From c6748381760e3dc5fc7b280402a487043e666718 Mon Sep 17 00:00:00 2001
From: Kenneth <kenneth@nym.sh>
Date: Tue, 30 Dec 2025 17:58:31 +0000
Subject: [PATCH] tshock version 5.2.4

---
 .github/workflows/build-and-push.yml | 68 ++++++++++++++++++++++++
 .gitignore                           | 15 ++++++
 Dockerfile                           | 62 ++++++++++++++++++++++
 README.md                            | 79 ++++++++++++++++++++++++++++
 4 files changed, 224 insertions(+)
 create mode 100644 .github/workflows/build-and-push.yml
 create mode 100644 .gitignore
 create mode 100644 Dockerfile
 create mode 100644 README.md

diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml
new file mode 100644
index 0000000..bb920ea
--- /dev/null
+++ b/.github/workflows/build-and-push.yml
@@ -0,0 +1,68 @@
+name: Build and push Docker image
+
+on:
+  push:
+    tags:
+      - "v*"
+  pull_request:
+    branches: [ "main" ]
+  workflow_dispatch: {}
+
+env:
+  REGISTRY: cr.nym.sh
+  # Default image path: cr.nym.sh/<owner>/tshock
+  IMAGE_NAME: cr.nym.sh/${{ github.repository_owner }}/tshock
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Only log in (and push) when not a PR from a fork.
+      - name: Log in to registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.IMAGE_NAME }}
+          tags: |
+            # When you push a git tag like v5.2.4 -> publish "5.2.4"
+            type=semver,pattern={{version}}
+            # latest for main branch
+            type=raw,value=latest,enable={{is_default_branch}}
+            # short sha tag for traceability
+            type=sha,format=short
+
+      - name: Build (and push)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            TSHOCK_VERSION=5.2.4
+            TERRARIA_VERSION=1.4.4.9
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5393fb7
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,15 @@
+# OS / editor
+.DS_Store
+.idea/
+.vscode/
+
+# Local server data (if you don't want to commit it)
+data/
+worlds/
+
+# Logs
+*.log
+
+# Terraform / misc
+*.tfstate
+*.tfstate.*
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..e960921
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,62 @@
+# syntax=docker/dockerfile:1.6
+#
+# TShock v5.2.4 for Terraria 1.4.4.9 (Linux amd64/arm64)
+# - Pulls the official release asset from GitHub and extracts it
+# - Runs as a non-root user
+# - Persists runtime data under /data
+#
+
+FROM mcr.microsoft.com/dotnet/runtime:6.0-bookworm-slim
+
+ARG TSHOCK_VERSION=5.2.4
+ARG TERRARIA_VERSION=1.4.4.9
+ARG TARGETARCH
+ENV \
+  TSHOCK_VERSION="${TSHOCK_VERSION}" \
+  TERRARIA_VERSION="${TERRARIA_VERSION}" \
+  TSHOCK_DIR="/opt/tshock" \
+  DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+      ca-certificates \
+      curl \
+      unzip \
+      tar \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create non-root user and directories
+RUN useradd -m -u 10001 -s /usr/sbin/nologin tshock \
+  && mkdir -p "${TSHOCK_DIR}" /data \
+  && chown -R tshock:tshock "${TSHOCK_DIR}" /data
+
+WORKDIR /tmp
+
+# Download the correct TShock release asset for the platform and extract it.
+RUN set -eux; \
+    case "${TARGETARCH}" in \
+      amd64) ASSET_ARCH="amd64" ;; \
+      arm64) ASSET_ARCH="arm64" ;; \
+      *) echo "Unsupported TARGETARCH: ${TARGETARCH}"; exit 1 ;; \
+    esac; \
+    ASSET="TShock-${TSHOCK_VERSION}-for-Terraria-${TERRARIA_VERSION}-linux-${ASSET_ARCH}-Release.zip"; \
+    URL="https://github.com/Pryaxis/TShock/releases/download/v${TSHOCK_VERSION}/${ASSET}"; \
+    echo "Downloading ${URL}"; \
+    curl -fL --retry 5 --retry-delay 2 -o tshock.zip "${URL}"; \
+    unzip -q tshock.zip; \
+    # Release zip contains a tar; extract the first .tar found.
+    TAR="$(ls -1 *.tar | head -n 1)"; \
+    test -n "${TAR}"; \
+    tar -xf "${TAR}" -C "${TSHOCK_DIR}"; \
+    rm -rf /tmp/*; \
+    chmod +x "${TSHOCK_DIR}/TShock.Server" "${TSHOCK_DIR}/TShock.Installer" || true; \
+    chown -R tshock:tshock "${TSHOCK_DIR}"
+
+# Persist server data (worlds/config/db/logs/etc). Bind-mount /data in compose.
+VOLUME ["/data"]
+
+EXPOSE 7777/tcp
+
+USER tshock
+WORKDIR /data
+
+ENTRYPOINT ["/opt/tshock/TShock.Server"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..83c7b3c
--- /dev/null
+++ b/README.md
@@ -0,0 +1,79 @@
+# tshock-docker
+
+Docker image + Compose scaffolding for **TShock v5.2.4** (Terraria **1.4.4.9**), plus a GitHub Actions workflow that builds and pushes to a custom registry (**cr.nym.sh**).
+
+## Repo layout
+
+- `Dockerfile` — builds the image by downloading the official TShock release asset
+- `docker-compose.yml` — example: **shared** `./worlds` + **separate** per-server state under `./data/worldX`
+- `.github/workflows/build-and-push.yml` — CI to build + push images to your registry
+
+---
+
+## Local build
+
+```bash
+docker build -t tshock:5.2.4 .
+```
+
+## Local run (two worlds, separate state)
+
+```bash
+mkdir -p worlds data/world1 data/world2
+docker compose up world1   # first-time interactive prompts, Ctrl+C when done
+docker compose up world2   # first-time interactive prompts, Ctrl+C when done
+docker compose up -d
+```
+
+Players connect to:
+- `host:7777` → world1
+- `host:7778` → world2
+
+---
+
+## CI: push to cr.nym.sh
+
+### 1) Create GitHub repo secrets
+
+In your GitHub repo settings:
+
+- `CRNYM_REGISTRY_USERNAME`
+- `CRNYM_REGISTRY_PASSWORD`
+
+These should be credentials that can push to your registry.
+
+### 2) Set image name (optional)
+
+By default the workflow pushes to:
+
+`cr.nym.sh/<github-owner>/tshock`
+
+If you want a different path/name, edit `IMAGE_NAME` in the workflow.
+
+### 3) Triggering
+
+The workflow runs on:
+
+- pushes to `main`
+- git tags like `v5.2.4` (recommended: tag releases)
+- manual runs (workflow_dispatch)
+- a weekly scheduled rebuild (useful for base image security updates)
+
+---
+
+## Tag strategy
+
+- `latest` on default branch (`main`)
+- `vX.Y.Z` tag pushes also publish `X.Y.Z`
+- also publishes a short SHA tag for traceability
+
+---
+
+## Notes / gotchas
+
+- Don’t run two servers pointed at the **same** `.wld` file at once.
+- Keeping `./worlds` shared is fine as long as each server uses a different world file.
+- On Linux, if the container can’t write to your bind mounts, you may need:
+  ```bash
+  sudo chown -R 10001:10001 worlds data
+  ```