Compare commits

..

61 Commits

Author SHA1 Message Date
08fe8c9c53 docs(files): record the general.host trap + that a green monitor proves nothing
Propagate the bare-hostname fix (10b86ae) to the docs that still said "three
traps", and write down the meta-lesson it exposed.

The bug was invisible to every check we had: Filestash strips the scheme
before its own Host check, so `curl /` returned 200, the API answered, wrong
passwords were rejected, and the brand-new Uptime Kuma HTTP monitor stayed
green — while the SPA computed `http://https://files...` and no browser could
use the site. An HTTP monitor asserts "server returned 200", which is a much
weaker claim than "the app works".

- CLAUDE.md / README: four traps now, host-scheme first; add the post-change
  check (`/api/config` → origin must be the real https URL).
- 19-routes: login form only renders at ?action=redirect (a bare 303 is
  normal, not a bug); assert origin after config changes.
- 10-uptime-kuma: an HTTP monitor cannot see an SPA break — use a Keyword
  monitor if you want teeth, and don't read green as "users can log in".

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-14 18:31:46 +02:00
10b86ae23e fix(files): general.host must be a bare hostname, not a URL
The SPA computes its redirect origin as (force_ssl ? "https://" : "http://")
+ general.host. With host set to "https://files.${BASE_DOMAIN}" that produced
"http://https://files.ulicraft.net", so every client-side redirect broke and
the page never routed anywhere.

Server-side this was invisible: SecureOrigin strips the scheme before the
Host check, so `curl /` returned 200, the API answered, and the uptime
monitor stayed green — only real browsers failed. The tell is a
`POST /report?...msg=Redirecting to http://https://...` line in the log.

Set host to the bare hostname and force_ssl=true (which the origin needs to
build https://, and which only emits an HSTS header — it does not redirect,
so it can't loop behind the plain-http nginx→caddy hop).

Verified: origin is now "https://files.ulicraft.net"; login + ls still work.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-14 18:27:42 +02:00
cd79b0e540 docs(files): document filestash across plan/README/deploy skill
Fold files./filestash into the docs that carry the service list, the vhost
map and the deploy procedure — README stack table, 00-overview, 02-caddy,
12-build-order, 14-deploy, and the deploy skill.

Two real gaps the filestash deploy exposed, now guardrails in the skill:
- update-all.sh never touches host nginx, so a NEW SUBDOMAIN silently 404s
  after deploy. It needs issue-letsencrypt.sh + render-nginx.sh --install.
- a new service with ${FOO:?} guards fails the WHOLE compose file, so a
  missing .env var means `up` starts nothing — and --hard has already run
  `down`. Check the host's .env BEFORE tearing the stack down.

Also: filestash/config.json is a single-file bind mount re-rendered every
run, so a rolling update-all leaves it on a stale inode (same trap as the
caddy conf) — force-recreate after any FILES_* change.

Correct the cochi divergence section: `git diff HEAD` on the host is now
empty (verified this deploy — the ff-pull succeeded). The documented
docker-compose.yml/package.json divergence was converged; only untracked
dnsmasq/, caddy-root-ca.crt and a stale pack/ remain. The stash-pull-pop
procedure it prescribed is no longer needed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-14 18:23:18 +02:00
25df9f9398 feat(files): add Filestash player file share at files.${BASE_DOMAIN}
One shared login (htpasswd) for all players, writable. Config is rendered
from a template and mounted read-only, so git stays authoritative — the
admin console loads but cannot save, by design.

Filestash's OIDC/SAML middlewares are enterprise-only, so Keycloak SSO is
out; FILES_AUTH keeps htpasswd/passthrough switchable for later. Auth-off
(passthrough) is only valid once the host is off the public internet —
render-config.sh warns loudly when rendering it.

Three traps, all found by testing against the pinned image:
- the `local` backend is admin-gated: without LOCAL_BACKEND_SECRET in the
  connection params every login fails with "backend error - Not Allowed"
- the htpasswd plugin only accepts $2a$ bcrypt, so a $2y$ hash from
  `htpasswd -B` fails every login silently — use `openssl passwd -6`.
  render-config.sh rejects the wrong format rather than shipping it
- APPLICATION_URL/ADMIN_PASSWORD env make filestash rewrite config.json at
  boot, which fails on the :ro mount — both live in the rendered config

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-14 18:08:46 +02:00
1958a96acf chore(mods): classify 11 new distribution mods
Distribution added 11 jars. classify-mods.py seeds all as `both`
(none declare CLIENT in neoforge.mods.toml). Hand-flip the two
pure-client cosmetic ones so sync-server-mods.sh drops them:

- ExtremeSoundMuffler: client-side sound muffling UI
- ToastControl: client-side toast popup suppression

Rest stay `both` — Placebo/moonlight/caelus are libs, and
amendments/etched/fishingoverhaul/immersive_paintings/
createornithopterglider/emotecraft add server-side content or sync.

Also map iris as `client`. It is referenced by distribution.json but
absent from the local (gitignored) dist jar dir, so classify-mods.py
never sees it; mapping it keeps mods-sides.json aligned with the
manifest. Client-only, so the sync selection is unchanged.

server-mods/ now 130 jars (was 123).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-09 20:29:35 +02:00
e45ce210ba docs(mc): document Simple Voice Chat voice_host gotcha + commit prod snapshot
voice_host lives in the mc_data volume and regenerates empty on world wipe,
silently breaking remote voice (secret sent, UDP handshake never completes →
red icon). Document the set/restore steps and the VPN-client false-positive
(Cloudflare One/WARP, FortiClient drop voice UDP). Add a known-good prod
snapshot at server-configs/voicechat-server.properties (voice_host=ulicraft.net).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 23:16:02 +02:00
d12071df04 fix(mc): ONLINE_MODE=true — authlib-injector needs online handshake for skins
online-mode=false made the server skip the online-auth handshake entirely, so
authlib-injector never validated sessions against Drasl: players got offline-hash
UUIDs and no skin textures (everyone Steve). authlib-injector's whole purpose is
to redirect the *online* handshake from Mojang to Drasl, so online-mode must be
true; only the 1.21+ secure profile stays off (ENFORCE_SECURE_PROFILE=false +
Drasl SignPublicKeys=false). Correct the conflation in CLAUDE.md and
plan/05-minecraft.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 22:34:47 +02:00
a67b9cf59e fix(mc): mount only kubejs source subdirs ro, keep kubejs root writable
Mounting the whole kubejs dir read-only made KubeJS's BaseProperties.save()
throw NPE on boot (it writes config/cache/generated/logs under kubejs/),
so KubeJS never initialised. Bind only the source subdirs (server_scripts,
startup_scripts, data, assets) read-only and let the kubejs root live
writable in mc_data.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 22:01:07 +02:00
d303d23d18 feat(mc): mount distribution kubejs + CustomSkinLoader into server
The minecraft container only received forgemods jars via ./server-mods.
The distribution's files/kubejs (server_scripts, data, startup_scripts)
and CustomSkinLoader never reached the server, so server-side kubejs
recipes/scripts were silently absent.

Bind-mount both from DISTRIBUTION_WEB_ROOT (read-only, to avoid the
server polluting the client distribution with kubejs-generated files).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-24 21:53:47 +02:00
614e47598b chore(mods): repoint rechiseled (both) + fusion (client) to fixed jars
Distribution replaced the wrong-version jars: rechiseled now
mc1.21 (gate [1.21,1.21.2) — valid for 1.21.1, no longer the broken
mc1.21.11 build) so back to `both`; fusion bumped 1.3.2a→1.3.2b, stays
`client` (resource-pack texture feature). Dropped the two stale entries.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 23:39:09 +02:00
69871c8a93 fix(mods): drop rechiseled from server — wrong MC version
rechiseled-1.2.5-neoforge-mc1.21.11.jar targets Minecraft 1.21.11 /
NeoForge 21.11, not this server's 1.21.1 / 21.1.233. As `both` it crashed
the server at pre-load (FATAL ModLoader: requires minecraft 1.21.11). Mark
`client` to exclude it from server-mods so the server boots.

NOTE: the jar is still wrong-version for clients too (same gate) — it must
be removed from / replaced in the distribution to be usable at all.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 23:36:03 +02:00
015bf7fbe3 chore(mods): classify fusion (client) + rechiseled (both)
Two new distribution mods. rechiseled adds decorative blocks → both
(server needs the block registry). fusion is a client-only resource-pack
texture/model feature (no blocks/logic) → client, so sync drops it from
server-mods.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 23:31:25 +02:00
d0bc81f0f7 chore(mods): classify ulicraftmod as both
New custom mod ulicraftmod-1.21.1-1.0.0-6.0.10 added to the distribution;
content mod (server + client), so both.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 23:07:26 +02:00
35be2e6b76 docs(plan): scrub stale pack subdomain + packwiz from live-arch docs
The pack./packwiz service was removed operationally long ago, but several
plan docs still presented pack. as a live caddy vhost / DNS subdomain and
render-pack.sh as a current tool. Remove those references from the
current-architecture docs (overview, caddy, tooling, uptime-kuma,
letsencrypt, mc-backup); leave the migration log (04-mods.md), superseded
banner (04-packwiz.md), commit history (12-build-order.md), and planned
landing rework (18) intact as deliberate history.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 20:15:22 +02:00
33b9ebc7f6 feat(landing): slim status section, hero, and server-card icon
- Remove the stat-grid from the status section (server card only); prune the
  now-orphaned site.stats, MOD_COUNT_KEY, statLabels (3 locales), and
  .stat-grid/.tile CSS.
- Empty-roster message -> "Nobody online", now localized (status.empty in
  en/es/eu) and wired to both ServerCard instances.
- Flatten the server-card icon (drop the inset emboss bevel on .sc-icon).
- Drop "Solo LAN" (hero metaLan) from the hero meta row; prune metaLan (3 locales).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 19:45:19 +02:00
b9929da54d chore(mods): add geckolib + terrablender (Yungs worldgen deps)
YUNG's Cave Biomes hard-requires geckolib>=4.7.6 and terrablender>=4.1.0.8;
both now in the distribution. Classified both (server worldgen libs).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 19:21:56 +02:00
36c28362bc chore(mods): sync mods-sides.json with distribution
+21 new (Yungs* + Moogs* worldgen, lootjs, solcarrot, melter,
seamless-loading-screen), -8 removed (FramedBlocks, GnKinetics,
create_vibrant_vaults, createtransmission, interiors, picaxe,
bellsandwhistles, welcomescreen). seamless-loading-screen hand-edited
to client (pure client UI). Worldgen mods stay both — server generates
structures.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 19:05:44 +02:00
07a4ae469d docs(minecraft): document OP-via-RCON, not itzg OPS env
OPS env resolves names via Mojang lookup, but the server is offline-mode
with Drasl auth (own UUIDs) → wrong UUID, inert op entry. Document the
RCON procedure that uses the cached Drasl UUID from usercache.json.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-21 15:00:22 +02:00
2c3e4cf385 feat(branding): use goat logo in header on all pages
The home page header already used ulicraft-logo-mini.svg; apply the same
brand mark to the register, account, and fjord page headers (and footers),
replacing the leftover Creeper pixel-art.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 10:11:09 +02:00
4855447b29 feat(branding): use Ulicraft goat logo in header, ServerCard, and server icon
- landing header + footer brand: swap the Creeper pixel-art for the
  ulicraft-logo-mini.svg goat mark.
- ServerCard fallback icon: same logo (real SLP favicon still overrides on
  a successful ping).
- minecraft: set ICON=/extras/server-icon.png + OVERRIDE_ICON so the
  in-game server-list entry and the SLP favicon use the goat logo. PNG
  ships in ./runtime (mounted /extras).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 09:59:07 +02:00
14ef545bbb chore: remove pack (packwiz) service and subdomain
The pack service was already gone from compose/caddy and the landing is
off packwiz. Remove the remaining live references: the pack. TLS vhost in
the host nginx template, pack from LE_SUBDOMAINS, and stale docs in README
and CLAUDE.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-11 09:38:28 +02:00
7222904c91 docs(readme): document the mc-status server-status JSON endpoint
Describe the self-hosted mc-status pinger (mcstatus.io v2 JSON, same-origin via
caddy /api/mcstatus/* → mc-status:8080) that the landing ServerCard reads, with
the apex endpoint and a direct-to-caddy curl example.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 02:27:41 +02:00
8a71709048 docs(deploy): caddy conf bind mounts are inode-pinned — recreate, not reload
Document the gotcha hit fixing distribution CORS: caddy/conf.d/*.caddy are
single-file bind mounts pinned to the host inode at container creation. git pull
rewrites tracked files via atomic rename (new inode), so a running caddy keeps
the old config; `restart`/`caddy reload` reuse the stale inode. Apply conf
changes with `docker compose up -d --force-recreate caddy` (or the --hard
down/up). Added to plan/14-deploy.md and the deploy skill guardrails.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 02:26:42 +02:00
db63aa7d10 fix(caddy): allow CORS on distribution /launcher/* for launcher.json fetch
The landing page (apex origin) fetches launcher.json from the distribution
vhost cross-origin to render download buttons; add Access-Control-Allow-Origin
on /launcher/* so the browser doesn't block it. Public assets, no credentials.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 02:05:54 +02:00
39b9262ee9 fix(landing): fetch launcher downloads from live launcher.json on load
The build-time download buttons baked stale/placeholder URLs (the host has no
synced launcher.json, so the build fell back to launcher.example.json). Render
a skeleton at build time instead and fetch the live launcher.json client-side
once on page load (no polling) from
https://distribution.${BASE_DOMAIN}/launcher/launcher.json, building per-OS
buttons from files[]. On fetch error the skeleton clears.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 02:03:22 +02:00
037b1777d6 feat(landing): rename crew to "El valle" + source downloads from launcher.json
Rename all "crew" mentions (en/es/eu) to the untranslated proper name
"El valle" across hero, members, and features copy in i18n/ui.ts.

Rewire the homepage launcher download list to the custom-launcher build
output launcher.json (productName/version/files[]) instead of the
never-produced launcher-manifest.json shape. site.ts now reads launcher.json
and normalizes files[] -> internal builds[]; launcher.example.json is the
committed fallback. Drop the stale launcher-manifest.example/schema, update
.gitignore and docs (CLAUDE.md, plan/18).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 01:55:05 +02:00
1019da66a3 chore(mods): reconcile sides for distribution mod changes
Added picaxe (both). Pruned 5 stale keys for removed jars: LittleFrames,
waterframes, watermedia, watervision (WaterMedia stack dropped from the
pack) and the orphan iris key. sides keys 135→131 = current dist count.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 01:36:25 +02:00
0b098ae06e fix(mods): mark WaterMedia stack client — refuses dedicated server
watermedia throws IllegalEnvironmentException on server-side ("keep it
on client"). Its natives (wm_binaries) and dependents (watervision,
waterframes) are client-render media mods too — flip all four to client
so sync drops them.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 01:26:24 +02:00
db270a9695 fix(mods): mark cwb (Cubes Without Borders) client — crashes dedicated server
cwb declares @Mod(dist=CLIENT); classify-mods.py read its toml side as
BOTH (the dist annotation isn't in the manifest), so it synced to the
server and RuntimeDistCleaner FATAL'd on CubesWithoutBordersImpl. Flip
to client so sync drops it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 01:23:40 +02:00
4750c0d6c7 feat(mods): classify 59 new distribution jars (Create ecosystem)
Distribution grew 76→135 forgemods; classify-mods.py seeded the 59
new jars into mods-sides.json (57 both, 2 client). Unblocks the server
mod sync — server was stuck on the old 52-jar subset.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 01:21:42 +02:00
220b43d007 docs(deploy): document update-all.sh as the post-pull orchestrator
Rewrite the routine-redeploy section around update-all.sh (rolling vs --hard),
list the steps it runs, note the python>=3.11 requirement for build-modlist on
cochi (default python3 is 3.10), and that www/ + mods.json are generated every
run. The deploy skill = pull + fetch-authlib + ./update-all.sh --hard.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 01:06:39 +02:00
37d21cacf9 fix(update-all): run build-modlist.py under python >=3.11
The host's default python3 may predate stdlib tomllib (cochi/Ubuntu 22.04 ships
3.10), so the shebang-resolved python3 failed the version guard and strict-halt
aborted the run. Pick the first python3.11+ interpreter instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 00:05:03 +02:00
3af14d0144 feat(tooling): add update-all.sh post-pull orchestrator; deploy skill uses it
update-all.sh is the single source of truth for the on-host post-pull build +
restart steps: render drasl/nmsr configs, sync server mods, regen the landing
mod list, rebuild www/, then apply via docker compose. Two modes:
- default (rolling): up -d --build, then restart ONLY services whose mounted
  inputs changed since a pre-run snapshot — drasl/nmsr on a config re-render,
  minecraft on a mod change. Minimal downtime. (Cannot detect caddy static-conf
  changes — use --hard for those.)
- --hard: down --remove-orphans && up -d --build (full restart, MC downtime).

Strict halt on any error; landing build sources nvm + pnpm (never npm) and bakes
.env. fetch-authlib stays out (rarely changes) — the deploy skill runs it before
update-all. Refactor the deploy skill to `pull && fetch-authlib && update-all.sh
--hard` so the step list can't drift.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 00:03:57 +02:00
369b4dc0a0 style(landing): bump roster player name to 18px
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 23:28:01 +02:00
c3b2d89ddc feat(landing): switch heading font to Block Blueprint
Replace Pixelify Sans with Block Blueprint as the heading font (theme.headFont).
Block Blueprint isn't on Google Fonts, so it's vendored straight from 1001fonts
(License: 1001Fonts Free For Personal Use — fine for this private friends'
server) as a TTF, with a hand-written @font-face appended to fonts.css. The
vendor step is added to fetch-fonts.sh (runs after the Google rewrite so it
survives re-runs). Pixelify stays available as a HEAD_FONTS option + the
hard-coded fallback.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 22:17:52 +02:00
362228f985 feat(landing): 230px fullbody roster, features goat column, trimmed header
- Members roster avatars render 230px tall (full body); NMSR size bumped to 256
  and tiles widened to fit the portrait.
- Features section is now two columns: the 4 feature cards stacked on the left, a
  Minecraft goat image on the right (public/Goat_JE1_BE1.webp). Stacks on narrow
  screens.
- Header nav links trimmed to How to Join + Status; the auth CTA cluster is now
  Register / Account / Play (the old "Log in" button relabeled Account →
  Cuenta/Kontua).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 22:13:58 +02:00
c8a6c77a8e feat(landing): rework — es default, 2-step join, roster + account polish
- Default language Spanish at root /, English moves to /en/ (eu unchanged):
  getStaticPaths {lang:undefined}->es + LANG_*_PATH maps swapped in ui.ts.
- Section order: hero -> join -> status -> members -> mods -> features.
- Join flow 3 -> 2 steps (drop the Connect/IP step; launcher handles the
  address). Remove the hero IP CopyChip. Header CTA renamed Play/Jugar/Jolastu
  and gains Register + Login links on all four pages.
- Account page: hide the whole login block once authenticated (not just the
  form), add an avatar Refresh button (cache-busted NMSR re-fetch), flatten the
  avatar (no bevel). New i18n key account.refresh.
- Register page: new REGISTRATION_SHOW_INVITE env (default false/hidden) toggles
  the invite-code field independently of the REGISTRATION_MODE backend gate.
- Members roster: drop the `admin` account, render full-body via a new
  ROSTER_AVATAR_MODE (default fullbodyiso); portrait tiles.
- Style: flatten emboss on feature icons (.picon) + player tiles (.roster-tile).
  PixelIcon gains optional image support (/icons/<name>.png|svg).
- Favicon now /favicon.png (committed) on all pages.
- Docs: plan/09-landing.md Assets section (logo/favicon/features-icons drop
  points) + default-language note; .env.example documents the two new vars.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 22:03:18 +02:00
c233b1bfbc docs(drasl): record admin bootstrap + config-key/CORS/NMSR gotchas
Capture what this session learned the hard way, in plan/03-drasl.md and CLAUDE.md:

- Correct admin key is DefaultAdmins (not DefaultAdminUsernames); wrong/unknown
  keys are silently ignored by drasl (logged as "unknown config option").
- CORSAllowOrigins must be top-level, before any [Section], or it's ignored.
- First-admin bootstrap under invite mode is a chicken-egg → temp-flip
  RequireInvite=false, register, revert.
- NMSR needs the auth. host-gateway pin + https mojank endpoints or avatars
  render the default skin (cross-ref plan/19-routes.md).
- Fix the stale example config and mark the admin-bootstrap task done.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 21:20:54 +02:00
de1ac2ee17 fix(nmsr): render real skins, not default — pin auth. to host over https
Every avatar rendered the default skin. NMSR fetched the player profile from
Drasl fine, but the profile embeds an absolute HTTPS skin URL (Drasl BaseURL is
https), and NMSR could not connect to auth.${BASE_DOMAIN}:443: the mcnet alias
resolves auth. -> caddy, which only listens on :80 internally. Logs showed
`fetch_texture_from_mojang … client error (Connect)` for the skin URL, so NMSR
fell back to the default skin.

Mirror what the minecraft service already does: pin auth.${BASE_DOMAIN} to the
host via extra_hosts so NMSR reaches the host nginx on :443 (real LE cert,
publicly trusted — no private CA needed), and switch the nmsr mojank endpoints
from http:// to https:// so the profile/texture scheme matches the embedded
skin URLs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 21:12:59 +02:00
5d5602fbd7 feat(nmsr): cut avatar refresh lag to ~1min + document HTTP routes
NMSR has no per-request avatar refresh (the `?skin=` override is ignored by this
build), so the only lever for a changed skin to appear is the resolve cache.
Drop resolve_cache_duration 15m -> 60s so account-page skin changes propagate
within ~1 min; texture cache stays 48h (Drasl skin URLs are content-hashed, so a
new skin is always a new URL — never stale). Cost is one extra internal Drasl
profile lookup per avatar per minute, trivial for 4-10 players.

Update the now-stale "~15 min" copy (skinLead + skinPreviewNote, en/es/eu) and
code comments to "~1 min".

Add plan/19-routes.md: a reference for the nmsr / landing / auth HTTP routes
(public via caddy + browser->Drasl + internal service-to-service), indexed in
plan/00-overview.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 20:58:57 +02:00
97347693b6 fix(drasl): correct admin key + CORS placement in config template
Two config keys were silently ignored by drasl (logged as "unknown config
option"), so neither took effect in production:

- `DefaultAdminUsernames` is not a drasl option; the correct top-level key is
  `DefaultAdmins`. With the wrong key, the `admin` user never got promoted —
  admin-only API routes (e.g. GET /players for the registered-players roster)
  returned 403.
- `CORSAllowOrigins` sat after the `[RegistrationNewPlayer]` table header, so
  TOML parsed it as `RegistrationNewPlayer.CORSAllowOrigins` (ignored → no CORS
  headers → landing register/account browser calls blocked). Moved it top-level,
  before any [Section], with a comment warning against re-nesting.

Verified against drasl master configuration.md.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 18:34:48 +02:00
a138bbfd72 fix(landing): add valid pnpm-workspace.yaml (packages + build approvals)
Host cochi carried an untracked landing/pnpm-workspace.yaml with a bogus
`allowBuilds:` key and no `packages:` field, which made pnpm 11 abort every
command with "packages field missing or empty" — breaking the deploy landing
rebuild. Track a correct file: `packages: ['.']` plus `onlyBuiltDependencies`
for esbuild/sharp. Verified install + astro build clean locally.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 18:27:30 +02:00
6c7e259fcb feat(landing): join-flow rework, player rosters, account page, mod list
Execute plan/18 (WS1-6) + plan/17.

- WS1: homepage join = 3 steps off packwiz (register -> UlicraftLauncher
  -> join); per-OS downloads from a synced launcher-manifest.json (schema +
  example committed); Fjord moved to its own /fjord page. Drop packwizUrl.
- WS2/3: mc-status gains an isolated /players endpoint (admin login ->
  Drasl GET /players, own client+TTL+token cache, never blocks the status
  path); online + registered rosters render shared name+avatar tiles;
  AVATAR_MODE env (default headiso).
- WS4: /account skin CRUD via browser-direct Drasl (login -> upload ->
  reset), in-memory token, players[0]; register relinks "Manage it here".
- WS5: footer link to status.${BASE_DOMAIN} in every footer.
- WS6: tooling/build-modlist.py generates mods.json + extracted logos from
  the distribution forgemods; ModList.astro renders a flat list; stat tile
  fed from the count.

Manifest/mods loaders read at build with a process.cwd() fallback (the
import.meta.url-only path does not resolve in Astro's bundled build).

New env: AVATAR_MODE, DRASL_ADMIN_USERNAME, DRASL_ADMIN_PASSWORD (mc-status
only). Generated mods.json / launcher-manifest.json / logos are gitignored;
.example.json files document the shapes. Build: 12 pages; mc-status builds.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 18:17:14 +02:00
096ef82420 docs(04-mods): record first-cutover deploy gotchas
Document the two crash classes hit on first deploy: NeoForge pin must match
the distribution's version, and client-only mods that declare BOTH crash the
dedicated server with "invalid dist DEDICATED_SERVER" (tomllib can't catch
them — hand-set to client + re-sync). Mark the decommission checklist done;
flag the landing join-flow rework as the one remaining open item. Current
state: 24 client / 52 both.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 01:16:48 +02:00
c249172baa fix(mods): mark client-only GUI mods as client in mods-sides.json
Drippy Loading Screen (and other client-only mods declaring BOTH in their
manifest) crashed the dedicated server with "Attempted to load class
net/minecraft/client/gui/screens/Screen for invalid dist DEDICATED_SERVER".
tomllib can't catch these (they declare BOTH), so hand-classify the leaf
client-only mods as `client`: BetterF3, JustEnoughResources, MouseTweaks,
Searchables, TravelersTitles, drippyloadingscreen, entityculling, fancymenu,
konkrete, melody, ponderjs, welcomescreen, yeetusexperimentus. Now 24 client
/ 52 both.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 00:07:50 +02:00
fa8cede6ae docs(roadmap): track post-migration mod follow-ups
Two follow-ups from the packwiz→04-mods migration: curate cosmetic-client
entries in mods-sides.json, and rework the landing join flow off the dead
packwiz pack.toml URL onto the HeliosLauncher/distribution.json flow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-10 00:03:07 +02:00
84196d59d0 fix(minecraft): bump NeoForge pin to 21.1.233 to match distribution
The distribution-fed modset is built against NeoForge 21.1.233
(distribution.json); several mods hard-require it (ferritecore ≥21.1.218,
farmersdelight ≥21.1.219, configured ≥21.1.211). The old 21.1.209 pin made
the server crash in pre-load with "Missing or unsupported mandatory
dependencies: neoforge".

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 23:59:23 +02:00
27237bc7c1 feat(mods): replace packwiz with distribution-fed custom mod volume
Drop packwiz entirely. The server now loads a filtered mod subset from a
local ./server-mods volume instead of fetching a packwiz pack at boot.

New flow:
- tooling/classify-mods.py (tomllib only, no network) reads each jar's
  META-INF/neoforge.mods.toml and seeds mods-sides.json with a side
  (client|server|both; default both). Existing entries are preserved.
- mods-sides.json: committed, keyed by jar filename, hand-editable override
  surface. Initial seed: 65 both, 11 client, 0 server (76 jars).
- tooling/sync-server-mods.sh mirrors the both/server jars from
  $DISTRIBUTION_WEB_ROOT into ./server-mods/ (authoritative; prunes strays;
  halts on a missing jar). Replaces render-pack.sh.
- compose: minecraft mounts ./server-mods:/mods:ro with REMOVE_OLD_MODS=TRUE
  (itzg auto-syncs /mods -> /data/mods). Removed PACKWIZ_URL, the pack.
  extra_host (auth. kept for authlib), and depends_on caddy (drasl kept).

Both classify-mods.py and sync-server-mods.sh resolve their source dir as:
CLI arg / MODS_DIST_DIR env / $DISTRIBUTION_WEB_ROOT (in that order).

Removed: tooling/render-pack.sh + add-custom-mod.sh (packwiz tooling),
pack/ (packwiz source), custom/ (76 jars now sourced from the distribution),
the pack. caddy vhost + its mounts/alias, and the packwiz .gitignore block.

Client distribution is UNCHANGED: HeliosLauncher still installs the full
modset from distribution.json. Docs (CLAUDE.md, plan/04/05/14, runtime)
updated; plan/04-packwiz.md stubbed as superseded by plan/04-mods.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 23:34:38 +02:00
90c3be7bb5 https auth 2026-06-09 22:13:31 +02:00
d21a7f0e92 feat(landing): live server card backed by self-hosted mc-status
Add a featured live ServerCard to the landing (replaces the static
ServerListPanel in hero + status sections): server favicon, color MOTD,
online/offline pill, players online/max with fill bar, and a player-head
row rendered by our own NMSR from Drasl skins. Progressive enhancement —
SSG skeleton degrades gracefully when JS or the API is unavailable.

Back it with a self-hosted pinger instead of the public api.mcstatus.io:
mcstatus.io's API service is closed-source (only the mcutil library is
open), so docker/mc-status wraps mcutil and re-emits its v2 JSON shape,
keeping the frontend unchanged. The service ignores the path address and
only pings MC_STATUS_TARGET (no SSRF relay), with a 30s TTL cache.

Exposed same-origin via caddy at the apex /api/mcstatus/* path (no new DNS
subdomain or LE cert change, no CORS). Uptime Kuma stays the uptime
history + alerting backend; see plan/15-mc-status.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 22:08:30 +02:00
df8ffca53e feat(landing): self-serve registration page via Drasl API (B1)
Add a static /register page (en/es/eu) that calls the Drasl REST API v2
directly from the browser: register -> login -> optional skin upload, all
in the pixel design. Guests never touch Drasl's own web UI.

Drasl config gains the pieces this needs:
- CORSAllowOrigins scoped to the apex (the API has no CORS until set;
  never "*").
- [RateLimit] for the now public-facing anonymous POST /users.
- [RegistrationNewPlayer] with RequireInvite driven by a new
  REGISTRATION_MODE (invite|open) .env flag.

REGISTRATION_MODE has two consumers from one key: render-config.sh derives
the TOML boolean for Drasl (drasl is TOML-only, no env), and the landing
build reads it to show/hide the invite-code field. render-config.sh halts
on any value other than invite/open.

Security verified against drasl source: anonymous POST /users cannot set
privileged fields (isAdmin/isLocked/chosenUuid/maxPlayerCount are gated on
callerIsAdmin in CreateUser), so browser-direct registration is safe.

Docs: plan/16-landing-registration.md captures the design + the B1 vs fork
decision; build-order, deploy, and the deploy skill wire REGISTRATION_MODE
and the landing-rebuild requirement (www/ is gitignored, not updated by a
git pull).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 21:55:51 +02:00
067e990306 mods 2026-06-09 18:29:48 +02:00
673202e1e4 fix(compose): pin auth./pack. to host-gateway so HTTPS resolves in-container
Containers don't inherit the host's /etc/hosts; the LAN resolver returns a
dead address (192.168.0.3:443) for the public names, crash-looping the
packwiz install on boot. extra_hosts host-gateway routes HTTPS through the
host's nginx (valid LE cert) -> caddy -> service.

Also add plan/10-uptime-kuma.md (Minecraft monitor: internal + public probes)
and document the HTTPS resolution variant in plan/00-overview.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 04:11:53 +02:00
1ec3a9c1ee internals http 2026-06-09 03:55:54 +02:00
663b87a4e4 change to https 2026-06-09 03:37:48 +02:00
a2821f2bbc feat(tooling): fetch-authlib.sh to download authlib-injector.jar
The server JVM agent (runtime/authlib-injector.jar, mounted at /extras) is
gitignored and was previously fetched by the deleted build-stack.sh prep. A
fresh checkout had no jar, so minecraft crashlooped with "Error opening zip
file or JAR manifest missing". Add a standalone fetch tool: resolves the latest
release asset, downloads, and verifies it's a real zip/jar (PK magic) before
trusting it. Idempotent (skips if valid, --force to re-download). Wire it into
the deploy skill and README launch steps.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 03:06:59 +02:00
cfd60131fb fix(landing): https + correct subdomains, drop dead CA-cert step
The guest landing page advertised http:// service URLs (mixed-content on the
https origin) and the wrong packwiz subdomain:
- authUrl / authlibUrl: http -> https
- packwizUrl: http://packwiz. -> https://pack.  (correct vhost)
- serverAddress: mc. -> apex (connect to ${BASE_DOMAIN}:25565)
- remove caCertUrl + the "trust the local CA" join step (airgap-only, /ca.crt
  no longer exists) and its en/es/eu i18n strings + type.

Also fix the stale http BaseURL example in plan/03-drasl.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 02:56:59 +02:00
95c63e1ee0 fix(drasl): use https BaseURL to match TLS ingress
Public scheme is HTTPS (host nginx terminates TLS in front of caddy). Drasl
builds absolute URLs — texture URLs and the authlib-injector API location —
from BaseURL, so an http:// value caused mixed-content blocking and broken
login on the https origin. Point BaseURL at https://auth.${BASE_DOMAIN}.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 02:53:35 +02:00
46103495fb fix(compose): pre-create pack/custom mountpoint for nested ro bind
The ./custom:/srv/pack/custom mount nests inside the read-only ./pack:/srv/pack
mount. Docker can't mkdir the child mountpoint under a :ro parent, so on a fresh
checkout (no pack/custom/ dir) container init fails with "read-only file system".
Track an empty pack/custom/ so the mountpoint always exists.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 02:28:15 +02:00
1709bcd340 docs(claude): rewrite project context for unified stack
Drop stale Keycloak/OIDC, NetBird, AdGuard/.home.local, airgap, and
Prism-specific content. Reflect the current reality: single docker-compose.yml
(drasl, minecraft, mc-backup, caddy, nmsr, uptime-kuma), Drasl password-login
auth (no OIDC), public nginx+LE -> caddy ingress, DNS handled outside the repo,
FjordLauncher for guests. Point to plan/ as the source of truth; keep the
still-valid gotchas (secure-profile, authlib-injector, NeoForge pinning, mod
source) and carry-over comms prefs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 02:16:42 +02:00
67d1f82e6a refactor!: unify into one compose, drop airgap/mirror/dnsmasq/avahi/blessingskin
Collapse the override-file matrix into a single docker-compose.yml holding the
whole stack: drasl, minecraft, mc-backup, caddy, nmsr, uptime-kuma. Bring-up is
now just `docker compose up -d --build`.

Removed features (dead-ends for this deployment):
- airgap / full asset mirror (mirror-airgap.sh, mirror-mods.sh, 20-mirror.caddy,
  caddy local-CA export, /ca.crt)
- dnsmasq + avahi/mDNS + dns-records.sh + mdns-host-setup.sh + ENABLE_MDNS;
  DNS is now handled outside this repo (HOST_LAN_IP dropped)
- Blessing Skin auth variant (compose + 00-core-blessingskin.caddy + BS_* env)
- host-nginx-static variant (docker-compose.nginx.yml, nginx/ulicraft.conf.tmpl)
- build-stack.sh and its run modes (online/airgap/core)

Production ingress is the only path now: host nginx terminates TLS (LE certs)
in front of caddy on a localhost-only port; caddy routes every vhost by Host
header. Launcher downloads move mirror/launcher -> launcher/.

Docs: README, deploy skill, and plan/ rewritten to match; obsolete plan docs
(dnsmasq, blessing-skin, assets-mirror, full-airgap-mirror, dns-and-run-modes)
deleted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 02:14:09 +02:00
126 changed files with 6554 additions and 3075 deletions

View File

@@ -1,6 +1,6 @@
---
name: deploy
description: Redeploy the Ulicraft Minecraft stack to the production host `cochi` — git pull on main then a hard restart (compose down + build-stack.sh --up online). Use when the user says "deploy", "redeploy", "deploy to cochi", "push to prod", "ship it", or "restart the server" for this project. Causes brief Minecraft downtime.
description: Redeploy the Ulicraft Minecraft stack to the production host `cochi` — git pull on main then a hard restart (compose down + up). Use when the user says "deploy", "redeploy", "deploy to cochi", "push to prod", "ship it", or "restart the server" for this project. Causes brief Minecraft downtime.
---
# Deploy Ulicraft to `cochi`
@@ -13,8 +13,9 @@ Redeploy the running stack on the production host. Full reference:
- Host: `cochi` (SSH alias)
- Path: `/home/ubuntu/mc/ulicraft-server-v1`
- Branch: `main`
- Run mode: `online` → compose files `docker-compose.yml` + `docker-compose.static.yml`
- Auth: Drasl (base stack)
- Stack: single unified `docker-compose.yml` (drasl, minecraft, mc-backup,
caddy, nmsr, mc-status, uptime-kuma, filestash)
- Auth: Drasl
- Restart: **hard** (down → up) — players are disconnected for a few minutes
## Procedure
@@ -30,37 +31,96 @@ invoking this skill is the authorization to proceed, but:
already up to date and ask whether to restart anyway (they may want a plain
restart). If `git fetch` fails (host unreachable, auth), STOP and report.
2. **Pull + hard restart** (single SSH session, halts on any error):
**If the incoming commits ADD A SERVICE, check `.env` on the host first.**
A new service with `${FOO:?...}` guards (filestash uses them) fails the
**whole compose file**, not just that service — so a missing var means
`up` refuses to start *anything*, and a `--hard` deploy has already run
`down`. The stack stays down. Check before tearing it down:
```bash
ssh cochi 'cd /home/ubuntu/mc/ulicraft-server-v1 && grep -c "^FILES_" .env'
```
Same for a new **subdomain**: it needs a cert (`LE_SUBDOMAINS` +
`issue-letsencrypt.sh`) and an nginx vhost — see step 2b, which the deploy
does NOT do for you.
2. **Pull, ensure authlib, then `update-all.sh --hard`** (single SSH session,
halts on any error):
```bash
ssh cochi 'set -e
cd /home/ubuntu/mc/ulicraft-server-v1
git pull --ff-only
docker compose -f docker-compose.yml -f docker-compose.static.yml down --remove-orphans
tooling/build-stack.sh --up online'
tooling/fetch-authlib.sh
./update-all.sh --hard'
```
- `--ff-only` refuses to merge — if the pull is not a fast-forward, STOP and
report (local changes on the host need manual resolution).
- `build-stack.sh --up online` renders configs (needs `.env` complete:
`BASE_DOMAIN`, `HOST_LAN_IP`, `RCON_PASSWORD`) and runs `compose up -d`.
- `fetch-authlib.sh` ensures `runtime/authlib-injector.jar` exists (gitignored;
skips if already valid; NOT part of update-all since it rarely changes).
Missing jar = minecraft crashloops with "Error opening zip file or JAR
manifest missing". Run it before `update-all` so the jar is present when
compose brings minecraft up.
- **`update-all.sh` is the single source of truth** for the post-pull build +
restart steps (render drasl/nmsr configs from `.env`, sync server mods, regen
the landing mod list, rebuild `www/`, then apply via docker compose). It is
also runnable on its own for a lighter rolling update (no `--hard` =
change-detected restart, no world downtime). `--hard` here does
`down --remove-orphans && up -d --build` for the deliberate full restart.
`render-config.sh` halts on an invalid `REGISTRATION_MODE` (must be `invite`
or `open`); a missing distribution jar halts `sync-server-mods.sh`. The
landing rebuild is unconditional (the gitignored `www/` is never updated by
`git pull`), so no separate landing step is needed.
2b. **Only if the deploy changed `nginx/ulicraft-caddy.conf.tmpl`** (a new
subdomain, a new body-size/rate-limit rule, a changed `CADDY_HTTP_PORT`).
`update-all.sh` does **not** touch the host nginx, so a new vhost simply
won't exist and the subdomain 404s / hits the wrong server block:
```bash
ssh cochi 'cd /home/ubuntu/mc/ulicraft-server-v1 && tooling/render-nginx.sh --install'
```
It runs `nginx -t` before reloading, so a bad render fails safe. The cert
must already exist (`certs/<name>/cert.pem`) or nginx won't load the block —
issue it first with `tooling/issue-letsencrypt.sh` (reads `LE_SUBDOMAINS`).
3. **Verify.**
```bash
ssh cochi 'cd /home/ubuntu/mc/ulicraft-server-v1 && docker compose -f docker-compose.yml -f docker-compose.static.yml ps'
ssh cochi 'cd /home/ubuntu/mc/ulicraft-server-v1 && docker compose ps'
```
Confirm `caddy`, `drasl`, `minecraft`, `mc-backup` are Up. Tail the minecraft
log briefly and confirm it reaches `Done` (server ready):
Confirm `caddy`, `drasl`, `minecraft`, `mc-backup`, `nmsr`, `mc-status`,
`uptime-kuma`, `filestash` are Up. Tail the minecraft log briefly and confirm
it reaches the ready marker (match `Done (Ns)! For help` — a bare `Done`
also matches unrelated mod-loading lines):
```bash
ssh cochi 'cd /home/ubuntu/mc/ulicraft-server-v1 && timeout 120 docker compose -f docker-compose.yml -f docker-compose.static.yml logs -f minecraft' 2>/dev/null | grep -m1 "Done"
ssh cochi 'cd /home/ubuntu/mc/ulicraft-server-v1 && timeout 180 docker compose logs -f minecraft' 2>/dev/null | grep -m1 'Done ([0-9.]*s)! For help'
```
If a public vhost changed, verify it end-to-end from your workstation rather
than trusting `compose ps` (a container can be Up while nginx never routes to
it): `curl -s -o /dev/null -w '%{http_code}' https://<vhost>/`.
## Guardrails
- Never `git reset --hard` or discard changes on `cochi` without telling the user
first — there may be host-local edits.
- Volumes (`mc_data`, `drasl_state`) persist across `down`; the world is safe. Do
NOT pass `-v`/`--volumes` to `down`.
- **Caddy conf changes need a recreate, not reload/restart.** If the deploy
touched any `caddy/conf.d/*.caddy` or the Caddyfile and you did a *rolling*
`update-all.sh` (not `--hard`), the change WON'T apply: those are single-file
bind mounts pinned to the host inode, and `git pull` gives the file a new inode.
`restart`/`caddy reload` reuse the stale inode. Run
`docker compose up -d --force-recreate caddy`, then verify with
`docker compose exec caddy cat /etc/caddy/conf.d/<file>`. The `--hard` path
(full `down`/`up`) already recreates, so it's unaffected.
- **Same trap for `filestash/config.json`** — also a single-file bind mount, and
it is *re-rendered on every run* by `render-config.sh`, so a rolling
`update-all.sh` leaves filestash reading the stale inode after any `FILES_*`
change (rotating the shared password, flipping `FILES_AUTH`). Apply with
`docker compose up -d --force-recreate filestash`. `--hard` is unaffected.
- **Never let `filestash/config.json` be missing when compose runs.** It is
gitignored and rendered; if it doesn't exist, Docker creates a *directory* at
that path and filestash breaks in a confusing way. `update-all.sh` renders
before `up`, so the normal path is safe — just don't hand-run `docker compose
up` on the host without rendering first. If it happened: `rm -rf
filestash/config.json && tooling/render-config.sh && docker compose up -d
--force-recreate filestash`.
- Volumes (`mc_data`, `drasl_state`, `kuma_data`) persist across `down`; the
world and monitors are safe. Do NOT pass `-v`/`--volumes` to `down`.
- If a step fails, STOP and surface the exact error + the failing command. Do not
improvise recovery on production.
- Blessing Skin variant or `airgap` mode changes the compose file set — if the
user asks for those, follow `plan/14-deploy.md` instead of the fixed commands
above.

View File

@@ -1,35 +1,100 @@
# Copy to .env and fill in real values
# Single base domain for the whole stack; every service is a subdomain of this.
# Use .lan (NOT .local) — .local is intercepted by mDNS on macOS/Linux and
# won't resolve through a normal unicast DNS server.
BASE_DOMAIN=ulicraft.lan
# The Docker host's LAN IP — every service name resolves here.
HOST_LAN_IP=192.168.1.10
# mDNS toggle. true + BASE_DOMAIN=*.local → an Avahi container publishes the
# service names over mDNS (zero-config for macOS/Linux guests; Windows needs
# Bonjour). false → use your own party DNS (records: tooling/dns-records.sh).
# NOTE: mDNS resolves ONLY *.local; it cannot serve the air-gap upstream-host
# spoofs — those always need a real DNS server.
ENABLE_MDNS=false
# DNS is handled OUTSIDE this repo — point ${BASE_DOMAIN} and every subdomain
# (auth. avatar. status. distribution. www.) at the host running nginx.
BASE_DOMAIN=ulicraft.net
RCON_PASSWORD=change-me-to-something-random
# Caddy host-published port (docker-compose.caddy.yml). Default 80 for the
# standalone LAN/air-gap path. When the machine's own nginx fronts caddy
# (nginx terminates TLS → reverse-proxies to caddy), set a high port and bind
# it to localhost so only nginx reaches it:
# CADDY_HTTP_PORT=8880
# CADDY_HTTP_BIND=127.0.0.1
# Then render nginx/ulicraft-caddy.conf.tmpl with CADDY_HTTP_PORT.
CADDY_HTTP_PORT=80
CADDY_HTTP_BIND=0.0.0.0
# Registration mode (BACKEND gate) for self-hosted accounts (Drasl).
# invite = closed; guests need an admin-minted invite code (recommended on a
# public, internet-present host). Admin mints via POST /drasl/api/v2/invites.
# open = anyone can self-register with username+password (set [RateLimit]!).
# Consumed by render-config.sh (-> Drasl RegistrationNewPlayer.RequireInvite).
# Default: invite. NOTE: this no longer controls the landing invite FIELD — that's
# REGISTRATION_SHOW_INVITE below.
REGISTRATION_MODE=invite
# distribution.${BASE_DOMAIN} static vhost (docker-compose.distribution.yml).
# Absolute host path to the built static site — it lives in ANOTHER repo.
# Bind-mounted read-only into caddy and served at distribution.${BASE_DOMAIN}.
# Show the invite-code FIELD on the landing register form. Read by the landing
# BUILD (data/site.ts) only; default false (hidden). Independent of the backend
# gate above. CAVEAT: if REGISTRATION_MODE=invite (Drasl requires a code) but this
# is false, public self-registration can't supply one — enable both together, or
# mint accounts admin-side. true | false.
REGISTRATION_SHOW_INVITE=false
# NMSR avatar render mode for the landing's avatar tiles. Read by the landing
# BUILD (data/site.ts) only. Avatar URL =
# https://avatar.${BASE_DOMAIN}/<mode>/<uuid>?size=N. e.g. headiso | head | fullbody.
# AVATAR_MODE → ServerCard online row + account preview (heads)
# ROSTER_AVATAR_MODE → Members grid (full body; default fullbodyiso)
AVATAR_MODE=headiso
ROSTER_AVATAR_MODE=fullbodyiso
# Drasl admin creds for the registered-players roster (/api/mcstatus/players).
# Consumed ONLY by the mc-status container (server-side login → sanitized
# [{uuid,name}] list); these NEVER reach the browser. Use a DEDICATED, rotatable
# admin account (Drasl has no read-only role) to limit blast radius. Leave blank
# to disable the roster (the Members grid then just shows its empty state).
DRASL_ADMIN_USERNAME=
DRASL_ADMIN_PASSWORD=
# caddy host-published port. The host's own nginx terminates TLS and
# reverse-proxies to caddy by Host header (nginx/ulicraft-caddy.conf.tmpl), so
# bind caddy to a high localhost-only port — only nginx should reach it.
CADDY_HTTP_PORT=8880
CADDY_HTTP_BIND=127.0.0.1
# distribution.${BASE_DOMAIN} static vhost. Absolute host path to the built
# static site — it lives in ANOTHER repo. Bind-mounted read-only into caddy.
DISTRIBUTION_WEB_ROOT=/home/oier/projects/mc-mods/ulicraft-group/ulicraft-distribution/dist
# ── files.${BASE_DOMAIN} — Filestash player file share ────────────────
# Screenshots / schematics / maps. ONE shared login for all players, writable.
# Full design + gotchas: plan/20-files.md.
# Host path holding the shared files. Keep it OUTSIDE the repo — guest-writable
# data must not live in a git tree we `git pull` into.
FILES_DATA_DIR=/srv/ulicraft-files
# Literal mount flag for FILES_DATA_DIR: rw | ro. `ro` makes the share
# read-only at the KERNEL, regardless of what the Filestash UI thinks. It is a
# mount flag rather than a boolean because compose has no conditionals — the
# value is substituted straight into the volume string.
FILES_MOUNT_MODE=rw
# Auth middleware (rendered into config.json by render-config.sh):
# htpasswd one shared user/pass — the only internet-safe value
# passthrough NO LOGIN. Anyone reaching the vhost is in.
# none alias of passthrough
# passthrough/none on a WRITABLE, internet-reachable share is an open upload
# relay (malware/phishing hosted on your domain, under your cert, with your
# bandwidth — and a domain blocklisting would take auth. and the apex down
# with it). Only set it once this host is unreachable from the internet.
FILES_AUTH=htpasswd
# The shared player credential (FILES_AUTH=htpasswd).
# FILES_PASSWORD_HASH: openssl passwd -6 '<password>'
# MUST be $6$ (sha512). The htpasswd plugin's bcrypt branch only accepts $2a$,
# so a $2y$ hash from `htpasswd -B` fails EVERY login, silently.
# render-config.sh rejects the wrong format rather than shipping it.
FILES_USER=uli
FILES_PASSWORD_HASH=
# Filestash /admin console password — bcrypt, and /admin IS publicly exposed, so
# use a 20+ char generated password. It is the only credential guarding config.
# docker run --rm caddy:alpine caddy hash-password --plaintext '<password>'
FILES_ADMIN_PASSWORD_HASH=
# Session key (openssl rand -hex 16). Must be non-empty: an empty secret_key
# makes filestash rewrite config.json at boot, which fails on the :ro mount.
FILES_SECRET_KEY=
# Unlocks the local storage backend, which filestash admin-gates: it refuses to
# init unless the connection params carry this secret. config.json supplies it
# server-side; players never see it. openssl rand -hex 24.
FILES_LOCAL_SECRET=
# Only needed if using CurseForge-exclusive mods:
# CF_API_KEY=your-curseforge-api-key
@@ -37,7 +102,7 @@ DISTRIBUTION_WEB_ROOT=/home/oier/projects/mc-mods/ulicraft-group/ulicraft-distri
# Only needed to issue real TLS certs. DNS-01 needs no inbound ports.
LE_EMAIL=you@example.com
# space-separated subdomains; apex ${BASE_DOMAIN} is always included
LE_SUBDOMAINS=auth pack distribution www avatar status
LE_SUBDOMAINS=auth distribution www avatar status files
# OVH API creds (DNS zone write). Create at https://eu.api.ovh.com/createToken/
# OVH_CK can be blank on first run — acme.sh prints an auth URL, then paste it.
OVH_END_POINT=ovh-eu
@@ -45,13 +110,3 @@ OVH_AK=
OVH_AS=
OVH_CK=
# LE_STAGING=1 # use the untrusted staging CA for dry runs
# ── Blessing Skin auth variant (docker-compose.blessingskin.yml) ──────
# Only needed when running the Blessing Skin override instead of Drasl.
BS_DB_NAME=blessingskin
BS_DB_USER=blessingskin
BS_DB_PASSWORD=change-me-bs-db
BS_DB_ROOT_PASSWORD=change-me-bs-root
# Generate once and paste here so it survives container recreates:
# docker run --rm azusamikan/blessing-skin-server-docker:latest php artisan key:generate --show
BS_APP_KEY=base64:replace-with-generated-key

32
.gitignore vendored
View File

@@ -6,16 +6,16 @@ runtime/authlib-injector.jar
# rendered configs (from tooling/render-config.sh)
drasl/config/config.toml
nmsr/config.toml
dnsmasq/dnsmasq.conf
# packwiz pack files rendered from pack/**/*.tmpl by tooling/render-pack.sh
# (domain-dependent build output); source of truth is the .tmpl + custom/ jars.
pack/mods/*.pw.toml
pack/index.toml
pack/CustomSkinLoader/CustomSkinLoader.json
# holds the admin bcrypt hash, the shared player hash, the session key and the
# local-backend secret — only the .tmpl is tracked
filestash/config.json
# vendored / mirrored binaries
mirror/
pack/mods-files/
# server mod subset synced from the distribution repo by
# tooling/sync-server-mods.sh (source of truth is mods-sides.json + $DIST jars)
server-mods/
# vendored binaries
launcher/
# landing page: generated build output + deps
www/
@@ -23,8 +23,18 @@ landing/node_modules/
landing/.astro/
landing/dist/
# exported Caddy CA (per-deploy artifact)
caddy/caddy-root-ca.crt
# launcher download list: the custom-launcher build output launcher.json,
# synced from UlicraftLauncher/dist/launcher.json (launcher.example.json is
# committed as the documented shape)
landing/src/data/launcher.json
# mod catalogue + extracted logos: generated by tooling/build-modlist.py from
# the distribution forgemods (the .example.json is committed as the empty shape)
landing/src/data/mods.json
landing/public/mod-logos/
# compiled mc-status binary (built into the image; stray local `go build` output)
docker/mc-status/mc-status
# Let's Encrypt certs + private keys (issued by tooling/issue-letsencrypt.sh)
certs/

415
CLAUDE.md
View File

@@ -1,280 +1,219 @@
# Minecraft LAN Party Server — Project Context
# Ulicraft Server — Project Context
> Self-hosted modded Minecraft server for a LAN party (~8 players), with
> persistent auth/skin infrastructure designed to outlive the LAN weekend
> and integrate with the existing homelab.
> Self-hosted modded Minecraft (NeoForge 1.21.1) with self-hosted auth/skins
> (Drasl), a distribution-fed modpack, avatar rendering, a guest landing page, and uptime
> monitoring. Public, internet-present deployment behind the host's nginx + TLS.
**`plan/` is the source of truth for the design.** Start at `plan/00-overview.md`.
This file is a fast orientation + the durable decisions/gotchas; when it disagrees
with `plan/` or the code, those win.
## Goals & Constraints
- **Players**: 410 friends, LAN-based
- **Players**: 410 friends
- **Modpack vibe**: Kitchen-sink (tech + magic + exploration + QoL)
- **Pack approach**: Manually curated (~50100 mods), NOT a forked existing pack
- **Minecraft version**: 1.21.1
- **Mod loader**: NeoForge (NOT classic Forge — see Decisions below)
- **Network**: LAN party context, but stack is persistent (lives past the weekend)
- **Auth**: Self-hosted Yggdrasil-compatible (Drasl) + Keycloak OIDC
- **Skins**: Handled by Drasl
- **Persistence horizon**: Long-term homelab service, not disposable
## Existing Homelab Context (relevant to this project)
- **Keycloak 26.0.7** running in Docker Compose (PostgreSQL 17, production mode,
bind-mounted secrets, xforwarded proxy headers). This is the IdP for everything.
- **NetBird** as the proxy/networking layer for remote access (NOT used for the
LAN party itself — see Decisions).
- **AdGuard Home** as recursive DNS resolver — used here for `*.home.local` LAN records.
- **Multi-VPS topology**: this Minecraft project likely runs on a local box or
beefier homelab node, not a VPS (RAM/CPU requirements).
- Operator timezone: Europe/Madrid.
## Key Decisions (with reasoning)
### NeoForge over classic Forge
Despite the user originally saying "Forge", the 1.21.x kitchen-sink ecosystem
(ATM10, Leaking Kitchen Sink, etc.) is overwhelmingly NeoForge in 2025/2026.
The original Forge team essentially migrated to NeoForge. `itzg/minecraft-server`
supports both via `TYPE=NEOFORGE`. Going with NeoForge 1.21.1.
### Drasl over Ely.by or vanilla offline mode
- **Ely.by**: not self-hosted, Russian-hosted, no control over identity layer.
- **Vanilla offline + no auth server**: works for one weekend but skins break,
no persistent identity, doesn't match homelab philosophy.
- **Drasl**: self-hosted Go service, Yggdrasil-compatible, drop-in Mojang
replacement, supports skins + capes, **has first-class OIDC support with
PKCE** (perfect for Keycloak), actively maintained (current version 3.4.2+).
GPLv3 licensed.
### LAN (not NetBird) for the party itself
NetBird is the homelab's remote access layer, but adding a mesh VPN on top
of a LAN party introduces complexity for guests with no upside. Drasl and
Minecraft live on the LAN; clients reach them via `drasl.home.local` resolved
through AdGuard.
### Manual curation (user choice — flagged as expensive)
User insisted on manual curation despite my pushback that forking ATM10 or
Leaking Kitchen Sink would save weeks of crash-log triage. **Note for future
sessions**: if curation gets painful, the fork-and-trim option is still on
the table — Leaking Kitchen Sink is the closest match to the requested vibe.
### itzg/minecraft-server as base image
The de facto standard. Handles NeoForge installation automatically via
`TYPE=NEOFORGE` + `VERSION` + `NEOFORGE_VERSION`. Supports Modrinth and
CurseForge mod auto-download via `MODRINTH_PROJECTS` and `CURSEFORGE_FILES`.
- **Minecraft version**: 1.21.1, **NeoForge** (not classic Forge)
- **Auth/skins**: Drasl (Yggdrasil-compatible), **password login** — no OIDC
- **DNS**: handled OUTSIDE this repo; point `${BASE_DOMAIN}` + subdomains at the host
- **Persistence horizon**: long-term service, not disposable
## Architecture
```
LAN segment
├── AdGuard Home → resolves drasl.home.local, keycloak.home.local
│ to the Docker host's LAN IP
├── Keycloak (existing, separate compose)
│ realm: homelab
│ client: drasl (confidential, PKCE S256)
└── Minecraft host (this project's compose)
├── drasl :25585 (Yggdrasil API + web UI)
│ └── OIDC → Keycloak
├── minecraft :25565 (server)
│ :24454/udp (Simple Voice Chat, optional)
│ └── -javaagent:authlib-injector.jar=http://drasl.home.local:25585/authlib-injector
│ └── ONLINE_MODE=false (required for authlib-injector)
└── mc-backup (itzg/mc-backup, 6h interval)
└── RCON → minecraft
One unified `docker-compose.yml`. The host's own nginx terminates TLS (Let's
Encrypt) and reverse-proxies every vhost to caddy (published localhost-only) by
Host header. caddy is the internal router; containers reach the stack's own names
via caddy's `mcnet` aliases (`auth.`).
Clients (LAN party guests):
Prism Launcher → authlib-injector account pointing at Drasl
→ joins minecraft:25565
```
Internet ── host nginx (TLS, LE certs, HSTS) ──► caddy (127.0.0.1:8880)
│ routes by Host:
${BASE_DOMAIN} ─► /srv/www landing + /launcher/ downloads
auth.${BASE_DOMAIN} ─► drasl (Yggdrasil API + web UI)
avatar.${BASE_DOMAIN} ─► nmsr (skin/avatar renderer, Drasl-backed)
status.${BASE_DOMAIN} ─► uptime-kuma (status page + monitors)
files.${BASE_DOMAIN} ─► filestash (player file share, ONE shared login, writable)
distribution.${BASE} ─► static site from ANOTHER repo (DISTRIBUTION_WEB_ROOT)
minecraft :25565 (+ 24454/udp Simple Voice Chat)
└ ONLINE_MODE=true (validated against Drasl, NOT offline), -javaagent authlib-injector → http://auth.${BASE_DOMAIN}/authlib-injector
└ mods from ./server-mods volume (/mods, REMOVE_OLD_MODS) — see plan/04-mods.md
mc-backup ── RCON → minecraft (6h interval, prune 14d, world-only)
```
## Auth Flow (end-to-end)
Bring-up: render configs → sync server mods → build landing → fetch launcher → `docker compose up -d --build`.
See `plan/12-build-order.md` and `plan/14-deploy.md`. Deploy to prod host `cochi`
via the `deploy` skill.
1. Guest opens `http://drasl.home.local:25585` in browser.
2. Clicks "Register with Keycloak" → redirected to Keycloak login.
3. Logs in with homelab Keycloak credentials.
4. Returned to Drasl, picks a player name, uploads a skin.
5. Drasl shows them a "Minecraft Token" on their profile page.
6. In Prism Launcher: Settings → Accounts → Add authlib-injector account
with URL `http://drasl.home.local:25585/authlib-injector` and the
Minecraft Token as password.
7. Joins Minecraft server. Server validates session against Drasl (via
authlib-injector JVM agent), Drasl confirms, player enters with their skin.
## Key Decisions
- **NeoForge over Forge** — the 1.21.x kitchen-sink ecosystem is overwhelmingly
NeoForge; the Forge team migrated. `itzg/minecraft-server` via `TYPE=NEOFORGE`.
- **Drasl over Ely.by / vanilla offline** — self-hosted Go service, Yggdrasil
drop-in, skins + capes, actively maintained. Run with **password login**
(no OIDC/Keycloak in this stack).
- **Manual curation** (user choice, flagged expensive) — if it gets painful,
fork-and-trim Leaking Kitchen Sink is still on the table (closest vibe match).
- **itzg/minecraft-server** base image — de-facto standard, auto-installs NeoForge.
- **Distribution-fed mod volume (replaced packwiz)** — the modset's source of
truth is the HeliosLauncher distribution repo (`$DISTRIBUTION_WEB_ROOT`).
Clients install the full set via `distribution.json`. The SERVER loads a
filtered subset (`both`/`server`) from a mounted `./server-mods` volume
(`REMOVE_OLD_MODS=TRUE`). See `plan/04-mods.md`.
## Critical Gotchas
### Minecraft 1.21+ secure profile incompatibility
- Server: must set `enforce-secure-profile=false` (compose: `ENFORCE_SECURE_PROFILE=FALSE`)
- Drasl: must set `SignPublicKeys = false`
- These are linked. The Drasl docs explicitly warn: *"Mixed authentication does
not work with `SignPublicKeys = true` on Minecraft 1.21+."*
### Minecraft 1.21+ secure profile
- Server: `ENFORCE_SECURE_PROFILE=FALSE` (`enforce-secure-profile=false`)
- Drasl: `SignPublicKeys = false`
- Linked. Drasl docs: *"Mixed authentication does not work with
`SignPublicKeys = true` on Minecraft 1.21+."*
- **This is the ONLY auth flag that goes off. `ONLINE_MODE` stays TRUE** — see
next gotcha. Do not conflate "secure profile off" with "offline mode".
### ONLINE_MODE must be TRUE (authlib-injector ≠ offline)
authlib-injector redirects the server's normal **online**-auth handshake from
Mojang to Drasl. `ONLINE_MODE=FALSE` skips that handshake → offline-hash UUIDs,
no Drasl session validation, and **no skins** (everyone joins but everyone is
Steve; `usercache.json` shows offline-hash UUIDs). Keep `ONLINE_MODE=TRUE`.
### authlib-injector JVM agent
- Syntax: `-javaagent:/path/to/authlib-injector.jar=<yggdrasil-api-url>`
- The URL after `=` is the **API root**, which for Drasl is
`<BaseURL>/authlib-injector`.
- **Must match between server and client.** If server uses
`http://drasl.home.local:25585/authlib-injector` and client uses anything
else (e.g. an IP), session validation fails silently with "Invalid session".
- Download from: https://github.com/yushijinhun/authlib-injector/releases
- Mount into the itzg container at `/extras/authlib-injector.jar`.
### Keycloak reachability on LAN day
If Keycloak is only reachable via NetBird or only from the public internet,
**Drasl OIDC registration breaks on LAN-only day**. Options:
1. Expose Keycloak on the LAN (simplest)
2. Pre-register all guests before the party
3. Temporarily disable OIDC and allow password registration during the LAN
(`AllowPasswordLogin = true`, comment out the OIDC block)
### HTTP vs HTTPS for OIDC
Modern browsers warn on plain HTTP for OIDC flows but they work. For a
production-grade setup, front Drasl with Caddy or Traefik using a local CA
cert (smallstep/step-ca pairs well with the existing homelab). For LAN-only
HTTP is fine.
- Syntax: `-javaagent:/extras/authlib-injector.jar=<yggdrasil-api-url>`
- URL after `=` is the **API root** = `<BaseURL>/authlib-injector`. For this
stack: `http://auth.${BASE_DOMAIN}/authlib-injector` (internal, over mcnet).
- **Must match between server and client** (clients use the public
`https://auth.${BASE_DOMAIN}/authlib-injector`), else session validation fails
silently with "Invalid session".
- Releases: https://github.com/yushijinhun/authlib-injector — jar lives in
`runtime/` (mounted at `/extras/authlib-injector.jar`).
### NeoForge version pinning
Mods are picky about exact NeoForge minor versions. The compose currently
pins `NEOFORGE_VERSION: "21.1.209"` as a placeholder. **Verify against
https://projects.neoforged.net/neoforged/neoforge before deploying.** Don't
use `"latest"` for a stable server.
Mods are picky about exact minor versions. Compose pins `NEOFORGE_VERSION:
"21.1.233"` **must match the distribution's NeoForge** (`distribution.json`),
since mods are built against it (e.g. ferritecore≥218, farmersdelight≥219).
**Verify against https://projects.neoforged.net/neoforged/neoforge before
deploying.** Never `"latest"` for a stable server.
### Drasl username vs player name
- **Drasl username** = OIDC user's email (used for web UI login)
- **Player name** = `preferred_username` from OIDC, or user-chosen if
`AllowChoosingPlayerName = true`
- Keycloak users must have email set. Verify the realm's email-as-username
setting and the `preferred_username` mapper are configured.
### Mod source + server filtering
The full modset lives in the distribution repo (`$DISTRIBUTION_WEB_ROOT/servers/
ulicraft-1.21.1/forgemods/required/*.jar`), managed by Nebula. Clients get
everything via `distribution.json`. The server runs a **filtered subset**:
`tooling/classify-mods.py` reads each jar's `neoforge.mods.toml` with tomllib and
seeds `mods-sides.json` (`client|server|both`, default `both`), then
`tooling/sync-server-mods.sh` copies the `both`/`server` jars into `./server-mods`
(mounted at `/mods`). Hard client-only mods (sodium/iris) classify as `client`
automatically; cosmetic-client mods that declare `BOTH` stay `both` until you
hand-edit `mods-sides.json` to `client`. No Modrinth/packwiz, no network at
classify/sync time. See `plan/04-mods.md`.
### Mod source preference
Prefer **Modrinth over CurseForge** for itzg auto-download. CurseForge
requires an API key (`CF_API_KEY`) and has been historically flakier with
the itzg image. Use CF only for mods that are exclusive to it.
### Filestash (files.) — four traps
Full list in `plan/20-files.md`; the ones that cost real time:
- **`general.host` is a BARE HOSTNAME** (`files.${BASE_DOMAIN}`, no scheme) +
`force_ssl: true`. The SPA builds its origin as `scheme + host`, so a URL there
yields `http://https://files...` and every client-side redirect dies. The
server strips the scheme before its own Host check, so **curl and the uptime
monitor stay green while every browser is broken**. Cost a debugging round on
2026-07-14.
- The `local` backend is **admin-gated**: without `LOCAL_BACKEND_SECRET` in the
connection params, every login fails with `backend error - Not Allowed` (looks
like bad credentials, isn't).
- `FILES_PASSWORD_HASH` must be **`$6$`** (`openssl passwd -6`). A `$2y$` bcrypt
from `htpasswd -B` fails every login silently — the plugin only matches `$2a$`.
- `config.json` is rendered + mounted `:ro` (the admin console can't save, on
purpose). Single-file bind mount ⇒ **`--force-recreate` after re-rendering**,
never `restart`.
## Compose Stack
The working compose file is at `./docker-compose.yml`. Key environment vars
documented inline. Adjacent files:
```
.
├── docker-compose.yml
├── .env # RCON_PASSWORD, CF_API_KEY (if needed)
├── drasl/
│ └── config/
│ ├── config.toml # see ./drasl-config.toml example
│ └── keycloak-client-secret # single line, no trailing newline
├── extras/
│ ├── authlib-injector.jar # downloaded from yushijinhun's releases
│ ├── modrinth-mods.txt # one mod slug per line
│ └── cf-mods.txt # only if using CurseForge mods
├── backups/ # mc-backup writes here
└── CLAUDE.md # this file
```
**Verifying an SPA:** a 200 on `/` proves the server is up, not that the app
works. After any filestash config change, check the browser-facing values
(`curl /api/config``origin`) and re-read `docker compose logs filestash`
the broken redirect announced itself there (`msg=Redirecting to http://https://`)
while every other check passed.
### Memory sizing
With ~50100 mods and 8 concurrent players on 1.21.1:
- `INIT_MEMORY: 4G`, `MAX_MEMORY: 10G` is a safe starting point
- Use `USE_AIKAR_FLAGS: TRUE` for the well-known GC tuning
- Monitor with `mc-monitor` (itzg makes one) if you want metrics
~50100 mods, 8 players, 1.21.1: `INIT_MEMORY: 4G`, `MAX_MEMORY: 10G`,
`USE_AIKAR_FLAGS: TRUE`.
### Backups
`itzg/mc-backup` runs alongside, talks to the server via RCON, takes
snapshots every 6h, prunes after 14 days. Backups are world-only (no mod
jars), which is correct — mods are reproducible from the mod list files.
## Config (.env)
## Keycloak Client Configuration
`BASE_DOMAIN`, `RCON_PASSWORD`, `CADDY_HTTP_PORT`/`CADDY_HTTP_BIND`,
`DISTRIBUTION_WEB_ROOT` (source of the modset + caddy `distribution.` mount), the
Let's Encrypt block (`LE_EMAIL`, `LE_SUBDOMAINS`, `OVH_*`). Rendered configs
(drasl, nmsr) come from `*.tmpl` via `tooling/render-config.sh` (substitutes
`${BASE_DOMAIN}` only). Server mods are synced (not rendered) by
`tooling/sync-server-mods.sh`.
In the `homelab` realm (or whatever the realm is called):
## Client Distribution (guests)
1. **Clients → Create client**
- Client type: `OpenID Connect`
- Client ID: `drasl`
- Name: `Drasl Minecraft Auth`
2. **Capability config**
- Client authentication: **ON** (confidential client)
- Authentication flow: **Standard flow** only
- Disable: Direct access grants, Implicit, Service accounts
3. **Login settings**
- Root URL: `http://drasl.home.local:25585`
- Valid redirect URIs: `http://drasl.home.local:25585/web/oidc-callback/Keycloak`
(the `Keycloak` at the end MUST match the `Name = "Keycloak"` in Drasl's
`[[RegistrationOIDC]]` block — case sensitive)
- Web origins: `http://drasl.home.local:25585`
4. **Credentials tab** → copy Client Secret to
`./drasl/config/keycloak-client-secret` (no trailing newline).
5. **Advanced tab** → PKCE Code Challenge Method: `S256`
## Client Distribution (LAN guests)
### Recommended launcher
**Prism Launcher** — open source, cross-platform (Win/Mac/Linux), first-class
authlib-injector support, can import/export instance ZIPs.
### Per-guest one-time setup
1. Install Prism Launcher.
2. Add authlib-injector account:
- URL: `http://drasl.home.local:25585/authlib-injector`
- Username/password: their Drasl credentials (or Minecraft Token if
registered via Keycloak OIDC)
3. Import the modpack instance ZIP.
### What to ship guests
- A Prism instance ZIP (right-click instance → Export Instance)
- A one-page README with the auth URL and import steps
- Optionally `authlib-injector.jar` for guests who refuse Prism
Launcher: **FjordLauncherUnlocked** (Prism fork, first-class authlib-injector),
mirrored at apex `/launcher/`. Per guest:
1. Download from `https://${BASE_DOMAIN}``/launcher/`.
2. Add an authlib-injector account, URL
`https://auth.${BASE_DOMAIN}/authlib-injector` (register/login at
`https://auth.${BASE_DOMAIN}`).
3. The launcher installs the modpack from the distribution (`distribution.json`).
(packwiz and the `pack.` service/subdomain have been fully removed.)
4. Connect to `${BASE_DOMAIN}` (`:25565`).
## Open / Pending Work
These were on the roadmap when we ended the brainstorm:
### Roadmap — mod migration follow-ups (post packwiz→04-mods)
- [ ] **Curate `mods-sides.json` cosmetic-client mods.** tomllib auto-flagged 11
hard client-only mods; the other 65 default `both`, including client-cosmetic
ones (BetterF3, entityculling, MouseTweaks, ponderjs, fancymenu, drippy, melody,
welcomescreen, Searchables, JustEnoughResources, TravelersTitles, yeetus…) that
load harmlessly on the server but waste RAM. Hand-edit them to `client` so
`sync-server-mods.sh` drops them from `./server-mods`. (Also review `appleskin`,
flagged `client` — flip to `both` if server-side food data wanted.)
### Landing rework + mod list (PLANNED — see `plan/18-landing-rework.md`)
Full design settled across WS1WS6; all tasks unchecked, ready to execute.
- [ ] **WS1 — Join flow off packwiz.** Homepage = UlicraftLauncher, 3 steps
(register → download launcher → join); drop `packwizUrl` + packwiz step.
Per-OS downloads from a synced `launcher.json` (shape
`productName/version/files[]`, the build output of the `custom-launcher`
repo; `launcher.example.json` committed as the documented fallback). Fjord
moves to its own `/fjord` page.
- [ ] **WS2/3 — Player rosters.** Online (mc-status, live) + all-registered (new
`mc-status /api/mcstatus/players`, admin-login → Drasl `GET /players`, ~60s
cache). Shared avatar tile, `AVATAR_MODE` env (default `headiso`). Admin creds
→ mc-status only.
- [ ] **WS4 — Account page** (`/account`): skin CRUD via browser-direct Drasl
(reuses `register.astro` skin JS). Skins only, in-memory token, `players[0]`.
- [ ] **WS5 — Footer status link** to `status.${BASE_DOMAIN}` (nav unchanged).
- [ ] **Mod shortlist for the kitchen-sink pack.** Categories to fill:
- Performance (Embeddium/Sodium-equivalent for NeoForge, FerriteCore, ModernFix)
- Tech/automation (Mekanism, Create, Immersive Engineering, AE2)
- Magic (Ars Nouveau, Botania, Iron's Spells 'n Spellbooks)
- Storage (Sophisticated Storage/Backpacks, Functional Storage)
- Exploration (YUNG's structures, Repurposed Structures, biome packs)
- QoL (JEI, Jade, JEI Resources, Inventory Profiles Next, AppleSkin)
- World gen (Tectonic, Terralith — check NeoForge 1.21.1 compat)
- Compat glue (Polymorph for recipe conflicts)
- Map (XaeroMinimap + Xaero World Map)
- Voice (Simple Voice Chat — port 24454/udp already in compose)
- [ ] **Decide on dimension/server-side performance mods** (C2ME, Lithium-equivalent)
- [ ] **Reverse proxy + local TLS** for Drasl (Caddy + step-ca recommended,
given the existing homelab)
- [ ] **DNS record** in AdGuard for `drasl.home.local` → Docker host LAN IP
- [ ] **Keycloak client** creation per the section above
- [ ] **Verify NeoForge version** against current stable before first deploy
- [ ] **Bootstrap admin in Drasl**: leave `AllowPasswordLogin = true` initially,
create the admin account, then optionally disable password login to force OIDC
- [ ] **WS6 — Mod shortlist + list component (`plan/17-mod-shortlist.md`).**
Light gap doc: current 76-jar pack is vanilla+ QoL/perf; **empty** on tech &
magic, thin worldgen, no map; orphan deps `ponderjs`/`Necronomicon`. Landing
mod-list component = auto-generated `mods.json` + extracted logos from the
distribution forgemods (`tooling/build-modlist.py`), flat alphabetical, pretty
names, no categories/links; feeds the "50+" stat tile.
- [ ] Server-side perf mods (C2ME, etc.).
- [x] **Filestash file share** (`files.`, 2026-07-14) — live in prod. One shared
htpasswd login, writable, rendered `:ro` config. See `plan/20-files.md`.
Follow-ups: add the Uptime Kuma HTTP monitor for `files.`; the share is
**outside mc-backup** and unquota'd (accepted — eyeballed).
- [ ] **Verify NeoForge version** against current stable before first deploy.
- [x] **Bootstrap Drasl admin** account (`admin`, 2026-06-10). Key is
`DefaultAdmins` (not `DefaultAdminUsernames`); first admin needs an invite-flip.
See `plan/03-drasl.md` gotchas.
## Reference URLs
- Drasl repo: https://github.com/unmojang/drasl
- Drasl configuration docs: https://github.com/unmojang/drasl/blob/master/doc/configuration.md
- Drasl recipes (example configs): https://github.com/unmojang/drasl/blob/master/doc/recipes.md
- Drasl: https://github.com/unmojang/drasl — config docs:
https://github.com/unmojang/drasl/blob/master/doc/configuration.md
- authlib-injector: https://github.com/yushijinhun/authlib-injector
- itzg/minecraft-server: https://github.com/itzg/docker-minecraft-server
- itzg NeoForge docs: https://github.com/itzg/docker-minecraft-server/blob/master/docs/types-and-platforms/server-types/forge.md
(NeoForge: …/docs/types-and-platforms/server-types/forge.md)
- itzg/mc-backup: https://github.com/itzg/docker-mc-backup
- NeoForge versions: https://projects.neoforged.net/neoforged/neoforge
- Prism Launcher: https://prismlauncher.org/
- Reference modpacks for inspiration (NOT forking):
- ATM10 (Modrinth/CurseForge — ~500 mods, NeoForge 1.21.1)
- Leaking Kitchen Sink (CurseForge — trimmed ~150 mods, NeoForge 1.21.1)
- NMSR: https://github.com/NickAcPT/nmsr-rs
- Uptime Kuma: https://github.com/louislam/uptime-kuma
- FjordLauncherUnlocked: https://github.com/hero-persson/FjordLauncherUnlocked
- Reference packs (inspiration, NOT forking): ATM10, Leaking Kitchen Sink.
## Communication Preferences (carry-over from past sessions)
## Communication Preferences (carry-over)
- Concise and direct
- Diagnose and resolve without demanding detailed reproduction steps
- Prefer iterative single-change updates over large rewrites
- Cautious scripts that halt on ambiguity rather than proceeding silently
- Avoid over-engineered responses when a simple answer suffices
- Spanish or English fine; user is comfortable in both
- Concise and direct; diagnose + resolve without demanding repro steps.
- Prefer iterative single-change updates over large rewrites.
- Cautious scripts that halt on ambiguity rather than proceeding silently.
- Avoid over-engineering when a simple answer suffices.
- Spanish or English both fine.

284
README.md
View File

@@ -1,132 +1,89 @@
# Ulicraft Server
Self-hosted modded Minecraft (NeoForge 1.21.1) for a LAN party. Runs **online**
(internet present) or **fully air-gapped** (offline). Self-hosted auth/skins
(Drasl), a packwiz modpack, a guest landing page, and a transparent mirror of
Mojang/launcher/NeoForge assets so guest laptops need no internet.
Self-hosted modded Minecraft (NeoForge 1.21.1) with self-hosted auth/skins
(Drasl), a distribution-fed modpack, avatar rendering, a guest landing page, and
uptime monitoring. One unified `docker-compose.yml` runs the whole stack behind
the host's nginx + Let's Encrypt.
## Stack
One compose file, one `docker compose up -d`:
| Service | Image | Role |
|---|---|---|
| `minecraft` | itzg/minecraft-server | NeoForge 1.21.1 server, `:25565` |
| `drasl` | unmojang/drasl | Yggdrasil auth + skins (password login) |
| `caddy` | caddy:alpine | ingress: landing, auth/packwiz proxy, asset mirror (`tls internal`) |
| `caddy` | caddy:alpine | internal ingress: routes every vhost by Host header |
| `nmsr` | built from source | skin/avatar renderer at `avatar.${BASE_DOMAIN}` |
| `mc-status` | built from source | live server-status JSON for the landing card |
| `uptime-kuma` | louislam/uptime-kuma | status page at `status.${BASE_DOMAIN}` |
| `filestash` | machines/filestash (digest-pinned) | player file share at `files.${BASE_DOMAIN}` |
| `mc-backup` | itzg/mc-backup | world backups every 6h via RCON |
Optional layers (each its own `docker-compose.<name>.yml`):
- `avahi` (mDNS `.local`), `dnsmasq` (turnkey DNS) — only if you don't run your
own DNS.
- `nmsr` (NickAcPT/nmsr-rs, built from source) — skin/avatar renderer at
`avatar.${BASE_DOMAIN}`, sourced from Drasl. See **Avatar renderer** below.
- `distribution` — extra static vhost at `distribution.${BASE_DOMAIN}` whose web
root (`DISTRIBUTION_WEB_ROOT`) lives in another repo.
- `status` (louislam/uptime-kuma) — uptime monitoring + public status page at
`status.${BASE_DOMAIN}`. See **Status monitoring** below.
Vhosts (all proxied through the host nginx → caddy):
Config lives in `.env`: `BASE_DOMAIN` (default `ulicraft.lan`), `HOST_LAN_IP`,
`RCON_PASSWORD`, `ENABLE_MDNS`. Services are subdomains: `auth.`, `packwiz.`,
`mc.`, plus the apex landing page.
- apex `${BASE_DOMAIN}` — landing page + `/launcher/` downloads + `/api/mcstatus/*`
- `auth.` — Drasl
- `avatar.` — NMSR
- `status.` — Uptime Kuma
- `files.` — Filestash player file share (one shared login, writable)
- `distribution.` — static site from another repo (`DISTRIBUTION_WEB_ROOT`)
## DNS (pick one)
Config lives in `.env`: `BASE_DOMAIN`, `RCON_PASSWORD`, `CADDY_HTTP_PORT` /
`CADDY_HTTP_BIND`, `DISTRIBUTION_WEB_ROOT`, the `FILES_*` block. See `.env.example`.
Names must resolve to `HOST_LAN_IP`. Use **your own party DNS server** (recommended):
## DNS
```sh
tooling/dns-records.sh online # service names only (internet present)
tooling/dns-records.sh airgap # + Mojang/launcher/NeoForge spoofs (offline)
```
Paste the printed records into your DNS. **Use `.lan`, not `.local`**`.local`
is intercepted by mDNS and won't resolve via unicast DNS.
Alternatives: `ENABLE_MDNS=true` + `BASE_DOMAIN=*.local` (zero-config mDNS,
macOS/Linux native, Windows needs Bonjour) — but mDNS can't serve the air-gap
upstream spoofs. Or layer in `docker-compose.dnsmasq.yml` for a turnkey DNS.
### Simulate the DNS via /etc/hosts (single machine, testing)
No DNS server? Append the records straight to `/etc/hosts` (marker-wrapped):
```sh
tooling/dns-records.sh online hosts | sudo tee -a /etc/hosts # services only
tooling/dns-records.sh airgap hosts | sudo tee -a /etc/hosts # + Mojang spoofs
```
Remove them later:
```sh
sudo sed -i '/# >>> ulicraft/,/# <<< ulicraft/d' /etc/hosts
```
Notes:
- `/etc/hosts` has **no wildcard** — only the listed names resolve.
- `airgap` adds the Mojang/launcher/NeoForge hostnames pointing at the LAN; this
**breaks normal internet access to those domains** while present. Use it only
while offline; for an online box use `online`.
- `mc.<domain>` works (client defaults to :25565); SRV isn't used via `/etc/hosts`.
Handled **outside this repo**. Point `${BASE_DOMAIN}` and every subdomain
(`auth. avatar. status. files. distribution. www.`) at the host running nginx.
## Prerequisites
Docker + Docker Compose; for prep also `pnpm`, `packwiz`, `jq`, `curl`,
`envsubst`, `sha1sum`.
Docker + Docker Compose; for prep also `pnpm`, `jq`, `curl`, `envsubst`.
## Launch
```sh
cp .env.example .env # set BASE_DOMAIN, HOST_LAN_IP, RCON_PASSWORD
cp .env.example .env # set BASE_DOMAIN, RCON_PASSWORD, DISTRIBUTION_WEB_ROOT
tooling/build-stack.sh --prep # ONLINE, once: render, build landing,
# mirror mods+assets, fetch launcher +
# authlib, pre-bake the server volume
# One-time / on change — render configs + build content:
tooling/render-config.sh # drasl + nmsr configs from *.tmpl
tooling/sync-server-mods.sh # filtered server mods → ./server-mods
( cd landing && pnpm install && BASE_DOMAIN="$BASE_DOMAIN" pnpm run build ) # → www/
tooling/fetch-launcher.sh # FjordLauncher assets → launcher/ (served at /launcher/)
tooling/fetch-authlib.sh # authlib-injector.jar → runtime/ (server JVM agent)
tooling/build-stack.sh --up online # internet present, no mirror
tooling/build-stack.sh --up airgap # offline; full asset mirror on :443 (default)
tooling/build-stack.sh --up core # base only (debugging)
docker compose up -d --build # first run installs NeoForge + mods, builds nmsr
docker compose down # stop
```
`--up` prints the DNS records to add for that mode. Down:
`docker compose -f docker-compose.yml -f docker-compose.static.yml -f docker-compose.mirror.yml down`
First boot: itzg installs NeoForge + the synced server mods into the `mc_data` volume;
nmsr does a one-time Rust compile. Watch `docker compose logs -f minecraft` until
`Done`.
## Public TLS (host nginx in front of caddy)
The LAN path above runs caddy on `:80`. To expose the stack publicly with real
certs, the machine's own nginx terminates TLS and reverse-proxies every vhost to
caddy by Host header. Caddy stays the single router (apex landing, `www.`
apex, `auth.` → drasl, `pack.` packwiz, `distribution.` static, `avatar.`
nmsr). HTTPS-only: HTTP 301s to HTTPS and every TLS vhost sends HSTS.
caddy is published on a localhost-only port (`CADDY_HTTP_BIND=127.0.0.1`,
`CADDY_HTTP_PORT=8880`). The host's own nginx terminates TLS with Let's Encrypt
certs and reverse-proxies every vhost to caddy by Host header. HTTPS-only: HTTP
301s to HTTPS and every TLS vhost sends HSTS.
1. **Issue certs** (OVH DNS-01, no inbound ports needed):
```sh
# .env: BASE_DOMAIN, LE_EMAIL, OVH_* creds,
# LE_SUBDOMAINS="auth pack distribution www avatar status"
# LE_SUBDOMAINS="auth distribution www avatar status"
tooling/issue-letsencrypt.sh # → certs/<name>/{cert,key}.pem
```
2. **Bind caddy to a localhost-only port** so only nginx reaches it (`.env`):
```sh
CADDY_HTTP_PORT=8880
CADDY_HTTP_BIND=127.0.0.1
```
3. **Bring up the caddy ingress** (+ static, + distribution/nmsr if used):
```sh
docker compose -f docker-compose.yml -f docker-compose.caddy.yml \
-f docker-compose.static.yml -f docker-compose.distribution.yml \
-f docker-compose.nmsr.yml -f docker-compose.status.yml up -d --build
```
4. **Render + install the nginx vhost** with `tooling/render-nginx.sh`. It pulls
2. **Render + install the nginx vhost** with `tooling/render-nginx.sh`. It pulls
`BASE_DOMAIN` + `CADDY_HTTP_PORT` from `.env`, defaults `APP_DIR` to the repo
checkout (where `certs/` live), and renders `nginx/ulicraft-caddy.conf.tmpl`:
```sh
tooling/render-nginx.sh # preview to stdout (dry run)
tooling/render-nginx.sh --install # write, symlink, nginx -t, reload
```
Overrides via env: `APP_DIR=/path` (if the repo isn't at the cert location),
`SITE_NAME=foo.conf`, `TEMPLATE=nginx/ulicraft.conf.tmpl` (the static variant —
nginx serves the files itself + proxies only drasl; pick one, not both).
Re-run step 4 whenever you add a subdomain so its server block is rendered.
Override `APP_DIR=/path` if the repo isn't at the cert location. Re-run
whenever you add a subdomain so its server block is rendered.
## Avatar renderer (NMSR)
@@ -140,87 +97,136 @@ pins a commit; bump `ARG NMSR_REF` to update.
`http://auth.${BASE_DOMAIN}`; Drasl serves the Mojang-compatible routes at its
bare BaseURL and embeds absolute skin URLs that NMSR fetches directly.
`allow_offline_mode_uuids = true` (Drasl issues offline v3 UUIDs).
- **Network**: skin resolution stays internal over `mcnet` (the caddy alias
`auth.${BASE_DOMAIN}` → drasl) — no public round-trip. caddy reverse-proxies
`avatar.` → `nmsr:8080`. The host port is published on `127.0.0.1:9898` only
(local debugging; not reachable from outside).
- **Endpoints** (NMSR): e.g. `https://avatar.${BASE_DOMAIN}/skin/<player>`,
- **Network**: skin resolution stays internal over `mcnet` (caddy alias
`auth.${BASE_DOMAIN}` → drasl). caddy reverse-proxies `avatar.` → `nmsr:8080`.
- **Endpoints**: e.g. `https://avatar.${BASE_DOMAIN}/skin/<player>`,
`/face/<player>`, `/fullbody/<player>` — by username or UUID.
Bring up: add `-f docker-compose.nmsr.yml` (with `--build`) as shown above. The
first build is heavy (Rust compile). Headless rendering uses lavapipe (software
First build is heavy (Rust compile). Headless rendering uses lavapipe (software
Vulkan); if renders fail, check `docker logs nmsr` for Vulkan device init.
`distribution.${BASE_DOMAIN}` serves a static site whose web root lives in
another repo: set `DISTRIBUTION_WEB_ROOT` (absolute host path) in `.env`; it's
bind-mounted read-only via `docker-compose.distribution.yml`.
## Status monitoring (Uptime Kuma)
`status.${BASE_DOMAIN}` runs [Uptime Kuma](https://github.com/louislam/uptime-kuma)
— uptime probes for every vhost **and** a native Minecraft-protocol ping (player
count + up/down), plus a public status page. The container joins `mcnet`, so it
can probe the stack by internal service name without leaving the host. caddy
reverse-proxies `status.` → `uptime-kuma:3001`; the host port is published on
`127.0.0.1:3001` only (first-run admin setup / local debugging).
count + up/down), plus a public status page. It joins `mcnet`, so monitors can
probe the stack by internal service name. caddy reverse-proxies `status.` →
`uptime-kuma:3001`.
Bring up (layer on the caddy ingress):
```sh
docker compose -f docker-compose.yml -f docker-compose.caddy.yml \
-f docker-compose.status.yml up -d
```
Then open `https://status.${BASE_DOMAIN}` (or `http://127.0.0.1:3001` first run),
create the admin account, and add monitors. Kuma has no config-as-code — add
these once via the UI (data persists in the `kuma_data` volume):
First run, open `https://status.${BASE_DOMAIN}`, create the admin account, and
add monitors. Kuma has no config-as-code — add these once via the UI (data
persists in the `kuma_data` volume):
| Monitor | Type | Target |
|---|---|---|
| Minecraft | Minecraft Server | `minecraft` : `25565` |
| Drasl auth | HTTP(s) | `https://auth.${BASE_DOMAIN}` |
| Landing (apex) | HTTP(s) | `https://${BASE_DOMAIN}` |
| Packwiz | HTTP(s) | `https://pack.${BASE_DOMAIN}` |
| Distribution | HTTP(s) | `https://distribution.${BASE_DOMAIN}` |
| Avatar (NMSR) | HTTP(s) | `https://avatar.${BASE_DOMAIN}` |
| Files (Filestash) | HTTP(s) | `https://files.${BASE_DOMAIN}` (expect 200 — the login page is a 200) |
Internal-name targets (`minecraft`, `drasl:25585`, `nmsr:8080`) isolate "service
down" from "ingress/TLS/DNS down"; public-URL targets test the whole chain. Mix
as you like. `status` is in the default `LE_SUBDOMAINS` so its TLS cert issues
with the rest; the nginx vhost adds websocket upgrade headers for Kuma's live UI.
down" from "ingress/TLS/DNS down"; public-URL targets test the whole chain.
`status` is in the default `LE_SUBDOMAINS`; the nginx vhost adds websocket
upgrade headers for Kuma's live UI.
## Server status JSON (mc-status)
`mc-status` is a self-hosted SLP→JSON pinger (built from `docker/mc-status`, an
mcutil wrapper) that the landing's `ServerCard` reads for live player count + MOTD.
It emits **mcstatus.io v2** JSON, so the card consumes it unchanged — but
same-origin, with no CORS and no third-party calls. caddy proxies the apex
`/api/mcstatus/*` path to `mc-status:8080` (strips the prefix); the container has
no published port. The pinger only ever probes its configured `MC_STATUS_TARGET`,
so the path after the prefix is ignored.
Endpoint (apex, same-origin):
```
https://${BASE_DOMAIN}/api/mcstatus/v2/status/java/${BASE_DOMAIN}
```
Hitting caddy directly (localhost-only, routes by Host header) — e.g. `ulicraft.net`
on `127.0.0.1:8880`:
```sh
curl -H "Host: ulicraft.net" \
http://127.0.0.1:8880/api/mcstatus/v2/status/java/ulicraft.net
```
Wired in `landing/src/data/site.ts` (`statusApi`) and `caddy/conf.d/10-static.caddy`.
## Player file share (Filestash)
`files.${BASE_DOMAIN}` is a web file share for player media — screenshots,
schematics, maps, guides. **One shared username/password for everybody**
(`FILES_USER` / `FILES_PASSWORD_HASH`), read **and** write. It is *not* a backup
browser and *not* a mod mirror: world snapshots contain every player's inventory
and coordinates, and the modset already ships via `distribution.`.
Full design, deploy steps and gotchas: **`plan/20-files.md`**. The short version:
- Config is `filestash/config.json`, **rendered from a template and mounted
`:ro`** — git is the source of truth. The admin console at `/admin` loads but
**cannot save**; that's deliberate. Change config by editing the `.tmpl`,
re-rendering, and **recreating** the container (`up -d --force-recreate
filestash` — a single-file bind mount pins the inode, so `restart` reads the
stale file).
- Files live in `${FILES_DATA_DIR}` on the host, outside the repo. **Not backed
up** by mc-backup — treat the share as disposable.
- `FILES_MOUNT_MODE=ro|rw` is the literal mount flag: `ro` makes the share
read-only at the *kernel*, whatever the UI thinks.
- `FILES_AUTH=htpasswd|passthrough` — `passthrough` means **no login at all**.
Only valid once the host is off the public internet: an unauthenticated
*writable* share on a public domain is an open upload relay.
Four traps that cost real time (all enforced or documented in the tooling):
- **`general.host` is a bare hostname**, no scheme (`files.${BASE_DOMAIN}`), with
`force_ssl: true`. The SPA builds its redirect origin as `scheme + host`, so a
URL there produces `http://https://files...` and every client-side redirect
breaks. The server strips the scheme before its *own* Host check, so `curl`
and the uptime monitor stay **green while every browser is broken**.
- **`FILES_PASSWORD_HASH` must be `$6$`** (`openssl passwd -6`). The htpasswd
plugin's bcrypt branch only matches `$2a$`, so a `$2y$` hash from
`htpasswd -B` fails *every* login, silently. `render-config.sh` rejects it.
- **The `local` storage backend is admin-gated** — without `FILES_LOCAL_SECRET`
reaching it through the connection params, every login dies with
`backend error - Not Allowed`, which looks like bad credentials and isn't.
- **Don't set `APPLICATION_URL`/`ADMIN_PASSWORD` env** — either makes Filestash
rewrite `config.json` at boot, which fails against the `:ro` mount.
> Verifying this service: a 200 on `/` only proves the server is up. Check the
> browser-facing origin — `curl -s -H 'X-Requested-With: XmlHttpRequest`
> `https://files.${BASE_DOMAIN}/api/config | jq -r .result.origin` must print
> `https://files.${BASE_DOMAIN}` — and re-read `docker compose logs filestash`.
## Join (guests)
1. Open `http://ulicraft.lan`, download FjordLauncherUnlocked for your OS.
2. Add an **authlib-injector** account, URL `http://auth.ulicraft.lan/authlib-injector`
(register/login at `http://auth.ulicraft.lan`).
3. **Air-gap only:** trust the local CA — download `http://ulicraft.lan/ca.crt`
and add it to your OS trust store (so the HTTPS asset mirror is trusted).
4. Import the pack: `http://packwiz.ulicraft.lan/pack.toml`.
5. Connect to **`mc.ulicraft.lan`** (no port needed).
1. Open `https://${BASE_DOMAIN}`, download FjordLauncherUnlocked for your OS.
2. Add an **authlib-injector** account, URL
`https://auth.${BASE_DOMAIN}/authlib-injector` (register/login at
`https://auth.${BASE_DOMAIN}`).
3. The launcher installs the modpack from the distribution automatically.
4. Connect to **`${BASE_DOMAIN}`** (Minecraft, `:25565`).
## Layout
```
docker-compose.yml # core: drasl, minecraft, mc-backup, caddy
.static.yml .mirror.yml # online/airgap layers
.caddy.yml .nginx.yml # ingress paths (caddy-front vs nginx static)
.nmsr.yml .distribution.yml # avatar renderer / extra static vhost
.avahi.yml .dnsmasq.yml # optional DNS layers
caddy/Caddyfile + conf.d/*.caddy # ingress vhost snippets (core/static/mirror/
# distribution/avatar)
docker-compose.yml # the whole stack (one file)
caddy/Caddyfile + conf.d/*.caddy # ingress vhost snippets
# (core/static/distribution/avatar/status)
drasl/config/config.toml.tmpl # auth config (rendered)
nmsr/config.toml.tmpl # avatar renderer config, Drasl-backed (rendered)
dnsmasq/dnsmasq.conf.tmpl # optional DNS config (rendered)
docker/avahi/ docker/nmsr/ # built-from-source images (mDNS, NMSR)
pack/ # packwiz modpack source
docker/nmsr/ # built-from-source NMSR image
landing/ # Astro site → www/
tooling/ # build-stack, render-config, render-nginx,
# dns-records, issue-letsencrypt,
# mirror-mods, mirror-airgap, fetch-launcher
nginx/*.conf.tmpl # host-nginx TLS vhost templates
mirror/ # vendored jars + launcher + asset mirror (gitignored)
plan/ # full design docs (0012)
launcher/ # FjordLauncher assets (gitignored)
server-mods/ # filtered server mod jars (synced, gitignored)
tooling/ # render-config, sync-server-mods, render-nginx,
# issue-letsencrypt, fetch-launcher
nginx/ulicraft-caddy.conf.tmpl # host-nginx TLS vhost template (front of caddy)
plan/ # design docs
```
See `plan/00-overview.md` for the full design.

View File

@@ -1,10 +1,12 @@
# Base Caddy config. Vhosts live in conf.d/*.caddy snippets that are mounted
# in selectively so the stack can run with or without the static site / mirror:
# conf.d/00-core.caddy auth + packwiz (always — core ingress)
# conf.d/10-static.caddy apex landing + launcher downloads (static toggle)
# conf.d/20-mirror.caddy air-gap upstream mirror (tls internal) (mirror toggle)
# auto_https disable_redirects: http:// sites stay plaintext on :80; the mirror
# snippet's hosts still get internal TLS on :443 when that snippet is present.
# Base Caddy config. Vhosts live in conf.d/*.caddy snippets:
# conf.d/00-core.caddy auth
# conf.d/10-static.caddy apex landing + launcher downloads
# conf.d/30-distribution.caddy static site from another repo
# conf.d/40-avatar.caddy nmsr skin/avatar renderer
# conf.d/50-status.caddy uptime-kuma status page
# All snippets are plain http:// on :80 — the host's nginx terminates TLS in
# front (nginx/ulicraft-caddy.conf.tmpl). disable_redirects keeps caddy from
# upgrading to its own https.
{
auto_https disable_redirects
}

View File

@@ -1,14 +0,0 @@
# Core ingress — Blessing Skin variant. Replaces 00-core.caddy when the
# docker-compose.blessingskin.yml override is in play (mounted at the same
# target path). auth.* now points at Blessing Skin instead of Drasl.
#
# Blessing Skin serves BOTH its web UI (/) and the Yggdrasil API (/api/yggdrasil)
# on the same vhost, so a single reverse_proxy covers everything.
http://auth.{$BASE_DOMAIN} {
reverse_proxy blessing-skin:80
}
http://pack.{$BASE_DOMAIN} {
root * /srv/pack
file_server browse
}

View File

@@ -1,9 +1,4 @@
# Core ingress — always mounted. Drasl auth + packwiz pack metadata.
# Core ingress — always mounted. Drasl auth.
http://auth.{$BASE_DOMAIN} {
reverse_proxy drasl:25585
}
http://pack.{$BASE_DOMAIN} {
root * /srv/pack
file_server browse
}

View File

@@ -1,19 +1,18 @@
# Static toggle — apex landing page + launcher downloads.
# Mounted only when the stack runs with static files (build-stack.sh up static|full).
# Apex landing page (/srv/www) + launcher downloads (/srv/launcher).
http://{$BASE_DOMAIN} {
# Caddy's local CA root, so guests can trust the air-gap HTTPS mirror.
# Mounted from ./caddy/caddy-root-ca.crt (exported by build-stack prep;
# the live pki dir is root-only 0600 and can't be served directly).
handle /ca.crt {
root * /srv/ca-pub
file_server
}
# Launcher downloads are a sibling mount (/srv/launcher), not nested under
# the read-only /srv/www. handle_path strips the /launcher prefix.
handle_path /launcher/* {
root * /srv/launcher
file_server browse
}
# Self-hosted Minecraft status JSON (mc-status service). Same-origin, so the
# landing's ServerCard fetch needs no CORS. The <addr> in the path is
# ignored by mc-status — it only ever pings its configured MC_STATUS_TARGET.
handle /api/mcstatus/* {
uri strip_prefix /api/mcstatus
reverse_proxy mc-status:8080
}
handle {
root * /srv/www
file_server

View File

@@ -1,9 +0,0 @@
# Mirror toggle — full client air-gap mirror (see plan/11-full-airgap-mirror.md).
# Byte-exact copies of the real upstream hosts over HTTPS with Caddy's local CA.
# dnsmasq spoofs these hostnames -> our host; {host} roots each at its subtree.
# Mounted only when the stack runs with the mirror (build-stack.sh up mirror|full).
meta.prismlauncher.org, piston-meta.mojang.com, piston-data.mojang.com, libraries.minecraft.net, maven.neoforged.net, resources.download.minecraft.net {
tls internal
root * /srv/mirror/{host}
file_server
}

View File

@@ -1,8 +1,10 @@
# Distribution toggle — static site served from a web root in ANOTHER repo.
# The host path is set by DISTRIBUTION_WEB_ROOT in .env and bind-mounted to
# /srv/distribution by docker-compose.caddy.yml. Mounted only when that var is
# set (see the distribution override).
# Distribution — static site served from a web root in ANOTHER repo. The host
# path is set by DISTRIBUTION_WEB_ROOT in .env and bind-mounted to
# /srv/distribution by the caddy service in docker-compose.yml.
http://distribution.{$BASE_DOMAIN} {
root * /srv/distribution
# The landing page (apex origin) fetches launcher.json cross-origin to render
# the download buttons. Allow it — launcher assets are fully public, no creds.
header /launcher/* Access-Control-Allow-Origin "*"
file_server browse
}

View File

@@ -1,5 +1,4 @@
# Avatar toggle — NMSR skin/avatar renderer (docker-compose.nmsr.yml).
# Mounted only when the nmsr override is present.
# Avatar — NMSR skin/avatar renderer (nmsr service), Drasl-backed.
http://avatar.{$BASE_DOMAIN} {
reverse_proxy nmsr:8080
}

View File

@@ -1,5 +1,4 @@
# Status toggle — Uptime Kuma monitoring + public status page
# (docker-compose.status.yml). Mounted only when the status override is present.
# Status — Uptime Kuma monitoring + public status page (uptime-kuma service).
http://status.{$BASE_DOMAIN} {
reverse_proxy uptime-kuma:3001
}

View File

@@ -0,0 +1,10 @@
# Files — Filestash player file share (filestash service). Shared login,
# writable. See plan/20-files.md.
#
# Filestash blocks any request whose Host header doesn't match its configured
# `general.host` (https://files.${BASE_DOMAIN}), with "only traffic from X is
# allowed". The host nginx forwards the original Host, and caddy passes it
# through untouched — do NOT rewrite it here or every request 403s.
http://files.{$BASE_DOMAIN} {
reverse_proxy filestash:8334
}

View File

@@ -1,21 +0,0 @@
# Resolve every *.${BASE_DOMAIN} (and the apex) to the Docker host LAN IP.
# Rendered by tooling/render-config.sh -> dnsmasq/dnsmasq.conf (gitignored).
address=/${BASE_DOMAIN}/${HOST_LAN_IP}
no-resolv
# Minecraft SRV record: guests connect to "mc.${BASE_DOMAIN}" with NO port —
# the SRV lookup points the client at port 25565. Target mc.${BASE_DOMAIN}
# resolves to HOST_LAN_IP via the wildcard above.
# Format: srv-host=_service._proto.name,target,port
srv-host=_minecraft._tcp.mc.${BASE_DOMAIN},mc.${BASE_DOMAIN},25565
# Full client air-gap (see plan/11-full-airgap-mirror.md): spoof the real
# upstream hosts -> our Caddy mirror. Auth hosts (session/textures/api.mojang)
# are NOT spoofed — drasl handles those via authlib-injector. Keep this list in
# sync with the proxy-capture step.
address=/meta.prismlauncher.org/${HOST_LAN_IP}
address=/piston-meta.mojang.com/${HOST_LAN_IP}
address=/piston-data.mojang.com/${HOST_LAN_IP}
address=/libraries.minecraft.net/${HOST_LAN_IP}
address=/maven.neoforged.net/${HOST_LAN_IP}
address=/resources.download.minecraft.net/${HOST_LAN_IP}

View File

@@ -1,28 +0,0 @@
# mDNS toggle — publish *.local service names via the HOST's avahi-daemon for
# zero-config guest resolution. Enabled when ENABLE_MDNS=true in .env and only
# meaningful when BASE_DOMAIN=*.local.
#
# Host prerequisites:
# - avahi-daemon running on the host
# - if the host has many interfaces (e.g. lots of docker bridges), restrict
# avahi to the LAN NIC in /etc/avahi/avahi-daemon.conf:
# allow-interfaces=<lan-iface>
# otherwise avahi sees its own announcements across bridges → "Local name
# collision" and publishing fails.
services:
avahi:
build: ./docker/avahi
image: ulicraft-avahi:local
container_name: avahi
restart: unless-stopped
network_mode: host
# AppArmor's docker-default profile blocks the D-Bus publish to host avahi.
security_opt:
- apparmor=unconfined
environment:
BASE_DOMAIN: ${BASE_DOMAIN}
HOST_LAN_IP: ${HOST_LAN_IP}
DBUS_SYSTEM_BUS_ADDRESS: "unix:path=/run/dbus/system_bus_socket"
volumes:
# Talk to the host's avahi-daemon (host must run avahi-daemon).
- /run/dbus/system_bus_socket:/run/dbus/system_bus_socket

View File

@@ -1,105 +0,0 @@
# ──────────────────────────────────────────────────────────────────
# Blessing Skin auth variant — use INSTEAD of Drasl.
# ──────────────────────────────────────────────────────────────────
# Layer this over the base file AND the caddy ingress (caddy lives in its own
# file now; this override only swaps caddy's core conf, so caddy.yml is required):
#
# docker compose -f docker-compose.yml -f docker-compose.caddy.yml \
# -f docker-compose.blessingskin.yml up -d
#
# What it does vs the base stack:
# - drasl → left running but UNUSED + unreachable (Caddy no longer
# routes to it; it has no host port). Compose merges
# depends_on, so it can't be removed from an override —
# idling it is the clean option. `docker compose ... stop
# drasl` after up if you want it down.
# - caddy → auth.* now reverse-proxies blessing-skin:80
# - mariadb → new; Blessing Skin's datastore (no SQLite support)
# - blessing-skin → new; PHP skin server + yggdrasil-api plugin
# - minecraft → authlib-injector now points at /api/yggdrasil,
# ONLINE_MODE=TRUE (real session validation against BSS)
#
# First-run is a WEB WIZARD — see plan/03b-blessing-skin.md. The yggdrasil-api
# plugin must be installed + enabled from the BSS admin panel before the
# /api/yggdrasil endpoint (and thus Minecraft login) works.
#
# DB creds + APP_KEY come from .env (see .env.example: BS_* vars).
# ──────────────────────────────────────────────────────────────────
services:
caddy:
# Swap the core ingress conf for the Blessing Skin one. Compose MERGES
# volumes by container path, so mounting the BSS conf at the SAME target
# (/etc/caddy/conf.d/00-core.caddy) shadows the base 00-core.caddy; all
# other base mounts (pack, custom, static, ca) are kept automatically.
volumes:
- ./caddy/conf.d/00-core-blessingskin.caddy:/etc/caddy/conf.d/00-core.caddy:ro
depends_on:
- blessing-skin
mariadb:
image: mariadb:11
container_name: mariadb
restart: unless-stopped
environment:
MARIADB_DATABASE: ${BS_DB_NAME}
MARIADB_USER: ${BS_DB_USER}
MARIADB_PASSWORD: ${BS_DB_PASSWORD}
MARIADB_ROOT_PASSWORD: ${BS_DB_ROOT_PASSWORD}
TZ: "Europe/Madrid"
volumes:
- bs_db:/var/lib/mysql
healthcheck:
test: ["CMD", "healthcheck.sh", "--connect", "--innodb_initialized"]
interval: 10s
timeout: 5s
retries: 10
networks:
- mcnet
blessing-skin:
image: azusamikan/blessing-skin-server-docker:latest
container_name: blessing-skin
restart: unless-stopped
# Internal-only — reached via Caddy at auth.${BASE_DOMAIN}.
environment:
APP_URL: "http://auth.${BASE_DOMAIN}"
# Persist APP_KEY across recreates (else sessions/encryption break).
# Generate once: docker run --rm azusamikan/blessing-skin-server-docker:latest php artisan key:generate --show
APP_KEY: ${BS_APP_KEY}
DB_DRIVER: "mysql"
DB_HOST: "mariadb"
DB_PORT: "3306"
DB_DATABASE: ${BS_DB_NAME}
DB_USERNAME: ${BS_DB_USER}
DB_PASSWORD: ${BS_DB_PASSWORD}
TZ: "Europe/Madrid"
volumes:
- bs_storage:/app/storage # uploaded skins/capes + textures
- bs_plugins:/app/plugins # yggdrasil-api plugin lives here
depends_on:
mariadb:
condition: service_healthy
networks:
- mcnet
minecraft:
environment:
# authlib-injector API root for Blessing Skin's yggdrasil-api plugin
# is <site>/api/yggdrasil (NOT /authlib-injector like Drasl).
JVM_OPTS: "-javaagent:/extras/authlib-injector.jar=http://auth.${BASE_DOMAIN}/api/yggdrasil"
# authlib-injector needs real auth: online-mode TRUE so the server
# validates sessions against Blessing Skin. (Drasl variant used FALSE.)
ONLINE_MODE: "TRUE"
# Keep FALSE for safety on 1.21+. The yggdrasil-api plugin DOES sign
# profile keys, so you MAY flip this to TRUE if signed chat is wanted.
ENFORCE_SECURE_PROFILE: "FALSE"
# Merged with the base depends_on (drasl, caddy); just adds blessing-skin so
# Minecraft starts after the skin server is up.
depends_on:
- blessing-skin
volumes:
bs_db:
bs_storage:
bs_plugins:

View File

@@ -1,50 +0,0 @@
# ──────────────────────────────────────────────────────────────────
# Caddy ingress — LAN / air-gap path. NOT started with the base stack.
# ──────────────────────────────────────────────────────────────────
# Caddy was moved out of docker-compose.yml so the base stack can run behind
# the host's nginx (production) without it. build-stack.sh adds this file for
# its online/airgap/core modes; static/mirror overrides mount extra vhosts in.
#
# docker compose -f docker-compose.yml -f docker-compose.caddy.yml up -d
#
# Holds the mcnet aliases (auth./pack.${BASE_DOMAIN}) so containers resolve the
# stack's own names internally — this is why minecraft can reach the pack here
# without extra_hosts (the nginx path uses extra_hosts instead).
services:
caddy:
image: caddy:alpine
container_name: caddy
restart: unless-stopped
# Host-published port. Default 80 for the standalone LAN/air-gap path; set
# CADDY_HTTP_PORT to a high localhost-only port when the machine's nginx
# fronts caddy (nginx terminates TLS, reverse-proxies here by Host header —
# see nginx/ulicraft-caddy.conf.tmpl).
ports:
- "${CADDY_HTTP_BIND:-0.0.0.0}:${CADDY_HTTP_PORT:-80}:80"
environment:
BASE_DOMAIN: ${BASE_DOMAIN}
volumes:
- ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
- ./caddy/conf.d/00-core.caddy:/etc/caddy/conf.d/00-core.caddy:ro
- ./caddy/conf.d/10-static.caddy:/etc/caddy/conf.d/10-static.caddy:ro
- ./www:/srv/www:ro
- ./mirror/launcher:/srv/launcher:ro
- ./caddy/caddy-root-ca.crt:/srv/ca-pub/ca.crt:ro
- ./pack:/srv/pack:ro
# Custom (locally-hosted) mod jars live OUTSIDE ./pack so packwiz refresh
# doesn't index them as direct files. Served at pack.${BASE_DOMAIN}/custom/.
- ./custom:/srv/pack/custom:ro
networks:
mcnet:
# The upstream spoof-host aliases live in docker-compose.mirror.yml —
# adding them here would hijack maven.neoforged.net etc. for ALL mcnet
# containers, breaking the ONLINE NeoForge install during pre-bake.
aliases:
- "auth.${BASE_DOMAIN}"
- "pack.${BASE_DOMAIN}"
# Restore the ordering the base file used to have (base drops it so it can run
# caddy-less behind nginx).
minecraft:
depends_on:
- caddy

View File

@@ -1,15 +0,0 @@
# ──────────────────────────────────────────────────────────────────
# Distribution vhost — distribution.${BASE_DOMAIN}, static files from a web
# root that lives in ANOTHER repo. Layered on top of the caddy ingress.
# ──────────────────────────────────────────────────────────────────
# docker compose -f docker-compose.yml -f docker-compose.caddy.yml \
# -f docker-compose.distribution.yml up -d
#
# DISTRIBUTION_WEB_ROOT (.env) = absolute host path to the built static site in
# the other repo. Bind-mounted read-only; caddy serves it via the
# conf.d/30-distribution.caddy snippet.
services:
caddy:
volumes:
- ./caddy/conf.d/30-distribution.caddy:/etc/caddy/conf.d/30-distribution.caddy:ro
- ${DISTRIBUTION_WEB_ROOT:?DISTRIBUTION_WEB_ROOT unset in .env}:/srv/distribution:ro

View File

@@ -1,20 +0,0 @@
# Optional turnkey DNS — only if you DON'T run your own party DNS server.
# Layer on: `docker compose -f docker-compose.yml -f docker-compose.dnsmasq.yml ... up -d`.
# Serves dnsmasq/dnsmasq.conf (rendered from the template, includes the airgap
# spoof records). If you have your own DNS, skip this and use the records from
# `tooling/dns-records.sh` instead.
services:
dnsmasq:
image: jpillora/dnsmasq
container_name: dnsmasq
restart: unless-stopped
ports:
# Bind DNS to the host LAN IP so it doesn't clash with systemd-resolved on :53.
- "${HOST_LAN_IP}:53:53/udp"
- "${HOST_LAN_IP}:53:53/tcp"
volumes:
- ./dnsmasq/dnsmasq.conf:/etc/dnsmasq.conf:ro
networks:
- mcnet
# webproc UI (:8080) can be exposed behind Caddy as dns.${BASE_DOMAIN};
# guard with HTTP_USER / HTTP_PASS.

View File

@@ -1,25 +0,0 @@
# Mirror toggle — full client air-gap upstream mirror (see plan/11).
# Layer on top of the base: `docker compose -f docker-compose.yml -f docker-compose.mirror.yml up -d`
# (or `tooling/build-stack.sh --up mirror`). Adds the mirror vhost snippet, the
# upstream content mount, and publishes :443 for Caddy's `tls internal` certs.
# Populate the mirror first: tooling/mirror-airgap.sh (+ the proxy-capture step).
services:
caddy:
ports:
- "443:443"
volumes:
- ./caddy/conf.d/20-mirror.caddy:/etc/caddy/conf.d/20-mirror.caddy:ro
- ./mirror/upstream:/srv/mirror:ro
networks:
mcnet:
# Spoof the real upstream hosts -> Caddy (air-gap runtime only). Includes
# the base aliases because compose replaces (not merges) the alias list.
aliases:
- "auth.${BASE_DOMAIN}"
- "packwiz.${BASE_DOMAIN}"
- "meta.prismlauncher.org"
- "piston-meta.mojang.com"
- "piston-data.mojang.com"
- "libraries.minecraft.net"
- "maven.neoforged.net"
- "resources.download.minecraft.net"

View File

@@ -1,30 +0,0 @@
# ──────────────────────────────────────────────────────────────────
# Production ingress = the HOST's nginx + Let's Encrypt. No caddy.
# ──────────────────────────────────────────────────────────────────
# docker compose -f docker-compose.yml -f docker-compose.nginx.yml up -d
#
# nginx (on the host, already installed) terminates TLS with the LE certs from
# tooling/issue-letsencrypt.sh and:
# - serves apex + pack.${BASE_DOMAIN} as static files (./www, ./pack, ./custom)
# - reverse-proxies auth.${BASE_DOMAIN} -> 127.0.0.1:25585 (drasl)
# See nginx/ulicraft.conf.tmpl.
#
# This override:
# - publishes drasl on localhost so the host nginx can reach it
# - points the minecraft container at the host (extra_hosts) over HTTPS, so it
# fetches the pack and validates sessions through the same public names the
# LE certs cover (JVM trusts Let's Encrypt out of the box)
services:
drasl:
ports:
- "127.0.0.1:25585:25585"
minecraft:
# Make the public names resolve to the host running nginx.
extra_hosts:
- "auth.${BASE_DOMAIN}:host-gateway"
- "pack.${BASE_DOMAIN}:host-gateway"
environment:
# Use HTTPS now that nginx terminates TLS with a publicly-trusted cert.
JVM_OPTS: "-javaagent:/extras/authlib-injector.jar=https://auth.${BASE_DOMAIN}/authlib-injector"
PACKWIZ_URL: "https://pack.${BASE_DOMAIN}/pack.toml"

View File

@@ -1,32 +0,0 @@
# ──────────────────────────────────────────────────────────────────
# NMSR-aas — avatar/skin renderer at avatar.${BASE_DOMAIN}.
# ──────────────────────────────────────────────────────────────────
# docker compose -f docker-compose.yml -f docker-compose.caddy.yml \
# -f docker-compose.nmsr.yml up -d --build
#
# Built from source (no upstream image) — see docker/nmsr/Dockerfile.
# Renders YOUR players' skins by pulling profiles from Drasl over the internal
# mcnet network (config: nmsr/config.toml, rendered from .tmpl).
#
# Caddy reverse-proxies avatar.${BASE_DOMAIN} -> nmsr:8080 internally. The host
# port is published on 127.0.0.1:9898 ONLY (local debugging / not reachable from
# outside) — public access goes through nginx -> caddy.
services:
# Mount the avatar vhost snippet into caddy (the caddy override owns the base
# config; this adds one more conf.d file like the distribution override does).
caddy:
volumes:
- ./caddy/conf.d/40-avatar.caddy:/etc/caddy/conf.d/40-avatar.caddy:ro
nmsr:
build:
context: ./docker/nmsr
image: ulicraft/nmsr:local
container_name: nmsr
restart: unless-stopped
ports:
- "127.0.0.1:9898:8080"
volumes:
- ./nmsr/config.toml:/nmsr/config.toml:ro
networks:
- mcnet

View File

@@ -1,11 +0,0 @@
# Static toggle — apex landing page + launcher downloads.
# Layer on top of the base: `docker compose -f docker-compose.yml -f docker-compose.static.yml up -d`
# (or `tooling/build-stack.sh --up static`). Adds the static vhost snippet plus
# the www + launcher content mounts. Build www first: cd landing && pnpm run build.
services:
caddy:
volumes:
- ./caddy/conf.d/10-static.caddy:/etc/caddy/conf.d/10-static.caddy:ro
- ./www:/srv/www:ro
- ./mirror/launcher:/srv/launcher:ro
- ./caddy/caddy-root-ca.crt:/srv/ca-pub/ca.crt:ro

View File

@@ -1,36 +0,0 @@
# ──────────────────────────────────────────────────────────────────
# Uptime Kuma — status/monitoring for every vhost + the Minecraft server,
# reachable at status.${BASE_DOMAIN}.
# ──────────────────────────────────────────────────────────────────
# docker compose -f docker-compose.yml -f docker-compose.caddy.yml \
# -f docker-compose.status.yml up -d
#
# Joins mcnet so monitors can probe the stack BY ITS INTERNAL SERVICE NAME
# (drasl:25585, nmsr:8080, minecraft:25565) without leaving the host — and can
# also hit the public https vhosts end-to-end through the host's DNS.
#
# Caddy reverse-proxies status.${BASE_DOMAIN} -> uptime-kuma:3001 internally
# (caddy/conf.d/50-status.caddy). The host port is published on 127.0.0.1:3001
# ONLY (local debugging / first-run admin setup) — public access goes through
# nginx -> caddy. Add status.${BASE_DOMAIN} to LE_SUBDOMAINS for its TLS cert.
#
# Monitors are stored in the kuma_data volume (Kuma has no config-as-code);
# add them once via the web UI — see README for the recommended monitor list.
services:
caddy:
volumes:
- ./caddy/conf.d/50-status.caddy:/etc/caddy/conf.d/50-status.caddy:ro
uptime-kuma:
image: louislam/uptime-kuma:1
container_name: uptime-kuma
restart: unless-stopped
ports:
- "127.0.0.1:3001:3001"
volumes:
- kuma_data:/app/data
networks:
- mcnet
volumes:
kuma_data:

View File

@@ -1,31 +1,31 @@
# ──────────────────────────────────────────────────────────────────
# Ulicraft LAN-party stack — Minecraft 1.21.1 NeoForge + Drasl auth
# ──────────────────────────────────────────────────────────────────
# Single source of config: BASE_DOMAIN + HOST_LAN_IP in .env.
# DNS is provided by YOUR party DNS server — see tooling/dns-records.sh for the
# records to add (online vs airgap). A turnkey dnsmasq is available as an
# optional layer: docker-compose.dnsmasq.yml.
# - ingress is layered on, NOT in this base file: caddy (docker-compose.caddy.yml,
# LAN/air-gap, holds mcnet aliases) OR the host's nginx (docker-compose.nginx.yml
# + Let's Encrypt, production)
# - drasl handles auth (password login; NO Keycloak/OIDC in this stack)
# - packwiz pack is served by the ingress at pack.${BASE_DOMAIN}
# - minecraft installs mods via PACKWIZ_URL, authlib-injector -> auth.
# Single, unified compose. One file holds the whole stack:
# drasl auth + skins (Yggdrasil), internal only
# minecraft the server (itzg/NEOFORGE), mods from ./server-mods volume
# mc-backup world backups every 6h via RCON
# caddy internal ingress — routes auth./apex/launcher/avatar.
# /distribution. by Host header (conf.d/*.caddy)
# nmsr skin/avatar renderer at avatar.${BASE_DOMAIN}
# uptime-kuma status monitoring at status.${BASE_DOMAIN}
#
# Bring up: docker compose up -d (render configs first: tooling/render-config.sh)
#
# DNS is handled OUTSIDE this repo — point every service name at the host.
# Production TLS terminates at the HOST's nginx in front of caddy
# (nginx/ulicraft-caddy.conf.tmpl + Let's Encrypt); caddy is published on a
# localhost-only port (CADDY_HTTP_BIND/CADDY_HTTP_PORT in .env). Containers reach
# the stack's own names internally via caddy's mcnet alias (auth.).
# ──────────────────────────────────────────────────────────────────
services:
# NOTE: the HTTP(S) ingress is NOT in this base file.
# - LAN / air-gap: caddy (docker-compose.caddy.yml) — added by build-stack.sh
# - production: the HOST's nginx + Let's Encrypt (docker-compose.nginx.yml
# publishes drasl to localhost; nginx/ulicraft.conf.tmpl)
# Base alone (drasl + minecraft + mc-backup) is not a complete deployment —
# always layer one ingress file on top.
drasl:
image: unmojang/drasl:latest
container_name: drasl
restart: unless-stopped
# Internal-only: no published host port. Reached via Caddy at
# auth.${BASE_DOMAIN} (Caddy holds the network alias on mcnet).
# Internal-only: no published host port. Reached via caddy at
# auth.${BASE_DOMAIN} (caddy holds the network alias on mcnet).
volumes:
- ./drasl/config:/etc/drasl:ro
- drasl_state:/var/lib/drasl
@@ -48,7 +48,9 @@ services:
TYPE: "NEOFORGE"
VERSION: "1.21.1"
# Verify NEOFORGE_VERSION against projects.neoforged.net before deploy.
NEOFORGE_VERSION: "21.1.209" # pin a known-good build; update deliberately
# Must match the distribution's NeoForge (distribution.json → 21.1.233);
# several mods (ferritecore≥218, farmersdelight≥219, configured≥211) need it.
NEOFORGE_VERSION: "21.1.233" # pin a known-good build; update deliberately
# ── Memory / performance ────────────────────────────────────
INIT_MEMORY: "4G"
@@ -56,25 +58,37 @@ services:
USE_AIKAR_FLAGS: "TRUE"
JVM_XX_OPTS: "-XX:+UseG1GC"
# ── Auth: offline mode + authlib-injector pointing at Drasl
ONLINE_MODE: "FALSE"
# mount authlib-injector.jar at /extras/authlib-injector.jar
JVM_OPTS: "-javaagent:/extras/authlib-injector.jar=http://auth.${BASE_DOMAIN}/authlib-injector"
# ── Auth: ONLINE mode validated against Drasl via authlib-injector
# MUST be true: authlib-injector redirects the normal online-auth
# handshake from Mojang to Drasl. online-mode=false skips the handshake
# entirely -> offline UUIDs, no session validation, NO SKINS for anyone.
# Secure-profile is the part that must stay off on 1.21+ (see
# ENFORCE_SECURE_PROFILE + Drasl SignPublicKeys=false), NOT online-mode.
ONLINE_MODE: "TRUE"
# Resolves over mcnet to caddy (alias auth.${BASE_DOMAIN}) -> drasl.
JVM_OPTS: "-javaagent:/extras/authlib-injector.jar=https://auth.${BASE_DOMAIN}/authlib-injector"
# ── Server config ───────────────────────────────────────────
DIFFICULTY: "normal"
MODE: "survival"
MOTD: "Uli LAN party"
# Server-list icon (auto-scaled to 64x64). PNG lives in ./runtime (mounted
# /extras); OVERRIDE_ICON re-applies it on every boot. Also surfaces in the
# landing ServerCard via the SLP favicon.
ICON: "/extras/server-icon.png"
OVERRIDE_ICON: "TRUE"
MAX_PLAYERS: "10"
VIEW_DISTANCE: "10"
SIMULATION_DISTANCE: "8"
ENFORCE_SECURE_PROFILE: "FALSE" # required for authlib-injector on 1.21+
ALLOW_FLIGHT: "TRUE" # many tech mods need this
# ── Mod source: packwiz pack served by the ingress ──────────
# http + caddy alias by default; the nginx override switches this to
# https + host-gateway (extra_hosts) for the production path.
PACKWIZ_URL: "http://pack.${BASE_DOMAIN}/pack.toml"
# ── Mod source: filtered subset of the distribution modset ──
# Jars are synced into ./server-mods by tooling/sync-server-mods.sh
# (both/server entries from mods-sides.json) and mounted at /mods below;
# itzg auto-syncs /mods → /data/mods. REMOVE_OLD_MODS makes that mirror
# authoritative so removed mods get pruned. See plan/04-mods.md.
REMOVE_OLD_MODS: "TRUE"
# ── RCON for remote admin ───────────────────────────────────
ENABLE_RCON: "TRUE"
@@ -84,13 +98,29 @@ services:
TZ: "Europe/Madrid"
volumes:
- mc_data:/data
- ./runtime:/extras:ro # authlib-injector.jar lives here
- ./runtime:/extras:ro # authlib-injector.jar lives here
- ./server-mods:/mods:ro # itzg auto-syncs /mods → /data/mods
# Distribution client-override files the server also needs, from the live
# distribution (DISTRIBUTION_WEB_ROOT), same source as caddy. Only the kubejs
# *source* subdirs are bind-mounted ro — kubejs itself writes config/, cache/,
# generated/, logs/ at boot, so the kubejs ROOT must stay writable (lives in
# mc_data). Mounting the whole kubejs dir ro makes BaseProperties.save() NPE
# and kubejs never initialises. CustomSkinLoader is ro (read-only json).
- ${DISTRIBUTION_WEB_ROOT:?DISTRIBUTION_WEB_ROOT unset in .env}/servers/ulicraft-1.21.1/files/kubejs/server_scripts:/data/kubejs/server_scripts:ro
- ${DISTRIBUTION_WEB_ROOT}/servers/ulicraft-1.21.1/files/kubejs/startup_scripts:/data/kubejs/startup_scripts:ro
- ${DISTRIBUTION_WEB_ROOT}/servers/ulicraft-1.21.1/files/kubejs/data:/data/kubejs/data:ro
- ${DISTRIBUTION_WEB_ROOT}/servers/ulicraft-1.21.1/files/kubejs/assets:/data/kubejs/assets:ro
- ${DISTRIBUTION_WEB_ROOT}/servers/ulicraft-1.21.1/files/CustomSkinLoader:/data/CustomSkinLoader:ro
depends_on:
- drasl # ingress (caddy/nginx) is layered separately
- drasl # authlib (auth.) must resolve at boot
# Containers don't inherit the host's /etc/hosts; the LAN resolver returns a
# dead address for the public names. Pin auth. to the host so HTTPS to it
# lands on the host's nginx (valid LE cert) -> caddy -> drasl.
extra_hosts:
- "auth.${BASE_DOMAIN}:host-gateway"
networks:
- mcnet
# Optional: backups
mc-backup:
image: itzg/mc-backup
container_name: mc-backup
@@ -109,9 +139,129 @@ services:
networks:
- mcnet
# Internal ingress. Routes every vhost by Host header (conf.d/*.caddy):
# auth. -> drasl, apex -> landing + /launcher,
# avatar. -> nmsr, status. -> uptime-kuma, distribution. -> static site.
# Published on a localhost-only port; the host's nginx terminates TLS in
# front of it (nginx/ulicraft-caddy.conf.tmpl).
caddy:
image: caddy:alpine
container_name: caddy
restart: unless-stopped
ports:
- "${CADDY_HTTP_BIND:-127.0.0.1}:${CADDY_HTTP_PORT:-8880}:80"
environment:
BASE_DOMAIN: ${BASE_DOMAIN}
volumes:
- ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
- ./caddy/conf.d/00-core.caddy:/etc/caddy/conf.d/00-core.caddy:ro
- ./caddy/conf.d/10-static.caddy:/etc/caddy/conf.d/10-static.caddy:ro
- ./caddy/conf.d/30-distribution.caddy:/etc/caddy/conf.d/30-distribution.caddy:ro
- ./caddy/conf.d/40-avatar.caddy:/etc/caddy/conf.d/40-avatar.caddy:ro
- ./caddy/conf.d/50-status.caddy:/etc/caddy/conf.d/50-status.caddy:ro
- ./caddy/conf.d/60-files.caddy:/etc/caddy/conf.d/60-files.caddy:ro
- ./www:/srv/www:ro
- ./launcher:/srv/launcher:ro
# Static site from ANOTHER repo (absolute host path in .env).
- ${DISTRIBUTION_WEB_ROOT:?DISTRIBUTION_WEB_ROOT unset in .env}:/srv/distribution:ro
networks:
mcnet:
# Containers resolve the stack's own public names to caddy internally.
aliases:
- "auth.${BASE_DOMAIN}"
# Avatar/skin renderer — built from source (docker/nmsr/Dockerfile), pulls
# player profiles from Drasl over mcnet. caddy proxies avatar. -> nmsr:8080.
nmsr:
build:
context: ./docker/nmsr
image: ulicraft/nmsr:local
container_name: nmsr
restart: unless-stopped
volumes:
- ./nmsr/config.toml:/nmsr/config.toml:ro
# Drasl embeds absolute HTTPS skin URLs (BaseURL is https) in the profile.
# The mcnet alias resolves auth. -> caddy (http :80 only), so NMSR's https
# skin fetch to auth.:443 finds no listener and every avatar falls back to
# the default skin. Pin auth. to the host (same as the minecraft service) so
# NMSR reaches the host nginx on :443 with the real LE cert.
extra_hosts:
- "auth.${BASE_DOMAIN}:host-gateway"
networks:
- mcnet
# Self-hosted SLP→JSON pinger (built from docker/mc-status, mcutil wrapper).
# Emits mcstatus.io v2 JSON so the landing's ServerCard reads it unchanged.
# No published port — caddy proxies apex /api/mcstatus/* -> mc-status:8080.
# Pings the minecraft service internally over mcnet; result cached 30s.
mc-status:
build:
context: ./docker/mc-status
image: ulicraft/mc-status:local
container_name: mc-status
restart: unless-stopped
environment:
MC_STATUS_TARGET: "minecraft:25565"
MC_STATUS_CACHE_TTL: "30s"
# Registered-players roster (/api/mcstatus/players). mc-status logs into
# the Drasl admin API server-side and exposes a sanitized [{uuid,name}]
# list; these creds NEVER reach the browser. Use a dedicated, rotatable
# admin account. Isolated from the status pinger (own TTL/client).
DRASL_API_URL: "http://drasl:25585/drasl/api/v2"
DRASL_ADMIN_USERNAME: ${DRASL_ADMIN_USERNAME}
DRASL_ADMIN_PASSWORD: ${DRASL_ADMIN_PASSWORD}
MC_STATUS_ROSTER_TTL: "60s"
networks:
- mcnet
# Player file share (screenshots, schematics, maps) at files.${BASE_DOMAIN}.
# ONE shared login for everybody (FILES_AUTH=htpasswd), writable. See
# plan/20-files.md — it documents every non-obvious bit of this service.
#
# Config is rendered read-only from filestash/config.json.tmpl: filestash has
# no env-var config, and its admin console writes config.json back at runtime,
# so pinning it :ro is what keeps git authoritative. The console still loads —
# it just cannot save. That is intentional, not a bug.
filestash:
image: machines/filestash@sha256:8cb09d42470328a02aec6e3861f912addf8a9d54ad63d9c965bcb48df5ad36b1
container_name: filestash
restart: unless-stopped
environment:
# The `local` storage backend is admin-gated in filestash: it refuses to
# init unless the connection params carry this secret (or the admin
# password). config.json's attribute_mapping supplies it server-side, so
# players never see it. Without this, every login dies on "Not Allowed".
LOCAL_BACKEND_SECRET: ${FILES_LOCAL_SECRET:?FILES_LOCAL_SECRET unset in .env}
# Do NOT set APPLICATION_URL / ADMIN_PASSWORD here: either one makes
# filestash rewrite config.json at boot, which fails on the :ro mount.
# Both live in the rendered config instead (general.host / auth.admin).
volumes:
# /app/data/state holds config + sqlite + search index + logs, so the
# DIRECTORY must stay writable. Only config.json is pinned read-only.
- filestash_state:/app/data/state
- ./filestash/config.json:/app/data/state/config/config.json:ro
# The share itself. FILES_MOUNT_MODE is the literal mount flag (ro|rw) —
# `ro` enforces a read-only share at the KERNEL, whatever the UI thinks.
- ${FILES_DATA_DIR:?FILES_DATA_DIR unset in .env}:/data/files:${FILES_MOUNT_MODE:-ro}
networks:
- mcnet
# Status monitoring + public status page. caddy proxies status. -> :3001.
# Joins mcnet so monitors probe the stack by internal service name.
uptime-kuma:
image: louislam/uptime-kuma:1
container_name: uptime-kuma
restart: unless-stopped
volumes:
- kuma_data:/app/data
networks:
- mcnet
volumes:
drasl_state:
mc_data:
kuma_data:
filestash_state:
networks:
mcnet:

View File

@@ -1,9 +0,0 @@
# Publishes the stack's service names on .local via the HOST's avahi-daemon
# (over its D-Bus socket — no second daemon, avoids the :5353 collision).
# Requires the host to run avahi-daemon and the socket to be mounted (see
# docker-compose.avahi.yml). Used when ENABLE_MDNS=true and BASE_DOMAIN=*.local.
FROM alpine:3.20
RUN apk add --no-cache avahi-tools
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

View File

@@ -1,32 +0,0 @@
#!/bin/sh
# Publish A records for the stack's service names on .local via the HOST's
# avahi-daemon (reached over its mounted D-Bus socket). One avahi-publish per
# name; if any drops the container exits so Docker restarts it.
set -eu
: "${BASE_DOMAIN:?BASE_DOMAIN unset}"
: "${HOST_LAN_IP:?HOST_LAN_IP unset}"
case "$BASE_DOMAIN" in
*.local) ;;
*) echo "WARN: mDNS resolves only .local — BASE_DOMAIN=$BASE_DOMAIN will NOT be discoverable via avahi. Set BASE_DOMAIN=*.local to use mDNS." >&2 ;;
esac
bus="${DBUS_SYSTEM_BUS_ADDRESS:-unix:path=/run/dbus/system_bus_socket}"
sock=${bus#unix:path=}
if [ ! -S "$sock" ]; then
echo "ERROR: host D-Bus socket '$sock' not found. Mount the host's" >&2
echo " /run/dbus/system_bus_socket and ensure avahi-daemon runs on the host." >&2
exit 1
fi
export DBUS_SYSTEM_BUS_ADDRESS="$bus"
pids=""
for n in "$BASE_DOMAIN" "auth.$BASE_DOMAIN" "packwiz.$BASE_DOMAIN" "mc.$BASE_DOMAIN"; do
echo "mDNS publish (host avahi): $n -> $HOST_LAN_IP"
avahi-publish -a "$n" "$HOST_LAN_IP" &
pids="$pids $!"
done
# shellcheck disable=SC2086
wait -n $pids 2>/dev/null || wait

View File

@@ -0,0 +1,15 @@
# mc-status — self-hosted SLP→JSON pinger (mcutil wrapper). Multi-stage:
# build a static binary, ship it on scratch.
FROM golang:1.25-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /out/mc-status .
FROM scratch
# CA roots so SRV/DNS over the resolver and any TLS lookups work.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/mc-status /mc-status
EXPOSE 8080
ENTRYPOINT ["/mc-status"]

5
docker/mc-status/go.mod Normal file
View File

@@ -0,0 +1,5 @@
module ulicraft/mc-status
go 1.25.0
require github.com/mcstatus-io/mcutil/v4 v4.0.1

2
docker/mc-status/go.sum Normal file
View File

@@ -0,0 +1,2 @@
github.com/mcstatus-io/mcutil/v4 v4.0.1 h1:/AQkHrz7irCU7USGnrH3kneQw80aDQOVdOWc8xu/NUY=
github.com/mcstatus-io/mcutil/v4 v4.0.1/go.mod h1:yC91WInI1U2GAMFWgpPgsAULPVS2o+4JCZbiiWhHwxM=

397
docker/mc-status/main.go Normal file
View File

@@ -0,0 +1,397 @@
// mc-status — a tiny self-hosted Minecraft Server List Ping → JSON service.
//
// It wraps github.com/mcstatus-io/mcutil (the same library that powers
// api.mcstatus.io) and re-emits the result in mcstatus.io's *v2* JSON shape, so
// the landing's ServerCard.astro can talk to it with zero changes — just point
// `statusApi` at this service instead of the public API.
//
// Hardening notes:
// - The address in the request path is IGNORED. We only ever ping the single
// allow-listed MC_STATUS_TARGET. This is deliberate: a path-controlled
// pinger would be an open SSRF relay. The path segment is kept only so the
// URL stays drop-in compatible with api.mcstatus.io/v2/status/java/<addr>.
// - Results are cached in-memory for MC_STATUS_CACHE_TTL so a busy landing
// page can't hammer the Minecraft server with a ping per visitor.
package main
import (
"bytes"
"context"
"encoding/json"
"io"
"log"
"net/http"
"os"
"strconv"
"strings"
"sync"
"time"
"github.com/mcstatus-io/mcutil/v4/status"
)
// --- mcstatus.io v2 response shape (only the fields ServerCard reads) ---
type v2Version struct {
NameRaw string `json:"name_raw"`
NameClean string `json:"name_clean"`
NameHTML string `json:"name_html"`
Protocol int64 `json:"protocol"`
}
type v2Player struct {
UUID string `json:"uuid"`
NameRaw string `json:"name_raw"`
NameClean string `json:"name_clean"`
NameHTML string `json:"name_html"`
}
type v2Players struct {
Online int64 `json:"online"`
Max int64 `json:"max"`
List []v2Player `json:"list"`
}
type v2MOTD struct {
Raw string `json:"raw"`
Clean string `json:"clean"`
HTML string `json:"html"`
}
type v2Response struct {
Online bool `json:"online"`
Host string `json:"host"`
Port uint16 `json:"port"`
Version *v2Version `json:"version,omitempty"`
Players *v2Players `json:"players,omitempty"`
MOTD *v2MOTD `json:"motd,omitempty"`
Icon *string `json:"icon"`
}
// --- tiny TTL cache (single target → single entry) ---
type cache struct {
mu sync.Mutex
payload []byte
expires time.Time
}
func deref[T any](p *T) (v T) {
if p != nil {
v = *p
}
return
}
// --- registered-players roster (Drasl admin) ---
//
// The roster path is DELIBERATELY isolated from the status path: its own
// http.Client (with a timeout), its own TTL cache, and its own cached admin
// token. Drasl being slow or down must never block or break /v2/status — on any
// failure we serve stale-or-empty JSON rather than hanging. Mirrors the status
// cache style above (single entry, mutex-guarded).
// rosterPlayer is the sanitized shape we expose publicly: uuid + name only,
// everything else from Drasl stripped (no emails, capes, admin flags, etc.).
type rosterPlayer struct {
UUID string `json:"uuid"`
Name string `json:"name"`
}
// draslPlayer is the subset of Drasl's GET /players entries we read.
type draslPlayer struct {
UUID string `json:"uuid"`
Name string `json:"name"`
}
// roster holds the cached public payload plus the cached admin token. Both are
// guarded by the same mutex; token reuse avoids a login per request.
type roster struct {
mu sync.Mutex
payload []byte
expires time.Time
token string
apiURL string
username string
password string
ttl time.Duration
client *http.Client
}
// payloadOrEmpty returns the cached payload, or an empty JSON array if nothing
// has ever been fetched. Used so a Drasl failure on the very first request
// still yields valid JSON ("[]") instead of an error.
func (rs *roster) payloadOrEmpty() []byte {
if rs.payload != nil {
return rs.payload
}
return []byte("[]")
}
// fetch logs in (if no token) and lists players, re-logging in once on a 401.
// On any error it returns the previous payload (stale-or-empty), never an error
// to the caller — the handler always serves something.
func (rs *roster) fetch() []byte {
players, err := rs.listPlayers(false)
if err != nil {
log.Printf("roster: list players failed: %v", err)
return rs.payloadOrEmpty()
}
out := make([]rosterPlayer, 0, len(players))
for _, p := range players {
out = append(out, rosterPlayer{UUID: p.UUID, Name: p.Name})
}
b, err := json.Marshal(out)
if err != nil {
return rs.payloadOrEmpty()
}
return b
}
// listPlayers performs GET {apiURL}/players with the cached token, logging in
// first if needed. On 401 it clears the token and retries once (retried=true
// prevents a loop). Caller holds rs.mu.
func (rs *roster) listPlayers(retried bool) ([]draslPlayer, error) {
if rs.token == "" {
if err := rs.login(); err != nil {
return nil, err
}
}
req, err := http.NewRequest(http.MethodGet, rs.apiURL+"/players", nil)
if err != nil {
return nil, err
}
req.Header.Set("Authorization", "Bearer "+rs.token)
req.Header.Set("Accept", "application/json")
resp, err := rs.client.Do(req)
if err != nil {
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusUnauthorized && !retried {
// Token expired/invalid — drop it and re-login once.
rs.token = ""
io.Copy(io.Discard, resp.Body)
return rs.listPlayers(true)
}
if resp.StatusCode != http.StatusOK {
io.Copy(io.Discard, resp.Body)
return nil, &httpError{status: resp.StatusCode, op: "list players"}
}
var players []draslPlayer
if err := json.NewDecoder(resp.Body).Decode(&players); err != nil {
return nil, err
}
return players, nil
}
// login posts admin creds to {apiURL}/login and caches the returned apiToken.
// Caller holds rs.mu.
func (rs *roster) login() error {
body, err := json.Marshal(map[string]string{
"username": rs.username,
"password": rs.password,
})
if err != nil {
return err
}
req, err := http.NewRequest(http.MethodPost, rs.apiURL+"/login", bytes.NewReader(body))
if err != nil {
return err
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Accept", "application/json")
resp, err := rs.client.Do(req)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
io.Copy(io.Discard, resp.Body)
return &httpError{status: resp.StatusCode, op: "login"}
}
var out struct {
APIToken string `json:"apiToken"`
}
if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
return err
}
if out.APIToken == "" {
return &httpError{status: resp.StatusCode, op: "login (no apiToken)"}
}
rs.token = out.APIToken
return nil
}
type httpError struct {
status int
op string
}
func (e *httpError) Error() string {
return "drasl " + e.op + ": status " + strconv.Itoa(e.status)
}
func main() {
target := envOr("MC_STATUS_TARGET", "minecraft:25565")
listen := envOr("MC_STATUS_LISTEN", ":8080")
ttl, err := time.ParseDuration(envOr("MC_STATUS_CACHE_TTL", "30s"))
if err != nil {
log.Fatalf("invalid MC_STATUS_CACHE_TTL: %v", err)
}
rosterTTL, err := time.ParseDuration(envOr("MC_STATUS_ROSTER_TTL", "60s"))
if err != nil {
log.Fatalf("invalid MC_STATUS_ROSTER_TTL: %v", err)
}
host, port := splitHostPort(target)
c := &cache{}
// Registered-players roster, fed by the Drasl admin API. Isolated from the
// status pinger above (own client + timeout + cache). If the admin creds are
// unset, /players still works — it just always serves "[]".
rs := &roster{
apiURL: strings.TrimRight(envOr("DRASL_API_URL", "http://drasl:25585/drasl/api/v2"), "/"),
username: os.Getenv("DRASL_ADMIN_USERNAME"),
password: os.Getenv("DRASL_ADMIN_PASSWORD"),
ttl: rosterTTL,
client: &http.Client{Timeout: 5 * time.Second},
}
mux := http.NewServeMux()
// Drop-in path: /v2/status/java/<addr> — <addr> is ignored (see file header).
mux.HandleFunc("/v2/status/java/", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Access-Control-Allow-Origin", "*")
c.mu.Lock()
fresh := c.payload != nil && time.Now().Before(c.expires)
if fresh {
payload := c.payload
c.mu.Unlock()
w.Write(payload)
return
}
c.mu.Unlock()
payload := buildPayload(host, port)
c.mu.Lock()
c.payload = payload
c.expires = time.Now().Add(ttl)
c.mu.Unlock()
w.Write(payload)
})
// Registered-players roster — public path /api/mcstatus/players (caddy
// strips the /api/mcstatus prefix → internal /players). Serves a sanitized
// [{uuid,name}] of all Drasl players. Same CORS:* as the status route.
// Isolated from the status path: own TTL cache, own token, own client; on
// any Drasl failure it serves stale-or-empty rather than hanging.
mux.HandleFunc("/players", func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Access-Control-Allow-Origin", "*")
rs.mu.Lock()
defer rs.mu.Unlock()
if rs.payload != nil && time.Now().Before(rs.expires) {
w.Write(rs.payload)
return
}
payload := rs.fetch()
rs.payload = payload
rs.expires = time.Now().Add(rs.ttl)
w.Write(payload)
})
mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("ok"))
})
log.Printf("mc-status listening on %s, target=%s:%d, ttl=%s, roster-ttl=%s", listen, host, port, ttl, rosterTTL)
log.Fatal(http.ListenAndServe(listen, mux))
}
// buildPayload pings the target and marshals the v2 response. On any ping
// failure it returns a minimal {"online":false} so the frontend can show an
// offline state without erroring.
func buildPayload(host string, port uint16) []byte {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
resp, err := status.Modern(ctx, host, port)
if err != nil {
b, _ := json.Marshal(v2Response{Online: false, Host: host, Port: port})
return b
}
out := v2Response{
Online: true,
Host: host,
Port: port,
Icon: resp.Favicon,
Version: &v2Version{
NameRaw: resp.Version.Name.Raw,
NameClean: resp.Version.Name.Clean,
NameHTML: resp.Version.Name.HTML,
Protocol: resp.Version.Protocol,
},
MOTD: &v2MOTD{
Raw: resp.MOTD.Raw,
Clean: resp.MOTD.Clean,
HTML: resp.MOTD.HTML,
},
Players: &v2Players{
Online: deref(resp.Players.Online),
Max: deref(resp.Players.Max),
List: make([]v2Player, 0, len(resp.Players.Sample)),
},
}
for _, p := range resp.Players.Sample {
out.Players.List = append(out.Players.List, v2Player{
UUID: p.ID,
NameRaw: p.Name.Raw,
NameClean: p.Name.Clean,
NameHTML: p.Name.HTML,
})
}
b, _ := json.Marshal(out)
return b
}
func envOr(key, def string) string {
if v := os.Getenv(key); v != "" {
return v
}
return def
}
func splitHostPort(target string) (string, uint16) {
host, portStr, found := strings.Cut(target, ":")
if !found {
return target, 25565
}
p, err := strconv.ParseUint(portStr, 10, 16)
if err != nil {
return host, 25565
}
return host, uint16(p)
}

View File

@@ -1,12 +1,16 @@
# Drasl config — password-login mode (NO Keycloak/OIDC for now).
# TOML only (drasl has no env support). Rendered by tooling/render-config.sh
# -> drasl/config/config.toml (gitignored). Only ${BASE_DOMAIN} is substituted.
# -> drasl/config/config.toml (gitignored). Substitutes ${BASE_DOMAIN} and
# ${REGISTRATION_REQUIRE_INVITE} (derived from REGISTRATION_MODE in .env).
# Reached only via Caddy at auth.${BASE_DOMAIN}; drasl has no published host port.
BaseURL = "http://auth.${BASE_DOMAIN}"
# Public scheme is HTTPS — the host nginx terminates TLS in front of caddy.
# Drasl builds absolute URLs (textures, authlib-injector API location) from this;
# an http:// value triggers mixed-content + broken login on the https origin.
BaseURL = "https://auth.${BASE_DOMAIN}"
Domain = "auth.${BASE_DOMAIN}"
ListenAddress = "0.0.0.0:25585" # internal; Caddy reverse-proxies to it
DefaultAdminUsernames = ["admin"]
DefaultAdmins = ["admin"]
# Password login: admin + guests register a username/password on the web UI.
AllowPasswordLogin = true
@@ -18,5 +22,29 @@ SignPublicKeys = false
# Free-text owner label shown in the web UI (a string, not a table).
ApplicationOwner = "Ulicraft"
# CORS: the landing register/account form (served from the apex) calls the
# Drasl API from the browser. Without this the API has NO CORS headers and the
# browser blocks every cross-origin call. Scope to the apex only — never "*",
# which would let any site script the auth API. Echo backfills AllowMethods
# (incl. PATCH/DELETE) and reflects requested headers (Content-Type/Authorization).
# MUST stay top-level (before any [Section]) — under a table it parses as
# <table>.CORSAllowOrigins and drasl ignores it (silent: no CORS headers).
CORSAllowOrigins = ["https://${BASE_DOMAIN}"]
# New-account registration (username+password). RequireInvite is derived from
# REGISTRATION_MODE in .env by render-config.sh: invite -> true, open -> false.
# When true, non-admin callers (web UI + landing register form) must supply a
# valid invite code; admins bypass. Mint codes via POST /drasl/api/v2/invites
# with an admin api token.
[RegistrationNewPlayer]
Allow = true
RequireInvite = ${REGISTRATION_REQUIRE_INVITE}
# Rate limit the now public-facing API (anonymous POST /users etc). Token
# bucket; admins are exempt. Conservative for a 4-10 player server.
[RateLimit]
RequestsPerSecond = 5
Burst = 10
# OIDC block intentionally omitted for now (no Keycloak).
# [[RegistrationOIDC]] <- future task

View File

@@ -0,0 +1,31 @@
{
"general": {
"name": "Ulicraft Files",
"host": "files.${BASE_DOMAIN}",
"force_ssl": true,
"secret_key": "${FILES_SECRET_KEY}",
"editor": "base",
"display_hidden": false,
"upload_button": true,
"fork_button": false
},
"auth": {
"admin": "${FILES_ADMIN_PASSWORD_HASH}"
},
"middleware": {
"identity_provider": {
"type": "${FILES_IDP_TYPE}",
"params": "${FILES_IDP_PARAMS}"
},
"attribute_mapping": {
"related_backend": "files",
"params": "{\"files\":{\"type\":\"local\",\"path\":\"/data/files/\",\"password\":\"${FILES_LOCAL_SECRET}\"}}"
}
},
"connections": [
{
"label": "files",
"type": "local"
}
]
}

View File

@@ -0,0 +1,5 @@
packages:
- '.'
onlyBuiltDependencies:
- esbuild
- sharp

Binary file not shown.

After

Width:  |  Height:  |  Size: 34 KiB

BIN
landing/public/favicon.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 9.0 KiB

Binary file not shown.

View File

@@ -268,3 +268,13 @@
src: url(/fonts/pxiKyp0ihIEF2isfFJU.woff2) format('woff2');
unicode-range: U+0000-00FF, U+0131, U+0152-0153, U+02BB-02BC, U+02C6, U+02DA, U+02DC, U+0304, U+0308, U+0329, U+2000-206F, U+20AC, U+2122, U+2191, U+2193, U+2212, U+2215, U+FEFF, U+FFFD;
}
/* Block Blueprint — vendored from 1001fonts (NOT on Google Fonts; appended by
fetch-fonts.sh after the Google rewrite). License: 1001Fonts Free For Personal
Use. Single weight, TTF (no woff2 toolchain on the build box). */
@font-face {
font-family: 'Block Blueprint';
font-style: normal;
font-weight: 400;
font-display: swap;
src: url(/fonts/BlockBlueprint.ttf) format('truetype');
}

View File

@@ -0,0 +1,52 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg
width="64"
height="64"
viewBox="0 0 9.677 9.667"
version="1.1"
id="svg3"
sodipodi:docname="mojang.svg"
inkscape:version="1.4.3 (0d15f75042, 2025-12-25)"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<defs
id="defs3" />
<sodipodi:namedview
id="namedview3"
pagecolor="#ffffff"
bordercolor="#000000"
borderopacity="0.25"
inkscape:showpageshadow="2"
inkscape:pageopacity="0.0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#d1d1d1"
inkscape:zoom="2.0467427"
inkscape:cx="-92.830429"
inkscape:cy="96.006206"
inkscape:window-width="1920"
inkscape:window-height="992"
inkscape:window-x="0"
inkscape:window-y="0"
inkscape:window-maximized="1"
inkscape:current-layer="g3" />
<path
d="M1.54 2.844c.314-.76 1.31-.46 1.954-.528.785-.083 1.503.272 2.1.758l.164-.9c.327.345.587.756.964 1.052.28.254.655-.342.86-.013.42.864.408 1.86.54 2.795l-.788-.373C6.9 4.17 5.126 3.052 3.656 3.685c-1.294.592-1.156 2.65.06 3.255 1.354.703 2.953.51 4.405.292-.07.42-.34.87-.834.816l-4.95.002c-.5.055-.886-.413-.838-.89l.04-4.315z"
fill="#fff"
id="path3" />
<g
id="g3"
transform="matrix(0.33310606,0,0,0.33310606,8.7658015,-1.332)">
<circle
style="fill:#283c63;fill-opacity:1;stroke:none;stroke-width:4.73305"
id="path1-9"
r="14.345329"
cy="18.66217"
cx="-11.946259" />
<path
id="logo"
d="m -16.05726,28.400159 c -0.04546,-0.07393 -0.04146,-0.951547 0.009,-1.949545 l 0.09191,-1.81518 -0.526472,-0.542457 c -0.672825,-0.692806 -1.103893,-0.809189 -1.679816,-0.453545 -0.538461,0.333165 -0.830668,0.335663 -1.972023,0.01948 -0.862137,-0.23926 -1.268729,-0.459538 -1.120876,-0.607391 0.03746,-0.03797 0.539459,-0.211288 1.113883,-0.385613 1.338658,-0.405094 1.827167,-0.597401 1.740754,-0.684314 -0.03847,-0.03746 -0.615382,0.08842 -1.283213,0.280718 -1.289707,0.370628 -1.760235,0.354645 -1.986009,-0.06693 -0.109385,-0.204296 -0.07793,-0.311188 0.153347,-0.526972 0.159839,-0.148851 0.329669,-0.270729 0.376622,-0.270729 0.04745,0 0.407591,-0.182817 0.801196,-0.406593 l 0.714784,-0.406592 -0.627871,0.07393 c -0.554444,0.06494 -0.62787,0.04396 -0.62787,-0.177322 0,-0.497002 0.182316,-0.679319 1.807687,-1.811185 2.161834,-1.50599 2.788706,-2.085909 3.82167,-3.534457 0.472526,-0.662836 1.121376,-1.3966 1.441555,-1.630866 0.416083,-0.304693 0.627371,-0.578419 0.741756,-0.959537 0.174825,-0.584415 0.423575,-0.866132 0.643355,-0.730268 0.07793,0.04795 0.376124,0.554444 0.663335,1.124871 0.495503,0.985014 0.792705,1.382116 0.792705,1.057441 0,-0.08142 -0.279719,-0.693305 -0.620877,-1.359636 -0.56843,-1.107891 -0.770727,-1.918578 -0.537462,-2.151844 0.143857,-0.143855 0.308192,0.03196 1.558938,1.673323 1.3971002,1.833162 1.6083883,2.205789 1.7192766,3.026966 0.076421,0.567931 0.084919,0.57792 0.1873128,0.217782 0.07543,-0.264735 0.041463,-0.515983 -0.1143866,-0.842656 -0.1218821,-0.255744 -0.1923077,-0.494004 -0.1568436,-0.52947 0.076922,-0.07692 3.2342583,1.562934 4.8366523,2.511483 1.3516446,0.800198 1.8501452,1.238759 1.8501452,1.62637 0,0.467532 -1.0164816,2.36463 -1.8831125,3.514478 -1.1038935,1.465529 -3.3566354,3.276715 -4.0799095,3.280711 -0.2612379,0.0015 -2.1603357,-1.960035 -2.2577377,-2.332162 -0.04496,-0.173826 0.17882,-0.701797 0.63936,-1.505991 0.6992989,-1.221275 0.9160807,-1.784211 0.4735251,-1.227769 l -0.8541441,1.073923 c -0.469529,0.590908 -0.860637,0.910587 -1.561435,1.278718 -0.513984,0.270729 -0.969029,0.580419 -1.010487,0.689309 -0.04146,0.108396 0,0.510987 0.09141,0.894104 0.132368,0.551947 0.133367,0.803694 0.006,1.211286 -0.253246,0.809189 -1.090407,2.56343 -1.223774,2.56343 -0.06593,0 -0.0889,-0.104396 -0.05095,-0.231267 0.03747,-0.127373 0.104397,-0.40959 0.147852,-0.627872 0.07543,-0.376622 0.05095,-0.363135 -0.489509,0.264236 -0.742257,0.863135 -1.41708,1.519976 -1.561435,1.519976 -0.06293,0 -0.152347,-0.06044 -0.197802,-0.134865 z m 3.54145,-11.877094 c 0.213785,-0.214286 -0.03447,-0.411587 -0.516982,-0.411587 -0.567931,0 -0.974523,0.202296 -0.974523,0.485512 0,0.177822 0.110388,0.198801 0.683815,0.130869 0.375623,-0.04446 0.739259,-0.136863 0.80769,-0.204794 z m 2.467027,-4.450039 c -0.167332,-0.201798 0.631368,-0.91908 1.5134836,-1.359638 1.1278687,-0.563436 2.9155763,-0.601397 3.9170734,-0.08341 0.3346641,0.172825 0.9740234,0.845152 0.8866115,0.932564 -0.019979,0.01998 -0.3626379,-0.07642 -0.7617364,-0.214285 -1.3331643,-0.460038 -3.0534394,-0.26973 -4.6588303,0.514484 -0.5889094,0.288211 -0.7927059,0.335664 -0.8966018,0.210289 z m -0.83716,-0.906592 c -0.262737,-0.321178 -0.478521,-0.643355 -0.478521,-0.716281 0,-0.204296 1.587908,-1.2002978 2.160335,-1.3746227 0.5724257,-0.173826 1.252744,-0.2857133 2.3086856,-0.2857133 1.0559416,0 1.7432527,0.1608381 2.547446,0.5429553 0.8121863,0.3861131 2.468526,1.7382577 2.1448505,1.7507447 -0.085909,0.0035 -0.650848,-0.243257 -1.2557409,-0.547452 -1.0034949,-0.504993 -1.2057923,-0.5584397 -2.3261694,-0.6108863 -1.6183763,-0.07543 -2.2127818,0.1048983 -3.4750167,1.0559403 -0.5614371,0.423076 -1.0489481,0.769229 -1.0839131,0.769229 -0.03497,0 -0.27872,-0.262735 -0.541956,-0.584413 z"
style="fill:#bbbbbb;fill-opacity:1;stroke:none;stroke-width:0.499498;stroke-opacity:1" />
</g>
</svg>

After

Width:  |  Height:  |  Size: 5.4 KiB

View File

@@ -1,8 +1,8 @@
---
// MC-GUI slot + copy button. variant "ip" = big gold mono (server address);
// "url" = smaller, wraps (auth / packwiz URLs). Copy handled by the global
// [data-copy] script in [...lang].astro; data-label / data-copied drive the
// (localized) button text and transient feedback.
// "url" = smaller, wraps (auth / authlib URLs). Copy handled by the global
// [data-copy] script in [...lang].astro (and the equivalent on /fjord);
// data-label / data-copied drive the (localized) button text + feedback.
interface Props {
value: string;
variant?: "ip" | "url";

View File

@@ -0,0 +1,84 @@
---
// Installed-pack mod list (the "Mods" section). Build-time baked from the
// auto-generated catalogue (tooling/build-modlist.py → src/data/mods.json),
// loaded via ./data/mods.ts (resilient: missing file → empty list, build never
// fails). Flat alphabetical grid: extracted logo (or a pixel placeholder) +
// pretty name + version. description is exposed as a tooltip. No categories, no
// external links. Tiles share the MC-GUI bevel treatment used by .feat.
import { MODS } from "../data/mods";
interface Props {
emptyLabel?: string;
}
const { emptyLabel = "Mod list not generated yet." } = Astro.props;
const mods = MODS.mods;
---
{mods.length === 0 ? (
<p class="mods-empty">{emptyLabel}</p>
) : (
<div class="mod-grid">
{mods.map((m) => (
<div class="mod" title={m.description || m.name}>
<div class="mod-logo">
{m.logo ? (
<img src={m.logo} alt="" width="40" height="40" loading="lazy" />
) : (
<span class="mod-noicon" aria-hidden="true">{m.name.slice(0, 1).toUpperCase()}</span>
)}
</div>
<div class="mod-meta">
<span class="mod-name">{m.name}</span>
{m.version && <span class="mod-ver">{m.version}</span>}
</div>
</div>
))}
</div>
)}
<style>
.mod-grid {
display: grid;
grid-template-columns: repeat(auto-fill, minmax(220px, 1fr));
gap: 12px;
}
.mod {
display: flex;
align-items: center;
gap: 12px;
padding: 12px 14px;
background: var(--surface);
box-shadow: inset 2px 2px 0 var(--bevel-hi), inset -2px -2px 0 var(--bevel-lo);
transition: transform .14s ease, filter .14s ease;
}
.mod:hover { transform: translateY(-2px); filter: brightness(1.06); }
.mod-logo {
width: 40px; height: 40px; flex-shrink: 0;
display: grid; place-items: center;
background: var(--bg-2);
box-shadow: inset 1px 1px 0 var(--bevel-lo), inset -1px -1px 0 var(--bevel-hi);
}
.mod-logo img { width: 40px; height: 40px; image-rendering: pixelated; }
.mod-noicon {
font-family: var(--font-head);
font-weight: 600;
font-size: 20px;
color: var(--accent);
line-height: 1;
}
.mod-meta { min-width: 0; display: flex; flex-direction: column; gap: 2px; }
.mod-name {
font-size: 15px;
color: var(--text);
white-space: nowrap;
overflow: hidden;
text-overflow: ellipsis;
}
.mod-ver {
font-family: var(--font-mono);
font-size: 12px;
color: var(--dim);
font-variant-numeric: tabular-nums;
}
.mods-empty { margin: 0; color: var(--dim); font-size: 14px; }
</style>

View File

@@ -1,10 +1,13 @@
---
// 7x7 feature glyphs — styled by .picon in main.css.
// Feature icon. Default: a 7x7 procedural glyph (styled by .picon in main.css).
// Optional: pass `img` (an absolute path like "/icons/foo.png|svg" under
// landing/public/) to render a custom image instead of a glyph.
interface Props {
glyph: "shield" | "diamond" | "orb" | "heart";
gold?: boolean;
img?: string; // custom icon path in /public/icons/ — overrides the glyph
}
const { glyph, gold = false } = Astro.props;
const { glyph, gold = false, img } = Astro.props;
const GLYPHS: Record<Props["glyph"], string[]> = {
shield: ["0111110", "1111111", "1111111", "1111111", "0111110", "0011100", "0001000"],
@@ -15,6 +18,10 @@ const GLYPHS: Record<Props["glyph"], string[]> = {
const cells = GLYPHS[glyph].join("").split("");
const onClass = gold ? "go" : "on";
---
<div class="picon" aria-hidden="true">
{cells.map((c) => <i class={c === "1" ? onClass : undefined} />)}
</div>
{img ? (
<img class="picon-img" src={img} alt="" aria-hidden="true" width="52" height="52" />
) : (
<div class="picon" aria-hidden="true">
{cells.map((c) => <i class={c === "1" ? onClass : undefined} />)}
</div>
)}

View File

@@ -0,0 +1,91 @@
---
// Registered-players roster (the "Members" section). Progressive enhancement,
// same shape as ServerCard:
// SSG → renders an empty skeleton (a single .roster grid + an empty-state
// line) so the page is valid with JS off.
// Client → fetches OUR mc-status roster endpoint (site.status.rosterApi,
// same-origin via caddy /api/mcstatus/* → internal /players). It
// returns a sanitized [{uuid,name}] of every Drasl player (admin login
// is server-side in mc-status — no admin token reaches the page). Each
// player renders as a SHARED avatar tile (.roster-tile, styled in
// main.css alongside ServerCard's online tiles).
//
// Empty/error → hide the grid and show the "no members yet" line (data-empty).
import { site } from "../data/site";
interface Props {
// Empty-state copy (passed from the page for i18n; English default).
emptyLabel?: string;
}
const { emptyLabel = "No members yet." } = Astro.props;
const { status, avatarUrl, rosterAvatarMode } = site;
---
<div
class="roster-block"
data-api={status.rosterApi}
data-avatar={avatarUrl}
data-mode={rosterAvatarMode}
data-empty={emptyLabel}
>
<div class="roster" aria-label="Registered players"></div>
<p class="roster-empty" hidden></p>
</div>
<script>
async function hydrate(el: HTMLElement) {
const { api, avatar, mode, empty } = el.dataset;
if (!api || !avatar || !mode) return;
const grid = el.querySelector<HTMLElement>(".roster");
const emptyEl = el.querySelector<HTMLElement>(".roster-empty");
if (!grid) return;
const showEmpty = () => {
grid.hidden = true;
if (emptyEl) {
emptyEl.textContent = empty ?? "No members yet.";
emptyEl.hidden = false;
}
};
let data: Array<{ uuid?: string; name?: string }>;
try {
const r = await fetch(api, { headers: { Accept: "application/json" } });
if (!r.ok) return showEmpty();
data = await r.json();
} catch {
return showEmpty();
}
// Drop the service `admin` account from the public members grid.
const players = Array.isArray(data)
? data.filter((p) => p && p.uuid && p.name?.toLowerCase() !== "admin")
: [];
if (players.length === 0) return showEmpty();
grid.innerHTML = "";
for (const p of players) {
grid.appendChild(rosterTile(p.uuid!, p.name ?? "", avatar, mode));
}
}
// Shared avatar tile (avatar + name) — identical markup to ServerCard's
// online tiles, so .roster / .roster-tile (global, main.css) style both.
function rosterTile(uuid: string, name: string, avatar: string, mode: string) {
const tile = document.createElement("div");
tile.className = "roster-tile";
const img = document.createElement("img");
img.loading = "lazy";
img.alt = name;
img.src = `${avatar}/${mode}/${uuid}?size=256`;
const label = document.createElement("span");
label.className = "roster-name";
label.textContent = name;
label.title = name;
tile.append(img, label);
return tile;
}
document.querySelectorAll<HTMLElement>(".roster-block").forEach(hydrate);
</script>

View File

@@ -0,0 +1,239 @@
---
// Featured LIVE server card. Progressive enhancement:
// SSG → renders a static skeleton (server icon, MOTD, slot cap) identical in
// spirit to the old ServerListPanel, so it looks right with JS off or
// if the status API is unreachable.
// Client → fetches mcstatus.io (CORS:*, no key, 60s cache) for the public
// address and fills in: live online/offline pill, players online/max +
// fill bar, the real server favicon, color MOTD, and a row of player
// HEADS rendered by OUR NMSR from Drasl skins (not Mojang/Crafatar).
//
// Live labels are passed as data-* so copy stays translatable from the page
// (defaults are English). Heads use /headiso. Promo/placeholder players with
// the all-zero UUID are filtered out.
import { site } from "../data/site";
interface Props {
// SSG fallback copy (same props the old ServerListPanel took).
modded: string;
motd: string;
upTo: string;
// Live labels (optional, English defaults). Pass t.* from the page to i18n.
onlineLabel?: string;
offlineLabel?: string;
emptyLabel?: string;
}
const {
modded,
motd,
upTo,
onlineLabel = "Online",
offlineLabel = "Offline",
emptyLabel = "Nobody online",
} = Astro.props;
const { status, avatarUrl, avatarMode } = site;
---
<div
class="servercard"
data-api={status.statusApi}
data-avatar={avatarUrl}
data-mode={avatarMode}
data-slots={status.slots}
data-online={onlineLabel}
data-offline={offlineLabel}
data-empty={emptyLabel}
>
<div class="sc-top">
<div class="sc-icon">
<!-- Replaced by the real server favicon on success; Ulicraft logo otherwise. -->
<img class="sc-favicon" alt="" hidden />
<span class="sc-creeper"><img src="/ulicraft-logo-mini.svg" alt="" width="56" height="56" /></span>
</div>
<div class="sc-meta">
<div class="sc-row1">
<span class="sc-title">{site.name}</span>
<span class="sc-ver">Java {site.mcVersion}</span>
</div>
<p class="sc-motd"><span class="a">⛏ {modded}</span> · <span class="sc-motd-text">{motd}</span></p>
</div>
<div class="sc-state">
<span class="sc-pill" data-up="">
<span class="sc-dot"></span>
<span class="sc-pill-txt">·</span>
</span>
<div class="sc-count">
<span class="sc-on">{upTo}</span> <b class="sc-max">{status.slots}</b>
</div>
</div>
</div>
<!-- Player fill bar (online/max). Hidden until a live count arrives. -->
<div class="sc-bar" hidden><span class="sc-bar-fill"></span></div>
<!-- Avatar tiles + empty state. Populated client-side. -->
<div class="sc-players" hidden>
<div class="roster" aria-label="Players online"></div>
<p class="sc-empty" hidden></p>
</div>
</div>
<style>
.servercard {
background: var(--slot);
padding: 16px;
display: flex;
flex-direction: column;
gap: 14px;
box-shadow:
inset 2px 2px 0 var(--bevel-hi),
inset -2px -2px 0 var(--bevel-lo),
0 8px 24px oklch(0 0 0 / 0.4);
}
.sc-top { display: flex; gap: 18px; align-items: center; }
.sc-icon {
width: 72px; height: 72px; flex-shrink: 0;
display: grid; place-items: center; position: relative;
background: var(--bg-2);
}
.sc-favicon { width: 64px; height: 64px; image-rendering: pixelated; }
.sc-creeper img { width: 56px; height: 56px; }
.sc-meta { flex: 1; min-width: 0; }
.sc-row1 { display: flex; align-items: baseline; gap: 12px; }
.sc-title { font-family: var(--font-head); font-weight: 600; font-size: 22px; white-space: nowrap; }
.sc-ver { color: var(--dim); font-family: var(--font-mono); font-size: 17px; white-space: nowrap; }
.sc-motd { margin: 6px 0 0; color: var(--muted); font-size: 15px; }
.sc-motd .a { color: var(--accent); }
/* mcstatus.io motd.html ships inline color styles; keep its spans inline. */
.sc-motd-text :global(span) { display: inline; }
.sc-state { text-align: right; flex-shrink: 0; display: flex; flex-direction: column; align-items: flex-end; gap: 6px; }
.sc-pill {
display: inline-flex; align-items: center; gap: 6px;
font-size: 11px; font-family: var(--font-pixel, var(--font-mono));
letter-spacing: 0.04em; text-transform: uppercase;
padding: 3px 8px; color: var(--dim);
box-shadow: inset 1px 1px 0 var(--bevel-hi), inset -1px -1px 0 var(--bevel-lo);
}
.sc-dot { width: 9px; height: 9px; background: var(--dim); image-rendering: pixelated; }
.sc-pill[data-up="1"] { color: var(--accent-hi); }
.sc-pill[data-up="1"] .sc-dot { background: var(--accent); box-shadow: 0 0 6px var(--glow); }
.sc-pill[data-up="0"] { color: oklch(0.65 0.18 25); }
.sc-pill[data-up="0"] .sc-dot { background: oklch(0.62 0.2 25); }
.sc-count { font-variant-numeric: tabular-nums; font-size: 15px; color: var(--muted); }
.sc-count b { color: var(--text); }
.sc-bar { height: 6px; background: var(--bg-2); box-shadow: inset 1px 1px 0 var(--bevel-lo); }
.sc-bar-fill { display: block; height: 100%; width: 0; background: var(--accent); transition: width 0.6s ease; }
/* Online avatar tiles use the shared .roster / .roster-tile styles in
main.css (also used by PlayerRoster.astro). */
.sc-empty { margin: 0; color: var(--dim); font-size: 13px; }
</style>
<script>
const ZERO_UUID = "00000000-0000-0000-0000-000000000000";
async function hydrate(el: HTMLElement) {
const { api, avatar, mode, slots, online, offline, empty } = el.dataset;
if (!api || !avatar || !mode) return;
const q = <T extends HTMLElement>(s: string) => el.querySelector<T>(s);
const pill = q(".sc-pill");
const pillTxt = q(".sc-pill-txt");
const favicon = q<HTMLImageElement>(".sc-favicon");
const creeper = q(".sc-creeper");
const onEl = q(".sc-on");
const maxEl = q(".sc-max");
const motdEl = q(".sc-motd-text");
const bar = q(".sc-bar");
const fill = q<HTMLElement>(".sc-bar-fill");
const players = q(".sc-players");
const roster = q(".roster");
const emptyEl = q(".sc-empty");
let data: any;
try {
const r = await fetch(api, { headers: { Accept: "application/json" } });
if (!r.ok) return; // keep SSG skeleton
data = await r.json();
} catch {
return; // offline/network → keep SSG skeleton
}
const up = data.online === true;
pill?.setAttribute("data-up", up ? "1" : "0");
if (pillTxt) pillTxt.textContent = up ? (online ?? "Online") : (offline ?? "Offline");
if (!up) return; // offline pill set; leave the rest as the static fallback
// Live count + bar.
const on = data.players?.online ?? 0;
const max = data.players?.max ?? (Number(slots) || 0);
if (onEl) onEl.textContent = String(on);
if (maxEl) maxEl.textContent = String(max);
if (bar && fill) {
bar.hidden = false;
fill.style.width = max > 0 ? `${Math.min(100, (on / max) * 100)}%` : "0%";
}
// Real server favicon.
if (favicon && typeof data.icon === "string" && data.icon.startsWith("data:image")) {
favicon.src = data.icon;
favicon.hidden = false;
creeper?.setAttribute("hidden", "");
}
// Color MOTD (mcstatus ships inline-styled spans for our own server).
if (motdEl && data.motd?.html) motdEl.innerHTML = data.motd.html;
// Labeled avatar tiles from OUR NMSR (Drasl skins). Filter promo/placeholder
// rows (all-zero UUID) and dedupe. Tiles share .roster styles with the
// Members grid (PlayerRoster.astro) — see rosterTile() below.
const list: Array<{ uuid?: string; name_clean?: string }> = data.players?.list ?? [];
const seen = new Set<string>();
const real = list.filter((p) => {
const u = (p.uuid ?? "").toLowerCase();
if (!u || u === ZERO_UUID || seen.has(u)) return false;
seen.add(u);
return true;
});
if (players && roster) {
players.hidden = false;
if (real.length === 0) {
if (emptyEl) {
emptyEl.textContent = empty ?? "Nobody online";
emptyEl.hidden = false;
}
} else {
roster.innerHTML = "";
for (const p of real.slice(0, 16)) {
roster.appendChild(rosterTile(p.uuid!, p.name_clean ?? "", avatar, mode));
}
}
}
}
// Build one shared avatar tile (avatar + name). Same markup PlayerRoster
// builds, so .roster / .roster-tile (global, in main.css) style both.
function rosterTile(uuid: string, name: string, avatar: string, mode: string) {
const tile = document.createElement("div");
tile.className = "roster-tile";
const img = document.createElement("img");
img.loading = "lazy";
img.alt = name;
img.src = `${avatar}/${mode}/${uuid}?size=64`;
const label = document.createElement("span");
label.className = "roster-name";
label.textContent = name;
label.title = name;
tile.append(img, label);
return tile;
}
document.querySelectorAll<HTMLElement>(".servercard").forEach(hydrate);
</script>

View File

@@ -0,0 +1,39 @@
{
"productName": "Ulicraft",
"version": "1.0.0",
"baseUrl": "https://distribution.ulicraft.net/launcher",
"files": [
{
"name": "Ulicraft-1.0.0.exe",
"os": "windows",
"arch": "x64",
"ext": "exe",
"size": 90893289,
"url": "https://distribution.ulicraft.net/launcher/Ulicraft-1.0.0.exe"
},
{
"name": "Ulicraft-1.0.0.AppImage",
"os": "linux",
"arch": "x64",
"ext": "AppImage",
"size": 95722608,
"url": "https://distribution.ulicraft.net/launcher/Ulicraft-1.0.0.AppImage"
},
{
"name": "Ulicraft-1.0.0.deb",
"os": "linux",
"arch": "x64",
"ext": "deb",
"size": 87751876,
"url": "https://distribution.ulicraft.net/launcher/Ulicraft-1.0.0.deb"
},
{
"name": "Ulicraft-1.0.0.tar.gz",
"os": "linux",
"arch": "x64",
"ext": "tar.gz",
"size": 116347746,
"url": "https://distribution.ulicraft.net/launcher/Ulicraft-1.0.0.tar.gz"
}
]
}

View File

@@ -0,0 +1,5 @@
{
"schemaVersion": 1,
"count": 0,
"mods": []
}

56
landing/src/data/mods.ts Normal file
View File

@@ -0,0 +1,56 @@
// Build-time loader for the auto-generated mod catalogue. tooling/build-modlist.py
// writes src/data/mods.json (gitignored, generated) from the distribution's full
// client modset; it MAY NOT EXIST on a fresh checkout, so we read it at runtime
// with fs (a static `import` would hard-fail the build when absent). Fall back to
// the committed .example.json (an empty catalogue); if even that is unreadable,
// expose an empty catalogue so the page simply renders no mods and the stat tile
// keeps its default. Same pattern as loadLauncherManifest in site.ts.
// @ts-ignore — node builtins (no @types/node in this Astro SSG; same reason
// `process`/`import.meta.url` reads work at build time, as in site.ts).
import { readFileSync } from "node:fs";
export type Mod = {
id: string;
name: string;
version: string;
authors: string;
description: string;
logo: string | null;
};
export type ModCatalogue = {
schemaVersion: number;
count: number;
mods: Mod[];
};
export function loadMods(): ModCatalogue {
const empty: ModCatalogue = { schemaVersion: 1, count: 0, mods: [] };
// Resolve relative to this module first (works when import.meta.url points at
// the source dir), then fall back to a cwd-relative path (Astro runs the build
// from the landing root, so src/data/* resolves there even when the module has
// been bundled to a different location). Prefer the generated mods.json, then
// the committed empty mods.example.json.
// @ts-ignore — `process` is untyped here (no @types/node), same as site.ts.
const cwd: string = typeof process !== "undefined" ? process.cwd() : ".";
const candidates: Array<string | URL> = [];
for (const name of ["mods.json", "mods.example.json"]) {
try {
candidates.push(new URL(name, import.meta.url));
} catch {
// import.meta.url unavailable — skip the module-relative candidate.
}
candidates.push(`${cwd}/src/data/${name}`);
}
for (const c of candidates) {
try {
const parsed = JSON.parse(readFileSync(c, "utf8")) as ModCatalogue;
if (parsed && Array.isArray(parsed.mods)) return parsed;
} catch {
// try the next candidate (file missing/unreadable → fall back)
}
}
return empty;
}
export const MODS = loadMods();

View File

@@ -2,8 +2,114 @@
// domains, URLs, theme, launcher files, and the structural shape of the
// stat/feature lists. Translatable copy lives in src/i18n/ui.ts.
// BASE_DOMAIN is read at build time; falls back to ulicraft.local.
// @ts-ignore — node builtins (no @types/node in this Astro SSG; same reason
// `process` below is untyped). Used only at build time to read the manifest.
import { readFileSync } from "node:fs";
const BASE_DOMAIN = process.env.BASE_DOMAIN ?? "ulicraft.local";
// NMSR render mode for avatar tiles. AVATAR_MODE is the ServerCard online row +
// account preview (heads); ROSTER_AVATAR_MODE is the Members grid (full body by
// default). Read at build time, same as BASE_DOMAIN. e.g. "headiso" | "head" |
// "fullbody" | "fullbodyiso".
// @ts-ignore — `process` is untyped here (no @types/node), same as BASE_DOMAIN.
const AVATAR_MODE = process.env.AVATAR_MODE ?? "headiso";
// @ts-ignore — `process` is untyped here (no @types/node).
const ROSTER_AVATAR_MODE = process.env.ROSTER_AVATAR_MODE ?? "fullbodyiso";
// UlicraftLauncher download list. Source of truth is the custom-launcher repo's
// build output `launcher.json` (shape: productName/version/baseUrl/files[]),
// published to https://distribution.${BASE}/launcher/launcher.json. The release
// flow syncs that file into this dir as `launcher.json` (gitignored, generated)
// — same pattern as sync-server-mods.sh. It MAY NOT EXIST at build time, so we
// read it at runtime with fs (a static `import` would hard-fail the build when
// absent). Fall back to the committed `launcher.example.json` (the documented
// shape); if even that is unreadable, expose an empty file list so the homepage
// simply renders no download buttons. The raw launcher.json is normalized into
// the internal shape the page renders against (builds[]).
type LauncherBuild = {
os: string; // "windows" | "macos" | "linux"
arch: string; // "x64" | "arm64" | "universal"
format: string; // file extension: "exe" | "dmg" | "AppImage" | "deb" | "tar.gz" | …
filename: string;
url: string;
size?: number;
};
type LauncherFile = { filename: string; url: string; size?: number };
type LauncherManifest = {
product: string;
version: string;
builds: LauncherBuild[];
// Not present in launcher.json; the Fjord page degrades gracefully when absent.
fjordPack?: LauncherFile;
};
// Raw shape as produced by the custom-launcher build (UlicraftLauncher/dist/launcher.json).
type RawLauncherJson = {
productName?: string;
version?: string;
baseUrl?: string;
files?: Array<{ name: string; os: string; arch: string; ext: string; url: string; size?: number }>;
};
function normalizeLauncher(raw: RawLauncherJson): LauncherManifest {
return {
product: raw.productName ?? "UlicraftLauncher",
version: raw.version ?? "0.0.0",
builds: (raw.files ?? []).map((f) => ({
os: f.os,
arch: f.arch,
format: f.ext,
filename: f.name,
url: f.url,
size: f.size,
})),
};
}
function loadLauncherManifest(): LauncherManifest {
const empty: LauncherManifest = { product: "UlicraftLauncher", version: "0.0.0", builds: [] };
// Resolve relative to this module first, then fall back to a cwd-relative path:
// Astro bundles this module so import.meta.url may not point at src/data/ at
// build time, but the build runs from the landing root, so <cwd>/src/data/*
// resolves. Prefer the synced launcher.json, then the committed example.
// @ts-ignore — `process` is untyped here (no @types/node).
const cwd: string = typeof process !== "undefined" ? process.cwd() : ".";
const candidates: Array<string | URL> = [];
for (const name of ["launcher.json", "launcher.example.json"]) {
try {
candidates.push(new URL(name, import.meta.url));
} catch {
// import.meta.url unavailable — skip the module-relative candidate.
}
candidates.push(`${cwd}/src/data/${name}`);
}
for (const c of candidates) {
try {
const raw = JSON.parse(readFileSync(c, "utf8")) as RawLauncherJson;
if (raw && Array.isArray(raw.files)) return normalizeLauncher(raw);
} catch {
// try the next candidate (synced file missing → fall back to example)
}
}
return empty;
}
const LAUNCHER_MANIFEST = loadLauncherManifest();
// REGISTRATION_MODE (invite|open) is read at build time, same .env as Drasl's
// render-config.sh. "invite" => the register form must collect an invite code.
const REGISTRATION_MODE = process.env.REGISTRATION_MODE ?? "invite";
// REGISTRATION_SHOW_INVITE (true|false, default false=hidden) ONLY toggles the
// visibility of the invite-code field on the register form. The backend invite
// gate stays on Drasl's RequireInvite (driven by REGISTRATION_MODE). Decoupled on
// purpose: invites are usually admin-minted and the field is hidden by default.
// CAVEAT: if REGISTRATION_MODE=invite (backend requires a code) but this is
// false, public self-registration can't supply one — set both together.
// @ts-ignore — `process` is untyped here (no @types/node).
const REGISTRATION_SHOW_INVITE = process.env.REGISTRATION_SHOW_INVITE ?? "false";
// Minecraft / pack facts, surfaced in a few places.
const MC_VERSION = "1.21.1";
@@ -12,47 +118,65 @@ export const site = {
baseDomain: BASE_DOMAIN,
mcVersion: MC_VERSION,
// Register form behaviour, driven by REGISTRATION_MODE in .env.
// true => Drasl RequireInvite = true (backend gate)
// false => open self-registration
registrationRequiresInvite: REGISTRATION_MODE === "invite",
// Whether the invite-code FIELD is shown on the register form (default false).
// Independent of the backend gate above — see REGISTRATION_SHOW_INVITE note.
registrationShowInvite: REGISTRATION_SHOW_INVITE === "true",
// Design knobs (replace the design's in-browser TweaksPanel). Baked at build.
// mood: "grass" | "nether" | "end"
// hero: "centered" | "split" | "spotlight"
// headFont: "pixelify" | "8bit" | "silkscreen"
// headFont: "blockblueprint" | "pixelify" | "8bit" | "silkscreen"
// dust: floating pixel particles in the hero
theme: {
mood: "grass",
hero: "centered",
headFont: "pixelify",
headFont: "blockblueprint",
dust: true,
},
// Connect target shown to guests. No port needed — a dnsmasq SRV record
// (_minecraft._tcp.mc.<domain>) points clients at 25565.
serverAddress: `mc.${BASE_DOMAIN}`,
// Connect target shown to guests. No port needed (defaults to 25565).
serverAddress: `${BASE_DOMAIN}`,
// Drasl auth web UI + authlib-injector API root.
authUrl: `http://auth.${BASE_DOMAIN}`,
authlibUrl: `http://auth.${BASE_DOMAIN}/authlib-injector`,
// Drasl auth web UI + authlib-injector API root (public HTTPS).
authUrl: `https://auth.${BASE_DOMAIN}`,
authlibUrl: `https://auth.${BASE_DOMAIN}/authlib-injector`,
// Drasl REST API v2 root — the /register form calls this from the browser.
// Requires CORSAllowOrigins to include the apex in drasl config.toml.
draslApiUrl: `https://auth.${BASE_DOMAIN}/drasl/api/v2`,
// packwiz modpack entrypoint.
packwizUrl: `http://packwiz.${BASE_DOMAIN}/pack.toml`,
// NMSR avatar renderer root. Player heads come from OUR Drasl skins, not
// Mojang/Crafatar — head URL is `${avatarUrl}/headiso/<uuid>?size=64`.
avatarUrl: `https://avatar.${BASE_DOMAIN}`,
// Caddy local CA root — guests import this to trust the offline asset mirror.
caCertUrl: `http://${BASE_DOMAIN}/ca.crt`,
// NMSR render mode for avatar tiles. Avatar URL = `${avatarUrl}/<mode>/<uuid>?size=N`.
// avatarMode → ServerCard online row + account preview (heads)
// rosterAvatarMode → PlayerRoster members grid (full body)
avatarMode: AVATAR_MODE,
rosterAvatarMode: ROSTER_AVATAR_MODE,
// Static server-list panel (Status section). No fake live count — see plan
// 09-landing.md option B.
// Uptime Kuma status page (external link in footer).
statusUrl: `https://status.${BASE_DOMAIN}`,
// Live server card (ServerCard.astro). `slots` is the SSG fallback cap shown
// before/without JS; live data comes from our SELF-HOSTED mc-status service
// (docker/mc-status, mcutil wrapper) reverse-proxied same-origin at the apex
// /api/mcstatus/* path — no CORS, no third-party calls. It emits mcstatus.io
// v2 JSON, so the URL stays drop-in compatible. Uptime Kuma stays the history
// + alerting backend (plan/10).
status: {
slots: 10,
statusApi: `/api/mcstatus/v2/status/java/${BASE_DOMAIN}`,
// Registered-players roster (PlayerRoster.astro). Same mc-status service,
// same-origin via caddy /api/mcstatus/* → internal /players. Returns a
// sanitized [{uuid,name}] of every Drasl player (admin login is server-side
// in mc-status; no admin token in the page).
rosterApi: `/api/mcstatus/players`,
},
// Honest stat tiles. Keys (numbers/versions) are language-neutral; labels
// come from ui.ts (same order).
stats: [
{ key: "50+" },
{ key: MC_VERSION },
{ key: "10" },
{ key: "6h" },
],
// Feature cards. glyph ∈ shield|diamond|orb|heart; gold = gold pixel fill.
// Text (h/p) comes from ui.ts (same order).
features: [
@@ -62,10 +186,16 @@ export const site = {
{ glyph: "heart", gold: true },
],
// Launcher downloads. Stable filenames are symlinks created by
// UlicraftLauncher download manifest — feeds the homepage join step 2
// per-OS buttons from `builds[]` (and the Fjord page's .mrpack via
// `fjordPack`). Synced from the custom-launcher repo; see loader above.
launcherManifest: LAUNCHER_MANIFEST,
// Fjord Launcher downloads (the alternative manual path on /fjord, OFF the
// homepage flow). Stable filenames are symlinks created by
// tooling/fetch-launcher.sh — keep these in sync with that script. OS names
// and hints are technical, kept language-neutral here.
launcher: {
fjord: {
name: "Fjord Launcher",
base: "/launcher/latest",
downloads: [
@@ -86,6 +216,7 @@ export const LITERALS = {
// Head-font CSS stacks, keyed by theme.headFont.
export const HEAD_FONTS: Record<string, string> = {
blockblueprint: "'Block Blueprint', system-ui, sans-serif",
pixelify: "'Pixelify Sans', system-ui, sans-serif",
"8bit": "'Press Start 2P', monospace",
silkscreen: "'Silkscreen', system-ui, sans-serif",

View File

@@ -2,7 +2,7 @@
// locales; the page (src/pages/[...lang].astro) renders against it.
//
// Conventions:
// - "{name}" in step1 is replaced with the launcher name at render time.
// - "{name}" is replaced with the launcher name at render time.
// - Sentences containing links/kbd/literals are split into parts (a/b/pre/
// post/link) so the markup stays in the template, not in the strings.
// - Product / in-game literals (authlib-injector, Multiplayer, Add Server)
@@ -11,13 +11,31 @@
export type Lang = "en" | "es" | "eu";
export const LANGS: Lang[] = ["en", "es", "eu"];
export const LANG_LABEL: Record<Lang, string> = { en: "EN", es: "ES", eu: "EU" };
// URL path per locale (en is default, served at root).
export const LANG_PATH: Record<Lang, string> = { en: "/", es: "/es/", eu: "/eu/" };
// URL path per locale (es is default, served at root; en moves to /en/).
export const LANG_PATH: Record<Lang, string> = { es: "/", en: "/en/", eu: "/eu/" };
// Register page path per locale (mirrors LANG_PATH: es at /register).
export const LANG_REGISTER_PATH: Record<Lang, string> = {
es: "/register",
en: "/en/register",
eu: "/eu/register",
};
// Fjord (alternative path) page path per locale (mirrors LANG_REGISTER_PATH).
export const LANG_FJORD_PATH: Record<Lang, string> = {
es: "/fjord",
en: "/en/fjord",
eu: "/eu/fjord",
};
// Account page path per locale (mirrors LANG_REGISTER_PATH).
export const LANG_ACCOUNT_PATH: Record<Lang, string> = {
es: "/account",
en: "/en/account",
eu: "/eu/account",
};
export interface UI {
htmlLang: string;
copied: string; // transient copy-button feedback
nav: { status: string; features: string; join: string; play: string };
nav: { status: string; members: string; features: string; mods: string; join: string; play: string; register: string; login: string };
hero: {
eyebrow: string; // "Modded LAN · NeoForge" — version appended at render
tagline: string;
@@ -25,7 +43,6 @@ export interface UI {
copyIp: string;
howToJoin: string;
metaModpack: string;
metaLan: string;
};
status: {
eyebrow: string;
@@ -34,15 +51,41 @@ export interface UI {
modded: string;
motd: string;
upTo: string;
empty: string; // shown on the ServerCard when nobody is online
};
members: {
eyebrow: string;
title: string;
lead: string;
empty: string; // shown when the roster is empty or unreachable
};
statLabels: [string, string, string, string];
features: {
eyebrow: string;
title: string;
lead: string;
items: { h: string; p: string }[];
};
mods: {
eyebrow: string;
title: string;
lead: string;
empty: string; // shown when the catalogue is absent/empty (not yet generated)
};
join: {
eyebrow: string;
title: string;
lead: string;
s1: {
kicker: string;
h: string;
pa: string; // before the register link
pb: string; // after it
registerLink: string;
};
s2: { kicker: string; h: string; p: string };
};
fjord: {
navHome: string; // "← Home" link in nav
eyebrow: string;
title: string;
lead: string;
@@ -53,10 +96,6 @@ export interface UI {
pa: string; // before the authlib-injector literal
pb: string; // after it
copy: string;
registerPre: string;
caPre: string;
caLink: string;
caPost: string;
};
s3: { kicker: string; h: string; p: string };
s4: {
@@ -66,26 +105,94 @@ export interface UI {
pb: string; // after them
copy: string;
};
noPack: string; // shown when fjordPack is missing from the manifest
};
footer: { join: string; status: string; disc: string };
register: {
navHome: string; // "← Home" link in nav
eyebrow: string;
title: string;
lead: string;
usernameLabel: string;
usernamePlaceholder: string;
passwordLabel: string;
passwordPlaceholder: string;
inviteLabel: string;
invitePlaceholder: string;
inviteHint: string; // where to get a code
submit: string;
submitting: string;
haveAccount: string; // "Already have an account?"
loginLink: string; // links to the account page
successTitle: string;
successBody: string; // {name} = player name
uuidLabel: string;
skinTitle: string;
skinLead: string;
skinChoose: string;
modelLabel: string;
modelClassic: string;
modelSlim: string;
skinUpload: string;
skinUploading: string;
skinOk: string;
finish: string; // proceed to How to Join
errFields: string;
errSkinType: string;
errNetwork: string;
};
account: {
navHome: string; // "← Home" link in nav
eyebrow: string;
title: string;
lead: string;
// Login form
usernameLabel: string;
usernamePlaceholder: string;
passwordLabel: string;
passwordPlaceholder: string;
submit: string;
submitting: string;
noAccount: string; // "No account yet?"
registerLink: string; // links to /register
// Skin panel
refresh: string; // re-fetch the NMSR avatar
playerLabel: string; // "Logged in as"
skinTitle: string;
skinLead: string; // reuses register.skinLead concept
skinChoose: string;
modelLabel: string;
modelClassic: string;
modelSlim: string;
skinUpload: string;
skinUploading: string;
skinOk: string;
skinPreviewNote: string; // "NMSR takes ~1 min to update" hint
resetSkin: string;
resetConfirm: string; // window.confirm text
resetOk: string;
// Errors
errFields: string;
errSkinType: string;
errNetwork: string;
};
footer: { join: string; disc: string };
}
export const ui: Record<Lang, UI> = {
en: {
htmlLang: "en",
copied: "Copied!",
nav: { status: "Status", features: "Features", join: "How to Join", play: "Play Now" },
nav: { status: "Status", members: "Members", features: "Features", mods: "Mods", join: "How to Join", play: "Play", register: "Register", login: "Account" },
hero: {
eyebrow: "Modded LAN · NeoForge",
tagline: "Kitchen-sink survival, built to outlast the weekend.",
sub:
"A self-hosted modded server for the crew — a curated tech + magic + " +
"A self-hosted modded server for El valle — a curated tech + magic + " +
"exploration pack, your own skins, one-click setup. Grab the address, " +
"import the pack, dig in.",
copyIp: "Copy IP",
howToJoin: "How to Join",
metaModpack: "NeoForge modpack",
metaLan: "LAN-only",
},
status: {
eyebrow: "Server",
@@ -94,11 +201,17 @@ export const ui: Record<Lang, UI> = {
modded: "Modded",
motd: "NeoForge modpack · Simple Voice Chat · LAN-only",
upTo: "up to",
empty: "Nobody online",
},
members: {
eyebrow: "El valle",
title: "Who's on the server.",
lead: "Everyone registered on Ulicraft, with their own self-hosted skin.",
empty: "No members yet — be the first to register.",
},
statLabels: ["Mods", "NeoForge", "Player slots", "World backups"],
features: {
eyebrow: "What makes it Ulicraft",
title: "Built for the crew.",
title: "Built for El valle.",
lead:
"Self-hosted, curated, and persistent — a modded server that respects " +
"your time and outlives the LAN.",
@@ -113,7 +226,7 @@ export const ui: Record<Lang, UI> = {
},
{
h: "One-click setup",
p: "packwiz installs and updates the whole modpack inside your launcher, so everyone stays in sync.",
p: "The Ulicraft Launcher installs and updates the whole modpack from our distribution, so everyone stays in sync.",
},
{
h: "Built to last",
@@ -121,30 +234,50 @@ export const ui: Record<Lang, UI> = {
},
],
},
mods: {
eyebrow: "The pack",
title: "Every mod in the pack.",
lead: "The full client modset, installed automatically by the launcher. No hunting, no version mismatches.",
empty: "Mod list not generated yet — check back soon.",
},
join: {
eyebrow: "How to Join · 4 Steps",
eyebrow: "How to Join · 2 Steps",
title: "From zero to spawning in.",
lead: "One-time setup. After this, the launcher keeps you in sync.",
s1: {
kicker: "Account",
h: "Register",
pa: "Create your Ulicraft account at",
pb: "— one username and password for the server and your skin.",
registerLink: "Register",
},
s2: {
kicker: "Launcher",
h: "Download {name}",
p: "Grab {name} for your system — a Prism-based launcher with authlib-injector support built in.",
p: "Grab {name}, log in with your Ulicraft credentials, and hit play. Everything else — the modpack, the server address, updates — is handled inside the launcher.",
},
},
fjord: {
navHome: "← Home",
eyebrow: "Alternative · Fjord Launcher",
title: "Play with Fjord Launcher.",
lead: "Prefer a vanilla Prism-based launcher? Set it up manually with Fjord and import the Ulicraft pack.",
s1: {
kicker: "Launcher",
h: "Download Fjord",
p: "Grab Fjord Launcher for your system — a Prism-based launcher with authlib-injector support built in.",
},
s2: {
kicker: "Account",
h: "Add your account",
pa: "In the launcher, add an",
pa: "In Fjord, add an",
pb: "account using this URL, then log in with your Ulicraft credentials.",
copy: "Copy",
registerPre: "Need credentials? Register at",
caPre: "Offline party? Download and trust the",
caLink: "local CA certificate",
caPost: "so the game-file mirror works over HTTPS.",
},
s3: {
kicker: "Modpack",
h: "Import the modpack",
p: "Add a new instance from this packwiz URL — it installs and updates the whole pack.",
h: "Import the Ulicraft pack",
p: "Download the Ulicraft modpack and import it into Fjord as a new instance — it installs the whole pack.",
},
s4: {
kicker: "Connect",
@@ -153,28 +286,94 @@ export const ui: Record<Lang, UI> = {
pb: ", paste the address, and join.",
copy: "Copy IP",
},
noPack: "The pack download isn't available yet — check back soon.",
},
footer: {
join: "How to Join",
status: "Server status",
disc: "Not affiliated with Mojang or Microsoft. Minecraft is a trademark of Mojang AB.",
},
register: {
navHome: "← Home",
eyebrow: "Account",
title: "Create your Ulicraft account.",
lead: "One username and password for the server, your skin, and your cape. Takes a minute.",
usernameLabel: "Username",
usernamePlaceholder: "your in-game name",
passwordLabel: "Password",
passwordPlaceholder: "choose a password",
inviteLabel: "Invite code",
invitePlaceholder: "paste your invite code",
inviteHint: "Ask an admin for an invite code.",
submit: "Create account",
submitting: "Creating…",
haveAccount: "Already have an account?",
loginLink: "Manage it here",
successTitle: "Account created.",
successBody: "Welcome, {name}. You can set a skin now, or head straight to How to Join.",
uuidLabel: "Player UUID",
skinTitle: "Set your skin (optional)",
skinLead: "Upload a Minecraft skin PNG. You can always change it later in the account page.",
skinChoose: "Choose PNG…",
modelLabel: "Model",
modelClassic: "Classic",
modelSlim: "Slim",
skinUpload: "Upload skin",
skinUploading: "Uploading…",
skinOk: "Skin set!",
finish: "Continue to How to Join",
errFields: "Fill in every field.",
errSkinType: "Pick a PNG image.",
errNetwork: "Network error — try again.",
},
account: {
navHome: "← Home",
eyebrow: "Account",
title: "Manage your skin.",
lead: "Log in to upload or reset your Minecraft skin.",
usernameLabel: "Username",
usernamePlaceholder: "your in-game name",
passwordLabel: "Password",
passwordPlaceholder: "your password",
submit: "Log in",
submitting: "Logging in…",
noAccount: "No account yet?",
registerLink: "Register here",
refresh: "Refresh",
playerLabel: "Logged in as",
skinTitle: "Your skin",
skinLead: "Upload a Minecraft skin PNG. The 3D preview below updates instantly; the in-game avatar takes ~1 minute.",
skinChoose: "Choose PNG…",
modelLabel: "Model",
modelClassic: "Classic",
modelSlim: "Slim",
skinUpload: "Upload skin",
skinUploading: "Uploading…",
skinOk: "Skin updated!",
skinPreviewNote: "Avatar updates in ~1 min.",
resetSkin: "Reset to default",
resetConfirm: "Reset your skin to the default? This cannot be undone.",
resetOk: "Skin reset to default.",
errFields: "Fill in every field.",
errSkinType: "Pick a PNG image.",
errNetwork: "Network error — try again.",
},
},
es: {
htmlLang: "es",
copied: "¡Copiado!",
nav: { status: "Estado", features: "Características", join: "Cómo entrar", play: "Jugar ahora" },
nav: { status: "Estado", members: "Miembros", features: "Características", mods: "Mods", join: "Cómo entrar", play: "Jugar", register: "Registro", login: "Cuenta" },
hero: {
eyebrow: "LAN con mods · NeoForge",
tagline: "Supervivencia todo incluido, para durar más que el finde.",
sub:
"Un servidor con mods autoalojado para la cuadrilla: un pack curado de " +
"Un servidor con mods autoalojado para El valle: un pack curado de " +
"tecnología, magia y exploración, tus propias skins y configuración en un " +
"clic. Copia la dirección, importa el pack y a cavar.",
copyIp: "Copiar IP",
howToJoin: "Cómo entrar",
metaModpack: "Pack NeoForge",
metaLan: "Solo LAN",
},
status: {
eyebrow: "Servidor",
@@ -183,11 +382,17 @@ export const ui: Record<Lang, UI> = {
modded: "Con mods",
motd: "Pack NeoForge · Simple Voice Chat · Solo LAN",
upTo: "hasta",
empty: "No hay nadie conectado",
},
members: {
eyebrow: "El valle",
title: "Quién está en el servidor.",
lead: "Todos los registrados en Ulicraft, cada uno con su skin autoalojada.",
empty: "Aún no hay miembros — sé el primero en registrarte.",
},
statLabels: ["Mods", "NeoForge", "Plazas", "Copias del mundo"],
features: {
eyebrow: "Qué hace especial a Ulicraft",
title: "Hecho para la cuadrilla.",
title: "Hecho para El valle.",
lead:
"Autoalojado, curado y persistente: un servidor con mods que respeta tu " +
"tiempo y sobrevive a la LAN.",
@@ -202,7 +407,7 @@ export const ui: Record<Lang, UI> = {
},
{
h: "Configuración en un clic",
p: "packwiz instala y actualiza todo el modpack dentro de tu launcher, así todos vais sincronizados.",
p: "El Ulicraft Launcher instala y actualiza todo el modpack desde nuestra distribución, así todos vais sincronizados.",
},
{
h: "Hecho para durar",
@@ -210,30 +415,50 @@ export const ui: Record<Lang, UI> = {
},
],
},
mods: {
eyebrow: "El pack",
title: "Todos los mods del pack.",
lead: "El modset completo del cliente, instalado automáticamente por el launcher. Sin búsquedas ni versiones incompatibles.",
empty: "La lista de mods aún no está generada — vuelve pronto.",
},
join: {
eyebrow: "Cómo entrar · 4 pasos",
eyebrow: "Cómo entrar · 2 pasos",
title: "De cero a aparecer en el mundo.",
lead: "Configuración única. Después, el launcher te mantiene sincronizado.",
s1: {
kicker: "Cuenta",
h: "Regístrate",
pa: "Crea tu cuenta de Ulicraft en",
pb: "— un usuario y contraseña para el servidor y tu skin.",
registerLink: "Registro",
},
s2: {
kicker: "Launcher",
h: "Descarga {name}",
p: "Coge {name} para tu sistema: un launcher basado en Prism con soporte authlib-injector integrado.",
p: "Coge {name}, inicia sesión con tus credenciales de Ulicraft y dale a jugar. Todo lo demás — el modpack, la dirección del servidor, las actualizaciones — se gestiona dentro del launcher.",
},
},
fjord: {
navHome: "← Inicio",
eyebrow: "Alternativa · Fjord Launcher",
title: "Juega con Fjord Launcher.",
lead: "¿Prefieres un launcher vanilla basado en Prism? Configúralo a mano con Fjord e importa el pack de Ulicraft.",
s1: {
kicker: "Launcher",
h: "Descarga Fjord",
p: "Coge Fjord Launcher para tu sistema: un launcher basado en Prism con soporte authlib-injector integrado.",
},
s2: {
kicker: "Cuenta",
h: "Añade tu cuenta",
pa: "En el launcher, añade una cuenta",
pa: "En Fjord, añade una cuenta",
pb: "con esta URL y luego inicia sesión con tus credenciales de Ulicraft.",
copy: "Copiar",
registerPre: "¿Sin credenciales? Regístrate en",
caPre: "¿Fiesta sin internet? Descarga y confía en el",
caLink: "certificado CA local",
caPost: "para que el mirror de archivos funcione por HTTPS.",
},
s3: {
kicker: "Modpack",
h: "Importa el modpack",
p: "Añade una instancia nueva desde esta URL de packwiz: instala y actualiza todo el pack.",
h: "Importa el pack de Ulicraft",
p: "Descarga el modpack de Ulicraft e impórtalo en Fjord como instancia nueva: instala todo el pack.",
},
s4: {
kicker: "Conectar",
@@ -242,28 +467,94 @@ export const ui: Record<Lang, UI> = {
pb: ", pega la dirección y entra.",
copy: "Copiar IP",
},
noPack: "La descarga del pack aún no está disponible — vuelve pronto.",
},
footer: {
join: "Cómo entrar",
status: "Estado del servidor",
disc: "No afiliado a Mojang ni Microsoft. Minecraft es una marca de Mojang AB.",
},
register: {
navHome: "← Inicio",
eyebrow: "Cuenta",
title: "Crea tu cuenta de Ulicraft.",
lead: "Un usuario y contraseña para el servidor, tu skin y tu capa. Cosa de un minuto.",
usernameLabel: "Usuario",
usernamePlaceholder: "tu nombre en el juego",
passwordLabel: "Contraseña",
passwordPlaceholder: "elige una contraseña",
inviteLabel: "Código de invitación",
invitePlaceholder: "pega tu código de invitación",
inviteHint: "Pide un código de invitación a un admin.",
submit: "Crear cuenta",
submitting: "Creando…",
haveAccount: "¿Ya tienes cuenta?",
loginLink: "Gestiónala aquí",
successTitle: "Cuenta creada.",
successBody: "Bienvenido, {name}. Puedes poner una skin ahora o ir directo a Cómo entrar.",
uuidLabel: "UUID del jugador",
skinTitle: "Pon tu skin (opcional)",
skinLead: "Sube un PNG de skin de Minecraft. Siempre puedes cambiarla luego en tu cuenta.",
skinChoose: "Elegir PNG…",
modelLabel: "Modelo",
modelClassic: "Clásico",
modelSlim: "Fino",
skinUpload: "Subir skin",
skinUploading: "Subiendo…",
skinOk: "¡Skin puesta!",
finish: "Continuar a Cómo entrar",
errFields: "Rellena todos los campos.",
errSkinType: "Elige una imagen PNG.",
errNetwork: "Error de red: inténtalo de nuevo.",
},
account: {
navHome: "← Inicio",
eyebrow: "Cuenta",
title: "Gestiona tu skin.",
lead: "Inicia sesión para subir o restablecer tu skin de Minecraft.",
usernameLabel: "Usuario",
usernamePlaceholder: "tu nombre en el juego",
passwordLabel: "Contraseña",
passwordPlaceholder: "tu contraseña",
submit: "Iniciar sesión",
submitting: "Entrando…",
noAccount: "¿Aún no tienes cuenta?",
registerLink: "Regístrate aquí",
refresh: "Actualizar",
playerLabel: "Sesión iniciada como",
skinTitle: "Tu skin",
skinLead: "Sube un PNG de skin de Minecraft. La vista previa 3D se actualiza al instante; el avatar en el juego tarda ~1 minuto.",
skinChoose: "Elegir PNG…",
modelLabel: "Modelo",
modelClassic: "Clásico",
modelSlim: "Fino",
skinUpload: "Subir skin",
skinUploading: "Subiendo…",
skinOk: "¡Skin actualizada!",
skinPreviewNote: "El avatar se actualiza en ~1 min.",
resetSkin: "Restablecer skin",
resetConfirm: "¿Restablecer tu skin a la predeterminada? Esta acción no se puede deshacer.",
resetOk: "Skin restablecida.",
errFields: "Rellena todos los campos.",
errSkinType: "Elige una imagen PNG.",
errNetwork: "Error de red: inténtalo de nuevo.",
},
},
eu: {
htmlLang: "eu",
copied: "Kopiatuta!",
nav: { status: "Egoera", features: "Ezaugarriak", join: "Nola sartu", play: "Jokatu orain" },
nav: { status: "Egoera", members: "Kideak", features: "Ezaugarriak", mods: "Mods", join: "Nola sartu", play: "Jolastu", register: "Erregistroa", login: "Kontua" },
hero: {
eyebrow: "Mod-dun LANa · NeoForge",
tagline: "Mod ugariko biziraupena, irauteko egina.",
sub:
"Koadrilarentzako mod-dun zerbitzari auto-ostatatua: teknologia, magia eta " +
"El valle-rentzako mod-dun zerbitzari auto-ostatatua: teknologia, magia eta " +
"esplorazio pack zaindua, zure azalak eta konfigurazioa klik bakarrean. " +
"Hartu helbidea, inportatu packa eta hasi zulatzen.",
copyIp: "Kopiatu IPa",
howToJoin: "Nola sartu",
metaModpack: "NeoForge packa",
metaLan: "LAN soilik",
},
status: {
eyebrow: "Zerbitzaria",
@@ -272,11 +563,17 @@ export const ui: Record<Lang, UI> = {
modded: "Mod-duna",
motd: "NeoForge packa · Simple Voice Chat · LAN soilik",
upTo: "gehienez",
empty: "Inor ez dago konektatuta",
},
members: {
eyebrow: "El valle",
title: "Nor dago zerbitzarian.",
lead: "Ulicraft-en erregistratutako guztiak, bakoitza bere azal auto-ostatatuarekin.",
empty: "Oraindik ez dago kiderik — izan zaitez lehena erregistratzen.",
},
statLabels: ["Modak", "NeoForge", "Plazak", "Munduaren babeskopiak"],
features: {
eyebrow: "Zerk egiten du Ulicraft berezi",
title: "Koadrilarentzat eginda.",
title: "El valle-rentzat eginda.",
lead:
"Auto-ostatatua, zaindua eta iraunkorra: zure denbora errespetatzen duen " +
"eta LANa gainditzen duen mod-dun zerbitzaria.",
@@ -291,7 +588,7 @@ export const ui: Record<Lang, UI> = {
},
{
h: "Konfigurazioa klik batean",
p: "packwiz-ek modpack osoa instalatu eta eguneratzen du zure launcherrean, denok sinkronizatuta egoteko.",
p: "Ulicraft Launcher-ek modpack osoa instalatu eta eguneratzen du gure banaketatik, denok sinkronizatuta egoteko.",
},
{
h: "Irauteko eginda",
@@ -299,30 +596,50 @@ export const ui: Record<Lang, UI> = {
},
],
},
mods: {
eyebrow: "Packa",
title: "Packeko mod guztiak.",
lead: "Bezeroaren mod-multzo osoa, launcherrak automatikoki instalatua. Bilaketarik gabe, bertsio-gatazkarik gabe.",
empty: "Mod zerrenda oraindik ez da sortu — itzuli laster.",
},
join: {
eyebrow: "Nola sartu · 4 urrats",
eyebrow: "Nola sartu · 2 urrats",
title: "Zerotik mundura agertzera.",
lead: "Behin bakarrik konfiguratu. Gero, launcherrak sinkronizatuta mantenduko zaitu.",
s1: {
kicker: "Kontua",
h: "Erregistratu",
pa: "Sortu zure Ulicraft kontua hemen:",
pb: "— erabiltzaile eta pasahitz bat zerbitzarirako eta zure azalerako.",
registerLink: "Erregistroa",
},
s2: {
kicker: "Launcherra",
h: "Deskargatu {name}",
p: "Hartu {name} zure sistemarako: Prism-en oinarritutako launcherra, authlib-injector euskarriarekin.",
p: "Hartu {name}, hasi saioa zure Ulicraft kredentzialekin eta sakatu jolastu. Gainerako guztia — modpacka, zerbitzariaren helbidea, eguneraketak launcherraren barruan kudeatzen da.",
},
},
fjord: {
navHome: "← Hasiera",
eyebrow: "Alternatiba · Fjord Launcher",
title: "Jokatu Fjord Launcher-ekin.",
lead: "Prism-en oinarritutako launcher vanilla nahiago duzu? Konfiguratu eskuz Fjord-ekin eta inportatu Ulicraft packa.",
s1: {
kicker: "Launcherra",
h: "Deskargatu Fjord",
p: "Hartu Fjord Launcher zure sistemarako: Prism-en oinarritutako launcherra, authlib-injector euskarriarekin.",
},
s2: {
kicker: "Kontua",
h: "Gehitu zure kontua",
pa: "Launcherrean, gehitu",
pa: "Fjord-en, gehitu",
pb: "kontu bat URL honekin, eta gero hasi saioa zure Ulicraft kredentzialekin.",
copy: "Kopiatu",
registerPre: "Kredentzialik ez? Erregistratu hemen:",
caPre: "Internetik gabeko festa? Deskargatu eta fidatu",
caLink: "tokiko CA ziurtagiriaz",
caPost: "fitxategi-mirrorrak HTTPS bidez ibil dadin.",
},
s3: {
kicker: "Modpacka",
h: "Inportatu modpacka",
p: "Gehitu instantzia berri bat packwiz URL honetatik: pack osoa instalatu eta eguneratzen du.",
h: "Inportatu Ulicraft packa",
p: "Deskargatu Ulicraft modpacka eta inportatu Fjord-en instantzia berri gisa: pack osoa instalatzen du.",
},
s4: {
kicker: "Konektatu",
@@ -331,10 +648,77 @@ export const ui: Record<Lang, UI> = {
pb: ", itsatsi helbidea eta sartu.",
copy: "Kopiatu IPa",
},
noPack: "Packaren deskarga ez dago oraindik eskuragarri — itzuli laster.",
},
footer: {
join: "Nola sartu",
status: "Zerbitzariaren egoera",
disc: "Ez dago Mojang edo Microsoft-ekin lotuta. Minecraft Mojang AB-ren marka da.",
},
register: {
navHome: "← Hasiera",
eyebrow: "Kontua",
title: "Sortu zure Ulicraft kontua.",
lead: "Erabiltzaile eta pasahitz bat zerbitzarirako, zure azalerako eta kaparako. Minutu batean.",
usernameLabel: "Erabiltzailea",
usernamePlaceholder: "zure jokoko izena",
passwordLabel: "Pasahitza",
passwordPlaceholder: "aukeratu pasahitz bat",
inviteLabel: "Gonbidapen-kodea",
invitePlaceholder: "itsatsi zure gonbidapen-kodea",
inviteHint: "Eskatu gonbidapen-kode bat admin bati.",
submit: "Sortu kontua",
submitting: "Sortzen…",
haveAccount: "Baduzu kontua?",
loginLink: "Kudeatu hemen",
successTitle: "Kontua sortuta.",
successBody: "Ongi etorri, {name}. Azala orain jar dezakezu, edo zuzenean Nola sartu atalera joan.",
uuidLabel: "Jokalariaren UUIDa",
skinTitle: "Jarri zure azala (aukerakoa)",
skinLead: "Igo Minecraft azal PNG bat. Beti alda dezakezu gero zure kontuan.",
skinChoose: "Aukeratu PNGa…",
modelLabel: "Eredua",
modelClassic: "Klasikoa",
modelSlim: "Mehea",
skinUpload: "Igo azala",
skinUploading: "Igotzen…",
skinOk: "Azala jarrita!",
finish: "Jarraitu Nola sartura",
errFields: "Bete eremu guztiak.",
errSkinType: "Aukeratu PNG irudi bat.",
errNetwork: "Sare-errorea: saiatu berriro.",
},
account: {
navHome: "← Hasiera",
eyebrow: "Kontua",
title: "Kudeatu zure azala.",
lead: "Hasi saioa zure Minecraft azala igotzeko edo berrezartzeko.",
usernameLabel: "Erabiltzailea",
usernamePlaceholder: "zure jokoko izena",
passwordLabel: "Pasahitza",
passwordPlaceholder: "zure pasahitza",
submit: "Hasi saioa",
submitting: "Sartzen…",
noAccount: "Oraindik konturik ez?",
registerLink: "Erregistratu hemen",
refresh: "Eguneratu",
playerLabel: "Saioa hasita:",
skinTitle: "Zure azala",
skinLead: "Igo Minecraft azal PNG bat. 3D aurrebista berehala eguneratzen da; jokoko avatarra ~1 minutuan.",
skinChoose: "Aukeratu PNGa…",
modelLabel: "Eredua",
modelClassic: "Klasikoa",
modelSlim: "Mehea",
skinUpload: "Igo azala",
skinUploading: "Igotzen…",
skinOk: "Azala eguneratuta!",
skinPreviewNote: "Avatarra ~1 min barru eguneratzen da.",
resetSkin: "Berrezarri azala",
resetConfirm: "Zure azala lehenetsi nahi duzu? Ezin da desegin.",
resetOk: "Azala berrezarrita.",
errFields: "Bete eremu guztiak.",
errSkinType: "Aukeratu PNG irudi bat.",
errNetwork: "Sare-errorea: saiatu berriro.",
},
},
};

View File

@@ -1,26 +1,34 @@
---
import { site, LITERALS, HEAD_FONTS } from "../data/site";
import { ui, LANGS, LANG_LABEL, LANG_PATH, type Lang } from "../i18n/ui";
import Creeper from "../components/Creeper.astro";
import { site, HEAD_FONTS } from "../data/site";
import { ui, LANGS, LANG_LABEL, LANG_PATH, LANG_REGISTER_PATH, LANG_ACCOUNT_PATH, type Lang } from "../i18n/ui";
import PixelIcon from "../components/PixelIcon.astro";
import CopyChip from "../components/CopyChip.astro";
import ServerListPanel from "../components/ServerListPanel.astro";
import ServerCard from "../components/ServerCard.astro";
import PlayerRoster from "../components/PlayerRoster.astro";
import ModList from "../components/ModList.astro";
import "../styles/main.css";
// One static page per locale: en at "/", es at "/es/", eu at "/eu/".
export function getStaticPaths() {
return [
{ params: { lang: undefined }, props: { locale: "en" as Lang } },
{ params: { lang: "es" }, props: { locale: "es" as Lang } },
{ params: { lang: undefined }, props: { locale: "es" as Lang } },
{ params: { lang: "en" }, props: { locale: "en" as Lang } },
{ params: { lang: "eu" }, props: { locale: "eu" as Lang } },
];
}
const { locale } = Astro.props;
const t = ui[locale];
const { theme, launcher } = site;
const { theme, launcherManifest } = site;
const headFont = HEAD_FONTS[theme.headFont] ?? HEAD_FONTS.pixelify;
const launcherName = launcher.name;
const launcherName = launcherManifest.product;
const registerPath = LANG_REGISTER_PATH[locale];
const accountPath = LANG_ACCOUNT_PATH[locale];
// Per-OS download buttons (join step 2) are fetched client-side from the live
// launcher.json on page load (no build-time baking, no polling) — see the
// script below. We only pass the URL; buttons render into the #launcher-dl
// skeleton. URL derives from the distribution subdomain.
const launcherJsonUrl = `https://distribution.${site.baseDomain}/launcher/launcher.json`;
// Build-time floating dust bits (index-derived, no runtime RNG).
const dustBits = Array.from({ length: 16 }, (_, i) => {
@@ -48,7 +56,7 @@ const dustBits = Array.from({ length: 16 }, (_, i) => {
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>{site.name} — {t.hero.howToJoin}</title>
<meta name="description" content={`${site.name}: ${t.hero.tagline}`} />
<link rel="icon" type="image/png" href="/logo.png" />
<link rel="icon" type="image/png" href="/favicon.png" />
<link rel="stylesheet" href="/fonts/fonts.css" />
{LANGS.map((l) => <link rel="alternate" hreflang={l} href={LANG_PATH[l]} />)}
</head>
@@ -57,13 +65,12 @@ const dustBits = Array.from({ length: 16 }, (_, i) => {
<header class="nav">
<div class="wrap nav-in">
<a class="brand" href="#top">
<Creeper />
<img class="brand-logo" src="/ulicraft-logo-mini.svg" alt="" width="34" height="34" />
<span class="name">ULICRAFT</span>
</a>
<nav class="nav-links">
<a href="#status">{t.nav.status}</a>
<a href="#features">{t.nav.features}</a>
<a href="#join">{t.nav.join}</a>
<a href="#status">{t.nav.status}</a>
</nav>
<span class="nav-spacer"></span>
<div class="lang-switch" aria-label="Language">
@@ -71,6 +78,8 @@ const dustBits = Array.from({ length: 16 }, (_, i) => {
<a href={LANG_PATH[l]} class:list={[l === locale && "on"]} aria-current={l === locale ? "true" : undefined}>{LANG_LABEL[l]}</a>
))}
</div>
<a class="mc-btn sm" href={registerPath}>{t.nav.register}</a>
<a class="mc-btn sm" href={accountPath}>{t.nav.login}</a>
<a class="mc-btn primary sm" href="#join">{t.nav.play}</a>
</div>
</header>
@@ -96,75 +105,25 @@ const dustBits = Array.from({ length: 16 }, (_, i) => {
<h1 class="hero-tagline">{t.hero.tagline}</h1>
<p class="hero-sub">{t.hero.sub}</p>
<div class="hero-ip-row">
<CopyChip value={site.serverAddress} variant="ip" label={t.hero.copyIp} copiedLabel={t.copied} />
<a class="mc-btn" href="#join">{t.hero.howToJoin}</a>
<a class="mc-btn primary" href="#join">{t.hero.howToJoin}</a>
</div>
<div class="hero-meta">
<span>Java {site.mcVersion}</span>
<span class="dot"></span>
<span>{t.hero.metaModpack}</span>
<span class="dot"></span>
<span>{t.hero.metaLan}</span>
</div>
</div>
<div class="hero-status">
<ServerListPanel
<ServerCard
modded={t.status.modded}
motd={t.status.motd}
upTo={t.status.upTo}
emptyLabel={t.status.empty}
/>
</div>
</div>
</section>
<!-- STATUS -->
<section id="status" class="pad">
<div class="wrap">
<div class="sec-head reveal">
<span class="eyebrow">{t.status.eyebrow}</span>
<h2 class="section-title">{t.status.title}</h2>
<p class="lead">{t.status.lead}</p>
</div>
<div class="reveal">
<ServerListPanel
modded={t.status.modded}
motd={t.status.motd}
upTo={t.status.upTo}
/>
</div>
<div class="stat-grid">
{site.stats.map((s, i) => (
<div class="tile reveal" style={`transition-delay:${i * 60}ms`}>
<div class="k">{s.key}</div>
<div class="l">{t.statLabels[i]}</div>
</div>
))}
</div>
</div>
</section>
<!-- FEATURES -->
<section id="features" class="pad" style="background: var(--bg-2)">
<div class="wrap">
<div class="sec-head reveal">
<span class="eyebrow">{t.features.eyebrow}</span>
<h2 class="section-title">{t.features.title}</h2>
<p class="lead">{t.features.lead}</p>
</div>
<div class="feat-grid">
{site.features.map((f, i) => (
<div class="feat reveal" style={`transition-delay:${(i % 2) * 80}ms`}>
<PixelIcon glyph={f.glyph} gold={f.gold} />
<div>
<h3>{t.features.items[i].h}</h3>
<p>{t.features.items[i].p}</p>
</div>
</div>
))}
</div>
</div>
</section>
<!-- HOW TO JOIN -->
<section id="join" class="pad">
<div class="wrap">
@@ -180,15 +139,10 @@ const dustBits = Array.from({ length: 16 }, (_, i) => {
<div class="num">1</div>
<div class="body">
<span class="kicker">{t.join.s1.kicker}</span>
<h3>{t.join.s1.h.replace("{name}", launcherName)}</h3>
<p>{t.join.s1.p.replace(/\{name\}/g, launcherName)}</p>
<div class="actions">
{launcher.downloads.map((d) => (
<a class="mc-btn sm" href={`${launcher.base}/${d.file}`}>
{d.os} <span class="hint">· {d.hint}</span>
</a>
))}
</div>
<h3>{t.join.s1.h}</h3>
<p>
{t.join.s1.pa} <a href={registerPath}>{t.join.s1.registerLink}</a> {t.join.s1.pb}
</p>
</div>
</div>
@@ -197,48 +151,88 @@ const dustBits = Array.from({ length: 16 }, (_, i) => {
<div class="num">2</div>
<div class="body">
<span class="kicker">{t.join.s2.kicker}</span>
<h3>{t.join.s2.h}</h3>
<p>
{t.join.s2.pa} <strong style="color:var(--text)">{LITERALS.authlib}</strong> {t.join.s2.pb}
</p>
<div class="actions" style="margin-bottom:14px">
<CopyChip value={site.authlibUrl} variant="url" label={t.join.s2.copy} copiedLabel={t.copied} />
</div>
<p>
{t.join.s2.registerPre} <a href={site.authUrl}>{site.authUrl}</a>.
</p>
<span class="hint">
{t.join.s2.caPre} <a href={site.caCertUrl}>{t.join.s2.caLink}</a> {t.join.s2.caPost}
</span>
</div>
</div>
<!-- STEP 3 -->
<div class="step reveal">
<div class="num">3</div>
<div class="body">
<span class="kicker">{t.join.s3.kicker}</span>
<h3>{t.join.s3.h}</h3>
<p>{t.join.s3.p}</p>
<div class="actions">
<CopyChip value={site.packwizUrl} variant="url" label={t.join.s2.copy} copiedLabel={t.copied} />
<h3>{t.join.s2.h.replace("{name}", launcherName)}</h3>
<p>{t.join.s2.p.replace(/\{name\}/g, launcherName)}</p>
<div class="actions" id="launcher-dl" data-src={launcherJsonUrl}>
<span class="mc-btn sm dl-skeleton" aria-hidden="true"></span>
<span class="mc-btn sm dl-skeleton" aria-hidden="true"></span>
<span class="mc-btn sm dl-skeleton" aria-hidden="true"></span>
</div>
</div>
</div>
</div>
</div>
</section>
<!-- STEP 4 -->
<div class="step reveal">
<div class="num">4</div>
<div class="body">
<span class="kicker">{t.join.s4.kicker}</span>
<h3>{t.join.s4.h}</h3>
<p>
{t.join.s4.pa} <kbd>{LITERALS.multiplayer}</kbd> → <kbd>{LITERALS.addServer}</kbd>{t.join.s4.pb}
</p>
<div class="actions">
<CopyChip value={site.serverAddress} variant="ip" label={t.join.s4.copy} copiedLabel={t.copied} />
<!-- STATUS -->
<section id="status" class="pad">
<div class="wrap">
<div class="sec-head reveal">
<span class="eyebrow">{t.status.eyebrow}</span>
<h2 class="section-title">{t.status.title}</h2>
<p class="lead">{t.status.lead}</p>
</div>
<div class="reveal">
<ServerCard
modded={t.status.modded}
motd={t.status.motd}
upTo={t.status.upTo}
emptyLabel={t.status.empty}
/>
</div>
</div>
</section>
<!-- MEMBERS (registered players roster) -->
<section id="members" class="pad" style="background: var(--bg-2)">
<div class="wrap">
<div class="sec-head reveal">
<span class="eyebrow">{t.members.eyebrow}</span>
<h2 class="section-title">{t.members.title}</h2>
<p class="lead">{t.members.lead}</p>
</div>
<div class="reveal">
<PlayerRoster emptyLabel={t.members.empty} />
</div>
</div>
</section>
<!-- MODS (installed-pack list, auto-generated) -->
<section id="mods" class="pad" style="background: var(--bg-2)">
<div class="wrap">
<div class="sec-head reveal">
<span class="eyebrow">{t.mods.eyebrow}</span>
<h2 class="section-title">{t.mods.title}</h2>
<p class="lead">{t.mods.lead}</p>
</div>
<div class="reveal">
<ModList emptyLabel={t.mods.empty} />
</div>
</div>
</section>
<!-- FEATURES -->
<section id="features" class="pad">
<div class="wrap">
<div class="sec-head reveal">
<span class="eyebrow">{t.features.eyebrow}</span>
<h2 class="section-title">{t.features.title}</h2>
<p class="lead">{t.features.lead}</p>
</div>
<div class="feat-split">
<div class="feat-grid">
{site.features.map((f, i) => (
<div class="feat reveal" style={`transition-delay:${(i % 2) * 80}ms`}>
<PixelIcon glyph={f.glyph} gold={f.gold} />
<div>
<h3>{t.features.items[i].h}</h3>
<p>{t.features.items[i].p}</p>
</div>
</div>
</div>
))}
</div>
<div class="feat-aside reveal">
<img src="/Goat_JE1_BE1.webp" alt="" width="1200" height="1200" loading="lazy" />
</div>
</div>
</div>
@@ -249,11 +243,12 @@ const dustBits = Array.from({ length: 16 }, (_, i) => {
<footer class="footer">
<div class="wrap footer-in">
<a class="brand" href="#top">
<Creeper />
<img class="brand-logo" src="/ulicraft-logo-mini.svg" alt="" width="34" height="34" />
<span class="name">ULICRAFT</span>
</a>
<div class="footer-links">
<a class="mc-btn primary sm" href="#join">{t.footer.join}</a>
<a class="mc-btn sm" href={site.statusUrl} target="_blank" rel="noopener">{t.footer.status}</a>
</div>
<p class="disc">
{t.footer.disc} {site.name} · {site.baseDomain}
@@ -312,6 +307,35 @@ const dustBits = Array.from({ length: 16 }, (_, i) => {
);
els.forEach((el) => io.observe(el));
}
// Launcher downloads — fetch the live launcher.json once on load (no
// polling) and render per-OS buttons into the #launcher-dl skeleton.
// launcher.json shape: { files: [{ name, os, arch, ext, url }] }.
const dl = document.getElementById("launcher-dl");
const src = dl?.dataset.src;
if (dl && src) {
const OS: Record<string, string> = { windows: "Windows", macos: "macOS", linux: "Linux" };
fetch(src, { cache: "no-store" })
.then((r) => (r.ok ? r.json() : Promise.reject(new Error(`HTTP ${r.status}`))))
.then((data) => {
const files = Array.isArray(data?.files) ? data.files : [];
const frag = document.createDocumentFragment();
for (const f of files) {
if (!f?.url) continue;
const a = document.createElement("a");
a.className = "mc-btn sm";
a.href = f.url;
a.append(`${OS[f.os] ?? f.os ?? "Download"} `);
const hint = document.createElement("span");
hint.className = "hint";
hint.textContent = `· ${[f.arch, f.ext].filter(Boolean).join(" · ")}`;
a.append(hint);
frag.append(a);
}
dl.replaceChildren(frag); // empty list → no buttons (skeleton cleared)
})
.catch(() => dl.replaceChildren()); // unreachable/error → clear skeleton
}
</script>
</body>
</html>

View File

@@ -0,0 +1,370 @@
---
import { site, HEAD_FONTS } from "../../data/site";
import {
ui,
LANGS,
LANG_LABEL,
LANG_PATH,
LANG_ACCOUNT_PATH,
LANG_REGISTER_PATH,
type Lang,
} from "../../i18n/ui";
import "../../styles/main.css";
// One static account page per locale: /account, /es/account, /eu/account.
export function getStaticPaths() {
return [
{ params: { lang: undefined }, props: { locale: "es" as Lang } },
{ params: { lang: "en" }, props: { locale: "en" as Lang } },
{ params: { lang: "eu" }, props: { locale: "eu" as Lang } },
];
}
const { locale } = Astro.props;
const t = ui[locale];
const a = t.account;
const { theme } = site;
const headFont = HEAD_FONTS[theme.headFont] ?? HEAD_FONTS.pixelify;
const homePath = LANG_PATH[locale];
const registerPath = LANG_REGISTER_PATH[locale];
const accountPath = LANG_ACCOUNT_PATH[locale];
// Strings the client script needs at runtime (kept minimal, passed via define:vars).
const clientCfg = {
apiUrl: site.draslApiUrl,
avatarUrl: site.avatarUrl,
avatarMode: site.avatarMode,
submit: a.submit,
submitting: a.submitting,
skinUpload: a.skinUpload,
skinUploading: a.skinUploading,
skinOk: a.skinOk,
refresh: a.refresh,
skinPreviewNote: a.skinPreviewNote,
resetSkin: a.resetSkin,
resetConfirm: a.resetConfirm,
resetOk: a.resetOk,
errFields: a.errFields,
errSkinType: a.errSkinType,
errNetwork: a.errNetwork,
};
---
<!doctype html>
<html
lang={t.htmlLang}
data-mood={theme.mood}
data-head={theme.headFont}
style={`--font-head: ${headFont}`}
>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>{site.name} — {a.title}</title>
<meta name="description" content={a.lead} />
<link rel="icon" type="image/png" href="/favicon.png" />
<link rel="stylesheet" href="/fonts/fonts.css" />
{LANGS.map((l) => <link rel="alternate" hreflang={l} href={LANG_ACCOUNT_PATH[l]} />)}
</head>
<body>
<!-- NAV -->
<header class="nav">
<div class="wrap nav-in">
<a class="brand" href={homePath}>
<img class="brand-logo" src="/ulicraft-logo-mini.svg" alt="" width="34" height="34" />
<span class="name">ULICRAFT</span>
</a>
<nav class="nav-links">
<a href={homePath}>{a.navHome}</a>
</nav>
<span class="nav-spacer"></span>
<div class="lang-switch" aria-label="Language">
{LANGS.map((l) => (
<a
href={LANG_ACCOUNT_PATH[l]}
class:list={[l === locale && "on"]}
aria-current={l === locale ? "true" : undefined}
>{LANG_LABEL[l]}</a>
))}
</div>
<a class="mc-btn sm" href={registerPath}>{t.nav.register}</a>
<a class="mc-btn sm" href={accountPath}>{t.nav.login}</a>
<a class="mc-btn primary sm" href={`${homePath}#join`}>{t.nav.play}</a>
</div>
</header>
<main id="top">
<section class="pad">
<div class="reg-wrap">
<div class="reg-card">
<span class="eyebrow">{a.eyebrow}</span>
<h1>{a.title}</h1>
<p class="lead">{a.lead}</p>
<!-- LOGIN (hidden once authenticated) -->
<div id="acc-login">
<form class="reg-form" id="acc-form" novalidate>
<div class="reg-field">
<label for="acc-username">{a.usernameLabel}</label>
<input class="reg-input" id="acc-username" name="username"
type="text" autocomplete="username" placeholder={a.usernamePlaceholder} required />
</div>
<div class="reg-field">
<label for="acc-password">{a.passwordLabel}</label>
<input class="reg-input" id="acc-password" name="password"
type="password" autocomplete="current-password" placeholder={a.passwordPlaceholder} required />
</div>
<div class="reg-msg err" id="acc-error" role="alert" hidden></div>
<button class="mc-btn primary" id="acc-submit" type="submit">{a.submit}</button>
</form>
<p class="reg-foot">
{a.noAccount} <a href={registerPath}>{a.registerLink}</a>
</p>
</div>
<!-- SKIN PANEL (revealed after login) -->
<div class="reg-success" id="acc-panel" hidden>
<div>
<span class="eyebrow" style="color:var(--accent)">{a.playerLabel}</span>
<p class="lead" id="acc-player-name" style="margin-top:6px;font-size:20px;color:var(--text)"></p>
</div>
<!-- Current avatar preview (NMSR) -->
<div id="acc-avatar-wrap" style="display:flex;align-items:flex-start;gap:20px;flex-wrap:wrap">
<img id="acc-avatar" src="" alt="avatar" width="96" height="96"
style="image-rendering:pixelated;width:96px;height:96px;background:var(--slot)" />
<div style="flex:1;min-width:0;display:flex;flex-direction:column;gap:10px;align-items:flex-start">
<button class="mc-btn sm" id="acc-avatar-refresh" type="button">{a.refresh}</button>
<p class="reg-skin" style="border:none;padding-top:0;margin:0;color:var(--dim);font-size:13px" id="acc-preview-note"></p>
</div>
</div>
<div class="reg-skin" id="acc-skin">
<div>
<h3>{a.skinTitle}</h3>
<p class="lead">{a.skinLead}</p>
</div>
<div class="reg-field">
<label class="mc-btn sm" for="acc-skin-file" style="align-self:flex-start">{a.skinChoose}</label>
<input id="acc-skin-file" type="file" accept="image/png" hidden />
<span class="reg-file-name" id="acc-skin-name"></span>
</div>
<div class="reg-field">
<label>{a.modelLabel}</label>
<div class="reg-models">
<label><input type="radio" name="skin-model" value="classic" checked /> {a.modelClassic}</label>
<label><input type="radio" name="skin-model" value="slim" /> {a.modelSlim}</label>
</div>
</div>
<div class="reg-msg" id="acc-skin-msg" role="status" hidden></div>
<div style="display:flex;flex-wrap:wrap;gap:12px;align-items:center">
<button class="mc-btn primary" id="acc-skin-upload" type="button">{a.skinUpload}</button>
<button class="mc-btn" id="acc-skin-reset" type="button" style="color:var(--dim)">{a.resetSkin}</button>
</div>
</div>
<a class="mc-btn sm" href={homePath}>{a.navHome}</a>
</div>
</div>
</div>
</section>
</main>
<!-- FOOTER -->
<footer class="footer">
<div class="wrap footer-in">
<a class="brand" href={homePath}>
<img class="brand-logo" src="/ulicraft-logo-mini.svg" alt="" width="34" height="34" />
<span class="name">ULICRAFT</span>
</a>
<div class="footer-links">
<a class="mc-btn sm" href={site.statusUrl} target="_blank" rel="noopener">{t.footer.status}</a>
</div>
<p class="disc">
{t.footer.disc} {site.name} · {site.baseDomain}
</p>
</div>
</footer>
<script define:vars={{ cfg: clientCfg }}>
const $ = (id) => document.getElementById(id);
const form = $("acc-form");
const loginBox = $("acc-login");
const errBox = $("acc-error");
const submitBtn = $("acc-submit");
const panel = $("acc-panel");
const headers = { "Content-Type": "application/json" };
// Token + player kept in memory only — never stored in localStorage.
let apiToken = null;
let player = null;
const showMsg = (box, msg) => {
box.textContent = msg;
box.hidden = false;
};
const apiMessage = async (res, fallback) => {
try {
const data = await res.json();
return data && data.message ? data.message : fallback;
} catch {
return fallback;
}
};
// ---- Login ----
form.addEventListener("submit", async (e) => {
e.preventDefault();
errBox.hidden = true;
const username = $("acc-username").value.trim();
const password = $("acc-password").value;
if (!username || !password) {
errBox.classList.add("err");
showMsg(errBox, cfg.errFields);
return;
}
submitBtn.disabled = true;
submitBtn.textContent = cfg.submitting;
try {
const res = await fetch(`${cfg.apiUrl}/login`, {
method: "POST",
headers,
body: JSON.stringify({ username, password }),
});
if (!res.ok) {
errBox.classList.add("err");
showMsg(errBox, await apiMessage(res, cfg.errNetwork));
return;
}
const data = await res.json();
apiToken = data.apiToken;
player = data.user.players[0];
// Show panel — hide the whole login block (form + heading foot).
loginBox.hidden = true;
$("acc-player-name").textContent = player.name;
// Set NMSR avatar
const avatarImg = $("acc-avatar");
avatarImg.src = `${cfg.avatarUrl}/${cfg.avatarMode}/${player.uuid}?size=96`;
avatarImg.alt = player.name;
// Show NMSR lag hint
$("acc-preview-note").textContent = cfg.skinPreviewNote;
panel.hidden = false;
} catch {
errBox.classList.add("err");
showMsg(errBox, cfg.errNetwork);
} finally {
submitBtn.disabled = false;
submitBtn.textContent = cfg.submit;
}
});
// ---- Avatar refresh (re-fetch NMSR with a cache-bust) ----
$("acc-avatar-refresh").addEventListener("click", () => {
if (!player) return;
$("acc-avatar").src = `${cfg.avatarUrl}/${cfg.avatarMode}/${player.uuid}?size=96&t=${Date.now()}`;
});
// ---- Skin upload ----
const fileInput = $("acc-skin-file");
const fileName = $("acc-skin-name");
const skinMsg = $("acc-skin-msg");
const skinBtn = $("acc-skin-upload");
const resetBtn = $("acc-skin-reset");
fileInput.addEventListener("change", () => {
skinMsg.hidden = true;
skinMsg.classList.remove("ok", "err");
fileName.textContent = fileInput.files && fileInput.files[0] ? fileInput.files[0].name : "";
});
const readBase64 = (file) =>
new Promise((resolve, reject) => {
const fr = new FileReader();
fr.onload = () => resolve(String(fr.result).split(",")[1]);
fr.onerror = reject;
fr.readAsDataURL(file);
});
skinBtn.addEventListener("click", async () => {
skinMsg.hidden = true;
skinMsg.classList.remove("ok", "err");
const file = fileInput.files && fileInput.files[0];
if (!file) {
skinMsg.classList.add("err");
showMsg(skinMsg, cfg.errSkinType);
return;
}
if (file.type !== "image/png") {
skinMsg.classList.add("err");
showMsg(skinMsg, cfg.errSkinType);
return;
}
const model = document.querySelector('input[name="skin-model"]:checked').value;
skinBtn.disabled = true;
resetBtn.disabled = true;
skinBtn.textContent = cfg.skinUploading;
try {
const skinBase64 = await readBase64(file);
const res = await fetch(`${cfg.apiUrl}/players/${player.uuid}`, {
method: "PATCH",
headers: { ...headers, Authorization: `Bearer ${apiToken}` },
body: JSON.stringify({ skinBase64, skinModel: model }),
});
if (!res.ok) {
skinMsg.classList.add("err");
showMsg(skinMsg, await apiMessage(res, cfg.errNetwork));
return;
}
// Show the local file immediately as instant confirmation (NMSR lags ~1m).
const dataUrl = URL.createObjectURL(file);
$("acc-avatar").src = dataUrl;
skinMsg.classList.add("ok");
showMsg(skinMsg, cfg.skinOk);
// Clear file picker
fileInput.value = "";
fileName.textContent = "";
} catch {
skinMsg.classList.add("err");
showMsg(skinMsg, cfg.errNetwork);
} finally {
skinBtn.disabled = false;
resetBtn.disabled = false;
skinBtn.textContent = cfg.skinUpload;
}
});
// ---- Reset to default ----
resetBtn.addEventListener("click", async () => {
if (!window.confirm(cfg.resetConfirm)) return;
skinMsg.hidden = true;
skinMsg.classList.remove("ok", "err");
skinBtn.disabled = true;
resetBtn.disabled = true;
try {
const res = await fetch(`${cfg.apiUrl}/players/${player.uuid}`, {
method: "PATCH",
headers: { ...headers, Authorization: `Bearer ${apiToken}` },
body: JSON.stringify({ deleteSkin: true }),
});
if (!res.ok) {
skinMsg.classList.add("err");
showMsg(skinMsg, await apiMessage(res, cfg.errNetwork));
return;
}
// Reset preview back to NMSR (will eventually show the default skin).
$("acc-avatar").src = `${cfg.avatarUrl}/${cfg.avatarMode}/${player.uuid}?size=96&t=${Date.now()}`;
skinMsg.classList.add("ok");
showMsg(skinMsg, cfg.resetOk);
} catch {
skinMsg.classList.add("err");
showMsg(skinMsg, cfg.errNetwork);
} finally {
skinBtn.disabled = false;
resetBtn.disabled = false;
}
});
</script>
</body>
</html>

View File

@@ -0,0 +1,231 @@
---
import { site, LITERALS, HEAD_FONTS } from "../../data/site";
import {
ui,
LANGS,
LANG_LABEL,
LANG_PATH,
LANG_FJORD_PATH,
LANG_REGISTER_PATH,
LANG_ACCOUNT_PATH,
type Lang,
} from "../../i18n/ui";
import CopyChip from "../../components/CopyChip.astro";
import "../../styles/main.css";
// One static Fjord page per locale: /fjord, /es/fjord, /eu/fjord. This is the
// alternative manual path — intentionally NOT linked from the homepage nav.
export function getStaticPaths() {
return [
{ params: { lang: undefined }, props: { locale: "es" as Lang } },
{ params: { lang: "en" }, props: { locale: "en" as Lang } },
{ params: { lang: "eu" }, props: { locale: "eu" as Lang } },
];
}
const { locale } = Astro.props;
const t = ui[locale];
const f = t.fjord;
const { theme, fjord } = site;
const headFont = HEAD_FONTS[theme.headFont] ?? HEAD_FONTS.pixelify;
const homePath = LANG_PATH[locale];
const registerPath = LANG_REGISTER_PATH[locale];
const accountPath = LANG_ACCOUNT_PATH[locale];
const fjordPack = site.launcherManifest.fjordPack;
---
<!doctype html>
<html
lang={t.htmlLang}
data-mood={theme.mood}
data-head={theme.headFont}
style={`--font-head: ${headFont}`}
>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>{site.name} — {f.title}</title>
<meta name="description" content={f.lead} />
<link rel="icon" type="image/png" href="/favicon.png" />
<link rel="stylesheet" href="/fonts/fonts.css" />
{LANGS.map((l) => <link rel="alternate" hreflang={l} href={LANG_FJORD_PATH[l]} />)}
</head>
<body>
<!-- NAV -->
<header class="nav">
<div class="wrap nav-in">
<a class="brand" href={homePath}>
<img class="brand-logo" src="/ulicraft-logo-mini.svg" alt="" width="34" height="34" />
<span class="name">ULICRAFT</span>
</a>
<nav class="nav-links">
<a href={homePath}>{f.navHome}</a>
</nav>
<span class="nav-spacer"></span>
<div class="lang-switch" aria-label="Language">
{LANGS.map((l) => (
<a
href={LANG_FJORD_PATH[l]}
class:list={[l === locale && "on"]}
aria-current={l === locale ? "true" : undefined}
>{LANG_LABEL[l]}</a>
))}
</div>
<a class="mc-btn sm" href={registerPath}>{t.nav.register}</a>
<a class="mc-btn sm" href={accountPath}>{t.nav.login}</a>
<a class="mc-btn primary sm" href={`${homePath}#join`}>{t.nav.play}</a>
</div>
</header>
<main id="top">
<section id="join" class="pad">
<div class="wrap">
<div class="sec-head reveal">
<span class="eyebrow">{f.eyebrow}</span>
<h2 class="section-title">{f.title}</h2>
<p class="lead">{f.lead}</p>
</div>
<div class="steps">
<!-- STEP 1 -->
<div class="step reveal">
<div class="num">1</div>
<div class="body">
<span class="kicker">{f.s1.kicker}</span>
<h3>{f.s1.h}</h3>
<p>{f.s1.p}</p>
<div class="actions">
{fjord.downloads.map((d) => (
<a class="mc-btn sm" href={`${fjord.base}/${d.file}`}>
{d.os} <span class="hint">· {d.hint}</span>
</a>
))}
</div>
</div>
</div>
<!-- STEP 2 -->
<div class="step reveal">
<div class="num">2</div>
<div class="body">
<span class="kicker">{f.s2.kicker}</span>
<h3>{f.s2.h}</h3>
<p>
{f.s2.pa} <strong style="color:var(--text)">{LITERALS.authlib}</strong> {f.s2.pb}
</p>
<div class="actions">
<CopyChip value={site.authlibUrl} variant="url" label={f.s2.copy} copiedLabel={t.copied} />
</div>
</div>
</div>
<!-- STEP 3 -->
<div class="step reveal">
<div class="num">3</div>
<div class="body">
<span class="kicker">{f.s3.kicker}</span>
<h3>{f.s3.h}</h3>
<p>{f.s3.p}</p>
<div class="actions">
{fjordPack ? (
<a class="mc-btn sm" href={fjordPack.url}>
{fjordPack.filename} <span class="hint">· .mrpack</span>
</a>
) : (
<p class="hint">{f.noPack}</p>
)}
</div>
</div>
</div>
<!-- STEP 4 -->
<div class="step reveal">
<div class="num">4</div>
<div class="body">
<span class="kicker">{f.s4.kicker}</span>
<h3>{f.s4.h}</h3>
<p>
{f.s4.pa} <kbd>{LITERALS.multiplayer}</kbd> → <kbd>{LITERALS.addServer}</kbd>{f.s4.pb}
</p>
<div class="actions">
<CopyChip value={site.serverAddress} variant="ip" label={f.s4.copy} copiedLabel={t.copied} />
</div>
</div>
</div>
</div>
</div>
</section>
</main>
<!-- FOOTER -->
<footer class="footer">
<div class="wrap footer-in">
<a class="brand" href={homePath}>
<img class="brand-logo" src="/ulicraft-logo-mini.svg" alt="" width="34" height="34" />
<span class="name">ULICRAFT</span>
</a>
<div class="footer-links">
<a class="mc-btn primary sm" href={`${homePath}#join`}>{t.footer.join}</a>
<a class="mc-btn sm" href={site.statusUrl} target="_blank" rel="noopener">{t.footer.status}</a>
</div>
<p class="disc">
{t.footer.disc} {site.name} · {site.baseDomain}
</p>
</div>
</footer>
<script>
// Copy-to-clipboard for every [data-copy] button (HTTP-LAN safe fallback).
// Mirrors the global handler in [...lang].astro (CopyChip depends on it).
function copyText(text: string) {
try {
if (navigator.clipboard && window.isSecureContext) {
navigator.clipboard.writeText(text);
return;
}
} catch {}
const ta = document.createElement("textarea");
ta.value = text;
ta.style.position = "fixed";
ta.style.opacity = "0";
document.body.appendChild(ta);
ta.select();
try {
document.execCommand("copy");
} catch {}
document.body.removeChild(ta);
}
document.querySelectorAll<HTMLButtonElement>("button[data-copy]").forEach((btn) => {
let timer: number | undefined;
btn.addEventListener("click", () => {
copyText(btn.dataset.copy ?? "");
const label = btn.dataset.label ?? "Copy";
btn.textContent = btn.dataset.copied ?? "Copied!";
btn.classList.add("copied");
clearTimeout(timer);
timer = window.setTimeout(() => {
btn.textContent = label;
btn.classList.remove("copied");
}, 1600);
});
});
// Scroll reveal — visible at rest; .anim added when scrolled into view.
if (!window.matchMedia("(prefers-reduced-motion: reduce)").matches) {
const els = [...document.querySelectorAll<HTMLElement>(".reveal")];
const io = new IntersectionObserver(
(entries) => {
for (const e of entries) {
if (e.isIntersecting) {
e.target.classList.add("anim");
io.unobserve(e.target);
}
}
},
{ rootMargin: "0px 0px -10% 0px" }
);
els.forEach((el) => io.observe(el));
}
</script>
</body>
</html>

View File

@@ -0,0 +1,319 @@
---
import { site, HEAD_FONTS } from "../../data/site";
import {
ui,
LANGS,
LANG_LABEL,
LANG_PATH,
LANG_REGISTER_PATH,
LANG_ACCOUNT_PATH,
type Lang,
} from "../../i18n/ui";
import "../../styles/main.css";
// One static register page per locale: /register, /es/register, /eu/register.
export function getStaticPaths() {
return [
{ params: { lang: undefined }, props: { locale: "es" as Lang } },
{ params: { lang: "en" }, props: { locale: "en" as Lang } },
{ params: { lang: "eu" }, props: { locale: "eu" as Lang } },
];
}
const { locale } = Astro.props;
const t = ui[locale];
const r = t.register;
const { theme } = site;
const headFont = HEAD_FONTS[theme.headFont] ?? HEAD_FONTS.pixelify;
const homePath = LANG_PATH[locale];
const registerPath = LANG_REGISTER_PATH[locale];
const accountPath = LANG_ACCOUNT_PATH[locale];
// Visibility of the invite-code field (default hidden). Independent of the
// backend gate (site.registrationRequiresInvite / Drasl RequireInvite).
const showInvite = site.registrationShowInvite;
// Strings the client script needs at runtime (kept minimal, passed via define:vars).
const clientCfg = {
apiUrl: site.draslApiUrl,
showInvite,
submit: r.submit,
submitting: r.submitting,
skinUpload: r.skinUpload,
skinUploading: r.skinUploading,
skinOk: r.skinOk,
successBody: r.successBody,
errFields: r.errFields,
errSkinType: r.errSkinType,
errNetwork: r.errNetwork,
};
---
<!doctype html>
<html
lang={t.htmlLang}
data-mood={theme.mood}
data-head={theme.headFont}
style={`--font-head: ${headFont}`}
>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>{site.name} — {r.title}</title>
<meta name="description" content={r.lead} />
<link rel="icon" type="image/png" href="/favicon.png" />
<link rel="stylesheet" href="/fonts/fonts.css" />
{LANGS.map((l) => <link rel="alternate" hreflang={l} href={LANG_REGISTER_PATH[l]} />)}
</head>
<body>
<!-- NAV -->
<header class="nav">
<div class="wrap nav-in">
<a class="brand" href={homePath}>
<img class="brand-logo" src="/ulicraft-logo-mini.svg" alt="" width="34" height="34" />
<span class="name">ULICRAFT</span>
</a>
<nav class="nav-links">
<a href={homePath}>{r.navHome}</a>
</nav>
<span class="nav-spacer"></span>
<div class="lang-switch" aria-label="Language">
{LANGS.map((l) => (
<a
href={LANG_REGISTER_PATH[l]}
class:list={[l === locale && "on"]}
aria-current={l === locale ? "true" : undefined}
>{LANG_LABEL[l]}</a>
))}
</div>
<a class="mc-btn sm" href={registerPath}>{t.nav.register}</a>
<a class="mc-btn sm" href={accountPath}>{t.nav.login}</a>
<a class="mc-btn primary sm" href={`${homePath}#join`}>{t.nav.play}</a>
</div>
</header>
<main id="top">
<section class="pad">
<div class="reg-wrap">
<div class="reg-card">
<span class="eyebrow">{r.eyebrow}</span>
<h1>{r.title}</h1>
<p class="lead">{r.lead}</p>
<!-- REGISTER FORM -->
<form class="reg-form" id="reg-form" novalidate>
<div class="reg-field">
<label for="reg-username">{r.usernameLabel}</label>
<input class="reg-input" id="reg-username" name="username"
type="text" autocomplete="username" placeholder={r.usernamePlaceholder} required />
</div>
<div class="reg-field">
<label for="reg-password">{r.passwordLabel}</label>
<input class="reg-input" id="reg-password" name="password"
type="password" autocomplete="new-password" placeholder={r.passwordPlaceholder} required />
</div>
{showInvite && (
<div class="reg-field">
<label for="reg-invite">{r.inviteLabel}</label>
<input class="reg-input" id="reg-invite" name="invite"
type="text" placeholder={r.invitePlaceholder} required />
<span class="hint">{r.inviteHint}</span>
</div>
)}
<div class="reg-msg err" id="reg-error" role="alert" hidden></div>
<button class="mc-btn primary" id="reg-submit" type="submit">{r.submit}</button>
</form>
<p class="reg-foot">
{r.haveAccount} <a href={LANG_ACCOUNT_PATH[locale]}>{r.loginLink}</a>
</p>
<!-- SUCCESS + SKIN -->
<div class="reg-success" id="reg-success" hidden>
<div>
<span class="eyebrow" style="color:var(--accent)">{r.successTitle}</span>
<p class="lead" id="reg-success-body" style="margin-top:10px"></p>
</div>
<div class="reg-field">
<label>{r.uuidLabel}</label>
<div class="reg-uuid" id="reg-uuid"></div>
</div>
<div class="reg-skin" id="reg-skin">
<div>
<h3>{r.skinTitle}</h3>
<p class="lead">{r.skinLead}</p>
</div>
<div class="reg-field">
<label class="mc-btn sm" for="reg-skin-file" style="align-self:flex-start">{r.skinChoose}</label>
<input id="reg-skin-file" type="file" accept="image/png" hidden />
<span class="reg-file-name" id="reg-skin-name"></span>
</div>
<div class="reg-field">
<label>{r.modelLabel}</label>
<div class="reg-models">
<label><input type="radio" name="skin-model" value="classic" checked /> {r.modelClassic}</label>
<label><input type="radio" name="skin-model" value="slim" /> {r.modelSlim}</label>
</div>
</div>
<div class="reg-msg" id="reg-skin-msg" role="status" hidden></div>
<button class="mc-btn" id="reg-skin-upload" type="button">{r.skinUpload}</button>
</div>
<a class="mc-btn primary" href={`${homePath}#join`}>{r.finish}</a>
</div>
</div>
</div>
</section>
</main>
<!-- FOOTER -->
<footer class="footer">
<div class="wrap footer-in">
<a class="brand" href={homePath}>
<img class="brand-logo" src="/ulicraft-logo-mini.svg" alt="" width="34" height="34" />
<span class="name">ULICRAFT</span>
</a>
<div class="footer-links">
<a class="mc-btn sm" href={site.statusUrl} target="_blank" rel="noopener">{t.footer.status}</a>
</div>
<p class="disc">
{t.footer.disc} {site.name} · {site.baseDomain}
</p>
</div>
</footer>
<script define:vars={{ cfg: clientCfg }}>
const $ = (id) => document.getElementById(id);
const form = $("reg-form");
const errBox = $("reg-error");
const submitBtn = $("reg-submit");
const successBox = $("reg-success");
const headers = { "Content-Type": "application/json" };
let apiToken = null;
let player = null;
const showErr = (box, msg) => {
box.textContent = msg;
box.hidden = false;
};
const apiMessage = async (res, fallback) => {
try {
const data = await res.json();
return data && data.message ? data.message : fallback;
} catch {
return fallback;
}
};
form.addEventListener("submit", async (e) => {
e.preventDefault();
errBox.hidden = true;
const username = $("reg-username").value.trim();
const password = $("reg-password").value;
const inviteEl = $("reg-invite");
const invite = inviteEl ? inviteEl.value.trim() : null;
if (!username || !password || (cfg.showInvite && !invite)) {
showErr(errBox, cfg.errFields);
return;
}
submitBtn.disabled = true;
submitBtn.textContent = cfg.submitting;
try {
const body = { username, password, playerName: username };
if (invite) body.inviteCode = invite;
let res = await fetch(`${cfg.apiUrl}/users`, {
method: "POST",
headers,
body: JSON.stringify(body),
});
if (!res.ok) {
showErr(errBox, await apiMessage(res, cfg.errNetwork));
return;
}
// Log in to get an API token for the (optional) skin upload.
res = await fetch(`${cfg.apiUrl}/login`, {
method: "POST",
headers,
body: JSON.stringify({ username, password }),
});
if (!res.ok) {
showErr(errBox, await apiMessage(res, cfg.errNetwork));
return;
}
const data = await res.json();
apiToken = data.apiToken;
player = data.user.players[0];
form.hidden = true;
$("reg-uuid").textContent = player.uuid;
$("reg-success-body").textContent = cfg.successBody.replace("{name}", player.name);
successBox.hidden = false;
} catch {
showErr(errBox, cfg.errNetwork);
} finally {
submitBtn.disabled = false;
submitBtn.textContent = cfg.submit;
}
});
// ---- Skin upload ----
const fileInput = $("reg-skin-file");
const fileName = $("reg-skin-name");
const skinMsg = $("reg-skin-msg");
const skinBtn = $("reg-skin-upload");
fileInput.addEventListener("change", () => {
skinMsg.hidden = true;
fileName.textContent = fileInput.files && fileInput.files[0] ? fileInput.files[0].name : "";
});
const readBase64 = (file) =>
new Promise((resolve, reject) => {
const fr = new FileReader();
fr.onload = () => resolve(String(fr.result).split(",")[1]);
fr.onerror = reject;
fr.readAsDataURL(file);
});
skinBtn.addEventListener("click", async () => {
skinMsg.hidden = true;
skinMsg.classList.remove("ok", "err");
const file = fileInput.files && fileInput.files[0];
if (!file) {
skinMsg.classList.add("err");
showErr(skinMsg, cfg.errSkinType);
return;
}
if (file.type !== "image/png") {
skinMsg.classList.add("err");
showErr(skinMsg, cfg.errSkinType);
return;
}
const model = document.querySelector('input[name="skin-model"]:checked').value;
skinBtn.disabled = true;
skinBtn.textContent = cfg.skinUploading;
try {
const skinBase64 = await readBase64(file);
const res = await fetch(`${cfg.apiUrl}/players/${player.uuid}`, {
method: "PATCH",
headers: { ...headers, Authorization: `Bearer ${apiToken}` },
body: JSON.stringify({ skinBase64, skinModel: model }),
});
if (!res.ok) {
skinMsg.classList.add("err");
showErr(skinMsg, await apiMessage(res, cfg.errNetwork));
return;
}
skinMsg.classList.add("ok");
showErr(skinMsg, cfg.skinOk);
} catch {
skinMsg.classList.add("err");
showErr(skinMsg, cfg.errNetwork);
} finally {
skinBtn.disabled = false;
skinBtn.textContent = cfg.skinUpload;
}
});
</script>
</body>
</html>

View File

@@ -207,6 +207,26 @@ section { position: relative; z-index: 1; }
}
.mc-btn.sm { font-size: 14px; padding: 10px 16px 12px; }
/* Launcher download skeleton (placeholder while launcher.json loads). */
.dl-skeleton {
min-width: 9.5rem;
color: transparent;
pointer-events: none;
background-image: linear-gradient(
90deg,
oklch(1 0 0 / 0.04),
oklch(1 0 0 / 0.14),
oklch(1 0 0 / 0.04)
);
background-size: 200% 100%;
animation: dl-shimmer 1.2s linear infinite;
}
.dl-skeleton::after { content: "\00a0"; } /* keep height when text is empty */
@keyframes dl-shimmer {
from { background-position: 200% 0; }
to { background-position: -200% 0; }
}
/* ---- Copy-IP chip ---- */
.ip-chip {
display: inline-flex;
@@ -245,7 +265,7 @@ section { position: relative; z-index: 1; }
.ip-chip button:hover { filter: brightness(1.1); }
.ip-chip button.copied { background: var(--gold); color: oklch(0.20 0.05 80); }
/* url variant: long auth/packwiz URLs — smaller, wraps instead of overflowing */
/* url variant: long auth URLs — smaller, wraps instead of overflowing */
.ip-chip.url { max-width: 100%; }
.ip-chip.url .ip-val {
font-family: var(--font-mono);
@@ -275,6 +295,7 @@ section { position: relative; z-index: 1; }
height: 68px;
}
.brand { display: flex; align-items: center; gap: 12px; text-decoration: none; color: var(--text); }
.brand-logo { width: 34px; height: 34px; flex-shrink: 0; }
.brand .name {
font-family: var(--font-head);
font-weight: 600;
@@ -451,30 +472,69 @@ section { position: relative; z-index: 1; }
.bars i:nth-child(4){height:85%}
.bars i:nth-child(5){height:100%}
/* stat tiles */
.stat-grid {
/* ============================================================
PLAYER ROSTER (shared avatar tiles)
Used by ServerCard.astro (online row) and PlayerRoster.astro
(Members grid). A tile is an NMSR avatar + the player name.
============================================================ */
.roster {
display: grid;
grid-template-columns: repeat(4, 1fr);
gap: 16px;
margin-top: 28px;
grid-template-columns: repeat(auto-fill, minmax(140px, 1fr));
gap: 12px;
}
.tile {
background: var(--surface);
padding: 22px;
box-shadow: inset 2px 2px 0 var(--bevel-hi), inset -2px -2px 0 var(--bevel-lo);
.roster-tile {
display: flex;
flex-direction: column;
align-items: center;
gap: 8px;
padding: 12px 8px;
background: var(--bg-2);
}
.tile .k { font-family: var(--font-head); font-weight: 600; font-size: 38px; color: var(--text); line-height: 1; font-variant-numeric: tabular-nums; }
.tile .k .u { color: var(--accent); font-size: 22px; }
.tile .l { margin-top: 8px; color: var(--dim); font-size: 13px; letter-spacing: 0.04em; text-transform: uppercase; font-family: var(--font-pixel); font-size: 9px; line-height: 1.8; }
.roster-tile img {
width: auto;
height: 230px;
object-fit: contain;
image-rendering: pixelated;
}
.roster-name {
max-width: 100%;
color: var(--muted);
font-size: 18px;
text-align: center;
white-space: nowrap;
overflow: hidden;
text-overflow: ellipsis;
}
.roster-empty { margin: 0; color: var(--dim); font-size: 14px; }
/* ============================================================
FEATURES
============================================================ */
.feat-split {
display: grid;
grid-template-columns: 1.2fr 1fr;
gap: 28px;
align-items: center;
}
.feat-grid {
display: grid;
grid-template-columns: repeat(2, 1fr);
grid-template-columns: 1fr;
gap: 18px;
}
.feat-aside {
display: flex;
align-items: center;
justify-content: center;
}
.feat-aside img {
width: 100%;
max-width: 420px;
height: auto;
image-rendering: pixelated;
}
@media (max-width: 760px) {
.feat-split { grid-template-columns: 1fr; }
}
.feat {
display: flex;
gap: 18px;
@@ -487,7 +547,7 @@ section { position: relative; z-index: 1; }
.feat h3 { font-size: 21px; margin-bottom: 8px; }
.feat p { margin: 0; color: var(--muted); font-size: 16px; }
/* pixel icon */
/* pixel icon — plain (no bevel) */
.picon {
width: 52px; height: 52px; flex-shrink: 0;
display: grid;
@@ -495,12 +555,17 @@ section { position: relative; z-index: 1; }
grid-template-rows: repeat(7, 1fr);
background: var(--slot);
padding: 4px;
box-shadow: inset 2px 2px 0 var(--bevel-lo), inset -2px -2px 0 var(--bevel-hi);
image-rendering: pixelated;
}
.picon i { background: transparent; }
.picon i.on { background: var(--accent); }
.picon i.go { background: var(--gold); }
/* custom image icon (PixelIcon `img` prop) */
.picon-img {
width: 52px; height: 52px; flex-shrink: 0;
object-fit: contain;
image-rendering: pixelated;
}
/* ============================================================
HOW TO JOIN — steps
@@ -569,7 +634,6 @@ section { position: relative; z-index: 1; }
:root[data-head="8bit"] .step .num { font-size: 30px; }
:root[data-head="8bit"] .feat h3 { font-size: 15px; line-height: 1.4; }
:root[data-head="8bit"] .serverlist .title { font-size: 16px; }
:root[data-head="8bit"] .tile .k { font-size: 26px; }
:root[data-head="8bit"] .ip-chip button { font-size: 12px; }
:root[data-head="8bit"] .live-pill { font-size: 12px; }
@@ -588,13 +652,70 @@ section { position: relative; z-index: 1; }
.reveal.anim { animation: reveal-in .6s cubic-bezier(.2,.7,.3,1) both; }
}
/* ============================================================
REGISTER PAGE
============================================================ */
.reg-wrap { width: min(560px, calc(100% - 48px)); margin-inline: auto; }
.reg-card {
background: var(--surface);
padding: clamp(24px, 4vw, 40px);
box-shadow: inset 2px 2px 0 var(--bevel-hi), inset -2px -2px 0 var(--bevel-lo), 0 8px 24px oklch(0 0 0 / 0.4);
}
.reg-card .eyebrow { display: block; margin-bottom: 12px; }
.reg-card h1 { font-size: clamp(28px, 4vw, 40px); }
.reg-card .lead { margin: 14px 0 0; font-size: 17px; }
.reg-form { display: flex; flex-direction: column; gap: 18px; margin-top: 28px; }
.reg-field { display: flex; flex-direction: column; gap: 7px; }
.reg-field label {
font-family: var(--font-pixel); font-size: 9px; letter-spacing: 0.1em;
color: var(--dim); text-transform: uppercase; line-height: 1.8;
}
.reg-input {
font-family: var(--font-body); font-size: 16px; color: var(--text);
background: var(--slot); border: 0; padding: 13px 14px;
box-shadow: inset 2px 2px 0 var(--bevel-lo), inset -2px -2px 0 var(--bevel-hi);
}
.reg-input::placeholder { color: var(--dim); }
.reg-input:focus { outline: 2px solid var(--accent); outline-offset: 1px; }
.reg-field .hint { color: var(--dim); font-size: 13px; }
.reg-models { display: flex; gap: 10px; }
.reg-models label {
display: inline-flex; align-items: center; gap: 8px;
font-family: var(--font-body); font-size: 15px; letter-spacing: 0; text-transform: none;
color: var(--muted); cursor: pointer;
background: var(--slot); padding: 9px 14px;
box-shadow: inset 2px 2px 0 var(--bevel-lo), inset -2px -2px 0 var(--bevel-hi);
}
.reg-models input { accent-color: var(--accent); }
.reg-msg { font-size: 15px; padding: 12px 14px; box-shadow: inset 2px 2px 0 var(--bevel-lo), inset -2px -2px 0 var(--bevel-hi); }
.reg-msg[hidden] { display: none; }
.reg-msg.err { background: oklch(0.30 0.10 30); color: oklch(0.92 0.04 40); }
.reg-msg.ok { background: var(--slot); color: var(--accent); }
.reg-foot { margin-top: 22px; color: var(--dim); font-size: 14.5px; }
.reg-foot a { color: var(--accent); }
.reg-success[hidden], .reg-skin[hidden] { display: none; }
.reg-success { margin-top: 26px; display: flex; flex-direction: column; gap: 16px; }
.reg-uuid {
font-family: var(--font-mono); font-size: 17px; color: var(--gold);
background: var(--slot); padding: 8px 12px; word-break: break-all;
box-shadow: inset 2px 2px 0 var(--bevel-lo), inset -2px -2px 0 var(--bevel-hi);
}
.reg-skin { margin-top: 8px; display: flex; flex-direction: column; gap: 16px; border-top: 1px solid var(--line); padding-top: 22px; }
.reg-skin h3 { font-size: 22px; }
.reg-skin .lead { font-size: 15px; }
.reg-file-name { color: var(--muted); font-size: 14px; }
/* ============================================================
RESPONSIVE
============================================================ */
@media (max-width: 880px) {
:root[data-hero="split"] .hero-grid { grid-template-columns: 1fr; }
:root[data-hero="split"] .hero-status { display: block; }
.stat-grid { grid-template-columns: repeat(2, 1fr); }
.feat-grid { grid-template-columns: 1fr; }
.nav-links { display: none; }
.serverlist { flex-wrap: wrap; }
@@ -604,5 +725,4 @@ section { position: relative; z-index: 1; }
.step { grid-template-columns: 1fr; gap: 18px; }
.step .num { width: 64px; height: 64px; font-size: 32px; }
.ip-chip .ip-val { font-size: 22px; }
.stat-grid { grid-template-columns: 1fr 1fr; }
}

163
mods-sides.json Normal file
View File

@@ -0,0 +1,163 @@
{
"BetterF3-11.0.3-NeoForge-1.21.1.jar": "client",
"BridgingMod-2.6.2+1.21.1.neoforge-release.jar": "client",
"CodeChickenLib-1.21.1-4.6.1.526.jar": "both",
"Controlling-neoforge-1.21.1-19.0.5.jar": "client",
"CreateDragonsPlus-1.11.2b.jar": "both",
"CreativeCore_NEOFORGE_v2.13.41_mc1.21.1.jar": "both",
"CustomSkinLoader_Universal-14.28.jar": "client",
"EasierSleeping-1.21.1-4.0.1.jar": "both",
"EasyAnvils-v21.1.0-1.21.1-NeoForge.jar": "both",
"EasyMagic-v21.1.4-1.21.1-NeoForge.jar": "both",
"EnderStorage-1.21.1-2.13.0.191.jar": "both",
"ExplorersCompass-1.21.1-3.4.0-neoforge.jar": "both",
"ExtremeSoundMuffler-3.56_NeoForge-1.21.jar": "client",
"FarmersDelight-1.21.1-1.3.2.jar": "both",
"HangGlider-v21.1.0-1.21.1-NeoForge.jar": "both",
"ImmediatelyFast-NeoForge-1.6.10+1.21.1.jar": "client",
"Jade-1.21.1-NeoForge-15.10.5.jar": "both",
"JadeAddons-1.21.1-NeoForge-6.1.0.jar": "both",
"JustEnoughProfessions-neoforge-1.21.1-4.0.5.jar": "both",
"JustEnoughResources-NeoForge-1.21.1-1.6.0.17.jar": "client",
"MoogsEndStructures-1.21-2.0.3.jar": "both",
"MoogsMissingVillages-1.21-2.1.1.jar": "both",
"MoogsNetherStructures-1.21-3.0.0-alpha.2.jar": "both",
"MoogsVoyagerStructures-1.21-5.0.11.jar": "both",
"MouseTweaks-neoforge-mc1.21-2.26.1.jar": "client",
"Neat-1.21-47-NEOFORGE.jar": "both",
"Necronomicon-NeoForge-1.6.0+1.21.jar": "both",
"Patchouli-1.21.1-93-NEOFORGE.jar": "both",
"Ping-Wheel-1.12.2-neoforge-1.21.1.jar": "both",
"Placebo-1.21.1-9.9.1.jar": "both",
"PuzzlesLib-v21.1.51-1.21.1-NeoForge.jar": "both",
"Searchables-neoforge-1.21.1-1.0.2.jar": "client",
"TerraBlender-neoforge-1.21.1-4.1.0.8.jar": "both",
"ToastControl-1.21.1-9.0.1.jar": "client",
"TravelersTitles-1.21.1-NeoForge-5.1.3.jar": "client",
"UsefulSlime-neoforge-1.21-1.12.1.jar": "both",
"YungsApi-1.21.1-NeoForge-5.1.6.jar": "both",
"YungsBetterCaves-1.21.1-NeoForge-3.1.4.jar": "both",
"YungsBetterDesertTemples-1.21.1-NeoForge-4.1.5.jar": "both",
"YungsBetterDungeons-1.21.1-NeoForge-5.1.4.jar": "both",
"YungsBetterEndIsland-1.21.1-NeoForge-3.1.2.jar": "both",
"YungsBetterJungleTemples-1.21.1-NeoForge-3.1.2.jar": "both",
"YungsBetterMineshafts-1.21.1-NeoForge-5.1.1.jar": "both",
"YungsBetterNetherFortresses-1.21.1-NeoForge-3.1.5.jar": "both",
"YungsBetterOceanMonuments-1.21.1-NeoForge-4.1.2.jar": "both",
"YungsBetterStrongholds-1.21.1-NeoForge-5.1.3.jar": "both",
"YungsBetterWitchHuts-1.21.1-NeoForge-4.1.1.jar": "both",
"YungsBridges-1.21.1-NeoForge-5.1.1.jar": "both",
"YungsCaveBiomes-1.21.1-NeoForge-3.1.1.jar": "both",
"amendments-neoforge-1.21-2.1.5.jar": "both",
"appleskin-neoforge-mc1.21-3.0.9.jar": "client",
"architectury-13.0.8-neoforge.jar": "both",
"baguettelib-1.21.1-NeoForge-2.0.3.jar": "both",
"balm-neoforge-1.21.1-21.0.58.jar": "both",
"buildinggadgets2-1.3.9.jar": "both",
"caelus-neoforge-7.0.1+1.21.1.jar": "both",
"cardboardboxes-1.21.1-0.1.2.jar": "both",
"charginggadgets-1.14.1.jar": "both",
"cloth-config-15.0.140-neoforge.jar": "both",
"colorfulhearts-neoforge-1.21.1-10.5.9.jar": "client",
"comforts-neoforge-9.0.5+1.21.1.jar": "both",
"configured-neoforge-1.21.1-2.6.3.jar": "both",
"copycats-3.0.4+mc.1.21.1-neoforge.jar": "both",
"corpse-neoforge-1.21.1-1.1.13.jar": "both",
"corpsecurioscompat-1.21.1-NeoForge-4.0.1.jar": "both",
"create-1.21.1-6.0.10.jar": "both",
"create-central-kitchen-2.5.0.jar": "both",
"create-enchantment-industry-2.4.1.jar": "both",
"create-integrated-farming-1.2.6.jar": "both",
"create_connected-1.2.2-mc1.21.1.jar": "both",
"create_jetpack-forge-5.1.2.jar": "both",
"create_jetpack_curios-1.2.0-neoforge-1.21.1.jar": "both",
"create_mechanical_chicken-1.21.1-1.3.3-6.0.6.jar": "both",
"create_mechanical_extruder-1.21.1-2.2.0-6.0.8.jar": "both",
"create_mechanical_spawner-1.21.1-1.3.0-6.0.8.jar": "both",
"createaddition-1.6.0.jar": "both",
"createdeco-2.1.3.jar": "both",
"createornithopterglider-1.2.0-1.21.1.jar": "both",
"createsifter-1.21.1-2.2.1.jar": "both",
"createultimine-1.21.1-neoforge-1.3.2.jar": "both",
"curios-neoforge-9.5.1+1.21.1.jar": "both",
"cwb-neoforge-3.0.0+mc1.21.jar": "client",
"defaultoptions-neoforge-1.21.1-21.1.6.jar": "both",
"drippyloadingscreen_neoforge_3.1.2_MC_1.21.1.jar": "client",
"easy-piglins-neoforge-1.21.1-1.1.0.jar": "both",
"easy-villagers-neoforge-1.21.1-1.1.42.jar": "both",
"easydisenchanting-neoforge-1.0.0-1.21.1.jar": "both",
"emotecraft-for-MC1.21.1-2.4.12-neoforge.jar": "both",
"enderrf-1.21.1-1.0.1.jar": "both",
"entity_model_features-3.2.4-1.21-neoforge.jar": "client",
"entity_texture_features_1.21-neoforge-7.1.jar": "client",
"entityculling-neoforge-1.10.2-mc1.21.1.jar": "client",
"etched-5.1.0.jar": "both",
"fancymenu_neoforge_3.9.1_MC_1.21.1.jar": "client",
"fastleafdecay-35.jar": "both",
"ferritecore-7.0.3-neoforge.jar": "both",
"fishingoverhaul-1.21.1-1.2.1.jar": "both",
"ftb-chunks-neoforge-2101.1.17.jar": "both",
"ftb-essentials-neoforge-2101.1.9.jar": "both",
"ftb-library-neoforge-2101.1.31.jar": "both",
"ftb-teams-neoforge-2101.1.10.jar": "both",
"ftb-ultimine-neoforge-2101.1.14.jar": "both",
"functionalstorage-1.21.1-1.5.7.jar": "both",
"fusion-1.3.2b-neoforge-mc1.21.1.jar": "client",
"fzzy_config-0.7.6+1.21+neoforge.jar": "both",
"geckolib-neoforge-1.21.1-4.8.4.jar": "both",
"handcrafted-neoforge-1.21.1-4.0.3.jar": "both",
"immersive_paintings-neoforge-1.21.1-0.7.8.jar": "both",
"inventoryessentials-neoforge-1.21.1-21.1.15.jar": "both",
"iris-neoforge-1.8.12+mc1.21.1.jar": "client",
"jamlib-neoforge-1.3.6+1.21.1.jar": "both",
"jei-1.21.1-neoforge-19.27.0.340.jar": "both",
"konkrete_neoforge_1.9.9_MC_1.21.jar": "client",
"kotlinforforge-5.11.0-all.jar": "both",
"kubejs-create-neoforge-2101.3.1-build.18.jar": "both",
"kubejs-neoforge-2101.7.2-build.368.jar": "both",
"kubejsdelight-1.1.6.jar": "both",
"laserio-1.9.11.jar": "both",
"lithium-neoforge-0.15.3+mc1.21.1.jar": "both",
"lootjs-neoforge-1.21.1-3.7.0.jar": "both",
"lootr-neoforge-1.21.1-1.11.37.120.jar": "both",
"mechanical_cow-1.21.1-1.2.0-6.0.8.jar": "both",
"mechanicals-1.21.1-1.1.0.jar": "both",
"melody_neoforge_1.0.10_MC_1.21.jar": "client",
"melter-1.21.1-1.8.2.jar": "both",
"mob_grinding_utils-1.1.10+mc1.21.1.jar": "both",
"modernfix-neoforge-5.27.12+mc1.21.1.jar": "both",
"moogs_structures-neoforge-1.21.1-3.0.0.jar": "both",
"moonlight-neoforge-1.21.1-3.0.22.jar": "both",
"morefunctionalstorage-1.2.3.jar": "both",
"moreoverlays-1.24.2-mc1.21.1-neoforge.jar": "client",
"polymorph-neoforge-1.1.0+1.21.1.jar": "both",
"ponderjs-neoforge-1.21.1-2.4.0.jar": "client",
"rechiseled-1.2.5-neoforge-mc1.21.jar": "both",
"resourcefullib-neoforge-1.21-3.0.12.jar": "both",
"rhino-2101.2.7-build.85.jar": "both",
"rightclickharvest-neoforge-4.6.1+1.21.1.jar": "both",
"seamless-loading-screen-2.2.1+1.21-neoforge.jar": "client",
"simplemagnets-1.1.12c-neoforge-mc1.21.jar": "both",
"sliceanddice-forge-4.2.4.jar": "both",
"sodium-extra-neoforge-0.8.7+mc1.21.1.jar": "client",
"sodium-neoforge-0.8.12-alpha.4+mc1.21.1.jar": "client",
"solcarrot-1.21.1-1.16.6.jar": "both",
"sophisticatedbackpacks-1.21.1-3.25.55.1852.jar": "both",
"sophisticatedbackpackscreateintegration-1.21.1-0.1.6.99.jar": "both",
"sophisticatedcore-1.21.1-1.4.49.1976.jar": "both",
"spark-1.10.124-neoforge.jar": "both",
"supermartijn642configlib-1.1.8-neoforge-mc1.21.jar": "both",
"supermartijn642corelib-1.1.21-neoforge-mc1.21.jar": "both",
"tagtooltips-neoforge-1.21.1-1.2.0.jar": "client",
"titanium-1.21-4.0.43.jar": "both",
"toolsjs-0.1.1.jar": "both",
"torchmaster-neoforge-1.21.1-21.1.9.jar": "both",
"trashcans-1.0.18c-neoforge-mc1.21.jar": "both",
"txnilib-neoforge-1.0.24-1.21.1.jar": "both",
"ulicraftmod-1.21.1-1.0.0-6.0.10.jar": "both",
"utilitarian-1.21.1-0.19.2.jar": "both",
"voicechat-neoforge-1.21.1-2.6.18.jar": "both",
"wm_binaries-3.0.0-rc.1.jar": "client",
"yeetusexperimentus-neoforge-87.0.0.jar": "client",
"yet_another_config_lib_v3-3.8.2+1.21.1-neoforge.jar": "both"
}

View File

@@ -1,19 +1,17 @@
# ──────────────────────────────────────────────────────────────────
# Ulicraft host nginx — TLS terminator in FRONT of caddy.
# ──────────────────────────────────────────────────────────────────
# Alternative to ulicraft.conf.tmpl. Instead of nginx serving the static
# files + proxying only drasl, here caddy (the docker container) is the single
# ingress for ALL vhosts and nginx just terminates TLS and reverse-proxies
# everything to caddy by Host header.
# caddy (in docker-compose.yml) is the single internal ingress for ALL vhosts;
# this host nginx terminates TLS and reverse-proxies everything to caddy by Host
# header. Prefer tooling/render-nginx.sh over hand-rendering.
#
# Caddy must be published on a localhost port — set in .env:
# CADDY_HTTP_PORT=8880
# CADDY_HTTP_BIND=127.0.0.1
# and the stack brought up with the caddy override (NOT the nginx override):
# docker compose -f docker-compose.yml -f docker-compose.caddy.yml \
# -f docker-compose.static.yml up -d
# and the stack brought up:
# docker compose up -d
#
# Render with BOTH vars then install:
# Render with the vars then install:
# CADDY_HTTP_PORT=8880 BASE_DOMAIN=ulicraft.net APP_DIR=/home/ubuntu/mc/ulicraft-server-v1 \
# envsubst '$CADDY_HTTP_PORT $BASE_DOMAIN $APP_DIR' \
# < nginx/ulicraft-caddy.conf.tmpl | sudo tee /etc/nginx/sites-available/ulicraft.conf
@@ -28,17 +26,20 @@ upstream ulicraft_caddy {
server 127.0.0.1:${CADDY_HTTP_PORT};
}
# Brute-force throttle for the publicly-exposed Filestash /admin console (it is
# the only credential on files.), applied in its location block below.
limit_req_zone $binary_remote_addr zone=files_admin:10m rate=6r/m;
# HTTP -> HTTPS for every name.
server {
listen 80;
listen [::]:80;
server_name ${BASE_DOMAIN} www.${BASE_DOMAIN} auth.${BASE_DOMAIN} pack.${BASE_DOMAIN} distribution.${BASE_DOMAIN} avatar.${BASE_DOMAIN} status.${BASE_DOMAIN};
server_name ${BASE_DOMAIN} www.${BASE_DOMAIN} auth.${BASE_DOMAIN} distribution.${BASE_DOMAIN} avatar.${BASE_DOMAIN} status.${BASE_DOMAIN} files.${BASE_DOMAIN};
return 301 https://$host$request_uri;
}
# One TLS server block per name (each has its own LE cert). All proxy to caddy;
# caddy routes by the forwarded Host header (apex -> www, auth -> drasl,
# pack -> packwiz files).
# caddy routes by the forwarded Host header (apex -> www, auth -> drasl).
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
@@ -92,24 +93,6 @@ server {
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name pack.${BASE_DOMAIN};
ssl_certificate ${APP_DIR}/certs/pack.${BASE_DOMAIN}/cert.pem;
ssl_certificate_key ${APP_DIR}/certs/pack.${BASE_DOMAIN}/key.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
location / {
proxy_pass http://ulicraft_caddy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
@@ -146,6 +129,44 @@ server {
}
}
# Filestash player file share. Uploads need a real body limit (nginx defaults to
# 1m, which rejects almost anything worth sharing) and streaming rather than
# spooling — a 2g upload buffered to disk would write it twice on a host whose
# disk is already the shared failure domain for Minecraft + Drasl + backups.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name files.${BASE_DOMAIN};
ssl_certificate ${APP_DIR}/certs/files.${BASE_DOMAIN}/cert.pem;
ssl_certificate_key ${APP_DIR}/certs/files.${BASE_DOMAIN}/key.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
client_max_body_size 2g; # uploads; other vhosts stay at 4m
proxy_request_buffering off; # stream uploads, don't spool them to disk
proxy_read_timeout 300s;
proxy_send_timeout 300s;
# /admin is reachable on purpose, so throttle it: it is the only password
# on this vhost. 6 req/min, small burst.
location /admin {
limit_req zone=files_admin burst=3 nodelay;
proxy_pass http://ulicraft_caddy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
proxy_pass http://ulicraft_caddy;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

View File

@@ -1,93 +0,0 @@
# ──────────────────────────────────────────────────────────────────
# Ulicraft host nginx — TLS ingress with Let's Encrypt certs.
# ──────────────────────────────────────────────────────────────────
# Template. Render with BOTH vars then install:
#
# APP_DIR=/home/ubuntu/mc/ulicraft-server-v1 BASE_DOMAIN=ulicraft.net \
# envsubst '$APP_DIR $BASE_DOMAIN' \
# < nginx/ulicraft.conf.tmpl | sudo tee /etc/nginx/sites-available/ulicraft.conf
# sudo ln -sf /etc/nginx/sites-available/ulicraft.conf /etc/nginx/sites-enabled/
# sudo nginx -t && sudo systemctl reload nginx
#
# Prereqs:
# - certs issued: tooling/issue-letsencrypt.sh -> $APP_DIR/certs/<name>/{cert,key}.pem
# - the docker stack up with the nginx override (publishes drasl on 127.0.0.1:25585):
# docker compose -f docker-compose.yml -f docker-compose.nginx.yml up -d
# - nginx's user (www-data) can READ $APP_DIR/{www,pack,custom,certs}
# ──────────────────────────────────────────────────────────────────
# HTTP -> HTTPS for every name.
server {
listen 80;
listen [::]:80;
server_name ${BASE_DOMAIN} auth.${BASE_DOMAIN} pack.${BASE_DOMAIN};
return 301 https://$host$request_uri;
}
# Apex — static landing page (./www) + launcher downloads (./mirror/launcher).
# /ca.crt from the caddy path is intentionally omitted: LE certs are publicly
# trusted, so guests need no CA import.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${BASE_DOMAIN};
ssl_certificate ${APP_DIR}/certs/${BASE_DOMAIN}/cert.pem;
ssl_certificate_key ${APP_DIR}/certs/${BASE_DOMAIN}/key.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Launcher downloads (populated by tooling/fetch-launcher.sh -> ./mirror/launcher).
location /launcher/ {
alias ${APP_DIR}/mirror/launcher/;
autoindex on;
}
location / {
root ${APP_DIR}/www;
index index.html;
try_files $uri $uri/ =404;
}
}
# Pack — packwiz metadata (./pack) + custom jars (./custom at /custom/).
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name pack.${BASE_DOMAIN};
ssl_certificate ${APP_DIR}/certs/pack.${BASE_DOMAIN}/cert.pem;
ssl_certificate_key ${APP_DIR}/certs/pack.${BASE_DOMAIN}/key.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Locally-hosted custom mod jars live outside ./pack; expose them at /custom/.
location /custom/ {
alias ${APP_DIR}/custom/;
autoindex on;
}
location / {
root ${APP_DIR}/pack;
autoindex on;
}
}
# Auth — reverse proxy to drasl (published on localhost by the nginx override).
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name auth.${BASE_DOMAIN};
ssl_certificate ${APP_DIR}/certs/auth.${BASE_DOMAIN}/cert.pem;
ssl_certificate_key ${APP_DIR}/certs/auth.${BASE_DOMAIN}/key.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
client_max_body_size 4m; # skin uploads
location / {
proxy_pass http://127.0.0.1:25585;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}

View File

@@ -5,10 +5,13 @@
# the bare BaseURL:
# session_server -> {url}/session/minecraft/profile/{uuid}
# mojang_api_server -> {url}/users/profiles/minecraft/{name}
# and embeds absolute skin URLs (http://auth.${BASE_DOMAIN}/web/texture/skin/…)
# in the profile, which NMSR fetches directly (textures_server is only a
# fallback). NMSR resolves auth.${BASE_DOMAIN} internally over the docker
# network (caddy holds the mcnet alias → drasl), so no public round-trip.
# and embeds absolute skin URLs (https://auth.${BASE_DOMAIN}/web/texture/skin/…)
# in the profile — Drasl's BaseURL is https, so these are https and NMSR must
# fetch them over :443. The mcnet alias only resolves auth. -> caddy on :80, so
# the nmsr service pins auth.${BASE_DOMAIN} to the host (extra_hosts in
# docker-compose.yml) and talks to the host nginx on :443 (real LE cert). Hence
# the https:// endpoints below — they must match the scheme of the embedded
# skin URLs, or the skin fetch Connect-fails and avatars render the default skin.
[server]
address = "0.0.0.0"
@@ -16,16 +19,27 @@ port = 8080
[caching]
cleanup_interval = "1h"
resolve_cache_duration = "15m"
# resolve_cache_duration caches the uuid -> profile (incl. skin URL) lookup, so
# it bounds how long a changed skin keeps showing the OLD avatar. Kept short so
# skin changes on the account page propagate within ~1 min (NMSR has no
# per-request force-refresh; a `?skin=` override is ignored by this build). Cost
# is one extra internal Drasl profile lookup per avatar per minute — trivial over
# mcnet for a 4-10 player server. For an instant global flush: restart nmsr.
resolve_cache_duration = "60s"
# texture cache stays long: Drasl skin URLs are content-hashed
# (/web/texture/skin/<sha256>.png), so a new skin = new URL = fresh fetch; this
# 48h cache never serves a stale skin.
texture_cache_duration = "48h"
[caching.cache_biases]
[mojank]
# Point every Mojang endpoint at Drasl (internal, plain http via the caddy alias).
session_server = "http://auth.${BASE_DOMAIN}"
textures_server = "http://auth.${BASE_DOMAIN}"
mojang_api_server = "http://auth.${BASE_DOMAIN}"
# Point every Mojang endpoint at Drasl over https — auth. is pinned to the host
# (extra_hosts), so this reaches the host nginx on :443 with the real LE cert.
# Must stay https to match the https skin URLs Drasl embeds in the profile.
session_server = "https://auth.${BASE_DOMAIN}"
textures_server = "https://auth.${BASE_DOMAIN}"
mojang_api_server = "https://auth.${BASE_DOMAIN}"
session_server_rate_limit = 10
# This is an offline-mode (authlib-injector) server — Drasl issues v3 offline
# UUIDs, so they must be accepted.

View File

@@ -1,3 +0,0 @@
# Template sources for pack metadata/config — rendered to their real files by
# tooling/render-pack.sh. packwiz must NOT index the templates themselves.
*.tmpl

View File

@@ -1,11 +0,0 @@
{
"enable": true,
"loadlist": [
{
"name": "Ulicraft Skins",
"type": "MojangAPI",
"apiRoot": "https://auth.${BASE_DOMAIN}/account/",
"sessionRoot": "https://auth.${BASE_DOMAIN}/session/"
}
]
}

View File

@@ -1,3 +0,0 @@
# Ulicraft modpack (packwiz)
This directory is the **single source of truth** for the modpack (MC 1.21.1, NeoForge 21.1.209). Curate mods from here with `packwiz modrinth add <slug>` (prefer Modrinth over CurseForge); each mod produces a `mods/<slug>.pw.toml` metadata file referencing the upstream CDN. **Client-only mods must be tagged `side = "client"`** in their `.pw.toml` so the itzg server does not pull and crash on them. After adding/removing mods run `packwiz refresh` to recompute `index.toml`; for offline LAN play run `tooling/mirror-mods.sh` to vendor the jars and rewrite the download URLs to the local Caddy mirror. Curation is an ongoing manual task — no mods are added yet.

View File

@@ -1,8 +0,0 @@
name = "balm-neoforge-1.21.1-21.0.58"
filename = "balm-neoforge-1.21.1-21.0.58.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/balm-neoforge-1.21.1-21.0.58.jar"
hash-format = "sha256"
hash = "aa2463747bad4c2351869226ea7bce7839510dfd2ac387f8d1588b1ce9309c67"

View File

@@ -1,8 +0,0 @@
name = "CustomSkinLoader_Universal-14.28"
filename = "CustomSkinLoader_Universal-14.28.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/CustomSkinLoader_Universal-14.28.jar"
hash-format = "sha256"
hash = "0008fb0a91dd1e84d52162cfe96addb5f6aed3b76d426ea7305d7624e31f1894"

View File

@@ -1,8 +0,0 @@
name = "inventoryessentials-neoforge-1.21.1-21.1.15"
filename = "inventoryessentials-neoforge-1.21.1-21.1.15.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/inventoryessentials-neoforge-1.21.1-21.1.15.jar"
hash-format = "sha256"
hash = "b7a5c5526a45256551543419ba2b5d54e56c585d76a645a8cea8cb8ea843ae2c"

View File

@@ -1,8 +0,0 @@
name = "Jade-1.21.1-NeoForge-15.10.5"
filename = "Jade-1.21.1-NeoForge-15.10.5.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/Jade-1.21.1-NeoForge-15.10.5.jar"
hash-format = "sha256"
hash = "067bb4b007e1d6f6b79f0afe99c91252aa825472b99a76d33a60d24442f9e92d"

View File

@@ -1,8 +0,0 @@
name = "JadeAddons-1.21.1-NeoForge-6.1.0"
filename = "JadeAddons-1.21.1-NeoForge-6.1.0.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/JadeAddons-1.21.1-NeoForge-6.1.0.jar"
hash-format = "sha256"
hash = "5f242668ad710092964d4d9afda8a94fa2401665ea13eea67d55d07e4dff8a64"

View File

@@ -1,8 +0,0 @@
name = "jei-1.21.1-neoforge-19.27.0.340"
filename = "jei-1.21.1-neoforge-19.27.0.340.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/jei-1.21.1-neoforge-19.27.0.340.jar"
hash-format = "sha256"
hash = "8aaf547432f1b4958239b036356b910692fe40f858c3073d996f56bbf7c99826"

View File

@@ -1,8 +0,0 @@
name = "JustEnoughProfessions-neoforge-1.21.1-4.0.5"
filename = "JustEnoughProfessions-neoforge-1.21.1-4.0.5.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/JustEnoughProfessions-neoforge-1.21.1-4.0.5.jar"
hash-format = "sha256"
hash = "b320b47f1791f56df9e1a05138f0e312e6e54541945ff15f2f1fd398cd1d4d9d"

View File

@@ -1,8 +0,0 @@
name = "JustEnoughResources-NeoForge-1.21.1-1.6.0.17"
filename = "JustEnoughResources-NeoForge-1.21.1-1.6.0.17.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/JustEnoughResources-NeoForge-1.21.1-1.6.0.17.jar"
hash-format = "sha256"
hash = "7a47d69b5530704690d5a5f0726cd74a2d6c57df17dd4a8589c4ab5212f91460"

View File

@@ -1,8 +0,0 @@
name = "MouseTweaks-neoforge-mc1.21-2.26.1"
filename = "MouseTweaks-neoforge-mc1.21-2.26.1.jar"
side = "both"
[download]
url = "http://pack.${BASE_DOMAIN}/custom/MouseTweaks-neoforge-mc1.21-2.26.1.jar"
hash-format = "sha256"
hash = "68e6f4201c5de97b77929a7215c9552495696ca6a3bf3ae4eacc34e135f6cc8b"

View File

@@ -1,13 +0,0 @@
name = "Ulicraft"
author = "Oier"
version = "1.0.0"
pack-format = "packwiz:1.1.0"
[index]
file = "index.toml"
hash-format = "sha256"
hash = "9bca0b1a4434050835cab46116d7c14aafec971ff5a95a1ee0c4232c8bcbc355"
[versions]
minecraft = "1.21.1"
neoforge = "21.1.209"

View File

@@ -1,124 +1,160 @@
# Ulicraft Server — Plan Overview
Self-hosted modded Minecraft LAN-party stack, designed to run **fully offline**
(air-gapped) during the party while remaining a persistent homelab service.
Self-hosted modded Minecraft stack — a single Docker Compose file holds the
entire thing, fronted by the host's own nginx (Let's Encrypt TLS) and a caddy
internal router. Built for a LAN party but runs as a persistent homelab service.
Assumes the internet is present.
## Single source of configuration
Everything is driven by two env vars in `.env`:
Everything is driven by one env var in `.env`:
```
BASE_DOMAIN=ulicraft.local # all services are subdomains of this
HOST_LAN_IP=192.168.x.x # the Docker host's LAN IP (dnsmasq target)
BASE_DOMAIN=ulicraft.net # all services are subdomains of this
```
> `.local` collides with mDNS/Bonjour (RFC 6762). macOS + Linux Avahi may resolve
> `*.local` via multicast and bypass dnsmasq. Accepted risk for now; alternatives
> if it bites: `.lan`, `home.arpa`. Flagged, user chose `.local`.
`render-config.sh` substitutes `${BASE_DOMAIN}` into the templates (plus the
derived `REGISTRATION_*` and `FILES_*` values — see `20-files.md`).
DNS is **not** this repo's concern: point `${BASE_DOMAIN}` and all subdomains
(`auth.` `avatar.` `status.` `files.` `distribution.` `www.`) at the host running
nginx; that is configured outside this repo.
## Subdomain / ingress map
```
ulicraft.local → caddy → landing page (launcher downloads + guide)
auth.ulicraft.local → caddy → drasl:25585 (auth web UI + Yggdrasil API)
packwiz.ulicraft.local → caddy → /srv/pack (pack metadata + mod-jar mirror)
assets.ulicraft.localcaddy → /srv/assets (MC asset-object mirror; HTTPS forced — see 10)
mc.ulicraft.local:25565 → minecraft (NOT http; raw MC protocol)
ulicraft.net nginx → caddy → landing page (/srv/www) + /launcher/
auth.ulicraft.net → nginx → caddy → drasl:25585 (auth web UI + Yggdrasil API)
avatar.ulicraft.net → nginx → caddy → nmsr:8080 (skin/avatar renderer)
status.ulicraft.net nginx → caddy → uptime-kuma:3001 (status page)
files.ulicraft.net → nginx → caddy → filestash:8334 (player file share, shared login)
distribution.ulicraft.net → nginx → caddy → /srv/distribution (static, another repo)
mc.ulicraft.net:25565 → minecraft (raw MC protocol, not HTTP)
```
Caddy is the only HTTP ingress (plain `:80` for now, TLS/step-ca later).
drasl's host port is removed — internal only, reached through Caddy.
The host's own nginx is the only public ingress: it terminates TLS with Let's
Encrypt certs and reverse-proxies every vhost to caddy by Host header. caddy is
published on a **localhost-only** port (`CADDY_HTTP_BIND=127.0.0.1`,
`CADDY_HTTP_PORT=8880`) and acts as the internal router. drasl, nmsr and
uptime-kuma have no host ports — they are reached only through caddy.
### Internal resolution trick
Containers use the Docker resolver, NOT dnsmasq. Caddy gets network aliases so
the stack resolves its own subdomains internally:
Containers use the Docker resolver. caddy gets network aliases so the stack
resolves its own subdomains internally:
```yaml
caddy:
networks:
mcnet:
aliases: [ "auth.${BASE_DOMAIN}", "packwiz.${BASE_DOMAIN}" ]
aliases: [ "auth.${BASE_DOMAIN}" ]
```
Result: `http://auth.ulicraft.local/authlib-injector` and
`http://packwiz.ulicraft.local/pack.toml` resolve identically inside and outside
the stack. dnsmasq exists **only for guest laptops**.
Result: `http://auth.ulicraft.net/authlib-injector` resolves identically inside
the stack (minecraft → caddy) as the public name does outside it (client → nginx
→ caddy).
## Online vs offline split
#### HTTPS variant (`extra_hosts: host-gateway`)
The caddy alias only serves **http** on `mcnet` (port 80). Once the stack moved
to https URLs (drasl `BaseURL`; the authlib-injector agent must match the
client's https endpoint), the internal http alias is no longer enough — the
container needs to reach a **TLS** terminator holding a valid cert.
Caddy does not terminate TLS internally; the host's nginx does (on `0.0.0.0:443`).
So pin the public name to the host in the service, not to caddy:
```yaml
minecraft:
extra_hosts:
- "auth.${BASE_DOMAIN}:host-gateway"
```
`/etc/hosts` (extra_hosts) wins over the Docker resolver, so the container reaches
the host's nginx (valid LE cert) → caddy → service. This is required because
**containers do not inherit the host's `/etc/hosts`** — on cochi the host resolves
`auth.` to the public IP, but inside a container the LAN resolver returns a
dead address (`192.168.0.3:443`, connection refused), which crash-loops session
validation on boot. `host-gateway` sidesteps DNS entirely.
## Build / run flow
```
PRE-PARTY (internet, run once):
1. curate packwiz pack → see 04-packwiz.md
2. mirror mod jars + rewrite URLs → tooling/mirror-mods.sh (08-tooling.md)
3. pre-bake server volume → TYPE=NEOFORGE install (05-minecraft.md)
4. download launcher releases → tooling/fetch-launcher.sh (06-launcher.md)
5. capture+mirror client air-gap → tooling/mirror-airgap.sh (11-full-airgap-mirror.md)
6. build landing page → cd landing && pnpm run build → www/ (09-landing.md)
7. render configs from templates → tooling/render-config.sh (08-tooling.md)
PREP (run once, online):
1. render configs → tooling/render-config.sh (08-tooling.md)
2. build landing page → cd landing && pnpm run build → www/ (09-landing.md)
3. download launcher releases → tooling/fetch-launcher.sh (06-launcher.md)
4. sync server mods → tooling/sync-server-mods.sh (04-mods.md)
5. (TLS) issue Let's Encrypt certs → tooling/issue-letsencrypt.sh (15-letsencrypt.md)
6. (ingress) render+install nginx → tooling/render-nginx.sh --install (15-letsencrypt.md)
PARTY (air-gapped):
dnsmasq : *.ulicraft.local → HOST_LAN_IP
caddy : local CDN + landing page
drasl : password login (NO Keycloak/OIDC for now)
minecraft: TYPE=CUSTOM, no Mojang re-resolution
guests : install Fjord launcher, import pack, add authlib account → auth subdomain
UP:
docker compose up -d --build
```
Bring-up is a single command. There are no run modes and no override compose
files — one `docker-compose.yml` holds drasl, minecraft, mc-backup, caddy, nmsr,
mc-status, uptime-kuma and filestash.
## Why each hard call was made
- **No OIDC/Keycloak (for now)** — drasl password login. Keycloak left out of this
stack's scope. Re-add later if desired.
- **itzg can't air-gap-boot in NEOFORGE mode** (re-resolves Mojang metadata every
start, issue #2340). Pre-bake then switch to `TYPE=CUSTOM`.
- **packwiz only serves metadata** — `.pw.toml` points at Modrinth CDN. Offline
needs jars mirrored onto Caddy + URL rewrite.
- **Fjord launcher** has authlib-injector built in → no manual JVM agent on clients.
- **No OIDC/Keycloak (for now)** — drasl password login. Keycloak left out of
this stack's scope. Re-add later if desired.
- **Distribution-fed mods** — the modset's source of truth is the HeliosLauncher
distribution repo; clients install the full set, the server loads a filtered
`both`/`server` subset from `./server-mods`. See `04-mods.md`.
- **Fjord launcher** has authlib-injector built in → no manual JVM agent on
clients.
- **host nginx in front of caddy** — real Let's Encrypt certs (JVM trusts them
with no CA import) and a single public TLS terminator; caddy stays an internal
Host-routed multiplexer for the stack's own services.
## Target folder layout
```
.
├── docker-compose.yml
├── .env / .env.example # BASE_DOMAIN, HOST_LAN_IP, RCON_PASSWORD
├── caddy/Caddyfile # {$BASE_DOMAIN} vhosts + landing page
├── dnsmasq/dnsmasq.conf.tmpl # wildcard template
├── docker-compose.yml # the entire stack (no overrides)
├── .env / .env.example # BASE_DOMAIN, RCON_PASSWORD, CADDY_*, LE block
├── caddy/conf.d/ # per-vhost snippets (00-core, 10-static, …)
├── nginx/ulicraft-caddy.conf.tmpl # host nginx → caddy template (TLS terminator)
├── certs/<name>/{cert,key}.pem # Let's Encrypt output (gitignored)
├── drasl/config/
│ ├── config.toml.tmpl # envsubst source
│ ├── config.toml.tmpl # render-config.sh source
│ └── config.toml # generated (gitignored)
├── pack/ # packwiz source of truth
├── mirror/ # vendored mod jars + launcher releases (gitignored)
├── runtime/ # authlib-injector.jar (legacy; may be unused w/ Fjord)
├── tooling/
│ ├── render-config.sh # envsubst templates → real configs, halt if unset
│ ├── mirror-mods.sh # vendor mod jars + rewrite .pw.toml URLs
│ ├── mirror-assets.sh # mirror MC asset objects for offline clients (10)
│ └── fetch-launcher.sh # download all Fjord release assets
├── nmsr/ # avatar renderer config + Dockerfile context
├── filestash/
│ ├── config.json.tmpl # render-config.sh source (files. share)
│ └── config.json # generated, mounted :ro (gitignored — holds hashes)
├── docker/nmsr/ # nmsr image build context
├── server-mods/ # filtered server modset (synced, gitignored)
├── launcher/ # vendored Fjord launcher releases (gitignored)
├── runtime/ # authlib-injector.jar
├── tooling/ # render/fetch/issue scripts (see 08-tooling.md)
├── landing/ # Astro+TS landing source (build → www/)
│ ├── astro.config.mjs # outDir ../www
│ ├── public/logo.png # stone 3D logo
│ └── src/{data/site.ts,pages/index.astro}
├── www/ # caddy landing page — GENERATED by landing build (gitignored)
├── www/ # landing build output — caddy apex (gitignored)
├── backups/
└── plan/ # these files
```
## Service plan files
- `01-dnsmasq.md` — LAN wildcard DNS
- `02-caddy.md` — ingress + local CDN + landing page
- `02-caddy.md` — internal router (vhost conf.d snippets) behind host nginx
- `03-drasl.md` — auth (password login)
- `04-packwiz.md`modpack source + mod mirror
- `05-minecraft.md` — itzg NeoForge server + offline launch
- `04-mods.md`distribution-fed mod volume + server filtering (supersedes `04-packwiz.md`)
- `05-minecraft.md` — itzg NeoForge server
- `06-launcher.md` — Fjord launcher fetch + distribution
- `07-mc-backup.md` — world backups
- `08-tooling.md` — render/mirror/fetch scripts
- `08-tooling.md` — render/fetch/issue scripts
- `09-landing.md` — Astro+TS guest onboarding page → www/
- `10-assets-mirror.md` — lighter alternative: objects-only Fjord Assets Server override
- `11-full-airgap-mirror.md` — CHOSEN: DNS+TLS transparent mirror for full client air-gap
- `12-build-order.md` — commit-per-task build sequence
- `13-dns-and-run-modes.md` — domain (.lan), online/airgap modes, party DNS, mDNS option
- `14-deploy.md` — redeploy to the production host
- `15-letsencrypt.md` — Let's Encrypt (OVH DNS-01) + host nginx ingress
- `17-mod-shortlist.md` — kitchen-sink gap doc + landing mod-list dataset (PLANNED)
- `18-landing-rework.md` — join flow / rosters / account / mod list / footer (PLANNED)
- `19-routes.md` — HTTP route reference (nmsr / landing / auth / files + internal)
- `20-files.md` — Filestash player file share (`files.`, one shared login)
## Boot/dependency order
`dnsmasq``caddy` (aliases) → `drasl``minecraft` (depends on drasl + packwiz served by caddy) → `mc-backup`.
`caddy` (aliases) → `drasl``minecraft` (depends on drasl) → `mc-backup`.
`nmsr`, `mc-status`, `uptime-kuma` and `filestash` are always-on and join `mcnet`
(no ordering constraints — none of them are on the auth/boot path).

View File

@@ -1,63 +0,0 @@
# dnsmasq — LAN wildcard DNS
> **SUPERSEDED for the default path — see `13-dns-and-run-modes.md`.** DNS is now
> your own party server (records via `tooling/dns-records.sh`); dnsmasq moved to
> an optional turnkey layer (`docker-compose.dnsmasq.yml`). Default domain is
> `.lan` (not `.local`). The wildcard/spoof template below still applies when you
> opt into dnsmasq.
## Summary
Provides name resolution for guest laptops so `*.ulicraft.local` resolves to the
Docker host. Replaces the homelab's AdGuard (dropped for the LAN party). Image:
`jpillora/dnsmasq` (dnsmasq wrapped in webproc, optional web UI on :8080).
Config is a **file**, not env-driven — `/etc/dnsmasq.conf`, standard dnsmasq
format. Rendered from a template by `tooling/render-config.sh`.
Only guest laptops point their DNS here. Stack-internal resolution is handled by
Docker network aliases on Caddy (see `02-caddy.md`), so dnsmasq is not on the
critical path for the server's own services.
## Config template
`dnsmasq/dnsmasq.conf.tmpl`:
```
# wildcard: every *.ulicraft.local → host LAN IP
address=/${BASE_DOMAIN}/${HOST_LAN_IP}
# upstream optional; party is offline so may be omitted
no-resolv
```
### Air-gap spoof records (see 11)
For full client air-gap, this file also spoofs the real upstream hosts → our
Caddy mirror (`piston-meta`/`piston-data`/`libraries.minecraft.net`/
`maven.neoforged.net`/`resources.download.minecraft.net`/`meta.prismlauncher.org`).
Full list + rationale in `11-full-airgap-mirror.md`. Keep in sync with the
capture step. Auth hosts (session/textures/api.mojang) are NOT spoofed — drasl
handles those via authlib-injector.
## Gotcha — port 53 conflict
Linux Docker hosts usually run `systemd-resolved` bound to `:53`. Publishing
`53:53` will fail with `address already in use`. Resolve by one of:
- Bind dnsmasq only to the LAN IP: publish `${HOST_LAN_IP}:53:53/udp` (+tcp)
- Or disable resolved's stub listener (`DNSStubListener=no`) and restart resolved
## Gotcha — `.local` / mDNS
See overview. Avahi may shortcut `*.local` to multicast before hitting dnsmasq.
Test on a macOS client early; if broken, switch `BASE_DOMAIN` to `.lan`.
## Tasks
- [ ] Add `dnsmasq` service to `docker-compose.yml` (`jpillora/dnsmasq`)
- [ ] Create `dnsmasq/dnsmasq.conf.tmpl` with wildcard `address=` line
- [ ] Wire `render-config.sh` to emit `dnsmasq/dnsmasq.conf` (gitignored)
- [ ] Decide port-53 strategy (bind to `HOST_LAN_IP` vs disable resolved stub)
- [ ] Publish `53/udp` + `53/tcp`; mount rendered conf read-only
- [ ] Optionally expose webproc UI (8080) behind Caddy as `dns.ulicraft.local`
- [ ] Document guest DNS setting (set DNS server = `HOST_LAN_IP`)
- [ ] Verify `*.local` resolves on Windows + macOS + Linux guests (mDNS check)
- [ ] Add air-gap spoof `address=` records (see 11) once capture confirms the host list

View File

@@ -1,15 +1,19 @@
# Caddy — ingress, local CDN, landing page
# Caddy — internal router behind host nginx
## Summary
Single HTTP ingress for the stack. Three roles:
1. **Reverse proxy**`auth.ulicraft.local` → drasl.
2. **Local CDN / static**`packwiz.ulicraft.local` serves pack metadata AND the
mirrored mod jars (offline installs).
3. **Landing page** — apex `ulicraft.local` serves launcher downloads + guest guide.
caddy is the stack's **internal HTTP router**, sitting behind the host's own
nginx (which terminates TLS — see `15-letsencrypt.md`). caddy is published only
on a localhost-only port (`CADDY_HTTP_BIND=127.0.0.1`, `CADDY_HTTP_PORT=8880`);
nginx reverse-proxies every public vhost to it by Host header. Roles:
Plain `:80` for now (LAN). TLS via step-ca deferred. Image: `caddy:alpine`.
Caddy natively reads `{$BASE_DOMAIN}` env placeholders — no template render needed.
1. **Reverse proxy**`auth.` → drasl, `avatar.` → nmsr, `status.` → uptime-kuma,
`files.` → filestash.
2. **Static** — apex serves the landing page + `/launcher/` downloads;
`distribution.` serves a static site from another repo.
Image: `caddy:alpine`. caddy natively reads `{$BASE_DOMAIN}` env placeholders —
no template render needed.
## Network aliases (internal resolution)
@@ -19,51 +23,45 @@ caddy:
mcnet:
aliases:
- "auth.${BASE_DOMAIN}"
- "packwiz.${BASE_DOMAIN}"
```
Lets `minecraft` reach `http://auth.ulicraft.local/authlib-injector` and
`http://packwiz.ulicraft.local/pack.toml` without dnsmasq.
Lets `minecraft` reach `http://auth.ulicraft.net/authlib-injector` from inside
the stack.
## Caddyfile sketch
## conf.d snippets
```
{
auto_https off
}
The Caddyfile imports per-vhost snippets from `caddy/conf.d/`:
http://{$BASE_DOMAIN} {
root * /srv/www
file_server
}
- `00-core.caddy``auth.` → drasl.
- `10-static.caddy` — apex landing (`/srv/www`) + `/launcher/*` (`/srv/launcher`).
- `30-distribution.caddy``distribution.``/srv/distribution` (static, from
`DISTRIBUTION_WEB_ROOT`, another repo).
- `40-avatar.caddy``avatar.``nmsr:8080` (skin/avatar renderer).
- `50-status.caddy``status.``uptime-kuma:3001` (status page).
- `60-files.caddy``files.``filestash:8334` (player file share, `20-files.md`).
http://auth.{$BASE_DOMAIN} {
reverse_proxy drasl:25585
}
All vhosts are plain `http://…`; TLS is nginx's job. Mounts: `./www:/srv/www:ro`,
`./launcher:/srv/launcher:ro`, `${DISTRIBUTION_WEB_ROOT}:/srv/distribution:ro`.
http://packwiz.{$BASE_DOMAIN} {
root * /srv/pack
file_server browse
}
```
Mounts: `./www:/srv/www:ro`, `./pack:/srv/pack:ro`, `./mirror/launcher:/srv/www/launcher:ro`.
> **Don't rewrite the `Host` header for `files.`** — filestash rejects any
> request whose Host doesn't match its configured `general.host`, with *"only
> traffic from X is allowed"* (a 403 that reads like an auth failure). nginx
> forwards the original Host and caddy passes it through untouched. Keep it that
> way.
## Notes / risks
- drasl behind a proxy: docs don't detail `X-Forwarded-*` trust. On plain HTTP LAN
with matching `BaseURL` it should be fine; revisit when TLS is added.
- `file_server browse` gives a directory listing — handy for debugging the pack.
- Mod-jar mirror lives under `/srv/pack/mods/` so packwiz URLs and jars share host.
- drasl behind a proxy: with matching `BaseURL` and nginx terminating TLS it is
fine; nginx passes the original Host through to caddy → drasl.
- `/launcher/` is a sibling mount (`/srv/launcher`), not nested under the
read-only `/srv/www`; `handle_path` strips the prefix.
## Tasks
- [ ] Add `caddy` service to `docker-compose.yml`, ports `80:80` (+`443` later)
- [ ] Pass `BASE_DOMAIN` into caddy env
- [ ] Create `caddy/Caddyfile` with apex + auth + packwiz vhosts
- [ ] Add network aliases for `auth.` and `packwiz.` subdomains
- [ ] Mount `./www`, `./pack`, `./mirror/launcher`
- [ ] `caddy` service in `docker-compose.yml`, published `127.0.0.1:${CADDY_HTTP_PORT}:80`
- [ ] Pass `BASE_DOMAIN` + `DISTRIBUTION_WEB_ROOT` into caddy env
- [ ] Caddyfile imports `conf.d/*.caddy`
- [ ] Network alias for `auth.` subdomain
- [ ] Mount `./www`, `./launcher`, `${DISTRIBUTION_WEB_ROOT}`
- [ ] Confirm reverse_proxy to drasl works (auth web UI loads, Yggdrasil API responds)
- [ ] Verify internal alias resolution from `minecraft` container (curl pack.toml)
- [ ] Air-gap mirror: add per-host `tls internal` vhosts + aliases + mounts (see 11)
- [ ] Export Caddy root CA for guest trust (LAN-party TLS = `tls internal`; step-ca deferred)
- [ ] Defer (reminder): graduate `tls internal` → step-ca for persistent homelab
- [ ] Verify internal alias resolution from `minecraft` container (curl authlib-injector)
- [ ] Verify nmsr + uptime-kuma proxied (`avatar.` renders, `status.` loads)

View File

@@ -4,7 +4,7 @@
Self-hosted, Yggdrasil-compatible auth + skin server. Drop-in Mojang replacement
via authlib-injector. Image: `unmojang/drasl:latest`. Reached only through Caddy
at `auth.ulicraft.local`; no host port.
at `auth.ulicraft.net`; no host port.
**OIDC/Keycloak is OUT for now** — drasl runs in **password-login** mode
(`AllowPasswordLogin = true`). Admin + guests register with a username/password on
@@ -16,13 +16,16 @@ Config is **TOML only** (no env var support). So `config.toml` is rendered from
## config.toml.tmpl (key fields)
```toml
BaseURL = "http://auth.${BASE_DOMAIN}"
BaseURL = "https://auth.${BASE_DOMAIN}" # public scheme is HTTPS (nginx TLS)
Domain = "auth.${BASE_DOMAIN}"
ListenAddress = "0.0.0.0:25585" # internal; Caddy proxies
DefaultAdminUsernames = ["admin"]
DefaultAdmins = ["admin"] # NOT DefaultAdminUsernames (see gotchas)
AllowPasswordLogin = true
# Top-level — NOT under any [Section] (see gotchas).
CORSAllowOrigins = ["https://${BASE_DOMAIN}"]
[ApplicationOwner]
# ...
@@ -35,9 +38,31 @@ AllowPasswordLogin = true
- **1.21+ secure profile**: drasl `SignPublicKeys = false` MUST pair with server
`ENFORCE_SECURE_PROFILE=FALSE`. Linked — both or neither.
- **authlib endpoint** = `BaseURL` + `/authlib-injector`
`http://auth.ulicraft.local/authlib-injector`. Must match on server and client.
`http://auth.ulicraft.net/authlib-injector`. Must match on server and client.
Network alias makes this identical inside/outside the stack.
- **`Domain` affects skins** — if wrong, authlib clients may not see skins.
- **Config keys are validated loosely — wrong keys are silently ignored** (drasl
logs `Warning: unknown config option <key>` and moves on). Two that bit us:
- Admin list key is **`DefaultAdmins`** (top-level), NOT `DefaultAdminUsernames`
(that key never existed → no admin → admin-only routes like `GET /players`
return 403).
- **`CORSAllowOrigins` must be top-level**, before any `[Section]`. Placed after
a table header it parses as `<table>.CORSAllowOrigins`, is ignored, and the
API serves no CORS headers → landing register/account browser calls blocked.
- `RateLimit.Burst` is valid in drasl master but warns on `unmojang/drasl:latest`
(image lags) — harmless.
- **First-admin bootstrap with invite mode on is a chicken-egg.** `DefaultAdmins`
only promotes the account at startup reconciliation, and `POST /drasl/api/v2/users`
is invite-gated (admins do NOT bypass the *register* endpoint). To create the
first admin: temporarily set `RequireInvite = false` in the rendered config,
`docker compose restart drasl`, `POST /users` to register `admin`, then revert +
restart (always trap-revert). API recap: `POST /login {username,password}`
`{apiToken}`; admin-only `GET /players` with `Authorization: Bearer <token>`.
- **NMSR avatars need https + a host-gateway pin** (see `plan/19-routes.md`).
Drasl's profile embeds **https** skin URLs (BaseURL is https). NMSR reaches
those via `extra_hosts: auth.${BASE_DOMAIN}:host-gateway` (host nginx :443, real
LE cert) with https mojank endpoints. Without it the skin fetch Connect-fails to
caddy:443 and every avatar renders the DEFAULT skin.
## Tasks
@@ -47,6 +72,7 @@ AllowPasswordLogin = true
- [ ] Wire `render-config.sh``drasl/config/config.toml` (gitignored)
- [ ] Remove drasl host port from compose (internal only)
- [ ] Update compose: drasl on `mcnet`, no `25585:25585` publish
- [ ] Bootstrap admin account on first run; create guest accounts
- [x] Bootstrap admin account (`admin`, done 2026-06-10 via invite-flip; creds in
cochi `.env` for the mc-status roster). Create guest accounts as needed.
- [ ] Verify authlib endpoint responds through Caddy
- [ ] Future: re-add `[[RegistrationOIDC]]` Keycloak block + secret file

View File

@@ -1,80 +0,0 @@
# Blessing Skin — auth + skin server (Drasl alternative)
## Summary
Drop-in alternative to Drasl (`plan/03-drasl.md`). Blessing Skin Server (BSS) is
a PHP skin station; the **yggdrasil-api plugin** gives it a Yggdrasil API that
authlib-injector talks to — same end result as Drasl, different internals.
Run it as an override **instead of** Drasl:
```
docker compose -f docker-compose.yml -f docker-compose.blessingskin.yml up -d
```
The override (`docker-compose.blessingskin.yml`) repoints Caddy's `auth.*` vhost
at `blessing-skin:80`, adds `mariadb` + `blessing-skin`, and switches the
Minecraft authlib endpoint to `/api/yggdrasil`. Drasl stays defined but idle and
unreachable (compose merges `depends_on`, so an override can't remove it);
`docker compose … stop drasl` after up if you want it down.
## Drasl vs Blessing Skin — what changes
| | Drasl | Blessing Skin |
|---|---|---|
| Backend | single Go binary | PHP app + **MariaDB** (no SQLite) |
| Config | rendered `config.toml` | **web install wizard** + DB |
| Yggdrasil API | built in | **yggdrasil-api plugin** (install + enable) |
| authlib endpoint | `…/authlib-injector` | `…/api/yggdrasil` |
| OIDC/Keycloak | supported (future) | not native (OAuth plugins exist) |
| Server online-mode | repo used FALSE | **TRUE** (real session validation) |
## Setup (first run)
1. `cp .env.example .env`, fill the `BS_*` vars. Generate `BS_APP_KEY`:
```
docker run --rm azusamikan/blessing-skin-server-docker:latest \
php artisan key:generate --show
```
2. Bring the stack up with the override (command above).
3. Open `http://auth.${BASE_DOMAIN}` → BSS install wizard. DB host = `mariadb`,
port `3306`, name/user/pass = the `BS_*` values. Create the admin account.
4. Admin panel → **Plugins → Plugin Market** → install **yggdrasil-api** →
enable it. (Needs internet; for air-gap, pre-place the plugin jar/zip into
the `bs_plugins` volume.) After enabling, the API root is live at
`http://auth.${BASE_DOMAIN}/api/yggdrasil`.
5. Each player: register on the BSS site, add a character whose name == their
in-game player name, upload a skin.
6. Restart minecraft if it came up before the plugin was enabled.
## Client (Prism / authlib-injector)
- authlib-injector URL: `http://auth.${BASE_DOMAIN}/api/yggdrasil`
- Login = BSS **email + password** (BSS uses email as the account id).
- Must match the server's `-javaagent` arg exactly (same host + path).
## Gotchas
- **`/api/yggdrasil`, not `/authlib-injector`.** Wrong path → silent "Invalid
session". Server `JVM_OPTS` and every client must agree.
- **ONLINE_MODE=TRUE.** authlib-injector only authenticates when online-mode is
on; the server then validates the join against BSS. (The Drasl variant in this
repo set FALSE — do not copy that here.)
- **Secure profile (1.21+).** Override ships `ENFORCE_SECURE_PROFILE=FALSE` for
safety. yggdrasil-api *does* sign profile keys, so TRUE may work — flip and
test if signed chat matters; revert on "Invalid signature".
- **APP_KEY must persist.** Set `BS_APP_KEY` in `.env`. Losing it invalidates
all sessions and breaks encrypted data.
- **DB is the source of truth.** `bs_db` volume holds accounts; `bs_storage`
holds skins; `bs_plugins` holds the yggdrasil-api plugin. Back these up.
- **Air-gap:** the plugin market needs internet. Install + enable yggdrasil-api
while online (it persists in `bs_plugins`), or stage the plugin manually.
## Image note
`azusamikan/blessing-skin-server-docker:latest` is a community image and the
env-var names (`DB_*`, `APP_KEY`) may differ slightly by tag — if auto-config
doesn't take, the web wizard is the reliable path. Official source:
https://github.com/bs-community/blessing-skin-server ,
plugin: https://github.com/bs-community/yggdrasil-api , authlib-injector setup:
https://github.com/bs-community/blessing-skin-manual/blob/master/man/yggdrasil-api/authlib-injector.md

212
plan/04-mods.md Normal file
View File

@@ -0,0 +1,212 @@
# 04 — Mods (custom volume, distribution-fed)
> **Supersedes `04-packwiz.md`.** packwiz is being removed. This describes the
> replacement: the server loads mods from a filtered local volume; clients keep
> getting the full set from the HeliosLauncher `distribution.json`.
## Why drop packwiz
- The packwiz index tracked only **9** mods while the real modset (76 jars) lives
in the distribution repo — packwiz was half-built and stale.
- Manual packwiz curation (`.tmpl` render → `refresh` → re-hash) is the flagged
pain point, and a single missing file (`custom/.gitkeep`) crashlooped the
server (404 → installer aborts → minecraft never starts).
- The launcher (HeliosLauncher) already distributes mods to clients via a
Nebula-generated `distribution.json`. That is the canonical client mod list.
The server just needs the same jars, minus client-only ones.
## Architecture
```
ulicraft-distribution/dist (another repo, = $DISTRIBUTION_WEB_ROOT)
servers/ulicraft-1.21.1/
forgemods/required/*.jar ← 76 jars, Nebula-managed (SOURCE OF TRUTH)
distribution.json ← generated by Nebula; CLIENT install list
│ │
│ caddy distribution. vhost │ HeliosLauncher reads it →
▼ ▼ installs ALL listed mods (client)
guests' launcher ◄───────────────────────────────────
ulicraft-server (this repo)
mods-sides.json ← { "<jar>": "client|server|both" } (committed, editable)
tooling/classify-mods ← tomllib: seeds/updates mods-sides.json from jar manifests
tooling/sync-server-mods ← copies both+server jars from $DIST → ./server-mods/
server-mods/ (gitignored) ──mount──► minecraft /mods (REMOVE_OLD_MODS=TRUE)
```
- **Client distribution: unchanged.** HeliosLauncher installs everything in
`distribution.json`. No packwiz, no client zip.
- **Server: filtered subset.** Only `both` + `server` jars are copied into the
mounted `server-mods/`. `client`-tagged jars never reach the server.
- **Single source of jars:** `$DISTRIBUTION_WEB_ROOT/.../forgemods/required/`.
This repo stores no jars — only `mods-sides.json`.
## Classification — tomllib only (no Modrinth)
`tooling/classify-mods.py` reads each jar's `META-INF/neoforge.mods.toml` with
Python `tomllib` and derives a side from the **`minecraft`/`neoforge` dependency
`side`** (the field modders use to declare a mod's environment):
| manifest signal | derived side |
|---|---|
| `minecraft` (or `neoforge`) dep `side = "CLIENT"` | `client` |
| dep `side = "SERVER"` | `server` |
| dep `side = "BOTH"`, unspecified, or no manifest | `both` (default) |
Output is **merged** into `mods-sides.json`: existing (human-edited) entries are
**preserved**; only new/unknown jars get a derived default. So the file is a
one-time seed + permanent manual override surface. New jars default to `both`
(your chosen default) unless their manifest says otherwise.
### Accuracy + the manual step (important)
tomllib reliably catches **hard client-only** mods — ones that declare their
`minecraft`/`neoforge` dep as `CLIENT` (e.g. `sodium`, `iris`). Those are exactly
the mods that refuse/break on a dedicated server, so the must-exclude set is
handled automatically.
It will **not** auto-exclude client-*cosmetic* mods that declare `BOTH` in their
manifest (e.g. `BetterF3`, `entityculling`, `sodium-extra`, `entity_texture_features`,
`entity_model_features`, `ImmediatelyFast`, `drippyloadingscreen`, `melody`,
`welcomescreen`, `Controlling`, `MouseTweaks`, `Searchables`, `tagtooltips`,
`JustEnoughResources`, `TravelersTitles`, `BridgingMod`, `ponderjs`,
`yeetusexperimentus`). These load on the server harmlessly (wasted RAM, no crash)
unless you mark them `client` in `mods-sides.json`. **That manual curation is the
"filter manually" step** — `classify-mods` seeds, you trim cosmetic-client mods.
Also worth an explicit decision in the override file:
- `CustomSkinLoader` — server doesn't need it (skins resolve via Drasl/authlib);
set `client` to keep it off the server.
## `mods-sides.json` format
```json
{
"jei-1.21.1-neoforge-19.27.0.340.jar": "both",
"sodium-neoforge-0.8.12-alpha.4+mc1.21.1.jar": "client",
"ftb-essentials-neoforge-2101.1.9.jar": "both",
"rightclickharvest-neoforge-4.6.1+1.21.1.jar": "server"
}
```
Key = exact jar filename (matches `forgemods/required/*.jar`). Value ∈
`client | server | both`. Hand-edit freely; `classify-mods` won't clobber it.
## Tooling
### `tooling/classify-mods.py` (dev-time, no network)
1. Enumerate `$DISTRIBUTION_WEB_ROOT/servers/ulicraft-1.21.1/forgemods/required/*.jar`.
2. For each jar not already in `mods-sides.json`: parse manifest → derive side
(table above) → add entry.
3. Report: counts per side, and **which jars were defaulted to `both`** (so you
know what to review). Never overwrites existing entries.
4. Optionally warn on entries in `mods-sides.json` whose jar no longer exists.
### `tooling/sync-server-mods.sh` (deploy-time, offline) — replaces `render-pack.sh`
1. Read `mods-sides.json`.
2. `mkdir -p server-mods`; for each `both`/`server` jar, copy from
`$DISTRIBUTION_WEB_ROOT/.../forgemods/required/``server-mods/`.
3. Remove any `server-mods/*.jar` not currently selected (keeps it authoritative;
`REMOVE_OLD_MODS=TRUE` in the container also enforces this on `/data/mods`).
4. **Halt** (non-zero exit) if a selected jar is missing from `$DIST`, or if
`mods-sides.json` is absent — cautious, no silent partial sync.
## docker-compose.yml changes
```yaml
# remove:
# PACKWIZ_URL: ...
# extra_hosts: pack.${BASE_DOMAIN}:host-gateway (auth. stays — authlib)
environment:
MODS_FILE: "" # ensure unset
REMOVE_OLD_MODS: "TRUE" # mounted folder is authoritative
volumes:
- mc_data:/data
- ./runtime:/extras:ro
- ./server-mods:/mods:ro # itzg auto-syncs /mods → /data/mods
```
`depends_on: caddy` can drop (server no longer fetches `pack.` at boot); keep
`drasl` (authlib). `pack.` caddy vhost + the `./pack`/`./custom` mounts become
dead — remove in the same pass.
## Deploy flow (updated `plan/14`)
```
git pull --ff-only
tooling/render-config.sh # drasl/nmsr/etc. (unchanged)
tooling/sync-server-mods.sh # NEW — replaces render-pack.sh
tooling/fetch-authlib.sh
docker compose down --remove-orphans
docker compose up -d --build
```
`$DISTRIBUTION_WEB_ROOT` must be present on the host (already is — caddy mounts
it). `classify-mods.py` is a dev step run when the modset changes; it is **not**
in the deploy path (keeps deploy offline + deterministic).
## Decommission checklist (on execution)
Done at first cutover (commits `27237bc`, `84196d5`, `c249172`):
- [x] `tooling/classify-mods.py` + generated initial `mods-sides.json`.
- [x] `tooling/sync-server-mods.sh`.
- [x] compose: dropped `PACKWIZ_URL`, `pack.` extra_host, `./pack`/`./custom`
mounts, `pack.` caddy vhost; added `server-mods` mount + `REMOVE_OLD_MODS`.
- [x] deleted `tooling/render-pack.sh` (+ dead `add-custom-mod.sh`).
- [x] deleted `pack/` and `custom/` (jars now sourced from `$DIST`).
- [x] `.gitignore`: dropped packwiz lines; added `server-mods/`.
- [x] superseded `plan/04-packwiz.md`; updated `05-minecraft.md`, `14-deploy.md`,
`CLAUDE.md`.
- [x] resolved the host-local divergence around `pack/`
([[cochi-host-local-divergence]]).
- [ ] **STILL OPEN (roadmap):** landing join steps still reference the dead
`pack.toml` URL (`site.ts packwizUrl`, `i18n/ui.ts` step 3) — rework around
the HeliosLauncher/`distribution.json` flow.
- [x] deployed to `cochi`: NeoForge bumped to 21.1.233, 52 server mods, `Done`,
mc-status `online:true`.
## Deployment gotchas (learned 2026-06-10, first cutover)
### NeoForge version MUST match the distribution
The distribution's mods are built against a specific NeoForge (in
`distribution.json``21.1.233`). Several hard-require it (ferritecore ≥21.1.218,
farmersdelight ≥21.1.219, configured ≥21.1.211). A lower `NEOFORGE_VERSION` pin
fails pre-load with `Missing or unsupported mandatory dependencies: neoforge`.
Keep `docker-compose.yml`'s pin in lockstep with the distribution on every mod
update.
### Client-only mods that declare `BOTH` crash the dedicated server
tomllib classifies by the `minecraft`/`neoforge` dependency `side`. Mods that
declare **`BOTH`** but are actually client-only (touch `net.minecraft.client.*`)
pass through as `both`, load on the server, and crash hard:
```
java.lang.RuntimeException: Attempted to load class
net/minecraft/client/gui/screens/Screen for invalid dist DEDICATED_SERVER
- <Mod> has failed to load correctly
```
This is **not** mere RAM waste — it's a fatal crashloop. tomllib cannot detect
it (the manifest lies). **Fix = hand-set the mod to `client` in
`mods-sides.json`, re-sync, recreate minecraft.** First cutover required marking
these (leaf client-GUI mods, nothing server-loaded depends on them):
`BetterF3, JustEnoughResources, MouseTweaks, Searchables, TravelersTitles,
drippyloadingscreen, entityculling, fancymenu, konkrete, melody, ponderjs,
welcomescreen, yeetusexperimentus` — on top of the 11 tomllib auto-caught
(sodium, sodium-extra, iris, ImmediatelyFast, appleskin, Controlling, BridgingMod,
CustomSkinLoader, entity_model_features, entity_texture_features, tagtooltips).
**Current state: 24 `client` / 52 `both`.** The 52 may still hide a client-only
mod that loaded without crashing; if a future restart trips another
`invalid dist DEDICATED_SERVER`, flip that one jar to `client` and re-sync — same
one-line loop. When excluding, prefer leaf mods; if a `both` mod hard-depends on
the one you exclude you'll get a `Missing mandatory dependency` instead — put it
back.
## Open questions / risks
- **No manifest** in a jar → defaults `both`. Acceptable; review the defaulted
list `classify-mods` prints.
- **Nebula regen** may rename jars (version bumps) → `mods-sides.json` keys go
stale; `classify-mods` re-seeds new names as `both`, and `sync` warns on
missing-from-DIST. Re-curate on big mod updates.

View File

@@ -1,48 +1,7 @@
# packwiz — modpack source of truth + offline mod mirror
# packwiz — modpack source of truth (SUPERSEDED)
## Summary
`packwiz` (installed at `~/go/bin/packwiz`) authors the modpack. The `./pack`
directory is the **single source of truth** for mods, consumed by both:
- the **server** (itzg `PACKWIZ_URL`), and
- **clients** (Fjord launcher imports the pack / packwiz-installer).
Caddy serves `./pack` at `packwiz.ulicraft.local`. packwiz only emits **metadata**
(`pack.toml`, `index.toml`, `mods/*.pw.toml`); the `.pw.toml` files reference
Modrinth/CF **CDN URLs**, so true offline requires mirroring jars locally.
## Behaviors confirmed
- **Prune**: packwiz-installer tracks a manifest and **removes** client mods no
longer in the index on re-run. (Server side via itzg likewise re-syncs.)
- **Download source**: jars come from CDN URLs in `.pw.toml`, NOT the pack host —
unless URLs are rewritten to the local mirror.
- **itzg side filtering**: itzg downloads **server-side mods only**. Client-only
mods MUST be tagged `side = "client"` (not `both`) or the server may pull and
crash on them.
## Offline mod mirror (the key work)
`tooling/mirror-mods.sh` (see `08-tooling.md`):
1. Parse each `mods/*.pw.toml`, download the jar into `./mirror/mods/`.
2. Copy jars into `./pack/mods-files/` (served at `packwiz.ulicraft.local/...`).
3. Rewrite each `[download] url` to point at `http://packwiz.ulicraft.local/...`.
4. `packwiz refresh` to recompute hashes/index.
Result: server + clients install mods entirely from the LAN. No CDN at party time.
## NeoForge pinning
`pack.toml` pins MC `1.21.1` + NeoForge `21.1.x`. Verify exact NeoForge build
against projects.neoforged.net before locking.
## Tasks
- [ ] `packwiz init``./pack` (MC 1.21.1, modloader neoforge, pinned version)
- [ ] Curate mod shortlist (perf/tech/magic/storage/QoL/worldgen/map/voice)
- [ ] Tag client-only mods `side = "client"`
- [ ] `packwiz refresh`; verify `index.toml` committed (clients fetch it)
- [ ] Write `tooling/mirror-mods.sh` (vendor jars + rewrite URLs + refresh)
- [ ] Point server `PACKWIZ_URL=http://packwiz.ulicraft.local/pack.toml`
- [ ] `.gitignore` the vendored `./mirror/` jars; keep `./pack/*.toml` tracked
- [ ] Test offline install end-to-end (cut internet, install on a fresh client)
> **Superseded by [`04-mods.md`](04-mods.md).** packwiz has been removed.
> The server now loads a filtered mod subset from a local `server-mods/` volume
> (synced from the distribution repo by `tooling/sync-server-mods.sh`); clients
> still get the full set from the HeliosLauncher `distribution.json`.
> See `04-mods.md` for the current design.

View File

@@ -1,52 +1,126 @@
# Minecraft server — itzg NeoForge + offline launch
# Minecraft server — itzg NeoForge
## Summary
`itzg/minecraft-server:java21`, NeoForge 1.21.1, offline-mode + authlib-injector
pointing at drasl. Mods via `PACKWIZ_URL`. The challenge: **itzg re-resolves Mojang
version metadata on every boot** (issue #2340), so it cannot air-gap-boot in
`TYPE=NEOFORGE` mode. Solved with a pre-bake + custom-launch switch.
pointing at drasl. Mods come from a local `./server-mods` volume (mounted at
`/mods`), NOT packwiz — see `04-mods.md`. itzg installs MC + NeoForge + libraries
on first boot and auto-syncs `/mods``/data/mods` every boot; the stack assumes
the internet is present (for the NeoForge installer), so `TYPE=NEOFORGE` boots
normally every time.
## Offline strategy (two phases)
## Server config
**Phase 1 — pre-bake (online, once):**
```
TYPE=NEOFORGE, VERSION=1.21.1, NEOFORGE_VERSION=21.1.x
PACKWIZ_URL=http://packwiz.ulicraft.local/pack.toml
REMOVE_OLD_MODS=TRUE # ./server-mods is the authoritative mod set
volume ./server-mods:/mods:ro
```
Boot once with internet → installs MC + NeoForge + libraries + server mods into
the `mc_data` volume, generates NeoForge's launch args/`run.sh`.
**Phase 2 — offline launch (party):**
Switch to `TYPE=CUSTOM` + `CUSTOM_SERVER=<container path>` pointing at the
already-installed NeoForge launcher in `/data`. A **container path (not URL)**
means no download, no Mojang resolution → boots air-gapped, survives restarts.
`./server-mods` is populated by `tooling/sync-server-mods.sh` (the `both`/`server`
subset of `mods-sides.json`, copied from `$DISTRIBUTION_WEB_ROOT`). First boot
installs MC + NeoForge + libraries into the `mc_data` volume; every boot itzg
mirrors `/mods` into `/data/mods` and prunes removed ones (`REMOVE_OLD_MODS`).
> OPEN: NeoForge 1.21.1 launches via `@libraries/.../unix_args.txt` / `run.sh`,
> not a single fat jar. Exact `CUSTOM_SERVER` target + any `EXTRA_ARGS` must be
> verified against a real pre-baked volume. Tracked as a task.
## Auth / config (carry-over)
## Auth / config
```
ONLINE_MODE=FALSE
ONLINE_MODE=TRUE
ENFORCE_SECURE_PROFILE=FALSE # pairs with drasl SignPublicKeys=false
JVM_OPTS=-javaagent:/extras/authlib-injector.jar=http://auth.${BASE_DOMAIN}/authlib-injector
```
authlib URL uses the `auth` subdomain; resolves internally via Caddi alias.
authlib URL uses the `auth` subdomain; resolves internally via the caddy alias.
(Server still needs the agent even though Fjord clients have it built in.)
**`ONLINE_MODE` MUST be true.** authlib-injector works by redirecting the
server's normal online-auth handshake from Mojang to Drasl. With
`ONLINE_MODE=FALSE` the server skips that handshake entirely → players get
offline-hash UUIDs, no session validation, and **no skins** (the server never
fetches textures from Drasl). The thing that must stay *off* for 1.21+ is the
**secure profile** (`ENFORCE_SECURE_PROFILE=FALSE` + Drasl `SignPublicKeys=false`),
not online-mode. Symptom of getting this wrong: everyone can join but everyone is
Steve, and `usercache.json` shows offline-hash UUIDs.
Memory: `INIT_MEMORY 4G`, `MAX_MEMORY 10G`, `USE_AIKAR_FLAGS TRUE`.
RCON enabled for mc-backup.
## Server operators (OP)
**Do NOT use the itzg `OPS` env var.** It resolves usernames to UUIDs via a
Mojang lookup, but this server is `ONLINE_MODE=TRUE` validated against Drasl —
Drasl assigns its own UUIDs (not Mojang, not the offline-hash). A Mojang-resolved UUID
would not match the player's real session UUID, so the op entry would be inert
(and could clobber a correct `ops.json` on reboot).
**Op via RCON instead.** The player must have connected at least once so their
real Drasl UUID is cached in `/data/usercache.json`; then `op <name>` writes that
cached UUID to `ops.json`. On the host:
```
ssh cochi
docker exec minecraft rcon-cli list # confirm cache / who's on
docker exec minecraft sh -c 'cat /data/usercache.json' # verify name→UUID cached
docker exec minecraft rcon-cli op <name>
docker exec minecraft sh -c 'cat /data/ops.json' # verify level 4 + right UUID
```
`ops.json` lives in the `mc_data` volume → persists across restarts; no reboot
needed (takes effect live). Current op: `oier`
(`7fbc9adb-bcf4-3913-9a99-46d46acd1009`), level 4, set 2026-06-21.
## Simple Voice Chat — `voice_host` (NOT repo-tracked)
Voice chat is UDP `24454/udp`, published in compose. The mod auto-generates
`/data/config/voicechat/voicechat-server.properties` in the `mc_data` volume.
**Gotcha — `voice_host` must be set or remote clients get a red/crossed icon.**
Behind any NAT/Docker the server announces an address for clients' UDP
connection; if `voice_host=` is empty it auto-detects the internal Docker IP →
unreachable → the secret (TCP) is sent but the UDP handshake never completes
("Sent secret" with no following "successfully connected to voice chat").
Set on prod:
```
docker exec minecraft sed -i 's/^voice_host=.*/voice_host=ulicraft.net/' \
/data/config/voicechat/voicechat-server.properties
docker restart minecraft # mod reads props only at startup
```
**⚠️ This value lives in the `mc_data` volume, NOT auto-managed from this repo.**
It survives restarts and `compose down/up`, but a **world wipe / fresh `mc_data`**
regenerates the file with `voice_host=` empty → voice silently breaks again.
A known-good prod snapshot is committed at
`server-configs/voicechat-server.properties` (reference copy, `voice_host=ulicraft.net`).
After a world reset, either re-run the `sed` + `docker restart` above, or restore
the snapshot:
```
docker cp server-configs/voicechat-server.properties \
minecraft:/data/config/voicechat/voicechat-server.properties
docker restart minecraft
```
(Snapshot is not auto-mounted — to make it durable, add a bind mount of
`server-configs/voicechat-server.properties` into `/data/config/voicechat/` in
compose.)
Verify after a client joins:
`docker logs minecraft 2>&1 | grep -i "connected to voice"` → expect
`Player <name> ... successfully connected to voice chat`.
Note: a red voice icon can ALSO be client-side — a VPN/zero-trust client
(Cloudflare One/WARP, FortiClient) on the player's machine silently drops the
voice UDP. Rule out VPNs before touching the server.
## Tasks
- [ ] Compose: switch authlib URL to `http://auth.${BASE_DOMAIN}/authlib-injector`
- [ ] Compose: replace `MODRINTH_PROJECTS` with `PACKWIZ_URL` (packwiz subdomain)
- [ ] Mount renamed `./runtime` (was `./extras`) for authlib-injector.jar
- [ ] `depends_on`: drasl + caddy (pack served before server installs)
- [ ] Pre-bake the volume online; snapshot it
- [ ] Identify exact NeoForge launch target for `TYPE=CUSTOM` / `CUSTOM_SERVER`
- [ ] Add a documented "offline mode" compose override (`docker-compose.offline.yml`?)
- [ ] Verify air-gapped boot: cut internet, restart container, server comes up
- [ ] Compose: authlib URL `http://auth.${BASE_DOMAIN}/authlib-injector`
- [ ] Compose: mount `./server-mods:/mods:ro` + `REMOVE_OLD_MODS=TRUE`
- [ ] Run `tooling/sync-server-mods.sh` before bring-up (populates `./server-mods`)
- [ ] Mount `./runtime` for authlib-injector.jar at `/extras`
- [ ] `depends_on`: drasl (authlib must resolve at boot)
- [ ] Confirm `ENFORCE_SECURE_PROFILE=FALSE` ↔ drasl `SignPublicKeys=false`
- [ ] Verify a client joins with their drasl skin
- [ ] After any world wipe: re-set `voice_host` (see Simple Voice Chat section)

View File

@@ -8,8 +8,8 @@ drasl account directly in the launcher (no manual JVM `-javaagent`), import the
modpack, and play.
We host the launcher installers for **all platforms** on the landing page
(`ulicraft.local`), served by Caddy from `./mirror/launcher/`. A script downloads
the latest release assets ahead of time so the party is fully offline.
(`ulicraft.net`), served by Caddy from `./launcher/` (mounted at `/srv/launcher`,
reachable at `/launcher/`). A script downloads the release assets ahead of time.
## Release assets (latest = 11.0.2.0)
@@ -26,12 +26,12 @@ Setup `.exe`, macOS `.dmg`, Linux `.AppImage`.
```bash
#!/usr/bin/env bash
# Download all FjordLauncherUnlocked release assets for offline hosting.
# Download all FjordLauncherUnlocked release assets for local hosting.
# Halts on any error or ambiguity (no silent partial downloads).
set -euo pipefail
REPO="hero-persson/FjordLauncherUnlocked"
DEST_ROOT="$(dirname "$0")/../mirror/launcher"
DEST_ROOT="$(dirname "$0")/../launcher"
API="https://api.github.com/repos/${REPO}/releases/latest"
command -v curl >/dev/null || { echo "curl required"; exit 1; }
@@ -59,13 +59,13 @@ ln -sfn "$tag" "${DEST_ROOT}/latest"
echo "Done. ${#urls[@]} assets in ${dest}"
```
Caddy mount: `./mirror/launcher:/srv/www/launcher:ro`.
Caddy mount: `./launcher:/srv/launcher:ro` (served at `/launcher/…`).
### Stable symlinks (so landing links survive version bumps)
The landing page (`09-landing.md`) links to **fixed** filenames, not versioned
ones. After downloading, `fetch-launcher.sh` must create these symlinks under
`mirror/launcher/latest/` pointing at the real assets:
`launcher/latest/` pointing at the real assets:
- `fjord-windows-setup.exe` → Windows Setup `.exe` (x64)
- `fjord-macos.dmg` → macOS `.dmg`
@@ -78,22 +78,19 @@ sync with `landing/src/data/site.ts`.**
## Per-guest flow
1. Open `http://ulicraft.local`, download launcher for their OS, install.
1. Open `https://ulicraft.net`, download launcher for their OS, install.
2. Add account: authlib-injector type, URL
`http://auth.ulicraft.local/authlib-injector`, drasl username/password.
3. (Offline) Settings → APIs → **Assets Server** =
`https://assets.ulicraft.local/` so the heavy asset download comes from the LAN
mirror (see 10-assets-mirror.md). Requires trusting the local CA.
4. Import the modpack (packwiz URL `http://packwiz.ulicraft.local/pack.toml`,
`https://auth.ulicraft.net/authlib-injector`, drasl username/password.
3. Import the modpack (packwiz URL `https://pack.ulicraft.net/pack.toml`,
or a shared instance zip).
5. Connect to `mc.ulicraft.local:25565`.
4. Connect to `mc.ulicraft.net:25565`.
## Tasks
- [ ] Create `tooling/fetch-launcher.sh` (above); `chmod +x`
- [ ] Extend script: create stable symlinks (win/mac/linux) in `mirror/launcher/latest/`
- [ ] Run it pre-party while online; verify all assets land in `./mirror/launcher/<tag>/`
- [ ] `.gitignore` `./mirror/` (done)
- [ ] Extend script: create stable symlinks (win/mac/linux) in `launcher/latest/`
- [ ] Run it pre-party; verify all assets land in `./launcher/<tag>/`
- [ ] `.gitignore` `./launcher/` (done)
- [ ] Landing page DONE — `landing/` Astro project, builds to `www/` (see 09-landing.md)
- [ ] Confirm Fjord authlib-injector account flow against drasl
- [ ] Decide whether to ship a pre-built instance zip vs packwiz URL import

View File

@@ -4,7 +4,7 @@
`itzg/mc-backup` alongside the server, talking via RCON. Snapshots the world every
6h, prunes after 14 days. World-only (no mod jars — mods are reproducible from the
packwiz pack). Unchanged from the original design; lowest-priority service.
distribution). Unchanged from the original design; lowest-priority service.
## Config (carry-over)

View File

@@ -1,77 +1,90 @@
# Tooling — config rendering, mod mirror, launcher fetch
# Tooling — config rendering, mod sync, ingress, fetch scripts
## Summary
Three scripts in `./tooling/` turn the two env vars + templates into a working,
offline-capable stack. All are **cautious**: they halt on unset vars or missing
inputs rather than emit half-broken output.
Scripts in `./tooling/` turn `BASE_DOMAIN` + templates into a working stack and
handle ingress (nginx vhost, TLS certs) and launcher/font fetches. All are
**cautious**: they halt on unset vars or missing inputs rather than emit
half-broken output.
Surviving scripts:
- `render-config.sh` — render `*.tmpl` configs (BASE_DOMAIN only)
- `classify-mods.py` — read each jar's `neoforge.mods.toml`, seed `mods-sides.json` (see 04-mods.md)
- `sync-server-mods.sh` — copy `both`/`server` jars from the distribution → `./server-mods` (see 04-mods.md)
- `build-modlist.py` — generate the landing `mods.json` + extract logos (see 17-mod-shortlist.md)
- `render-nginx.sh` — render/install the host nginx vhost (TLS terminator → caddy)
- `issue-letsencrypt.sh` — issue LE certs via OVH DNS-01 (see 15-letsencrypt.md)
- `fetch-launcher.sh` — download Fjord launcher release assets (see 06-launcher.md)
- `fetch-authlib.sh` — vendor the authlib-injector jar → `runtime/`
- `fetch-fonts.sh` — vendor the landing page fonts (see 09-landing.md)
## render-config.sh
Renders every `*.tmpl` into its real config by substituting `BASE_DOMAIN` /
`HOST_LAN_IP`. Caddy is excluded (it reads `{$BASE_DOMAIN}` natively).
Renders every `*.tmpl` into its real config by substituting **only**
`${BASE_DOMAIN}` (so literal `$`-syntax belonging to the target file — caddy,
toml — is left untouched). Caddy is excluded entirely (it reads `{$BASE_DOMAIN}`
natively).
Targets:
- `drasl/config/config.toml.tmpl` `drasl/config/config.toml`
- `dnsmasq/dnsmasq.conf.tmpl``dnsmasq/dnsmasq.conf`
- `drasl/config/config.toml.tmpl``drasl/config/config.toml`
- `nmsr/config.toml.tmpl` `nmsr/config.toml`
Mods are **not** rendered — they are synced from the distribution by
`sync-server-mods.sh` (see 04-mods.md), no templating involved.
```bash
#!/usr/bin/env bash
set -euo pipefail
[ -f .env ] && set -a && . ./.env && set +a
: "${BASE_DOMAIN:?BASE_DOMAIN unset}"
: "${HOST_LAN_IP:?HOST_LAN_IP unset}"
cd "$(dirname "$0")/.."
[ -f .env ] && { set -a; . ./.env; set +a; }
: "${BASE_DOMAIN:?BASE_DOMAIN unset (set in .env)}"
render() { # $1=tmpl $2=out
[ -f "$1" ] || { echo "missing template: $1"; exit 1; }
envsubst '${BASE_DOMAIN} ${HOST_LAN_IP}' < "$1" > "$2"
[ -f "$1" ] || { echo "missing template: $1" >&2; exit 1; }
envsubst '${BASE_DOMAIN}' < "$1" > "$2"
echo "rendered $2"
}
render drasl/config/config.toml.tmpl drasl/config/config.toml
render dnsmasq/dnsmasq.conf.tmpl dnsmasq/dnsmasq.conf
render nmsr/config.toml.tmpl nmsr/config.toml
```
> Note: `envsubst` with an explicit var list avoids clobbering `$`-syntax that
> belongs to the target file (e.g. dnsmasq/caddy literals).
## render-nginx.sh
## mirror-mods.sh
Renders `nginx/ulicraft-caddy.conf.tmpl` (the host nginx that terminates TLS in
front of caddy), substituting `$BASE_DOMAIN $APP_DIR $CADDY_HTTP_PORT`. Prints to
stdout by default; `--install` writes to sites-available, symlinks sites-enabled,
`nginx -t`, and reloads nginx. See `15-letsencrypt.md`.
Vendors mod jars for offline install and rewrites packwiz URLs to the LAN host.
See `04-packwiz.md`. Outline:
1. For each `pack/mods/*.pw.toml`, read `[download] url` + `filename`.
2. Download jar → `pack/mods-files/` (served by Caddy under packwiz subdomain).
3. Rewrite `url` to `http://packwiz.${BASE_DOMAIN}/mods-files/<filename>`.
4. `packwiz refresh` to recompute hashes + `index.toml`.
Must halt if a download fails or a hash mismatches.
## issue-letsencrypt.sh
## mirror-assets.sh
Mirrors Minecraft asset objects for offline clients (the ~400 MB+ chunk) and lays
them out for Caddy + the Fjord "Assets Server" override. Full design in
`10-assets-mirror.md`. Verifies SHA1, idempotent, halts on mismatch.
Issues a separate cert for the apex and each `LE_SUBDOMAINS` entry via acme.sh +
OVH DNS-01 → `certs/<name>/{cert,key}.pem`. See `15-letsencrypt.md`.
## fetch-launcher.sh
Downloads all FjordLauncherUnlocked release assets → `mirror/launcher/<tag>/`.
Full script in `06-launcher.md`.
Downloads FjordLauncherUnlocked release assets → `launcher/<tag>/` and maintains
a `latest` symlink + stable per-OS filename symlinks. Full script in
`06-launcher.md`.
## Generated / gitignored
```
drasl/config/config.toml # rendered
dnsmasq/dnsmasq.conf # rendered
pack/mods-files/ # vendored jars
mirror/ # launcher assets + mod mirror
nmsr/config.toml # rendered
launcher/ # launcher assets
www/ # landing build output
certs/ # Let's Encrypt certs
.env # secrets + host-specific
```
## Tasks
- [ ] Write `tooling/render-config.sh` (above), `chmod +x`
- [ ] Write `tooling/mirror-mods.sh` (toml parse + download + rewrite + refresh)
- [ ] Write `tooling/mirror-assets.sh` (see 10)
- [ ] Write `tooling/sync-server-mods.sh` (see 04-mods.md)
- [ ] Write `tooling/render-nginx.sh` (see 15)
- [ ] Write `tooling/issue-letsencrypt.sh` (see 15)
- [ ] Write `tooling/fetch-launcher.sh` (see 06)
- [ ] Add `gettext` (envsubst) + `jq` to host prereqs doc
- [ ] Update `.gitignore` for rendered configs + `mirror/` + `pack/mods-files/`
- [ ] `build-stack.sh` orchestrator (preflight + `--prep` online + `--up` offline) — DONE, sequences the sub-scripts; see plan/12
- [ ] Update `.gitignore` for rendered configs + `launcher/` + `www/` + `certs/`

View File

@@ -2,17 +2,18 @@
## Summary
Apex `ulicraft.local` serves a static page guiding guests through joining:
Apex `ulicraft.net` serves a static page guiding guests through joining:
download launcher → add account → import modpack → connect. Built with **Astro +
TypeScript** in `./landing/`; `pnpm run build` emits straight into `./www/`,
which Caddy/nginx serve at the apex. No runtime framework — output is plain
HTML/CSS plus one tiny vanilla script (copy-to-clipboard + scroll reveal).
which Caddy serves at the apex (behind host nginx). No runtime framework —
output is plain HTML/CSS plus one tiny vanilla script (copy-to-clipboard +
scroll reveal).
The visual is the **"Carved from stone"** pixel design ("Claude Design",
`landing/design/`): dark overworld palette, MC-GUI bevel buttons, pixel type,
creeper mark, server-list panel. That design was a React/Babel-via-CDN prototype
for a *fictional public SMP*; it was **ported to static Astro** with the real
modded-LAN content and offline-safe assets.
modded-LAN content and vendored assets.
## Stack & wiring
@@ -20,8 +21,8 @@ modded-LAN content and offline-safe assets.
- `astro.config.mjs``outDir: "../www"`. Build overwrites `www/`; `www/` is
gitignored (generated artifact).
- `BASE_DOMAIN` env read at build time in `src/data/site.ts`
(`process.env.BASE_DOMAIN ?? "ulicraft.local"`). Bake before deploy:
`BASE_DOMAIN=ulicraft.local pnpm run build`.
(`process.env.BASE_DOMAIN ?? "ulicraft.net"`). Bake before deploy:
`BASE_DOMAIN=ulicraft.net pnpm run build`.
- Logo: wide wordmark from the design at `landing/public/logo.png` (hero + favicon).
`image-rendering: pixelated` keeps it crisp.
@@ -31,7 +32,7 @@ landing/
├── design/ # "Claude Design" prototype (reference, not built)
├── public/
│ ├── logo.png # hero wordmark (from design/assets/ulicraft-logo.png)
│ └── fonts/ # vendored woff2 + fonts.css (offline-safe)
│ └── fonts/ # vendored woff2 + fonts.css (self-contained)
└── src/
├── data/site.ts # single source: content + theme knobs
├── styles/main.css # ported design system (mood/hero/bevels)
@@ -39,10 +40,11 @@ landing/
└── pages/index.astro # composition + copy/reveal script + dust
```
## Fonts — vendored for offline LAN
## Fonts — vendored locally
The design pulled fonts from Google Fonts CDN; that breaks on offline LAN day.
`tooling/fetch-fonts.sh` downloads the woff2 + a URL-rewritten `fonts.css` into
The design pulled fonts from Google Fonts CDN; we vendor them instead to keep the
page self-contained. `tooling/fetch-fonts.sh` downloads the woff2 + a
URL-rewritten `fonts.css` into
`landing/public/fonts/`. `index.astro` links `/fonts/fonts.css`. Re-run the
script only if the font set changes (keep families in sync with `main.css`
`--font-*`): Pixelify Sans, Space Grotesk, Press Start 2P, Silkscreen, VT323.
@@ -59,11 +61,15 @@ script only if the font set changes (keep families in sync with `main.css`
## Languages (i18n)
Three locales, static, build-time, offline-safe**English** (default, `/`),
**Spanish** (`/es/`), **Euskera** (`/eu/`).
Three locales, static, build-time — **Spanish** (default, `/`),
**English** (`/en/`), **Euskera** (`/eu/`).
- One template `src/pages/[...lang].astro` with `getStaticPaths` emits all three
routes (`/`, `/es/`, `/eu/`). No runtime/JS routing.
routes (`/`, `/en/`, `/eu/`). No runtime/JS routing. The default locale lives at
the bare root: its `getStaticPaths` entry is `{ lang: undefined }``locale:
"es"`; en/eu get an explicit prefix. The `LANG_*_PATH` maps in `ui.ts` mirror
this (es → no prefix). Changing the default = swap which locale is `undefined`
in all four pages' `getStaticPaths` + the `LANG_*_PATH` maps.
- Translatable copy lives in `src/i18n/ui.ts` (`ui[locale]`), keyed identically
across locales. `site.ts` holds only language-neutral config (URLs, theme,
launcher files, stat/feature *structure*).
@@ -85,8 +91,8 @@ Three locales, static, build-time, offline-safe — **English** (default, `/`),
- Features ×4: kitchen-sink pack · self-hosted Drasl identity+skins · one-click
packwiz · built-to-last (homelab + 6h backups).
- How to Join ×4: **1** Fjord launcher (3 OS) → **2** authlib account
(`auth.${BASE_DOMAIN}/authlib-injector`) + register link + CA-cert note
**3** packwiz import (`packwiz.${BASE_DOMAIN}/pack.toml`) → **4** connect.
(`auth.${BASE_DOMAIN}/authlib-injector`) + register link →
**3** packwiz import (`pack.${BASE_DOMAIN}/pack.toml`) → **4** connect.
- Footer: Mojang trademark disclaimer.
## Launcher download links (Option A — stable symlinks)
@@ -97,9 +103,33 @@ Page links to fixed names so they survive launcher version bumps:
- `fjord-linux-x86_64.AppImage`
`tooling/fetch-launcher.sh` must create these as symlinks under
`mirror/launcher/latest/` pointing at the real versioned assets. **Keep the names
in sync** between `site.ts` and the script. Mounted so they resolve at
`/launcher/latest/…` (see nginx/Caddy ingress).
`launcher/latest/` pointing at the real versioned assets. **Keep the names in
sync** between `site.ts` and the script. Mounted so they resolve at
`/launcher/latest/…` (see Caddy `10-static.caddy`).
## Assets — where to drop images
All static images live under `landing/public/` and are referenced by an absolute
`/path` (Astro copies `public/` to the site root verbatim). After changing any,
rebuild the landing (`pnpm run build`).
- **Header / hero logo** — `landing/public/logo.png` (current 707×148). Referenced
as `/logo.png` in the hero (`[...lang].astro`, the `.hero-logo img`). Replace the
file; keep a wide transparent PNG. Update the `width`/`height` attrs if the
aspect changes.
- **Favicon** — `landing/public/favicon.png` (square, ~175×175). Referenced as
`/favicon.png` in the `<link rel="icon">` of all four pages
(`[...lang].astro`, `register`, `account`, `fjord`). Replace the file.
- **Server-status icon** — NOT a file you place here. The ServerCard pulls the
live server icon over the SLP query (`ServerCard.astro`, the favicon data-URI),
falling back to the `Creeper.astro` SVG. To change it, set `server-icon.png` on
the Minecraft server (64×64), not in the landing.
- **Features icons** — two options (`PixelIcon.astro`, fed by `site.ts` `features[]`):
1. *Procedural glyph* (default): pick `glyph ∈ shield|diamond|orb|heart` and
`gold` per feature in `site.ts`. Add a glyph by editing the 7×7 `GLYPHS` map.
2. *Custom image*: drop a file in `landing/public/icons/<name>.(png|svg)` and add
`img: "/icons/<name>.png"` to that feature's entry in `site.ts` `features[]`.
`PixelIcon` renders the image (`.picon-img`) instead of the glyph.
## Tasks
@@ -107,9 +137,9 @@ in sync** between `site.ts` and the script. Mounted so they resolve at
- [x] Port design → static Astro (components + main.css + index.astro)
- [x] Real content in `site.ts`; theme knobs replace TweaksPanel
- [x] i18n: en/es/eu via `[...lang].astro` + `i18n/ui.ts`; nav language switcher
- [x] `BASE_DOMAIN=ulicraft.local pnpm run build` → verified `www/` output + screenshot
- [x] `BASE_DOMAIN=ulicraft.net pnpm run build` → verified `www/` output + screenshot
- [ ] Extend `fetch-launcher.sh`: symlink stable names → versioned files
- [ ] Confirm ingress serves apex from `./www` and `/launcher/latest/*` from mirror
- [ ] Confirm ingress serves apex from `./www` and `/launcher/latest/*` from `./launcher`
- [ ] Optional: try `mood: nether` / `hero: split` for party day
- [ ] Optional: wire real player count (option C) via mc-monitor JSON if wanted
```

View File

@@ -1,114 +0,0 @@
# Assets mirror — offline Minecraft asset objects for clients
## Summary
Guest launchers (FjordLauncherUnlocked, a Prism soft-fork) download ~400600 MB of
**asset objects** (textures, sounds, lang) from `resources.download.minecraft.net`
on first instance launch. For an air-gapped party that's the single biggest
client-side download. Fjord/Prism expose an **"Assets Server"** override, so we
mirror the objects onto our host and point guests at it.
`tooling/mirror-assets.sh` downloads + verifies every asset object for the pinned
Minecraft version and lays them out so Caddy can serve them in the exact path
shape the launcher expects.
## Fjord/Prism override fields (confirmed)
Settings → APIs → **Services** tab:
| Field | Setting key | Default | What it overrides |
|---|---|---|---|
| **Assets Server** | `ResourceURL` | `https://resources.download.minecraft.net/` | asset **objects only** |
| **Metadata Server** | (meta URL) | `https://meta.prismlauncher.org/v1/` | Prism-format version meta |
- Added in Prism 10.0.0 (PR #3875); inherited by Fjord.
- **There is NO libraries-URL field.** Library + client.jar URLs live inside the
version/meta JSON; only a meta mirror (or DNS spoof) can redirect them.
### ⚠️ HTTPS is forced
PR #3875 validates the Assets Server URL as **HTTPS and auto-rewrites `http://`
`https://`**. So the assets mirror **must be served over TLS** — plain `:80`
Caddy will not work for this endpoint. This pulls local TLS forward for one
subdomain ahead of the rest of the stack.
Options to satisfy it:
1. Caddy TLS on `assets.${BASE_DOMAIN}` with a cert from a local CA
(step-ca); guests import the CA root once. Cleanest, matches homelab.
2. Caddy `internal` CA / self-signed — guests must trust it (more friction, per
machine).
3. Sidestep entirely with **pre-seed** (below) and skip the Assets Server override.
## What this mirror does and does NOT cover
| Client download | Host | Covered here? |
|---|---|---|
| asset objects (bulk) | resources.download.minecraft.net | ✅ this mirror + Assets Server field |
| asset index json | meta/piston | ⚠️ fetched here for completeness; launcher still pulls it from meta unless meta is also mirrored |
| libraries | libraries.minecraft.net | ❌ no override field |
| client.jar | piston-data.mojang.com | ❌ |
| version/meta json | meta.prismlauncher.org | ❌ (separate Metadata Server field) |
**Full client air-gap therefore needs more than this.** For the uncovered, small
(~150 MB) remainder, the pragmatic fallback is **pre-seed**: each guest launches
the instance once while online (on arrival, before air-gapping); Prism caches
libraries/jar/meta locally. The assets mirror still saves the heavy 400 MB+ per
guest. A full meta+libraries mirror (mcm-style / PrismLauncher-meta gen) is the
heavyweight alternative, deferred.
## tooling/mirror-assets.sh — design
Input: `MC_VERSION` (default `1.21.1`, or read from the pre-baked server's
`version.json`). Cautious: verifies SHA1 on every file, halts on mismatch,
idempotent (skips already-valid files).
```
1. GET https://piston-meta.mojang.com/mc/game/version_manifest_v2.json
→ find entry for $MC_VERSION → version-json URL
2. GET version-json → read .assetIndex { id, url, sha1 }
3. GET asset index → mirror/assets/indexes/<id>.json (verify sha1)
4. For each object in index .objects{}:
hash=<sha1>; rel="${hash:0:2}/${hash}"
dest="mirror/assets/objects/${rel}"
[ -f "$dest" ] && sha1 ok → skip
else GET https://resources.download.minecraft.net/${rel} → $dest ; verify sha1
5. Report counts; non-zero exit on any failure.
```
Layout served by Caddy:
```
mirror/assets/
├── indexes/<id>.json # e.g. 17.json / 1.21.json (for pre-seed/meta use)
└── objects/<2hex>/<sha1> # launcher requests <ResourceURL>/<2hex>/<sha1>
```
### Caddy wiring
Serve the **objects** dir at the web root of an HTTPS vhost so the launcher's
`<ResourceURL>/<2hex>/<hash>` resolves directly:
```
https://assets.{$BASE_DOMAIN} {
tls <local-ca-cert> <key> # or `tls internal`
root * /srv/assets/objects
file_server
}
```
Mount `./mirror/assets/objects:/srv/assets/objects:ro`. Add network alias
`assets.${BASE_DOMAIN}` to Caddy (same trick as auth/packwiz).
Fjord "Assets Server" = `https://assets.${BASE_DOMAIN}/`.
## Tasks
- [ ] Write `tooling/mirror-assets.sh` (above); `chmod +x`; deps `curl` + `jq` + `sha1sum`
- [ ] Decide MC_VERSION source: hardcode `1.21.1` vs read pre-baked `version.json`
- [ ] Run pre-party while online; verify `mirror/assets/objects/` populated + sha1 clean
- [ ] Stand up TLS for `assets.${BASE_DOMAIN}` (step-ca or `tls internal`) — REQUIRED (HTTPS forced)
- [ ] Add `assets.` Caddy vhost + network alias + mount
- [ ] Document guest step: Settings → APIs → Assets Server = `https://assets.${BASE_DOMAIN}/`
- [ ] Document guest CA-trust step (import local CA root) if not using a publicly-trusted cert
- [ ] Confirm in Fjord's actual UI that the field exists + HTTPS-forcing behavior matches Prism
- [ ] Fallback path: pre-seed instructions (launch once online) for libraries/jar/meta
- [ ] Defer decision: full meta+libraries mirror (mcm / PrismLauncher-meta) vs pre-seed
- [ ] `.gitignore` already covers `mirror/`
```

63
plan/10-uptime-kuma.md Normal file
View File

@@ -0,0 +1,63 @@
# 10 — Uptime Kuma
> Distinct from **`plan/15-mc-status.md`**: Kuma is the uptime *history* +
> alerting backend; mc-status is the live data feed for the landing's server
> card. Both ping `minecraft` over `mcnet` but serve different purposes.
Status monitoring + public status page. Service `uptime-kuma`
(`louislam/uptime-kuma:1`), web UI on `:3001`, reached only through caddy at
`https://status.${BASE_DOMAIN}`. Joined to `mcnet`, so it can probe every other
service by its internal container name.
## Add a Minecraft monitor
Uptime Kuma 1.x ships a built-in **Minecraft Server** monitor type. It uses the
Server List Ping protocol (the same ping the vanilla multiplayer list uses):
unauthenticated, so it works fine with `ONLINE_MODE=FALSE` /
`ENFORCE_SECURE_PROFILE=FALSE`. It reports latency, online/max players, and MOTD.
1. Open `https://status.${BASE_DOMAIN}` and log in (admin account created on
first run).
2. **+ Add New Monitor**.
3. **Monitor Type**: `Minecraft Server`.
4. Fill in one of the two probe targets below.
5. **Heartbeat Interval**: `60` s (fine for a friends' server).
6. **Retries**: `2`, **Retry Interval**: `30` s — avoids flapping on a GC pause.
7. **Save**.
### Two targets — add both
| Monitor | Server | Port | What it proves |
|---|---|---|---|
| `MC (internal)` | `minecraft` | `25565` | The server process is up and accepting pings inside `mcnet`. |
| `MC (public)` | `mc.${BASE_DOMAIN}` | `25565` | The full path works: DNS → host firewall → docker port publish → server. |
The **public** monitor is the one that catches "I can't connect" outages —
firewall, DNS, or an unpublished port all show red here while the internal
monitor stays green. Run both to tell *server down* apart from *path broken*.
> Internal `minecraft` resolves because uptime-kuma is on `mcnet` (the container
> name is the hostname). It is **not** routed through caddy — caddy only fronts
> HTTP vhosts, and MC is raw TCP. Do not point the monitor at `caddy` or any
> `status.` alias.
## Notes
- The Minecraft monitor pings TCP `25565`; it does **not** check Simple Voice
Chat (`24454/udp`). Add a separate **TCP Port** monitor against UDP if you want
voice coverage — but Kuma's TCP monitor is TCP-only, so UDP voice has no clean
probe; rely on the player report instead.
- Put both MC monitors on the public **status page**
(Settings → Status Pages) so guests can self-check before pinging you.
- Optional companion HTTP monitors for the web stack:
`https://auth.${BASE_DOMAIN}`, `https://distribution.${BASE_DOMAIN}`,
`https://${BASE_DOMAIN}`, `https://files.${BASE_DOMAIN}` — a red
`distribution.` here explains client mod-mismatch join failures.
> **An HTTP monitor cannot see an SPA break.** It asserts "the server returned
> 200", which is a much weaker claim than "the app works". `files.` (Filestash)
> proved this on 2026-07-14: a bad `general.host` made every client-side redirect
> resolve to `http://https://files…`, so the site was unusable in every browser
> while `/` kept returning 200 and the monitor stayed **green**. If you want a
> monitor with teeth on a JS app, use Kuma's **Keyword** type against a string
> the *rendered* page must contain, and don't read green as "users can log in".

View File

@@ -1,132 +0,0 @@
# Full client air-gap — DNS + TLS transparent mirror
## Summary
Goal: a guest laptop with **zero internet** can install + launch the modded
instance entirely from the LAN. The chosen architecture is a **transparent
mirror**: dnsmasq points the real upstream hostnames at our host, Caddy serves
byte-exact copies of the files at the same paths, and `tls internal` mints certs
those hostnames validate against (guests trust the Caddy root CA once).
The launcher is **unmodified** — it requests the real Mojang/Prism/NeoForge URLs;
DNS just resolves them to us. This is cleaner than rewriting Prism-format
metadata, and it makes the `10-assets-mirror.md` "Assets Server" field
**redundant** (the launcher hits the real resources host, which now resolves to
the LAN). `10` is kept as the lighter objects-only alternative.
## Decision record
- **TLS for LAN party = Caddy `tls internal`** (not step-ca). Zero extra infra;
Caddy is the local CA. step-ca stays a future-homelab reminder (see `02-caddy`
open item). Guests import the Caddy root CA once.
- **Full air-gap chosen** over pre-seed.
## Hosts to mirror (NeoForge 1.21.1 instance)
| Host | Serves | Notes |
|---|---|---|
| `meta.prismlauncher.org` | Prism-format component meta (MC, LWJGL, NeoForge) | path `/v1/...` |
| `piston-meta.mojang.com` | version manifest + version json | |
| `piston-data.mojang.com` | client.jar, asset index, some objects | |
| `libraries.minecraft.net` | vanilla MC libraries (maven layout) | |
| `maven.neoforged.net` | NeoForge libraries | more mavens may appear → capture catches them |
| `resources.download.minecraft.net` | asset objects (~400 MB+) | the bulk |
**Not mirrored — auth runtime** (`session.minecraft.net`, `textures.minecraft.net`,
`api.mojang.com`, `sessionserver.mojang.com`): these are redirected to **drasl**
by the authlib-injector account already; leave them to drasl.
## How it works
```
guest laptop (LAN DNS = our dnsmasq, trusts Caddy root CA)
│ resolves meta.prismlauncher.org, libraries.minecraft.net, … → HOST_LAN_IP
dnsmasq ── spoof A-records ──► Caddy (tls internal, cert per host)
└─ static file_server, byte-exact path mirror
```
### dnsmasq (extends 01)
Add explicit spoof records alongside the `*.${BASE_DOMAIN}` wildcard:
```
address=/meta.prismlauncher.org/${HOST_LAN_IP}
address=/piston-meta.mojang.com/${HOST_LAN_IP}
address=/piston-data.mojang.com/${HOST_LAN_IP}
address=/libraries.minecraft.net/${HOST_LAN_IP}
address=/maven.neoforged.net/${HOST_LAN_IP}
address=/resources.download.minecraft.net/${HOST_LAN_IP}
```
> Only effective while the guest uses our dnsmasq as resolver. Fully reversible —
> off-LAN the real hosts resolve normally. Keep this list in sync with whatever
> the capture step (below) actually observed.
### Caddy (extends 02)
One vhost per spoofed host, each rooted at its mirror tree, all `tls internal`:
```
piston-data.mojang.com, libraries.minecraft.net, resources.download.minecraft.net,
meta.prismlauncher.org, piston-meta.mojang.com, maven.neoforged.net {
tls internal
root * /srv/mirror/{host}
file_server
}
```
(Practically: a small snippet per host, or Caddy on-demand TLS + a path-routed
`map`. Keep explicit per-host for clarity.) Add each as a **network alias** on
Caddy too, so the `minecraft`/tooling containers resolve them internally.
Mount `./mirror/upstream/<host>:/srv/mirror/<host>:ro`.
## Capture (the actual work) — `tooling/mirror-airgap.sh`
Byte-exact mirroring needs the exact URL set. Capture it once, online:
1. **Record**: launch the instance once with the launcher pointed at a logging
forward-proxy (mitmproxy `--mode reverse`/transparent, or even Caddy as a
logging reverse proxy). Collect every requested absolute URL.
2. **Fetch**: for each URL, download to `mirror/upstream/<host>/<path>`,
preserving path exactly. Verify SHA1 where the source json provides it
(libraries, assets). Halt on mismatch.
3. **Assets shortcut**: the objects (resources.download…) can be filled directly
from the asset index (same logic as `10-assets-mirror.md`) without proxy
capture — reuse that loop into `mirror/upstream/resources.download.minecraft.net/<2hex>/<hash>`.
4. **Verify offline**: re-run a launch on a second machine with internet cut and
DNS set to our dnsmasq + CA trusted. Fix any 404 → missing URL → add to fetch.
> Cautious by design: the proxy-capture enumerates whatever hosts/paths are *truly*
> hit (incl. unforeseen maven mirrors), so the mirror is complete rather than
> guessed. Re-capture if MC/NeoForge versions change.
## Guest one-time setup (offline)
1. Set laptop DNS → our dnsmasq (LAN IP). (Often via DHCP/router, or manual.)
2. Import the **Caddy root CA** into the OS/browser trust store.
3. Install Fjord, add authlib-injector account (`auth.${BASE_DOMAIN}`), import pack,
launch. All downloads resolve to the LAN mirror.
No launcher API-field overrides needed in this architecture.
## Open / reminders
- [ ] **Reminder (kept):** graduate `tls internal` → step-ca for the persistent
homelab; revisit cert distribution then.
- [ ] Confirm exact `meta.prismlauncher.org` path layout Fjord requests (fork may
pin a different meta host/version).
- [ ] Verify Caddy `tls internal` certs validate in Fjord's Qt network stack with
the root CA imported (no extra pinning).
- [ ] mitmproxy vs Caddy-log for the capture step — pick one.
- [ ] CA-trust UX per OS (Windows/macOS/Linux) — document for guests.
## Tasks
- [ ] Write `tooling/mirror-airgap.sh` (capture + fetch + sha1 verify + offline re-test)
- [ ] Add spoof `address=` lines to `dnsmasq/dnsmasq.conf.tmpl` (01)
- [ ] Add per-host `tls internal` vhosts + network aliases + mounts to Caddy (02)
- [ ] Export Caddy root CA; build a guest CA-import mini-guide (link from landing page)
- [ ] Run capture online for MC 1.21.1 + NeoForge 21.1.x; populate `mirror/upstream/`
- [ ] Offline acceptance test on a clean machine (internet cut, LAN DNS, CA trusted)
- [ ] `.gitignore` already covers `mirror/`
```

View File

@@ -1,59 +1,75 @@
# Build order — one commit per task
Dependency-ordered. Each numbered item = one git commit. `main` currently has
**zero commits**; item 0 is the baseline. Operational steps (pre-bake, capture,
acceptance test) need internet/hardware and are NOT commits — marked `[ops]`.
Dependency-ordered. Each numbered item = one git commit. Operational steps
(prep, acceptance test) need internet/hardware and are NOT commits — marked
`[ops]`.
> Commit message convention: Conventional Commits, scope = service. Footer:
> `Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>`.
> `Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>`.
## Phase 0 — baseline
0. `chore: baseline scaffolding`existing untracked tree (CLAUDE.md, plan/,
current docker-compose.yml, extras/, .gitignore, .env.example).
0. `chore: baseline scaffolding`CLAUDE.md, plan/, docker-compose.yml,
runtime/, .gitignore, .env.example.
## Phase 1 — config foundation
1. `feat(env): add BASE_DOMAIN + HOST_LAN_IP to .env.example`
2. `feat(tooling): add render-config.sh (envsubst, halt on unset var)`
1. `feat(env): add BASE_DOMAIN + RCON_PASSWORD + CADDY_* to .env.example`
2. `feat(tooling): add render-config.sh (envsubst BASE_DOMAIN, halt on unset)`
## Phase 2 — DNS + ingress (no app yet, but the backbone)
3. `feat(dnsmasq): add dnsmasq.conf.tmpl (wildcard *.BASE_DOMAIN)`
4. `feat(caddy): add Caddyfile (apex + auth + packwiz vhosts)`
5. `feat(compose): add dnsmasq + caddy services + network aliases`
## Phase 2 — ingress (caddy internal router)
3. `feat(caddy): add conf.d snippets (00-core auth+pack, 10-static apex+launcher)`
4. `feat(compose): add caddy service (127.0.0.1:CADDY_HTTP_PORT) + network aliases`
## Phase 3 — auth
6. `feat(drasl): add config.toml.tmpl (password login, SignPublicKeys=false)`
7. `refactor(compose): drasl internal-only behind caddy; authlib URL → auth.`
5. `feat(drasl): add config.toml.tmpl (password login, SignPublicKeys=false)`
6. `refactor(compose): drasl internal-only behind caddy; authlib URL → auth.`
## Phase 4 — modpack
8. `feat(pack): packwiz init + initial mod curation`
9. `feat(tooling): add mirror-mods.sh (vendor jars + rewrite .pw.toml URLs)`
10. `refactor(compose): minecraft via PACKWIZ_URL; extras→runtime`
7. `feat(pack): packwiz init + initial mod curation`
8. `feat(tooling): add render-pack.sh + add-custom-mod.sh`
9. `refactor(compose): minecraft via PACKWIZ_URL`
## Phase 5 — landing
11. `feat(landing): Astro+TS onboarding site → www/` (files already drafted)
12. `chore(landing): wire logo + .gitignore for www/ + build output`
10. `feat(landing): Astro+TS onboarding site → www/`
11. `chore(landing): wire logo + .gitignore for www/`
11b. `feat(landing): /register page → Drasl API (B1) + REGISTRATION_MODE flag`
(CORS/RateLimit/RegistrationNewPlayer in drasl config.toml.tmpl; see
`16-landing-registration.md`).
## Phase 6 — launcher distribution
13. `feat(tooling): add fetch-launcher.sh (all platforms + stable symlinks)`
12. `feat(tooling): add fetch-launcher.sh (all platforms + stable symlinks)`
## Phase 7 — full client air-gap (chosen path, plan/11)
14. `feat(tooling): add mirror-airgap.sh (capture + fetch + sha1 verify)`
15. `feat(dnsmasq): add air-gap spoof records for upstream hosts`
16. `feat(caddy): add tls internal vhosts for upstream mirror hosts`
## Phase 7 — extra services
13. `feat(avatar): add nmsr service (Drasl-backed) + 40-avatar.caddy`
14. `feat(status): add uptime-kuma service + 50-status.caddy`
15. `feat(distribution): add 30-distribution.caddy (static, another repo)`
## Phase 8 — backups + orchestration
17. `feat(compose): add mc-backup service (RCON, 6h)`
18. `feat(tooling): add build-stack.sh orchestrator`
## Phase 8 — backups
16. `feat(compose): add mc-backup service (RCON, 6h)`
## Phase 9 — operational (no commits)
- [ops] Run `build-stack.sh --prep` online: render configs, build landing,
mirror mods, mirror air-gap, fetch launcher, **pre-bake** server volume.
- [ops] Offline acceptance test: clean machine, internet cut, LAN DNS = dnsmasq,
Caddy CA trusted → install Fjord, import pack, join.
- [ops] If green: tag `v1-lan-ready`.
## Phase 9 — production ingress / TLS
17. `feat(nginx): add ulicraft-caddy.conf.tmpl + render-nginx.sh`
18. `feat(tls): add issue-letsencrypt.sh (OVH DNS-01) + LE env block`
## Phase 11 — file share (DONE, 2026-07-14)
19. `feat(files): add Filestash player file share at files.${BASE_DOMAIN}`
compose service (digest-pinned) + `60-files.caddy` + nginx vhost (2g uploads,
`/admin` rate limit) + `filestash/config.json.tmpl` rendered `:ro` +
`FILES_*` env block. One shared htpasswd login, writable. See `20-files.md`.
- [ops] `files` added to `LE_SUBDOMAINS``issue-letsencrypt.sh`, then
`render-nginx.sh --install` (a new subdomain needs BOTH; `update-all.sh`
does not touch host nginx).
## Phase 10 — operational (no commits)
- [ops] Prep online (once): `tooling/render-config.sh`, build landing
(`cd landing && set -a && . ../.env && set +a && pnpm run build` — sources
`.env` so `BASE_DOMAIN` + `REGISTRATION_MODE` bake into the static output),
`tooling/fetch-launcher.sh`, fetch authlib-injector into `runtime/`.
- [ops] TLS: `tooling/issue-letsencrypt.sh`, then
`tooling/render-nginx.sh --install`.
- [ops] Bring up: `docker compose up -d --build`.
- [ops] Acceptance: install Fjord, add drasl account, import pack, join.
- [ops] If green: tag `v1-ready`.
## Notes
- Items 35 can be smoke-tested (`docker compose up dnsmasq caddy`) before later
phases exist — Caddy serves a 404/landing, dnsmasq resolves.
- Items 1416 depend on a working online launch to capture the URL set first.
- Bring-up is a single command — no run modes, no override compose files.
- Each commit should leave the tree in a non-broken state (compose still parses).

View File

@@ -1,65 +0,0 @@
# DNS strategy + run modes
How names resolve and which layers come up. Supersedes the "dnsmasq is core"
assumption in `01-dnsmasq.md`.
## Domain: `.lan`, not `.local`
`BASE_DOMAIN=ulicraft.lan` by default. `.local` is intercepted by mDNS on
macOS/Linux and does **not** resolve through a normal unicast DNS server
(that was the `DNS_PROBE_FINISHED_NXDOMAIN`). Use `.local` only with the mDNS
path below.
## Run modes — `tooling/build-stack.sh --up <mode>`
| Mode | Compose layers | Use |
|---|---|---|
| `online` | base + static | internet present; landing + launcher; no mirror |
| `airgap` | base + static + mirror | no internet; full asset mirror on `:443` (default) |
| `core` | base | debugging |
Base = drasl, minecraft, mc-backup, caddy(auth+packwiz). `static` = apex landing +
launcher + `/ca.crt`. `mirror` = upstream spoof vhosts (`tls internal`) + `:443` +
caddy aliases. `--up` prints the DNS records for the chosen mode.
## DNS: your own party server (primary)
You run the party DNS. Generate records with `tooling/dns-records.sh <mode>`:
- `online` → service names (`${BASE_DOMAIN}`, `auth.`, `packwiz.`, `mc.`) → `HOST_LAN_IP`
- `airgap` → the above **plus** the spoofed upstreams (`meta.prismlauncher.org`,
`piston-meta`/`piston-data.mojang.com`, `libraries.minecraft.net`,
`maven.neoforged.net`, `resources.download.minecraft.net`) → `HOST_LAN_IP`
Output formats: plain, `/etc/hosts`, BIND zone, dnsmasq `address=`, plus the
Minecraft SRV line. Minecraft needs no port (`mc.${BASE_DOMAIN}` defaults to 25565).
## Optional resolver layers
- **dnsmasq** (`docker-compose.dnsmasq.yml`) — turnkey DNS if you don't run your
own. Binds `${HOST_LAN_IP}:53`. Serves the rendered `dnsmasq/dnsmasq.conf`
(wildcard + airgap spoofs).
- **mDNS / Avahi** (`docker-compose.avahi.yml`, `ENABLE_MDNS=true`) — zero-config
`.local` for guests (macOS/Linux native; Windows needs Bonjour). See below.
## mDNS path (ENABLE_MDNS=true + BASE_DOMAIN=*.local)
The `avahi` container publishes the service names to the **host's** avahi-daemon
over its D-Bus socket (it does NOT run its own daemon — that collides with the
host on `:5353`).
Requirements / gotchas (build-stack warns on these):
- host runs `avahi-daemon`; `/run/dbus/system_bus_socket` mounted in.
- `security_opt: apparmor=unconfined` on the container (docker-default AppArmor
blocks the D-Bus publish).
- multi-interface hosts (e.g. many docker bridges) → avahi self-collides
("Local name collision"); set `allow-interfaces=<lan-nic>` in
`/etc/avahi/avahi-daemon.conf`.
- mDNS resolves **only** `.local`, so it cannot serve the air-gap upstream
spoofs (real public hostnames) — those always need real DNS.
## Status (tested 2026-05-24)
- `.lan` + own-DNS path: verified end-to-end (apex/auth/packwiz/ca.crt/mirror
all 200, minecraft healthy).
- mDNS publish mechanism: verified reaching host avahi; full green-light blocked
on this dev box only by its 38 docker bridges (allow-interfaces fixes it).

View File

@@ -7,40 +7,111 @@ Production host for the Ulicraft stack.
| Host | `cochi` (SSH alias) |
| Path | `/home/ubuntu/mc/ulicraft-server-v1` |
| Branch | `main` |
| Run mode | `online` (compose files: `docker-compose.yml` + `docker-compose.static.yml`) |
| Auth | Drasl (base stack — no Blessing Skin override) |
| Restart | **hard** (`compose down``build-stack.sh --up`) — brief full downtime |
| Compose | single `docker-compose.yml` (no overrides) |
| Auth | Drasl (password login) |
| Ingress | host nginx (Let's Encrypt TLS) → caddy → services (see 15-letsencrypt.md) |
| Restart | **hard** (`compose down``compose up --build`) — brief full downtime |
## Routine redeploy
```bash
ssh cochi
cd /home/ubuntu/mc/ulicraft-server-v1
git pull --ff-only
# hard restart: tear the stack down, then bring it back up (renders configs first)
docker compose -f docker-compose.yml -f docker-compose.static.yml down --remove-orphans
tooling/build-stack.sh --up online
```
`update-all.sh` (repo root) is the **single source of truth** for the post-pull
build + restart steps. Run it AFTER a `git pull` (it never pulls or pushes).
Strict halt on any error — never a partial deploy.
Or as a one-shot from your workstation:
Two modes:
- `./update-all.sh`**rolling**: `docker compose up -d --build`, then restart
ONLY the services whose mounted inputs changed since a pre-run snapshot
(drasl/nmsr on a config re-render, minecraft on a mod change). Minimal
downtime. Does **not** detect caddy static-conf (`caddy/conf.d/*.caddy`)
changes — apply those with a **recreate**, not a reload/restart (see gotcha
below): `docker compose up -d --force-recreate caddy` (no world downtime), or
`--hard` for a full redeploy.
> **Caddy conf bind mounts are inode-pinned — recreate, don't reload.** Each
> `caddy/conf.d/*.caddy` is a *single-file* bind mount, which Docker pins to
> the host file's inode at container creation. `git pull` rewrites a tracked
> file via atomic rename = a NEW inode, so the running container keeps the OLD
> config. `docker compose restart caddy` and `caddy reload` reuse the same
> container → same stale inode → no effect. Only re-creating the container
> (`up -d --force-recreate caddy`, or the `--hard` down/up) re-resolves the
> mount. Verify: `docker compose exec caddy cat /etc/caddy/conf.d/<file>`.
- `./update-all.sh --hard` — `docker compose down --remove-orphans && up -d
--build`. Full restart (Minecraft world downtime); picks up everything.
One-shot full redeploy from your workstation (the `deploy` skill does exactly
this):
```bash
ssh cochi 'set -e
cd /home/ubuntu/mc/ulicraft-server-v1
git pull --ff-only
docker compose -f docker-compose.yml -f docker-compose.static.yml down --remove-orphans
tooling/build-stack.sh --up online'
tooling/fetch-authlib.sh # ensure authlib jar (rarely changes; NOT in update-all)
./update-all.sh --hard'
```
`build-stack.sh --up online` runs preflight (checks `.env`), `render-config.sh`
(which renders configs + `render-pack.sh` for the packwiz pack), then
`docker compose ... up -d` with the online file set.
Everyday landing/config tweak (no world downtime):
```bash
ssh cochi 'cd /home/ubuntu/mc/ulicraft-server-v1 && git pull --ff-only && ./update-all.sh'
```
> **Same inode trap for `filestash/config.json`.** It is a single-file bind mount
> *and* it is re-rendered on every `update-all.sh` run, so a **rolling** update
> after any `FILES_*` change (rotating the shared password, flipping
> `FILES_AUTH`) leaves filestash reading the stale inode. Apply with
> `docker compose up -d --force-recreate filestash`. `--hard` is unaffected.
> Also: never run `docker compose up` on the host without rendering first — a
> missing `filestash/config.json` makes Docker create a **directory** at that
> path. See `plan/20-files.md`.
Steps `update-all.sh` runs, in order: `render-config.sh` (drasl/nmsr/filestash
from `.env`; halts on a bad `REGISTRATION_MODE`, a bad `FILES_AUTH`, or a
`FILES_PASSWORD_HASH` in a format the htpasswd plugin can't verify) →
`sync-server-mods.sh` (mirror the
`both`/`server` subset from `mods-sides.json` out of `$DISTRIBUTION_WEB_ROOT`
into `./server-mods`) → `build-modlist.py` (regen landing `mods.json` + logos;
**run under `python>=3.11`** — cochi's default `python3` is 3.10, but
`python3.11` is installed and the script auto-selects it) → landing `pnpm build`
(sources nvm + `.env`, never `npm`) → docker compose. `$DISTRIBUTION_WEB_ROOT`
must resolve on the host (it also backs the caddy `distribution.` mount).
### Landing site + mod list (generated, not in git)
Both the static site `www/` AND the landing `mods.json` are gitignored — a `git
pull` never updates them. `update-all.sh` regenerates both every run
(`mods.json` via `build-modlist.py`, `www/` via `pnpm build`). A flag-only
`REGISTRATION_MODE` change just needs a rolling `./update-all.sh`: it rebuilds
`www/` (bakes the invite-field on/off) and restarts `drasl` only if
`render-config.sh` changed its config (Drasl's `RequireInvite`/CORS/RateLimit) —
no world downtime.
## Host-local divergence on `cochi` — RESOLVED (verified 2026-07-14)
**There are no longer any tracked modifications on the host.** `git diff HEAD`
is empty; `git pull --ff-only` fast-forwards cleanly (confirmed on the filestash
deploy). The old divergence — `docker-compose.yml` forced `http`→`https`,
`landing/package.json`, `landing/pnpm-workspace.yaml` — has been converged into
the repo. The stashpullpop dance previously documented here is **no longer
needed**.
What remains on the host is **untracked only**, so it never blocks a pull:
- `dnsmasq/`, `caddy/caddy-root-ca.crt` — internal DNS + private CA so containers
resolve/trust `https://auth.` etc. Host-local infra, deliberately not in git.
- `pack/` — **stale leftover** from the packwiz era (packwiz was removed; see
`04-mods.md`). Nothing reads it. Safe to delete.
Still true, and worth keeping: never `git reset --hard` or discard on the host
without confirming first, and re-check `git status` there before any deploy that
touches tracked files — a *new* host-local edit would reintroduce the abort.
## What survives a hard restart
Named volumes persist — world and auth data are safe:
- `mc_data` — world + installed NeoForge/mods
- `drasl_state` — Drasl accounts/skins
- `kuma_data` — Uptime Kuma config/history
- `backups/` — mc-backup snapshots
`down` removes **containers**, not volumes. Players are disconnected during the
@@ -49,22 +120,35 @@ restart (a few minutes); they reconnect once `minecraft` is healthy again.
## Prerequisites (one-time, on `cochi`)
- SSH access as the `cochi` alias.
- `.env` present and complete: `BASE_DOMAIN`, `HOST_LAN_IP`, `RCON_PASSWORD`
(`render-config.sh` halts on any unset var, even in online mode).
- Docker + compose plugin, `packwiz`, `envsubst`, `git`.
- **First deploy only** — heavy online prep (fetch launcher, pre-bake the server
volume, etc.):
```bash
tooling/build-stack.sh --prep
```
Not needed for routine redeploys; `--up` alone re-syncs the pack and configs.
- `.env` present and complete: `BASE_DOMAIN`, `RCON_PASSWORD`, `CADDY_HTTP_PORT`,
`CADDY_HTTP_BIND`, `DISTRIBUTION_WEB_ROOT`, `REGISTRATION_MODE` (`invite`|`open`,
defaults `invite`), the `FILES_*` block (`plan/20-files.md`), and the Let's
Encrypt block. `render-config.sh` halts on an unset `BASE_DOMAIN`, an invalid
`REGISTRATION_MODE`/`FILES_AUTH`, or a `FILES_PASSWORD_HASH` the htpasswd
plugin can't verify.
> **A missing `FILES_*` var takes the WHOLE stack down, not just filestash.**
> The compose service uses `${FILES_DATA_DIR:?}` / `${FILES_LOCAL_SECRET:?}`
> guards, and compose fails the entire file on an unset required var — so
> `up` starts *nothing*, and a `--hard` deploy has already run `down`. Check
> `.env` on the host **before** deploying a commit that adds a guarded service.
- Docker + compose plugin, `envsubst`, `jq` (used by `sync-server-mods.sh`;
falls back to `python3` if absent), `git`.
- Host nginx + Let's Encrypt certs installed once — see `15-letsencrypt.md`.
- **First deploy only** — online prep (build landing, fetch launcher, fetch
authlib into `runtime/`). Not needed for routine redeploys.
## Verify
```bash
docker compose -f docker-compose.yml -f docker-compose.static.yml ps
docker compose -f docker-compose.yml -f docker-compose.static.yml logs -f minecraft # watch for "Done"
curl -fsS "http://auth.$(grep '^BASE_DOMAIN=' .env | cut -d= -f2)/" >/dev/null && echo "auth ok"
docker compose ps # caddy drasl minecraft mc-backup nmsr mc-status uptime-kuma filestash
# self-hosted live status feed (plan/15-mc-status.md):
curl -fsS "https://$(grep '^BASE_DOMAIN=' .env | cut -d= -f2)/api/mcstatus/v2/status/java/$(grep '^BASE_DOMAIN=' .env | cut -d= -f2)" | jq .online
# server ready — match the full marker, not a bare "Done" (that also hits mod-load lines)
docker compose logs -f minecraft | grep -m1 'Done ([0-9.]*s)! For help'
curl -fsS "https://auth.$(grep '^BASE_DOMAIN=' .env | cut -d= -f2)/" >/dev/null && echo "auth ok"
# files. — 200 = live; anonymous API must be REFUSED (auth is on)
curl -s -o /dev/null -w 'files: %{http_code}\n' "https://files.$(grep '^BASE_DOMAIN=' .env | cut -d= -f2)/"
curl -s -H 'X-Requested-With: XmlHttpRequest' "https://files.$(grep '^BASE_DOMAIN=' .env | cut -d= -f2)/api/session" # want "Not authorised"
```
## Rollback
@@ -72,15 +156,14 @@ curl -fsS "http://auth.$(grep '^BASE_DOMAIN=' .env | cut -d= -f2)/" >/dev/null &
```bash
git log --oneline -5 # find the last-good commit
git checkout <sha> # or: git reset --hard <sha>
docker compose -f docker-compose.yml -f docker-compose.static.yml down --remove-orphans
tooling/build-stack.sh --up online
docker compose down --remove-orphans
docker compose up -d --build
```
## Notes
- **Online mode needs internet** on `cochi` at restart (no air-gap mirror): the
server installs NeoForge + mods over the network. For an internet-less deploy,
switch to `airgap` (needs `--prep` first) — see `plan/13-dns-and-run-modes.md`.
- Switching to the **Blessing Skin** auth variant changes the file set to
`-f docker-compose.yml -f docker-compose.blessingskin.yml` (see
`plan/03b-blessing-skin.md`); update the `down`/`up` commands accordingly.
- Production needs internet on `cochi` at restart: the server installs/re-syncs
NeoForge + mods over the network.
- All ingress goes through host nginx → caddy. After a redeploy, nginx config is
unchanged; only re-run `tooling/render-nginx.sh --install` if `BASE_DOMAIN` /
`CADDY_HTTP_PORT` changed (see `15-letsencrypt.md`).

View File

@@ -0,0 +1,123 @@
# Drasl Web UI Customization
> How far you can reskin Drasl's web frontend, and what it costs.
> Source repo: <https://github.com/unmojang/drasl> · config docs:
> <https://github.com/unmojang/drasl/blob/master/doc/configuration.md>
## TL;DR
Drasl has **no theme/plugin system**. You get three tiers, increasing effort:
1. **Config knobs** (runtime, trivial) — rename instance, toggle footer / 3D bg.
2. **Static-asset override** (mount, easy) — swap `style.css`, `logo.svg`, `icon.png`.
3. **Template / fork** (build, heavy) — edit `view/*.tmpl`, rebuild the image.
For a "very noob-friendly UI" the realistic win is **tier 2** (reskin CSS + logo)
plus a **dead-simple guide page on the landing site** that walks guests through
register → login → upload skin, screenshots included. Drasl's own pages stay the
backend; the landing page is where you make it friendly.
---
## Tier 1 — Config knobs (config.toml)
Live in `drasl/config/config.toml.tmpl`. Already rendered into the container at
`/etc/drasl/config.toml`. No rebuild — just `docker compose restart drasl`.
| Option | Default | Effect |
|--------|---------|--------|
| `InstanceName` | `"Drasl"` | Site name shown in header/title. Set to `"Ulicraft Accounts"`. |
| `ApplicationOwner` | `"Anonymous"` | Owner label (already `"Ulicraft"`). |
| `EnableBackgroundEffect` | `true` | 3D animated background. Off = cleaner/faster. |
| `EnableFooter` | `true` | Footer block. |
| `EnableWebFrontEnd` | `true` | Master switch for the whole web UI. |
Low effort, low ceiling. Does **not** change layout, colors, or copy.
---
## Tier 2 — Static-asset override (CSS + logo) ← recommended
Drasl serves static files from **`DataDirectory`** (default `/usr/share/drasl`).
The shipped assets live in the image's `public/`:
- `style.css` — primary stylesheet (all colors/spacing/theme)
- `logo.svg` — header logo
- `icon.png` — favicon
- `openid-logo.svg` — OIDC button icon (unused here, no OIDC)
### Plan
1. Pull the upstream `style.css` as a baseline:
<https://raw.githubusercontent.com/unmojang/drasl/master/public/style.css>
2. Create `drasl/public/` in this repo. Drop in your edited `style.css`,
`logo.svg`, `icon.png`.
3. Bind-mount over the container's asset dir in `docker-compose.yml`:
```yaml
drasl:
volumes:
- ./drasl/config:/etc/drasl:ro
- ./drasl/public:/usr/share/drasl/public:ro # <-- add
- drasl_state:/var/lib/drasl
```
⚠ **Verify the exact in-container path first** — assets may sit at
`/usr/share/drasl/public/` or directly under `/usr/share/drasl/`. Check:
```bash
docker compose exec drasl sh -c 'find /usr/share/drasl -name style.css'
```
Mount to match whatever that prints. Mount the *directory*, not the single
file, so the logo/icon ride along.
4. `docker compose up -d drasl`. Hard-refresh browser (CSS cache).
Ceiling: full restyle of existing pages — colors, fonts, button sizes, hide
clutter, big friendly upload button. Cannot add/remove page elements or reword
text (that's the templates → tier 3).
---
## Tier 3 — Templates / fork (heavy)
Page structure + copy live in Go templates `view/*.tmpl`, **embedded into the
binary at build time** (Go `embed.FS`) — not overridable by mounting. Files:
```
root.tmpl user.tmpl player.tmpl registration.tmpl
complete-registration.tmpl challenge.tmpl admin.tmpl
layout.tmpl header.tmpl footer.tmpl error.tmpl
```
To change them you must **fork + rebuild**:
1. Fork `unmojang/drasl`.
2. Edit `view/*.tmpl` (reword, restructure, add help text/links).
3. Build a custom image, push to your registry (or build locally).
4. Point `image:` in compose at your fork.
Maintenance cost: you now track upstream and rebase on releases. Only worth it
if tier 2 + landing-page guide aren't enough.
Alternative to forking: **build a thin custom frontend** that talks to Drasl's
HTTP API (see `api.go`) for the one flow guests care about (login + skin
upload), hosted at e.g. `${BASE_DOMAIN}/skins`. More code, but total UI control
and no upstream coupling. Overkill for 410 friends.
---
## Recommended path for Ulicraft
1. **Tier 1**: `InstanceName = "Ulicraft Accounts"`, decide on bg/footer.
2. **Tier 2**: reskin `style.css` to match the landing page, swap logo + favicon.
3. **Landing-page guide**: add a `/skins` (or `/help`) page on the apex landing
site — numbered steps + screenshots: register at `auth.`, log in, upload skin,
done. This is what actually makes it noob-friendly; Drasl stays the plumbing.
4. Skip tier 3 unless a specific page is confusing enough to justify a fork.
## Related
- Skin/cape config flags: see `plan/03-drasl.md` and CLAUDE.md gotchas.
- `AllowTextureFromURL = true` lets guests paste a skin URL (e.g. from a skin
site) instead of uploading a file — friendlier for non-technical users.

Some files were not shown because too many files have changed in this diff Show More