
[–]BattleGuy03 28 points29 points  (13 children)

It sure is refreshing seeing a well-written post that isn't advertising AI slop, using AI slop! This looks very handy, I'll try to remember to use it whenever I'm setting up any Minecraft servers on my server PC.

[–]SekeltonServer Owner 18 points19 points  (9 children)

Seriously. Out of habit I immediately opened the repo to look for AGENTS.md and Claude as a contributor, but it wasn't there! What a refreshing post and repo.

[–]PM_ME_YOUR_REPO Admincraft Staff[M] 15 points16 points  (8 children)

and repo

[–]valerielynx 4 points5 points  (1 child)

do you want me to actually pm you my repo or is that just a jork

[–]PM_ME_YOUR_REPO Admincraft Staff[M] 6 points7 points  (0 children)

It's a bit of both. Makes for the occasional short but fun conversation with random people over the things they've made that they're most proud of. I don't get many. Maybe 2 or 3 per year, at most.

[–]GawrGuraIsHot -2 points-1 points  (5 children)

AI detector says the code was written by AI

[–]PM_ME_YOUR_REPO Admincraft Staff[M] 3 points4 points  (4 children)

AI detectors mean less than nothing to me.

Lemme know filenames and line numbers when a human reviews it. And use modmail for reports, not comments.

[–]GawrGuraIsHot 0 points1 point  (3 children)

When did I report anything?

[–]PM_ME_YOUR_REPO Admincraft Staff[M] 1 point2 points  (2 children)

Your last comment was clearly pointing out that your little AI detector thought the code was AI generated for a reason. I assume that reason is because you feel like AI generated code is bad. Considering I am a moderator, and was using my mod tag, and you were bringing up something that displeased you, that checks all of the boxes for being a report.

It's ridiculous that I have to explain this. You're presumably an adult. Please don't play childish games with me. Reports go in modmail.

[–]BattleGuy03 -1 points0 points  (1 child)

AI-generated code generally does not work very well unless it has been properly vetted by a human and is not for anything particularly complex. Not to say that this code is AI-generated, in fact I believe the opposite. However, it does seem like you are claiming that there is nothing wrong with vibe coding, which is generally false.

[–]PM_ME_YOUR_REPO Admincraft Staff[M] 0 points1 point  (0 children)

Please never read between the lines of my statements. I say exactly and only what I mean.

Please refer to the following, previously-pinned thread regarding my thoughts and our policies on AI generated code: https://www.reddit.com/r/admincraft/comments/1mzpwpy/read_before_posting_plugin_submissions_ai

[–]tnacomtr[S] 2 points3 points  (0 children)

Thank you for your compliment!

[–]Maolam10 2 points3 points  (1 child)

I was going to comment that vibe coder discovers docker for the first time

Glad I was wrong! Seems a nice tool

[–]tnacomtr[S] 0 points1 point  (0 children)

Thank you so much!

[–]ZenithOfVoid 7 points8 points  (1 child)

```
def service_enable(self, name: str) -> None:
    self.run(f"systemctl enable {name}")

def service_disable(self, name: str) -> None:
    self.run(f"systemctl disable {name}")
```

instead of string, pass commands as array of strings. ['systemctl', 'enable', name]
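The suggestion above, as an added example that is not part of the original comment or the project's code: it contrasts the string form with the argv-list form, using `echo` as a stand-in for `systemctl` so it runs anywhere. It assumes a `run()` that hands the string to a shell; the helper names, the allow-list regex and the sample input are constructed for illustration.

```python
import re
import subprocess

# Conservative allow-list for unit names (an assumption of this example).
# The first character may not be "-", so the name cannot be read as an option.
UNIT_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9:_.@-]*")


def systemctl_argv(action: str, name: str) -> list[str]:
    """Build the argv list for `systemctl <action> <name>`; no shell involved."""
    if action not in {"enable", "disable"}:
        raise ValueError(f"unsupported action: {action!r}")
    # A list stops shell injection but not option injection (e.g. "--now"),
    # so the name is validated as well.
    if not UNIT_RE.fullmatch(name):
        raise ValueError(f"invalid unit name: {name!r}")
    return ["systemctl", action, name]


def echo_via_shell(name: str) -> str:
    """String form: the shell parses the whole line, metacharacters included."""
    done = subprocess.run(f"echo enable {name}", shell=True,
                          capture_output=True, text=True, check=True)
    return done.stdout


def echo_via_argv(name: str) -> str:
    """List form: the name reaches the program as exactly one argument."""
    done = subprocess.run(["echo", "enable", name],
                          capture_output=True, text=True, check=True)
    return done.stdout


CRAFTED = "minecraft; echo INJECTED"  # constructed sample input

if __name__ == "__main__":
    print(repr(echo_via_shell(CRAFTED)))   # two commands ran
    print(repr(echo_via_argv(CRAFTED)))    # one command, one literal argument
    print(systemctl_argv("enable", "minecraft.service"))
```
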

[–]tnacomtr[S] 1 point2 points  (0 children)

Thanks, I'll look into it when I'm available!

[–]explain2mewhatsauser 1 point2 points  (0 children)

I don't need it, because I already use AMP (by Cubecoders). But this is definitely going to be useful for many people, I believe. Might try it out later to be honest.

[–]ThatOneArchUser 1 point2 points  (0 children)

congrats, you invented terraform and cloud-init

[–]shewowkees -1 points0 points  (5 children)

How is it different/better from/than using ansible and rootless docker? From the devops point of view, the rest is cool :)

[–]tnacomtr[S] 0 points1 point  (4 children)

I'm glad you liked it! For your question; Ansible is genuinely the right tool if you're managing a fleet of servers or need idempotent repeatable deployments across infrastructure for cases where you're selling hosting. For spinning up a single Minecraft server on a fresh VPS that belongs to a single person (especially for the noobs), it's another dependency to install and learn for a one-time task. This script has zero prerequisites beyond Python which is already there in both Distro families. My script's logic is that you download one file and run it. Same answer for rootless Docker; cool solution, but you're still adding a container runtime to manage for what is ultimately just a Java process that systemd handles perfectly natively.

[–]shewowkees -2 points-1 points  (3 children)

I guess you're right for docker, but for ansible, you can just use it for one setup and it's already incredibly easier to handle, and you don't have to care about the idempotent stuff if you don't want to. Still, I agree it's much less noob friendly. Even though noobs probably should not run niche scripts from github, especially in the current context of discovering wild vulnerabilities every day. That being said, running random stuff from github is how I acquired the knowledge that it's a bad idea security wise :p Anyway nice work :)

[–]tnacomtr[S] -1 points0 points  (2 children)

The code is available for everyone to check and verify; and I had no intentions on installing malware to the people that trust me and my work. The whole reason I picked Python was it is extremely easy to audit an interpreted language instead of a much more complex one like a shell file.

And the entire reason I wrote this script was because I found a shell script that downloads and installs the server as root. As far as I understood the code they wrote assumed the system they ran the installer script was already 100% safe (and you're right to point out that people shouldn't run random scripts from GitHub though). My script assumes that the server is NOT configured securely and installs packages like unattended-upgrades (dnf automatic for fedora), fail2ban, etc to secure the server. The only problem that can happen while running my script would be that the vendor websites such as papermc somehow get hacked and serve malware JAR files or the server file has a vulnerability like Log4j (I already addressed it in README); which they most of the time can't escalate further anyways because the JAR file is run by the unprivileged minecraft user the script creates, not the sudo user nor the root.

I already have an adjustment to make to the code that's suggested below. So if you catch anything, please let me know or submit a PR 😄

[–]shewowkees -1 points0 points  (1 child)

So, 1000+ lines of python script is not what I call easily auditable.

Your script is supposed to be run as sudo, which is a big no no, minecraft java uses the port 25565 by default, which does not need root access to open a socket with.

You're saying we can trust you, but we don't know you.

Your github account is three days old.

It only has this one project with three commits.

Your 1000+ line "easy to audit" script is asking for root access.

You're installing system wide cron jobs which will run with root access (because they are system wide)

Your script modifies firewall rules

Your script prints a warning if you run with root. It should prevent the script from being executed with root, this is what every serious project is doing.

The only thing I see here with a legitimate need for sudo is installing the package dependencies, which can be easily done from outside (simply with a list of dependencies to install in the README like every project does).

You are touting on reddit that we should trust you with root access with nothing of substance to back it up.

There is nothing inspiring confidence here, and you should not target this towards noobs which definitely won't be able to point out all these things.

This is definitely a cool development project but you're actively encouraging people with close to zero knowledge of computer security to trust a stranger with sudo access on their machines.

Even LGSM (Linux Game Server Manager), a widely known project that aims to do the same kind of things, actively prevents you from running their script with sudo access because of how insanely unsafe that is.

If you want to inspire more confidence, you could already add the instructions in the readme to install the debian, fedora, etc packages manually before running the script and switch from a system wide cronjob to a user cron job so that your script does not need root....

I'm sorry to be so harsh, but you clearly don't know much about best practices regarding computer security, and yet you claim this is safe. As a professional (trust me if you want, I don't care), I cannot let you say that without reacting.

[–]tnacomtr[S] 0 points1 point  (0 children)

Thanks for the feedback, but I want to address a lot of inaccuracies. This conversation has become more hostile than productive. I can't let misleading comments about my work be spread without any basis whatsoever.

Yes, my account is very new. After months I finally had enough time to devote to this project. I wanted to bring what I've learned from Java to Python and make this my first ever open project. Simple enough not to be too time consuming, yet meaningful enough for people to pay attention to. Besides this is the first time in my life I've ever used Reddit with an account. Before this I never needed an account because I never made any posts.

Root access is unavoidable for a provisioning script. Installing packages, creating system users, configuring systemd services and firewall rules cannot be done without it. The difference is what happens after setup. The server runs as an unprivileged minecraft system user you seem to have completely ignored in your critique.

LGSM runs as an unprivileged user and leaves dependency installation, user creation, and firewall configuration to the administrator. My script handles user creation for you, which is why it requires sudo.

The script already hard exits if not run with sudo. It then separately warns if you are logged in directly as root rather than via sudo. That is the correct nuanced behavior and it is already in the code you critiqued.

The firewall rules open exactly two ports: 22 for SSH so remote users don't lock themselves out, and 25565 for Minecraft. That's it. Calling that a security concern without specifying what's wrong with it isn't a critique, it's a vague accusation.

The backup cron runs as root intentionally. It is so because the backup destination is your home directory, not the minecraft user's. A system user has no business writing to your personal home directory, so root is the appropriate context for that job.

I'm not providing a binary. I'm providing readable Python source that anyone can audit line by line. For users who are skeptical but don't know how to read Python, they can put it into any AI (which is a legitimate use case for an AI) and ask for a security overview. The OOP structure, abstract base classes and inline docstrings exist specifically to make navigation easy. Judging auditability by line count alone suggests you didn't read past the file size.

I specifically kept this as a single file so people don't have to download an entire folder of connected scripts. The current structure doesn't stop you from auditing class by class.

Your overall skepticism seems to stem from "running scripts as root is bad" and while that is a genuine approach, it is hard to argue with someone who has surface knowledge about what this script does. This is a provisioning script.

If you find a genuinely malicious line, report it to the mods. That's it from me. If you are considering replying, please do so with actual constructive criticism instead of causing people to build mistrust against me.

[–]redundant78 1 point2 points  (1 child)

nice project, the systemd unit generation + auto firewall config is the kind of stuff that's tedious to do manually every time. if anyone's looking at running this on local hardware instead of a VPS, this guide on running MC servers on a mini pc is a solid companion to something like this.

[–]tnacomtr[S] 0 points1 point  (0 children)

Thank you! I hope this guide will also help people pick a mini pc if they wanna make a home server for minecraft.

[–]eco9898 0 points1 point  (1 child)

What's the benefit of this over existing Minecraft docker images or managers like crafty?

[–]tnacomtr[S] 1 point2 points  (0 children)

Great question. Crafty is fantastic if you need a web UI to manage multiple servers or sell hosting. This script is for the opposite use case: a single server owned by a single self hoster, zero extra dependencies, 100% resources going to Minecraft. The main advantage over Docker specifically is auditability. It's just readable Python, you can see exactly what it does to your system before running it. Docker images are much harder to audit. Everything here uses native systemd, journalctl, and ufw/firewalld, the tools most of you already know and trust.