A
Admincraftโ€ข3mo ago
Deathpacito

Github setup for hiring configurators?

Intention Hi, I am running my server off the Ptero panel. I have heard around here a while back that one way to allow configurators to modify ymls without getting access to the entire server backend is to have your server files on Github somehow. The benefits would also be the ability to track what exactly they changed. Does anyone have an idea how this can be achieved? Reasoning Currently I want to hire people to help work on my server as I don't have the time to monitor it due to IRL stuff, but I am worried about getting my plugins leaked to leak sites if I hire any random configurators to help. Plugins like LPX or ItemsAdder are quite strict about leaks and will void your license. Plugins like MythicMobs and MythicDungeons are very configuration heavy and will need access to perms in game (Not a problem) and backend access to the plugins folder (May be a problem). I would like to enable people to only modify the files required as well as track what they changed.
39 Replies
Admincraft Meta
Admincraft Metaโ€ข3mo ago
Thanks for asking your question!
Make sure to provide as much helpful information as possible such as logs/what you tried and what your exact issue is
Make sure to mark solved when issue is solved!!!
/close !close !solved !answered
Requested by .deathpacito#0
Deathpacito
DeathpacitoOPโ€ข3mo ago
This is an example of what I mean (I think?) but there were no instructions on how it is done https://discord.com/channels/348681414260293634/1125717634407735447
AeonRemnant
AeonRemnantโ€ข3mo ago
WHY HELLO! I am the GitOps person around these parts! Yeah but that's what you want, GitOps. Drive your config through Github branches. You could have main and dev, spin up a dev network and have a few scripts to import and overwrite config from your repo when you make a merge. There are tools designed for this in Kubernetes like ArgoCD and Flux, you can look for some in awesome-sysadmin and awesome-selfhosted, your keywords are CI/CD, GitOps, DevOps, Continuous Integration. If you can't find anything specific, writing a little Go program for it isn't too complex.
AeonRemnant
AeonRemnantโ€ข3mo ago
Actually here, this one is popular, maybe you could adapt it. https://www.drone.io/
Drone CI โ€“ Automate Software Testing and Delivery
Drone is a self-service Continuous Delivery platform for busy development teams
Deathpacito
DeathpacitoOPโ€ข3mo ago
SO IT WAS YOU I knew someone was talking about it
AeonRemnant
AeonRemnantโ€ข3mo ago
I'm the Kube guy, of course I'm also the CI/CD guy. :LUL:
Ashank
Ashankโ€ข3mo ago
Or just do the easy thing and run a git repo inside of ur plugins folder + gitignore *.jar On startup git pull inside of ur folder Easiest setup worldwide Or just setup a git in the root dir and gitignore everything that u don't want Git pull on startup Super easy!
QarthO
QarthOโ€ข3mo ago
Keep in mind if u do that all ur plugin data will be on GitHub including configs that have ur dbโ€™s credentials because its just standard in the Minecraft community to store credentials in plain text (still find it funny we donโ€™t have a better system) And private repos arenโ€™t always as private as u think so take the necessary precautions. Having some kind of build pipeline as a middle man that can populate some variables like credentials that way u can keep those private is the better choice Also be careful any file that might store ipโ€™s or other sensitive data (like essentials does)
๐๐ข๐ช๐ฎ๐š๐ญ๐ž๐ซ๐ง๐ข๐จ๐ง๐ฌ
I always wondered the same. Probably because that would require an interface of sorts to input the credentials and given that those will still be stored on the filesystem, even if they're encrypted, the encryption key has to be somewhere in the plugin. To help with the OP question, probably what Ice King mentioned would work if you also gitignore the files that contain credentials. Most plugins have the credentials in a separate file, or one that doesn't have that much to configure. However I think using this setup makes it extremely time consuming to actually test the configurations unless there's a dev environment the configurators can push their changes to. Which leaves us with the original answer the YAML Enjoyer mentioned
Deathpacito
DeathpacitoOPโ€ข3mo ago
Tbvh so much of what he said sounds like Greek to me, i'm not sure how to start
๐๐ข๐ช๐ฎ๐š๐ญ๐ž๐ซ๐ง๐ข๐จ๐ง๐ฌ
Oh, then you can start simple with the git repo Ice King mentioned, adding plugins and everything confidential into .gitignore, no need to complicate yourself
Ashank
Ashankโ€ข3mo ago
Ice king ๐Ÿ’€๐Ÿ˜ญ๐Ÿ˜ญ Nahh I cannot believe ppl calling me by nick now Anyway off topic
QarthO
QarthOโ€ข3mo ago
- create a private repo with ur root server directory - add world file, and any file that has sensitive data to the .gitignore and ur good. - only share the repo with people u trust. *anytime any sensitive data gets upload, (ie. db password), remove it from git, cycle the credentials - extra step is the build pipelines to automate it. where it gets complicated and u can get more insight by asking @AeonRemnant . there might be simpler (and free) options with just using github action
Ashank
Ashankโ€ข3mo ago
If only there was an independent git pull on ptero u could run That'd be an interesting plugin to make tbh
Ashank
Ashankโ€ข3mo ago
If you have root access it'd be easy, and u can reload plugin configs easily
๐๐ข๐ช๐ฎ๐š๐ญ๐ž๐ซ๐ง๐ข๐จ๐ง๐ฌ
Srry, I haven't interacted here until very recently, I don't know anyone ๐Ÿ˜… and I didn't want to ping you since some people find it annoying
Ashank
Ashankโ€ข3mo ago
Bahh nws
AeonRemnant
AeonRemnantโ€ข3mo ago
I mean we can use Vault.
Ashank
Ashankโ€ข3mo ago
store things in .envs!
QarthO
QarthOโ€ข3mo ago
.envs are still plain text
SilentBot
SilentBotโ€ข3mo ago
You don't commit .env files They also wouldn't be replaced when you clone the updated configs
AeonRemnant
AeonRemnantโ€ข3mo ago
This is why you use Vault. Or Infisical if Hashicorp isnโ€™t your style.
SilentBot
SilentBotโ€ข3mo ago
overcomplicates the setup if they were solely using a github repo and a clone step before running their server just have a .env file which is manually deployed for a testing environment
AeonRemnant
AeonRemnantโ€ข3mo ago
I mean sure but if you actually want to do it properly as this post is asking for, you use Vault. Really itโ€™s not that complex. Just env variables and a pipeline. Nice and simple.
SilentBot
SilentBotโ€ข3mo ago
"I am running my server off the Ptero panel"
AeonRemnant
AeonRemnantโ€ข3mo ago
Letโ€™s be completely real, if youโ€™re using Ptero for this rn then GitOps will replace that for you if you do it properly.
SilentBot
SilentBotโ€ข3mo ago
I know it's not bad if you have the setup for it But they do not currently have it, and my response wasn't in relation to your kube solution anyway
AeonRemnant
AeonRemnantโ€ข3mo ago
Imo the way forward is Infisical, Drone, Compose, and Kestra. No need for Kube.
SilentBot
SilentBotโ€ข3mo ago
or a ptero container image which does git clone with a deployment key and local .env file ยฏ\_(ใƒ„)_/ยฏ
AeonRemnant
AeonRemnantโ€ข3mo ago
To be clear itโ€™ll work, but tbh just learn CI. Itโ€™ll save you so much time being able to use CI.
Deathpacito
DeathpacitoOPโ€ข3mo ago
I'm self hosting so I have full control over the machine
Ashank
Ashankโ€ข3mo ago
Cool, so setup GH actions to do a command in ur machine or ftp upload overwrite Anyway, do the kube method if u want it to be good
Deathpacito
DeathpacitoOPโ€ข3mo ago
Aeon just said there is no need for Kube so now i'm confused ๐Ÿฅน
AeonRemnant
AeonRemnantโ€ข3mo ago
GitOps isn't a purely Kube thing, don't do the Kube method if you don't need Kube, do the GitOps method if you need GitOps. And GitOps done properly? It's CI/CD pipelines with secrets management. That's proper GitOps.
Ashank
Ashankโ€ข3mo ago
mb didnt read
Deathpacito
DeathpacitoOPโ€ข3mo ago
So in summary, if I am selfhosting and using the Ptero panel, the idiotproof setup is using GitOps to manage the yml files and the benefits are: 1. Tracability of edits 2. Speed of updating and reloading server (No long delay) 3. Security of plugin jars (People cannot download them once you blacklist them) Am I correct?
AeonRemnant
AeonRemnantโ€ข3mo ago
You missed some benefits and drawbacks. The benefits: 1. No config drift as you have a way to keep edits stable and safe across replicated workloads 2. RBAC (Role Based Access Control) to keep the files safe, you can give certain repos to certain staff members with certain permissions. 3. Unified mechanism to deploy 4. Version control, so long as you take a backup of the things that arenโ€™t ephemeral nonsense you canโ€™t fuck things up forever. The drawbacks: 1. Complexity, GitOps is great but thereโ€™s a reason itโ€™s most often seen in DevOps 2. Project scope 3. Teaching people how it works
๐๐ข๐ช๐ฎ๐š๐ญ๐ž๐ซ๐ง๐ข๐จ๐ง๐ฌ
And, if the project is small, probably a single git repo is enough, adding confidential files to gitignore ofc. This avoids complexity in case the project doesnโ€™t need it

Did you find this page helpful?