

Misc.
- files/sunshine.service: fallback unit also gains the prestart ExecStartPre.
- lib/service.sh: ensure_sunshine_unit_present aliases the reverse-DNS
  Sunshine unit as sunshine.service when sunshine-bin's short-name unit
  isn't installed.
This commit is contained in:
Levi Woodard
2026-05-18 11:53:18 -06:00
parent e18187362c
commit 4d2f050e33
8 changed files with 134 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/certs.sh
View File

@@ -102,7 +102,9 @@ subjectAltName = @alt_names
[alt_names]
DNS.1 = ${host_lc}.lan
DNS.2 = localhost
IP.1 = ${lan_ip}
IP.2 = 127.0.0.1
EOF
openssl genrsa -out "$tmpdir/host-key.pem" 2048 2>/dev/null
@@ -176,7 +178,9 @@ fetch_and_install_certs() {
&& cert_is_current \
&& cert_signed_by_ca "$tmpdir/ca-cert.pem" \
&& cert_has_san_for "${host_lc}.lan" \
&& cert_has_san_for "${lan_ip}"; then
&& cert_has_san_for "${lan_ip}" \
&& cert_has_san_for "localhost" \
&& cert_has_san_for "127.0.0.1"; then
ok "Sunshine cert is current, signed by CA, and matches expected SANs — skipping mint"
return 0
fi