# Drasl config — password-login mode (NO Keycloak/OIDC for now). # TOML only (drasl has no env support). Rendered by tooling/render-config.sh # -> drasl/config/config.toml (gitignored). Substitutes ${BASE_DOMAIN} and # ${REGISTRATION_REQUIRE_INVITE} (derived from REGISTRATION_MODE in .env). # Reached only via Caddy at auth.${BASE_DOMAIN}; drasl has no published host port. # Public scheme is HTTPS — the host nginx terminates TLS in front of caddy. # Drasl builds absolute URLs (textures, authlib-injector API location) from this; # an http:// value triggers mixed-content + broken login on the https origin. BaseURL = "https://auth.${BASE_DOMAIN}" Domain = "auth.${BASE_DOMAIN}" ListenAddress = "0.0.0.0:25585" # internal; Caddy reverse-proxies to it DefaultAdmins = ["admin"] # Password login: admin + guests register a username/password on the web UI. AllowPasswordLogin = true # 1.21+ secure-profile fix: MUST pair with server ENFORCE_SECURE_PROFILE=FALSE. # Both or neither — mixed auth breaks on MC 1.21+ with SignPublicKeys = true. SignPublicKeys = false # Free-text owner label shown in the web UI (a string, not a table). ApplicationOwner = "Ulicraft" # CORS: the landing register/account form (served from the apex) calls the # Drasl API from the browser. Without this the API has NO CORS headers and the # browser blocks every cross-origin call. Scope to the apex only — never "*", # which would let any site script the auth API. Echo backfills AllowMethods # (incl. PATCH/DELETE) and reflects requested headers (Content-Type/Authorization). # MUST stay top-level (before any [Section]) — under a table it parses as # .CORSAllowOrigins and drasl ignores it (silent: no CORS headers). CORSAllowOrigins = ["https://${BASE_DOMAIN}"] # New-account registration (username+password). RequireInvite is derived from # REGISTRATION_MODE in .env by render-config.sh: invite -> true, open -> false. # When true, non-admin callers (web UI + landing register form) must supply a # valid invite code; admins bypass. Mint codes via POST /drasl/api/v2/invites # with an admin api token. [RegistrationNewPlayer] Allow = true RequireInvite = ${REGISTRATION_REQUIRE_INVITE} # Rate limit the now public-facing API (anonymous POST /users etc). Token # bucket; admins are exempt. Conservative for a 4-10 player server. [RateLimit] RequestsPerSecond = 5 Burst = 10 # OIDC block intentionally omitted for now (no Keycloak). # [[RegistrationOIDC]] <- future task