Github setup for hiring configurators?
Intention
Hi, I am running my server off the Ptero panel. I have heard around here a while back that one way to allow configurators to modify ymls without getting access to the entire server backend is to have your server files on Github somehow. The benefits would also be the ability to track what exactly they changed. Does anyone have an idea how this can be achieved?
Reasoning
Currently I want to hire people to help work on my server as I don't have the time to monitor it due to IRL stuff, but I am worried about getting my plugins leaked to leak sites if I hire any random configurators to help. Plugins like LPX or ItemsAdder are quite strict about leaks and will void your license.
Plugins like MythicMobs and MythicDungeons are very configuration heavy and will need access to perms in game (Not a problem) and backend access to the plugins folder (May be a problem). I would like to enable people to only modify the files required as well as track what they changed.
39 Replies
Thanks for asking your question!
Make sure to provide as much helpful information as possible such as logs/what you tried and what your exact issue is
Make sure to mark solved when issue is solved!!!
/close
!close
!solved
!answered
Requested by .deathpacito#0
This is an example of what I mean (I think?) but there were no instructions on how it is done https://discord.com/channels/348681414260293634/1125717634407735447
WHY HELLO! I am the GitOps person around these parts!
Yeah but that's what you want, GitOps.
Drive your config through Github branches.
You could have
main and dev, spin up a dev network and have a few scripts to import and overwrite config from your repo when you make a merge.
There are tools designed for this in Kubernetes like ArgoCD and Flux, you can look for some in awesome-sysadmin and awesome-selfhosted, your keywords are CI/CD, GitOps, DevOps, Continuous Integration.
If you can't find anything specific, writing a little Go program for it isn't too complex.Actually here, this one is popular, maybe you could adapt it.
https://www.drone.io/
Drone CI – Automate Software Testing and Delivery
Drone is a self-service Continuous Delivery platform for busy development teams
SO IT WAS YOU
I knew someone was talking about it
I'm the Kube guy, of course I'm also the CI/CD guy. :LUL:
Or just do the easy thing and run a git repo inside of ur plugins folder + gitignore *.jar
On startup git pull inside of ur folder
Easiest setup worldwide
Or just setup a git in the root dir and gitignore everything that u don't want
Git pull on startup
Super easy!
Keep in mind if u do that all ur plugin data will be on GitHub including configs that have ur db’s credentials because its just standard in the Minecraft community to store credentials in plain text (still find it funny we don’t have a better system)
And private repos aren’t always as private as u think
so take the necessary precautions. Having some kind of build pipeline as a middle man that can populate some variables like credentials that way u can keep those private is the better choice
Also be careful any file that might store ip’s or other sensitive data (like essentials does)
I always wondered the same.
Probably because that would require an interface of sorts to input the credentials and given that those will still be stored on the filesystem, even if they're encrypted, the encryption key has to be somewhere in the plugin.
To help with the OP question, probably what Ice King mentioned would work if you also gitignore the files that contain credentials.
Most plugins have the credentials in a separate file, or one that doesn't have that much to configure.
However I think using this setup makes it extremely time consuming to actually test the configurations unless there's a dev environment the configurators can push their changes to.
Which leaves us with the original answer the YAML Enjoyer mentioned
Tbvh so much of what he said sounds like Greek to me, i'm not sure how to start
Oh, then you can start simple with the git repo Ice King mentioned, adding plugins and everything confidential into
.gitignore, no need to complicate yourselfIce king 💀😭😭
Nahh
I cannot believe ppl calling me by nick now
Anyway off topic
- create a private repo with ur root server directory
- add world file, and any file that has sensitive data to the .gitignore
and ur good.
- only share the repo with people u trust.
*anytime any sensitive data gets upload, (ie. db password), remove it from git, cycle the credentials
- extra step is the build pipelines to automate it. where it gets complicated and u can get more insight by asking @AeonRemnant . there might be simpler (and free) options with just using github action
If only there was an independent git pull on ptero u could run
That'd be an interesting plugin to make tbh
could use something like this https://github.com/marketplace/actions/ftp-upload-action or https://github.com/marketplace/actions/sftp-upload
If you have root access it'd be easy, and u can reload plugin configs easily
Srry, I haven't interacted here until very recently, I don't know anyone 😅 and I didn't want to ping you since some people find it annoying
Bahh nws
I mean we can use Vault.
store things in .envs!
.envs are still plain text
You don't commit .env files
They also wouldn't be replaced when you clone the updated configs
This is why you use Vault.
Or Infisical if Hashicorp isn’t your style.
overcomplicates the setup if they were solely using a github repo and a clone step before running their server
just have a .env file which is manually deployed for a testing environment
I mean sure but if you actually want to do it properly as this post is asking for, you use Vault.
Really it’s not that complex. Just env variables and a pipeline. Nice and simple.
"I am running my server off the Ptero panel"
Let’s be completely real, if you’re using Ptero for this rn then GitOps will replace that for you if you do it properly.
I know it's not bad if you have the setup for it
But they do not currently have it, and my response wasn't in relation to your kube solution anyway
Imo the way forward is Infisical, Drone, Compose, and Kestra.
No need for Kube.
or a ptero container image which does
git clone with a deployment key and local .env file ¯\_(ツ)_/¯To be clear it’ll work, but tbh just learn CI.
It’ll save you so much time being able to use CI.
I'm self hosting so I have full control over the machine
Cool, so setup GH actions to do a command in ur machine or ftp upload overwrite
Anyway, do the kube method if u want it to be good
Aeon just said there is no need for Kube so now i'm confused 🥹
GitOps isn't a purely Kube thing, don't do the Kube method if you don't need Kube, do the GitOps method if you need GitOps.
And GitOps done properly? It's CI/CD pipelines with secrets management. That's proper GitOps.
mb
didnt read
So in summary, if I am selfhosting and using the Ptero panel, the idiotproof setup is using GitOps to manage the yml files and the benefits are:
1. Tracability of edits
2. Speed of updating and reloading server (No long delay)
3. Security of plugin jars (People cannot download them once you blacklist them)
Am I correct?
You missed some benefits and drawbacks.
The benefits:
1. No config drift as you have a way to keep edits stable and safe across replicated workloads
2. RBAC (Role Based Access Control) to keep the files safe, you can give certain repos to certain staff members with certain permissions.
3. Unified mechanism to deploy
4. Version control, so long as you take a backup of the things that aren’t ephemeral nonsense you can’t fuck things up forever.
The drawbacks:
1. Complexity, GitOps is great but there’s a reason it’s most often seen in DevOps
2. Project scope
3. Teaching people how it works
And, if the project is small, probably a single git repo is enough, adding confidential files to gitignore ofc.
This avoids complexity in case the project doesn’t need it