s8n/minecraft-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
28 commits 1 branch 0 tags 4.9 MiB
Commit graph

5 commits

Author SHA1 Message Date
s8n
3336f52142 redact: scrub leaked Minecraft secrets from public repo 
Replaced literal values with env-var placeholders (${RCON_PASSWORD},
${MGMT_SECRET}, ${MC_RCON_PASSWORD}) across server.properties,
.rcon-cli.env, docker-compose.yml(s), backup scripts, and AUDIT-2026-05-07.md.

Affected secrets:
- Paper management-server-secret (HIGH; mitigated by management-server-enabled=false)
- RCON password '*redacted*' (MEDIUM; bound to 127.0.0.1)
- MC_RCON_PASSWORD backup-pipeline default fallback (MEDIUM; same blast radius)

WARNING: HEAD redaction only — values remain in git history. Treat as
compromised and rotate (closes F-17 audit-finding's deferred TODO).
Originals backed up to private s8n/secrets/minecraft-server/.
 2026-05-08 15:36:20 +01:00
s8n
2d9c8db2dc audit P0 quick-wins: H2 container hardening, H3 Xmx tuning, H1 staged 
H2 (F-06): cap_drop ALL + minimum cap_add (CHOWN, SETUID, SETGID, FOWNER),
no-new-privileges, deploy.resources.limits.pids=4096. compose config valid.
DAC_OVERRIDE deliberately omitted; re-add only if entrypoint chown fails.

H3 (F-05): Xmx 16384M -> 14336M, MEMORY_SIZE 16G -> 14G. Leaves ~3.5G
headroom for off-heap inside the unchanged 18G container limit. Host has
no spare RAM to raise the cap (other workloads).

H1 (F-02): server-wide gamerule keepInventory true planned but RCON path
for gamerule is broken (F-16) so it's deferred to operator in-game on next
op session. Documented in INTERIM-MITIGATIONS.md with a clear revert
trigger (when AuthLimbo F1+F2+F4 ship).

H4: pre-edit compose backed up to docker-compose.yml.bak-2026-05-07-before-H2H3
(deployed and repo). Restore commands in INTERIM-MITIGATIONS.md.

Live restart deferred: 2 players online (s8n actively restoring YOU500's
gear via /give). H2/H3 go live on next compose recreate.
 2026-05-07 17:51:58 +01:00
s8n-ru
c2974ff599 live config snapshot: shop + auction + ranks + tab restyle 
- Add EzShop + AuctionHouse plugin configs
- ProAntiTab whitelist now includes /shop /ah /balance /msg etc
- TAB groups.yml: customtabname=&7%player%, prefix/suffix no trailing space
- TAB config.yml: yellow-number=&e%statistic_minutes_played%
  (with trailing space), header=racked.ru, footer=tps/ping/coords/etc
- LP groups recreated to match OG: adventurer/settler/lord/baron/
  viscount/earl/marquess/duke (prefix); dev/moderator/admin/owner
  (suffix). Owner inherits duke. s8n + YOU500 opped.
- Login bug squashed via custom auth-limbo plugin (separate repo)
 2026-05-01 11:44:19 +01:00
s8n-ru
6487adaf71 compose: REMOVE_OLD_MODS_EXCLUDE -> AuthLimbo*.jar (plugin renamed) 2026-04-30 19:19:29 +01:00
s8n-ru
0dad38e02e Initial commit: racked.ru Minecraft server config snapshot 
Captures live config state of nullstone Purpur 1.21.11 server:
- docker-compose.yml (itzg/minecraft-server image, MODRINTH_PROJECTS + PLUGINS lists)
- All plugin configs under live-server/plugins/ (no DBs, no jars, no world data)
- Server core: bukkit.yml, spigot.yml, purpur.yml, paper-global.yml, paper-world-defaults.yml, server.properties

Excluded via .gitignore:
- World data (world/, world_nether/, world_the_end/, auth_limbo/)
- Sensitive: AuthMe DB (password hashes), Lands DB, CoreProtect DB, Essentials userdata
- Jars (auto-fetched), logs, caches, .paper-remapped
 2026-04-30 18:33:38 +01:00