Files
ulicraft-server-v1/plan/03-drasl.md
Oier Bravo Urtasun cfd60131fb fix(landing): https + correct subdomains, drop dead CA-cert step
The guest landing page advertised http:// service URLs (mixed-content on the
https origin) and the wrong packwiz subdomain:
- authUrl / authlibUrl: http -> https
- packwizUrl: http://packwiz. -> https://pack.  (correct vhost)
- serverAddress: mc. -> apex (connect to ${BASE_DOMAIN}:25565)
- remove caCertUrl + the "trust the local CA" join step (airgap-only, /ca.crt
  no longer exists) and its en/es/eu i18n strings + type.

Also fix the stale http BaseURL example in plan/03-drasl.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 02:56:59 +02:00

2.1 KiB

Drasl — self-hosted auth (Yggdrasil + skins)

Summary

Self-hosted, Yggdrasil-compatible auth + skin server. Drop-in Mojang replacement via authlib-injector. Image: unmojang/drasl:latest. Reached only through Caddy at auth.ulicraft.net; no host port.

OIDC/Keycloak is OUT for now — drasl runs in password-login mode (AllowPasswordLogin = true). Admin + guests register with a username/password on the drasl web UI. Re-introducing Keycloak OIDC later is a future task.

Config is TOML only (no env var support). So config.toml is rendered from config.toml.tmpl by tooling/render-config.sh to inject BASE_DOMAIN.

config.toml.tmpl (key fields)

BaseURL       = "https://auth.${BASE_DOMAIN}"   # public scheme is HTTPS (nginx TLS)
Domain        = "auth.${BASE_DOMAIN}"
ListenAddress = "0.0.0.0:25585"          # internal; Caddy proxies
DefaultAdminUsernames = ["admin"]

AllowPasswordLogin = true

[ApplicationOwner]
# ...

# OIDC block intentionally omitted for now (no Keycloak).
# [[RegistrationOIDC]]  ← future

Critical gotchas (carry-over)

  • 1.21+ secure profile: drasl SignPublicKeys = false MUST pair with server ENFORCE_SECURE_PROFILE=FALSE. Linked — both or neither.
  • authlib endpoint = BaseURL + /authlib-injectorhttp://auth.ulicraft.net/authlib-injector. Must match on server and client. Network alias makes this identical inside/outside the stack.
  • Domain affects skins — if wrong, authlib clients may not see skins.

Tasks

  • Create drasl/config/config.toml.tmpl (password-login, no OIDC block)
  • Set BaseURL/Domain to auth.${BASE_DOMAIN}, ListenAddress 0.0.0.0:25585
  • Set SignPublicKeys = false
  • Wire render-config.shdrasl/config/config.toml (gitignored)
  • Remove drasl host port from compose (internal only)
  • Update compose: drasl on mcnet, no 25585:25585 publish
  • Bootstrap admin account on first run; create guest accounts
  • Verify authlib endpoint responds through Caddy
  • Future: re-add [[RegistrationOIDC]] Keycloak block + secret file