From 113888b22b5211895b79051f9f92bb5845c0c2ee Mon Sep 17 00:00:00 2001 From: Jet Pham Date: Sat, 14 Mar 2026 14:28:27 -0700 Subject: [PATCH 1/4] feat: add terms and privacy page --- privacy.txt | 45 +++++++++++++++++++++++++++++++++++++++++++++ terms.txt | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 privacy.txt create mode 100644 terms.txt diff --git a/privacy.txt b/privacy.txt new file mode 100644 index 0000000..6c39b2a --- /dev/null +++ b/privacy.txt 
@@ -0,0 +1,45 @@
+compsigh Minecraft — Privacy Policy
+
+Last updated: 2026-03-14
+
+1. What We Collect
+ - Minecraft username and UUID (required to join the server)
+ - Discord username and user ID (used for chat bridging and admin
+ commands)
+ - Chat messages sent in-game and in the bridged Discord channel
+ (relayed between platforms in real time)
+ - In-game actions (block placement, breakage, chest access, etc.)
+ logged by the Ledger mod for grief prevention
+ - Server logs (connection IPs, join/leave times, errors)
+
+2. How Data Is Used
+ - Chat messages are bridged between Minecraft and Discord and are
+ visible in both platforms.
+ - Action logs are used solely for grief investigation and rollback.
+ - Server logs are used for debugging and moderation.
+ - Admin Discord user IDs are stored in the bot configuration to
+ control who can run server commands from Discord.
+
+3. Data Storage
+ - World data and action logs are stored on the server and backed up
+ to Backblaze B2 cloud storage.
+ - Chat messages are stored by Discord per their own retention
+ policies. The server does not independently archive chat.
+ - Server logs are stored on the server and rotate automatically.
+
+4. Data Sharing
+ We do not sell, share, or provide your data to any third party.
+ Backblaze B2 is used solely for encrypted backup storage.
+
+5. Data Retention
+ - World backups are retained per our Backblaze B2 lifecycle policy.
+ - Server logs are retained for up to 30 days.
+ - In-game action logs persist in the world data indefinitely.
+
+6. Your Rights
+ You may request to see what data we have about you or ask for its
+ deletion by contacting a server admin on Discord. Deleting your
+ data may require removing you from the whitelist.
+
+7. Contact
+ For privacy questions, reach out to a server admin on Discord.
diff --git a/terms.txt b/terms.txt new file mode 100644
index 0000000..dcbde9b
--- /dev/null
+++ b/terms.txt
@@ -0,0 +1,32 @@ +compsigh Minecraft — Terms of Service + +Last updated: 2026-03-14 + +1. Acceptance + By joining the compsigh Minecraft server or interacting with the + compsigh Minecraft Discord bot, you agree to these terms and the + compsigh Code of Conduct: https://compsigh.club/docs/code-of-conduct + +2. Minecraft Server Rules + In addition to the compsigh Code of Conduct: + - No griefing, cheating, or exploiting. + - Server admins reserve the right to ban players at their discretion. + +3. Access + The server is whitelist-only. Access may be granted or revoked at + any time without notice. + +4. Availability + The server is provided as-is with no uptime guarantees. It may go + offline for maintenance, updates, or any other reason. + +5. Data + See our Privacy Policy for details on what data is collected and how + it is used. + +6. Changes + These terms may be updated at any time. Continued use of the server + constitutes acceptance of any changes. + +7. Contact + For questions, reach out to a server admin on Discord. From 7576c1636e00f588952d3c738679725d682be44c Mon Sep 17 00:00:00 2001 From: Jet Pham Date: Sat, 14 Mar 2026 14:28:27 -0700 Subject: [PATCH 2/4] feat: add sead and icon and mod changes --- agenix.nix | 6 ++++++ modules/caddy.nix | 2 ++ modules/discord.nix | 6 ++++++ modules/minecraft.nix | 28 +++++++++++++++++++++++----- secrets/minecraft-seed.age | Bin 0 -> 367 bytes secrets/secrets.nix | 1 + server-icon.png | Bin 0 -> 601 bytes 7 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 secrets/minecraft-seed.age create mode 100644 server-icon.png diff --git a/agenix.nix b/agenix.nix index c0aba61..0c70114 100644 --- a/agenix.nix +++ b/agenix.nix @@ -38,4 +38,10 @@ group = "grafana"; mode = "0400"; }; + + age.secrets.minecraft-seed = { + file = ./secrets/minecraft-seed.age; + owner = "root"; + mode = "0400"; + }; } diff --git a/modules/caddy.nix b/modules/caddy.nix index 5d240dc..6c26b2c 100644 --- a/modules/caddy.nix 
+++ b/modules/caddy.nix @@ -12,6 +12,8 @@ in # minecraft.compsigh.club → redirect to git repo "${domain}" = { extraConfig = '' + redir /terms ${gitRepo}/blob/main/terms.txt permanent + redir /privacy ${gitRepo}/blob/main/privacy.txt permanent redir ${gitRepo} permanent ''; }; diff --git a/modules/discord.nix b/modules/discord.nix index 59ffa8d..6ed876b 100644 --- a/modules/discord.nix +++ b/modules/discord.nix @@ -27,11 +27,17 @@ in "channelId": "1482486447591391285", "consoleLogChannelId": "1482487413153464330", "useWebhook": true, + "updateChannelTopic": true, + "channelTopicUpdateInterval": 300000, + "allowedMentions": ["users", "roles"], + "broadcastPlayerCommandExecution": false, "announceServerStartStop": true, "announcePlayerJoinLeave": true, "announceDeathMessages": true, "announceAdvancements": true, "broadcastChatMessages": true, + "notifyUpdates": false, + "mentionAdminsForUpdates": false, "adminsIds": [ "1008533670426050704", "839601350865584158", diff --git a/modules/minecraft.nix b/modules/minecraft.nix index 034d2b9..6770ba6 100644 --- a/modules/minecraft.nix +++ b/modules/minecraft.nix @@ -51,10 +51,12 @@ let # QoL "oneplayersleep" "netherportalfix" + "blossomlib" + "blossomtpa" + "double-shulker-shell-drops" + "afkplus" # Moderation - "luckperms" - "banhammer" "ledger" "styled-chat" @@ -103,15 +105,19 @@ in MEMORY = "2560M"; MAX_PLAYERS = "10"; DIFFICULTY = "hard"; + PVP = "FALSE"; VIEW_DISTANCE = "10"; SIMULATION_DISTANCE = "10"; ENABLE_WHITELIST = "TRUE"; ENFORCE_WHITELIST = "TRUE"; WHITELIST = "jetpham"; - MOTD = "meet cool people \\u0026\\u0026 build cool things"; + OPS = "jetpham"; + MOTD = "meet cool people \\u00A7e\\u0026\\u0026\\u00A7r build cool things"; + OVERRIDE_ICON = "TRUE"; MODRINTH_PROJECTS = modrinthMods; JVM_XX_OPTS = jvmFlags; }; + environmentFiles = [ "/run/minecraft-seed.env" ]; extraOptions = [ "--memory=3g" "--cpus=2" 
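Review bot: In modules/discord.nix the new `"allowedMentions": ["users", "roles"]` sits next to `"broadcastChatMessages": true`, so text typed in-game may be able to ping whole Discord roles through the bridge. Assuming the bridge treats this list as the mention types it will honour when relaying chat, any whitelisted player could notify every member of a role. Unless role pings from Minecraft are wanted, I would narrow it to `"allowedMentions": ["users"]`, or add a comment saying why roles are needed.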
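Review bot: The `# Moderation` group in modules/minecraft.nix is left with only `ledger` and `styled-chat`, while the same hunk adds player-facing command mods (`blossomtpa`, `afkplus`) and a single hard-coded `OPS = "jetpham"`. Nothing visible here says what now decides who may run which command or how bans are issued, and terms.txt from patch 1 still promises admin bans. A one-line comment above the group stating the intended replacement (for example vanilla op levels and the built-in ban commands, if that is the plan) would make the permission model reviewable. The mod list starts and ends outside this hunk, so another permissions mod may be present that I cannot see.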
@@ -126,14 +132,26 @@ in "d ${mcDataDir} 0755 root root -" ]; - # Copy Chunky config (concurrency: 1 for background generation) + # Write seed env file and copy mod configs before container starts systemd.services.minecraft-mod-configs = { - description = "Copy mod configs into Minecraft data volume"; + description = "Set up mod configs and seed for Minecraft container"; wantedBy = [ "multi-user.target" ]; before = [ "docker-minecraft.service" ]; + after = [ "agenix.service" ]; serviceConfig = { Type = "oneshot"; ExecStart = pkgs.writeShellScript "setup-mod-configs" '' + set -euo pipefail + + # Write seed from agenix secret + SEED=$(cat ${config.age.secrets.minecraft-seed.path}) + printf 'SEED=%s\n' "$SEED" > /run/minecraft-seed.env + chmod 600 /run/minecraft-seed.env + + # Server icon + cp ${../server-icon.png} ${mcDataDir}/server-icon.png + + # Mod configs mkdir -p ${mcDataDir}/plugins/Chunky cp ${../configs/chunky.yml} ${mcDataDir}/plugins/Chunky/config.yml diff --git a/secrets/minecraft-seed.age b/secrets/minecraft-seed.age new file mode 100644 index 0000000000000000000000000000000000000000..450536e87bc17db0eea0b9908846eab2a6c50cab GIT binary patch literal 367 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT)@XjbHb5ux9EDfk~ zN(u`1PcI2gjqoY0@-j^ebdNB1PP8lt^)(7gDRVOOElAHaDCaWvD9?5`3@LUliYzFK zbSh7^Oiwn>F}1Wz&2qJ{aEkPCPEI!oa!&C!_e8fXDzn@?v0TA1qQoyJrz||tEhNRm zGuvC=upIV#x5%s(tOD3Ytl$I&7w)Ze%$)3UTQJvT!?!^k+& zRo^&A+te?^BErWgBBjDLvCzyr)R9Y9S689HusAB&I78b}KgGEyrK&8X$RgFZJ?582CcdY*$(zM#;!E@s!kN$VNONs9{PMp&CPLa2J(b)=yJ^Wt-=56TP0|29- BhL`{V literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 699f013..6047b84 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -9,4 +9,5 @@ in "b2-application-key.age".publicKeys = [ server admin ]; "grafana-admin-password.age".publicKeys = [ server admin ]; "grafana-secret-key.age".publicKeys = [ server admin ]; + "minecraft-seed.age".publicKeys = [ server admin ]; } 
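Review bot: The setup script creates `/run/minecraft-seed.env` with the shell's default umask and only afterwards runs `chmod 600`, so the file briefly exists with whatever mode the redirect produced; putting `umask 077` before the `printf` closes that window. Separately, `after = [ "agenix.service" ]` may not order anything: as far as I know agenix decrypts during system activation rather than in a unit of that name, so confirm the unit exists on this host. The seed also lands in the container environment through `environmentFiles`, where anyone able to inspect the container can read it, which is worth a comment if the seed is meant to stay secret. The `ExecStart` script continues past the end of this hunk.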
diff --git a/server-icon.png b/server-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..f7a6e7d5035a68fa3f06a1cb4e702b206ed2e055 GIT binary patch literal 601 zcmeAS@N?(olHy`uVBq!ia0y~yU~m9o4rT@hhPm4t-!L#RC?tCX`7$t6sWC7#v@kII zVqjosc)`F>YQVtoDuIE)Y6b&?c)^@qfi?^b41obYA+Bt!tf3~X_j?&@d|A#mGOf;L zF7aTw-^1vj&Z;WTYNEjEqQyEli8kMmT*&6 zJ2ln}2bP%$%>V!YXUQ(Tz`(%3nB?v5B2}9H#E5}`fwRCPvY3H^TNs2H8D`CqU|?Wi zFY)wsWq-xYC&nszr8M9)0|SFRdP{kVo554k%5t!u7RtZ+seSepaHj`Br`X)xFj*R09}u% zm60JtkM>$2aRvs4GoCJvArXh)PV?kzHV|Mrx$ph&|Ms)8I;Y97Ym4j21&JT-S$UXa z>s^!juAYQDi=HcTsy*Oeu3Hzbzbk?5mPPxX<+G}835PCV)J@>btYwY5zM=7v0W-(0 zw(YD}@7`~0m-OAxzGp?^s Date: Sat, 14 Mar 2026 14:28:27 -0700 Subject: [PATCH 3/4] feat: add bootstrap config for initial ssh configuation --- configuration.nix | 10 ---------- flake.nix | 45 ++++++++++++++++++++++++++++++++------------- 2 files changed, 32 insertions(+), 23 deletions(-) diff --git a/configuration.nix b/configuration.nix index 960006b..df9f72c 100644 --- a/configuration.nix +++ b/configuration.nix @@ -42,16 +42,6 @@ htop tmux rsync - - (writeShellScriptBin "mc-whitelist" '' - docker exec minecraft rcon-cli whitelist add "$1" - '') - (writeShellScriptBin "mc-cmd" '' - docker exec minecraft rcon-cli "$@" - '') - (writeShellScriptBin "mc-logs" '' - docker logs --tail "''${1:-100}" -f minecraft - '') ]; users.users.root.openssh.authorizedKeys.keys = [ diff --git a/flake.nix b/flake.nix index 1056b73..877b947 100644 --- a/flake.nix +++ b/flake.nix 
@@ -17,19 +17,25 @@ let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; - serverHost = "root@compsigh-minecraft"; - deploy = pkgs.writeShellScriptBin "nhs" '' nh os switch --hostname compsigh-minecraft --target-host root@compsigh-minecraft path:. "$@" ''; - mcWhitelist = pkgs.writeShellScriptBin "mc-whitelist" '' - ssh ${serverHost} "docker exec minecraft rcon-cli whitelist add $1" - ''; - mcCmd = pkgs.writeShellScriptBin "mc-cmd" '' - ssh ${serverHost} "docker exec minecraft rcon-cli $*" - ''; mcLogs = pkgs.writeShellScriptBin "mc-logs" '' - ssh ${serverHost} "docker logs --tail ''${1:-100} -f minecraft" + ssh root@compsigh-minecraft "docker logs --tail ''${1:-100} -f minecraft" + ''; + bootstrap = pkgs.writeShellScriptBin "mc-bootstrap" '' + set -euo pipefail + IP="''${1:?Usage: mc-bootstrap }" + echo "==> Installing NixOS (bootstrap config with port 22 open)..." + nix run github:nix-community/nixos-anywhere -- --flake path:.#compsigh-minecraft-bootstrap "root@$IP" + echo "" + echo "==> Removing old host key..." + ssh-keygen -R "$IP" + echo "" + echo "==> Fetching new server host key..." + echo "Run: ssh root@$IP cat /etc/ssh/ssh_host_ed25519_key.pub" + echo "Then update secrets/secrets.nix with the new key and run: agenix -r" + echo "Then run: nhs" ''; in { @@ -44,11 +50,25 @@ ]; }; + # Bootstrap config: opens port 22 on public interface for initial setup + nixosConfigurations.compsigh-minecraft-bootstrap = nixpkgs.lib.nixosSystem { + inherit system; + specialArgs = { inherit inputs; }; + modules = [ + disko.nixosModules.disko + inputs.agenix.nixosModules.default + ./disk-config.nix + ./configuration.nix + { + networking.firewall.allowedTCPPorts = [ 22 ]; + } + ]; + }; + devShells.${system}.default = pkgs.mkShell { packages = [ deploy - mcWhitelist - mcCmd + bootstrap mcLogs pkgs.nh inputs.agenix.packages.${system}.default 
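Review bot: The instructions printed at the end of `mc-bootstrap` have the operator copy the host key from `ssh root@$IP cat /etc/ssh/ssh_host_ed25519_key.pub` right after `ssh-keygen -R "$IP"`, so the key that becomes an agenix recipient in secrets/secrets.nix is trusted on first use with nothing to compare it against. I would add an `echo` telling the operator to check the key fingerprint against the hosting provider's console before running `agenix -r`. The script also runs `nix run github:nix-community/nixos-anywhere` unpinned, so each bootstrap executes whatever that repository's default branch currently holds with root access to the target; pinning it as a flake input or to a fixed revision would make the install reproducible.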
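Review bot: `compsigh-minecraft-bootstrap` opens SSH on the public interface with `networking.firewall.allowedTCPPorts = [ 22 ]` and stays that way until someone runs `nhs`, but the sshd settings it inherits from ./configuration.nix are not visible in this hunk. It is worth confirming that the shared config sets `services.openssh.settings.PasswordAuthentication = false` so the exposed port is key-only. Because the module list reuses ./configuration.nix unchanged, the bootstrap system presumably also pulls in the agenix secrets before the new host key is a recipient, so units that read them may fail on first boot; a comment saying this is expected would save the next operator some debugging.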
@@ -56,9 +76,8 @@ shellHook = '' echo "compsigh minecraft server" + echo " mc-bootstrap — first-time install (mc-bootstrap )" echo " nhs — deploy to server" - echo " mc-whitelist — add a player (mc-whitelist PlayerName)" - echo " mc-cmd — run rcon command (mc-cmd whitelist list)" echo " mc-logs — tail server logs" echo " agenix — manage secrets" ''; From bbf4473659b7de60560045ea226f49def2ac5934 Mon Sep 17 00:00:00 2001 From: Jet Date: Sat, 14 Mar 2026 18:33:50 -0700 Subject: [PATCH 4/4] fix: fix qemu for using hetzner --- configuration.nix | 3 ++- modules/hardening.nix | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/configuration.nix b/configuration.nix index df9f72c..ee25c38 100644 --- a/configuration.nix +++ b/configuration.nix @@ -1,7 +1,8 @@ -{ config, pkgs, inputs, ... }: +{ config, pkgs, inputs, modulesPath, ... }: { imports = [ + (modulesPath + "/profiles/qemu-guest.nix") ./agenix.nix ./modules/minecraft.nix ./modules/hardening.nix diff --git a/modules/hardening.nix b/modules/hardening.nix index 9967e54..9233354 100644 --- a/modules/hardening.nix +++ b/modules/hardening.nix @@ -7,6 +7,7 @@ allowedTCPPorts = [ 80 443 25565 ]; # Caddy HTTP/HTTPS + Minecraft allowedUDPPorts = [ 24454 ]; # Simple Voice Chat trustedInterfaces = [ "tailscale0" ]; # Full access over Tailscale (SSH, etc.) + checkReversePath = "loose"; # Required for Tailscale logRefusedConnections = true; };
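Review bot: In modules/hardening.nix, `checkReversePath = "loose"` relaxes reverse-path filtering for the whole firewall, the public interface included, and the trailing comment `# Required for Tailscale` does not say what breaks under the default. I would expand the comment to name the concrete failure (for example exit-node or subnet-route traffic being dropped, if that is what was observed) and to note that the setting is global rather than scoped to `tailscale0`. The firewall attribute set begins above this hunk.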