diff --git a/configs/easyauth-extended.conf b/configs/easyauth-extended.conf
new file mode 100644
index 0000000..21a7934
--- /dev/null
+++ b/configs/easyauth-extended.conf
@@ -0,0 +1,67 @@
+## ##
+## EasyAuth ##
+## Extended Configuration ##
+## ##
+
+# Block everything for unauthenticated players
+allow-chat = false
+allow-commands = false
+allowed-commands = []
+allow-movement = false
+allow-block-interaction = false
+allow-entity-interaction = false
+allow-block-breaking = false
+allow-entity-attacking = false
+allow-item-dropping = false
+allow-item-moving = false
+allow-item-using = false
+
+# Hide inventory while not logged in
+hide-inventory = true
+
+# Unauthenticated players are invulnerable and ignored by mobs
+player-invulnerable = true
+player-ignored = true
+
+# Rate limit teleportation for unauthed players
+teleportation-timeout-ms = 20
+
+# Command aliases
+aliases {
+ # /l for /login
+ login = true
+ # /reg for /register
+ register = true
+}
+
+# Try to rescue players stuck in portals
+try-portal-rescue = true
+
+# Password length limits
+min-password-length = 6
+max-password-length = 128
+
+# Username validation
+username-regexp = "^[a-zA-Z]{1,16}$"
+
+# No Floodgate
+floodgate-bypass-regex = false
+
+# Prevent same-name kicks
+prevent-another-location-kick = true
+
+# Don't force offline UUIDs (already in offline mode)
+forced-offline-uuid = false
+
+# Don't skip auth
+skip-all-auth-checks = false
+
+# Disallow case-insensitive duplicate usernames
+allow-case-insensitive-username = false
+
+# Prompt to authenticate every 10 seconds
+authentication-prompt-interval = 10
+
+# Log registration and login events
+log-player-registration = true
+log-player-login = true
diff --git a/configs/easyauth-main.conf b/configs/easyauth-main.conf
new file mode 100644
index 0000000..47384a8
--- /dev/null
+++ b/configs/easyauth-main.conf
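Review bot: `username-regexp = "^[a-zA-Z]{1,16}$"` in easyauth-extended.conf accepts letters only, so names containing digits or underscores are rejected, and the comment above it ("Username validation") gives no reason. If the restriction is deliberate, say so in the comment, e.g. `# Letters only (no digits or underscores), 1-16 chars`; if it is not, the character class would be `[a-zA-Z0-9_]`. Separately, `min-password-length = 6` is a low floor for a deployment where, going by the other files in this commit, the EasyAuth password is the only identity check; raising it costs little because passwords are set by an admin.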
@@ -0,0 +1,51 @@
+## ##
+## EasyAuth ##
+## Main Configuration ##
+## ##
+
+# Don't auto-login players with Microsoft accounts — treat everyone the same
+premium-auto-login = false
+
+# All players are offline players
+offline-by-default = true
+
+# No Bedrock auto-login
+floodgate-auto-login = false
+
+# Session timeout: 24 hours (if they reconnect within this time, no re-login needed)
+session-timeout = 86400
+
+# Max login attempts before kick
+max-login-tries = 3
+
+# 5 minutes to authenticate before being kicked
+kick-timeout = 300
+
+# 2 minutes before they can rejoin after being kicked for failed attempts
+reset-login-attempts-timeout = 120
+
+# Registration is disabled for players — admin-only via `auth register `
+# With enable-global-password=true and single-use-global-password=false,
+# the /register command is disabled. Players can only /login with a password set by admin.
+enable-global-password = true
+single-use-global-password = false
+
+# Hide player coordinates during auth (teleport to spawn)
+hide-player-coords = true
+
+# Hide unauthenticated players from everyone (requires Vanish mod)
+vanish-until-auth = true
+
+# Auth spawn location — players teleported here until authenticated
+world-spawn {
+ dimension = "minecraft:overworld"
+ x = -1965
+ y = 167
+ z = 1109
+ yaw = 0
+ pitch = 0
+}
+
+debug = false
+
+config-version = 2
diff --git a/flake.nix b/flake.nix
index 877b947..e4b46e2 100644
--- a/flake.nix
+++ b/flake.nix
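Review bot: `enable-global-password = true` with `single-use-global-password = false` is used here only to switch off `/register`, but nothing in this commit shows where the global password itself is set or whether it is accepted at `/login`. In EasyAuth's global-password mode the shared password may be accepted for any username alongside a per-account one (this is version-dependent and should be confirmed against the installed release), which would make it a master credential for every account. The comment block should record what the deployment relies on, for example `# Global password must stay unset or admin-only: it may be accepted for every account`. `session-timeout = 86400` also deserves a comment: if sessions are matched on client IP, as I believe EasyAuth does, anyone behind the same NAT can reconnect under that name for 24 hours without entering a password.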
@@ -23,6 +23,18 @@ mcLogs = pkgs.writeShellScriptBin "mc-logs" '' ssh root@compsigh-minecraft "docker logs --tail ''${1:-100} -f minecraft" ''; + mcRegister = pkgs.writeShellScriptBin "mc-register" '' + set -euo pipefail + USERNAME="''${1:?Usage: mc-register }" + PASSWORD="''${2:?Usage: mc-register }" + ssh root@compsigh-minecraft "docker exec minecraft rcon-cli auth register $USERNAME $PASSWORD" + ''; + mcUpdatePassword = pkgs.writeShellScriptBin "mc-update-password" '' + set -euo pipefail + USERNAME="''${1:?Usage: mc-update-password }" + PASSWORD="''${2:?Usage: mc-update-password }" + ssh root@compsigh-minecraft "docker exec minecraft rcon-cli auth update $USERNAME $PASSWORD" + ''; bootstrap = pkgs.writeShellScriptBin "mc-bootstrap" '' set -euo pipefail IP="''${1:?Usage: mc-bootstrap }" @@ -70,6 +82,8 @@ deploy bootstrap mcLogs + mcRegister + mcUpdatePassword pkgs.nh inputs.agenix.packages.${system}.default ]; diff --git a/modules/minecraft.nix b/modules/minecraft.nix index fa8d41b..3656099 100644 --- a/modules/minecraft.nix +++ b/modules/minecraft.nix @@ -16,6 +16,11 @@ let "threadtweak" "crashexploitfixer" + # Authentication & skins + "easyauth" + "fabrictailor" + "vanish" + # Anti-cheat "anti-xray" "grimac" @@ -109,10 +114,9 @@ in SIMULATION_DISTANCE = "10"; SPAWN_PROTECTION = "0"; ALLOW_FLIGHT = "TRUE"; - ENABLE_WHITELIST = "TRUE"; - ENFORCE_WHITELIST = "TRUE"; - WHITELIST = "jetpham"; - OPS = "jetpham"; + ENABLE_WHITELIST = "FALSE"; + ENFORCE_WHITELIST = "FALSE"; + ONLINE_MODE = "FALSE"; MOTD = "meet cool people \\u00A76\\u0026\\u0026\\u00A7r build cool things"; OVERRIDE_ICON = "TRUE"; REMOVE_OLD_MODS = "TRUE"; 
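Review bot: In `mcRegister` and `mcUpdatePassword`, `$USERNAME` and `$PASSWORD` are expanded locally inside the double-quoted ssh argument, so the remote root shell re-parses them: a value containing a space, a quote or a shell metacharacter either breaks the command or is interpreted as shell syntax on the host. Taking the password as `$2` also leaves it in shell history and in the process list on both machines. I would validate the username against the same pattern as `username-regexp`, prompt for the password, and send the rcon command on stdin; this assumes `rcon-cli` reads commands from stdin when run without arguments, which should be checked against the image in use. The sketch below changes the calling convention from two arguments to one, and `mcUpdatePassword` needs the same change.

```nix
mcRegister = pkgs.writeShellScriptBin "mc-register" ''
  set -euo pipefail
  USERNAME="''${1:?Usage: mc-register USERNAME}"
  # Same pattern as username-regexp in configs/easyauth-extended.conf.
  [[ "$USERNAME" =~ ^[a-zA-Z]{1,16}$ ]] || { echo "invalid username" >&2; exit 1; }
  # Prompt instead of taking the password from argv (shell history, ps).
  read -rsp "Password for $USERNAME: " PASSWORD; echo
  # Send the command on stdin so neither value is re-parsed by the remote shell.
  printf 'auth register %s %s\n' "$USERNAME" "$PASSWORD" \
    | ssh root@compsigh-minecraft "docker exec -i minecraft rcon-cli"
'';
# … mcUpdatePassword: same body with `auth update` …
```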
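Review bot: With `ONLINE_MODE = "FALSE"` and both whitelist settings switched off in modules/minecraft.nix, the server accepts any claimed username, so the `easyauth` mod added to the mod list earlier in this file becomes the only identity check, including for operator accounts. If that mod fails to download or load, the server would presumably still start, open and unauthenticated, and nothing in this hunk guards against that. At minimum add a comment such as `# Offline mode: identity is enforced only by EasyAuth; do not start without it`, and consider keeping the whitelist enforced as a second check. Removing `OPS` here may not revoke an operator entry already written to the data directory, which is worth confirming now that names are unverified. The attribute set continues outside the hunk.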
@@ -151,6 +155,9 @@ in
 cp ${../server-icon.png} ${mcDataDir}/server-icon.png
 mkdir -p ${mcDataDir}/config
 cp ${../configs/anti-xray.toml} ${mcDataDir}/config/anti-xray.toml
+ mkdir -p ${mcDataDir}/config/EasyAuth
+ cp ${../configs/easyauth-main.conf} ${mcDataDir}/config/EasyAuth/main.conf
+ cp ${../configs/easyauth-extended.conf} ${mcDataDir}/config/EasyAuth/extended.conf
 '';
 };
 };