factorio: stash factorio.com server token in SSM + flip server-settings.json visibility to public #78

Closed
opened 2026-05-23 20:54:38 +00:00 by coilysiren · 1 comment
Owner

Originally filed by @coilysiren on 2026-05-01T11:14:22Z - https://github.com/coilysiren/infrastructure/issues/82

Goal

Flip server-settings.json from visibility: { "public": false, "lan": true } to visibility: { "public": true, "lan": true } so the Sirens factorio server announces itself to the matchmaker (multiplayer.factorio.com).

Why this didn't happen at server bringup

For visibility.public: true, the server has to authenticate against factorio.com using a username + token pair from a factorio.com account that owns the DLC. The expectation per https://github.com/coilysiren/infrastructure/issues/77#issuecomment-4358830085 was to:

  • Stash the token in SSM at /factorio/server_token (SecureString)
  • Pull it at unit-start time the same way Eco's API tokens are pulled (mirrors infrastructure/src/eco.py:10)
  • Reference username + token in server-settings.json

When the server got brought up on 2026-05-01, the credentials had not yet landed. The server was started with visibility: { "public": false, "lan": true } so the server could come up cleanly without credentials. Whitelist enforcement is on, so reachability is not the same thing as joinability.

Action

  1. coily aws ssm put-parameter --name /factorio/server_token --type SecureString --value <token> (pre-authorized in SSM.md)
  2. Add a wrapper to factorio-server-start.sh that pulls /factorio/server_token at start time and writes it into a runtime-only copy of server-settings.json (do not write the resolved token back to the persistent file).
  3. Edit server-settings.json: set username = the factorio.com handle, set token = __FROM_SSM__ placeholder, flip visibility.public to true.
  4. Restart factorio-server.
  5. Verify the server appears on multiplayer.factorio.com.

Done when

  • Server appears in the public matchmaker lobby with name "Sirens Factorio"
  • Joining via lobby (not direct IP) works for a whitelisted player
  • Token is in SSM, never in git, never in /home/kai/Steam/.../server-settings.json on disk

Tracking from: #77

_Originally filed by @coilysiren on 2026-05-01T11:14:22Z - [https://github.com/coilysiren/infrastructure/issues/82](https://github.com/coilysiren/infrastructure/issues/82)_ ## Goal Flip `server-settings.json` from `visibility: { "public": false, "lan": true }` to `visibility: { "public": true, "lan": true }` so the Sirens factorio server announces itself to the matchmaker (multiplayer.factorio.com). ## Why this didn't happen at server bringup For `visibility.public: true`, the server has to authenticate against factorio.com using a `username` + `token` pair from a factorio.com account that owns the DLC. The expectation per https://github.com/coilysiren/infrastructure/issues/77#issuecomment-4358830085 was to: - Stash the token in SSM at `/factorio/server_token` (SecureString) - Pull it at unit-start time the same way Eco's API tokens are pulled (mirrors `infrastructure/src/eco.py:10`) - Reference `username` + `token` in `server-settings.json` When the server got brought up on 2026-05-01, the credentials had not yet landed. The server was started with `visibility: { "public": false, "lan": true }` so the server could come up cleanly without credentials. Whitelist enforcement is on, so reachability is not the same thing as joinability. ## Action 1. `coily aws ssm put-parameter --name /factorio/server_token --type SecureString --value <token>` (pre-authorized in [SSM.md](../coilyco-ai/SSM.md)) 2. Add a wrapper to `factorio-server-start.sh` that pulls `/factorio/server_token` at start time and writes it into a runtime-only copy of `server-settings.json` (do not write the resolved token back to the persistent file). 3. Edit `server-settings.json`: set `username` = the factorio.com handle, set `token` = `__FROM_SSM__` placeholder, flip `visibility.public` to `true`. 4. Restart factorio-server. 5. Verify the server appears on `multiplayer.factorio.com`. ## Done when - [ ] Server appears in the public matchmaker lobby with name "Sirens Factorio" - [ ] Joining via lobby (not direct IP) works for a whitelisted player - [ ] Token is in SSM, never in git, never in `/home/kai/Steam/.../server-settings.json` on disk Tracking from: #77
Author
Owner

Iceboxed in the 2026-05-29 backlog burn-down: factorio public visibility flip, hobby toy. Reopen anytime if it becomes real.

Iceboxed in the 2026-05-29 backlog burn-down: factorio public visibility flip, hobby toy. Reopen anytime if it becomes real.
Sign in to join this conversation.
No description provided.