nickheyer · Wolfhound905 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026 · Feb 10, 2026
diff --git a/buf.lock b/buf.lock
@@ -1,2 +1,6 @@
 # Generated by buf. DO NOT EDIT.
 version: v2
+deps:
+  - name: buf.build/googleapis/googleapis
+    commit: 004180b77378443887d3b55cabc00384
+    digest: b5:e8f475fe3330f31f5fd86ac689093bcd274e19611a09db91f41d637cb9197881ce89882b94d13a58738e53c91c6e4bae7dc1feba85f590164c975a89e25115dc
diff --git a/internal/docker/client.go b/internal/docker/client.go
@@ -9,6 +9,7 @@ import (
 	"maps"
 	"net/http"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"reflect"
 	"strings"
@@ -333,18 +334,78 @@ func ApplyOverrides(overrides *v1.DockerOverrides, config *container.Config, hos
 	}
 }
 
+// generateInitWrapper creates a bash wrapper script that runs init commands before the original entrypoint
+func (c *Client) generateInitWrapper(ctx context.Context, initCommands []string, originalEntrypoint []string) (string, error) {
+	if len(initCommands) == 0 {
+		return "", nil
+	}
+
+	c.log.Info("Generating init wrapper script with %d commands", len(initCommands))
+
+	// Create wrapper script content
+	script := "#!/bin/bash\n"
+	script += "set -e  # Exit on first error\n"
+	script += "set -o pipefail  # Catch errors in pipes\n\n"
+	script += "echo '[DiscoPanel] Starting init commands...'\n\n"
+
+	// Add each init command with logging
+	for i, cmd := range initCommands {
+		script += fmt.Sprintf("echo '[DiscoPanel] Init command %d/%d: Running...'\n", i+1, len(initCommands))
+		script += fmt.Sprintf("%s\n", cmd)
+		script += fmt.Sprintf("echo '[DiscoPanel] Init command %d/%d: SUCCESS'\n\n", i+1, len(initCommands))
+	}
+
+	script += "echo '[DiscoPanel] All init commands completed successfully'\n"
+	script += "echo '[DiscoPanel] Starting original entrypoint...'\n\n"
+
+	// Exec original entrypoint (replaces shell process)
+	if len(originalEntrypoint) > 0 {
+		// Properly quote and escape arguments
+		entrypointCmd := "exec"
+		for _, part := range originalEntrypoint {
+			// Escape single quotes in the argument
+			escaped := strings.ReplaceAll(part, "'", "'\"'\"'")
+			entrypointCmd += fmt.Sprintf(" '%s'", escaped)
+		}
+		script += entrypointCmd + "\n"
+	} else {
+		script += "# No original entrypoint specified\n"
+		script += "exec /bin/bash\n"
+	}
+
+	return script, nil
+}
+
 func (c *Client) CreateContainer(ctx context.Context, server *models.Server, serverConfig *models.ServerConfig) (string, error) {
 	// Use server's DockerImage if specified, otherwise determine based on version and loader
 	var imageName string
+	var isLocalImage bool
 	if server.DockerImage != "" {
-		imageName = "itzg/minecraft-server:" + server.DockerImage
+		// Check if DockerImage is a full image reference (contains "/") or a local image
+		if strings.Contains(server.DockerImage, "/") {
+			// It's a full image reference (e.g., "my-registry.com/image:tag"), use as-is
+			imageName = server.DockerImage
+			c.log.Debug("Using full image reference: %s", imageName)
+		} else if c.imageExistsLocally(ctx, server.DockerImage) {
+			// It's a local image (e.g., "minecraft-with-git:latest"), use as-is
+			imageName = server.DockerImage
+			isLocalImage = true
+			c.log.Info("Using local image: %s", imageName)
+		} else {
+			// It's just a tag (e.g., "java21"), prepend the default itzg image
+			imageName = "itzg/minecraft-server:" + server.DockerImage
+			c.log.Debug("Using itzg image with tag: %s", imageName)
+		}
 	} else {
 		imageName = getDockerImage(server.ModLoader, server.MCVersion)
+		c.log.Debug("Using optimal docker tag: %s", imageName)
 	}
 
-	// Try pulling latest
-	if err := c.pullImage(ctx, imageName); err != nil {
-		return "", fmt.Errorf("failed to pull image: %w", err)
+	// Only pull if it's not a local image
+	if !isLocalImage {
+		if err := c.pullImage(ctx, imageName); err != nil {
+			return "", fmt.Errorf("failed to pull image: %w", err)
+		}
 	}
 
 	// Build environment variables
@@ -456,6 +517,55 @@ func (c *Client) CreateContainer(ctx context.Context, server *models.Server, ser
 	// Apply docker overrides
 	ApplyOverrides(server.DockerOverrides, config, hostConfig)
 
+	// Handle init commands wrapper - if init_commands are present
+	if server.DockerOverrides != nil && len(server.DockerOverrides.InitCommands) > 0 {
+		c.log.Info("Server %s has init commands, generating wrapper script", server.ID)
+
+		// Determine original entrypoint
+		originalEntrypoint := config.Entrypoint
+		if len(originalEntrypoint) == 0 {
+			// If no entrypoint specified, Docker will use image default
+			// Try to get it from the image inspection
+			imageInspect, err := c.docker.ImageInspect(ctx, imageName)
+			if err == nil && len(imageInspect.Config.Entrypoint) > 0 {
+				originalEntrypoint = imageInspect.Config.Entrypoint
+				c.log.Debug("Retrieved image entrypoint: %v", originalEntrypoint)
+			} else {
+				// Fallback for itzg/minecraft-server (known default)
+				originalEntrypoint = []string{"/start"}
+				c.log.Debug("Using fallback entrypoint for itzg/minecraft-server: /start")
+			}
+		}
+
+		// Generate wrapper script
+		scriptContent, err := c.generateInitWrapper(ctx, server.DockerOverrides.InitCommands, originalEntrypoint)
+		if err != nil {
+			return "", fmt.Errorf("failed to generate init wrapper: %w", err)
+		}
+
+		// Create script file in server's data directory
+		scriptPath := filepath.Join(server.DataPath, ".discopanel-init.sh")
+		if err := os.WriteFile(scriptPath, []byte(scriptContent), 0755); err != nil {
+			return "", fmt.Errorf("failed to write init wrapper script: %w", err)
+		}
+
+		c.log.Info("Wrote init wrapper script to %s", scriptPath)
+
+		// Mount the script into the container (read-only)
+		hostConfig.Mounts = append(hostConfig.Mounts, mount.Mount{
+			Type:     mount.TypeBind,
+			Source:   scriptPath,
+			Target:   "/discopanel-init.sh",
+			ReadOnly: true,
+		})
+
+		// Override entrypoint to use our wrapper
+		config.Entrypoint = []string{"/bin/bash", "/discopanel-init.sh"}
+
+		c.log.Info("[AUDIT] Generated init wrapper for server %s with %d commands",
+			server.ID, len(server.DockerOverrides.InitCommands))
+	}
+
 	// Network configuration
 	networkConfig := &network.NetworkingConfig{}
 	if c.config.NetworkName != "" && hostConfig.NetworkMode == "" {
@@ -765,6 +875,83 @@ func (c *Client) GetDockerImages() []DockerImageTag {
 	return activeImages
 }
 
+// parseImageReference splits an image reference into repository and tag
+// Returns normalized image name with tag (defaults to "latest" if not specified)
+func parseImageReference(imageStr string) (string, error) {
+	imageStr = strings.TrimSpace(imageStr)
+	if imageStr == "" {
+		return "", fmt.Errorf("image name cannot be empty")
+	}
+
+	// Check for invalid characters
+	if strings.ContainsAny(imageStr, " \t\n") {
+		return "", fmt.Errorf("image name contains invalid whitespace")
+	}
+
+	// If no tag specified, add :latest
+	if !strings.Contains(imageStr, ":") {
+		return imageStr + ":latest", nil
+	}
+
+	return imageStr, nil
+}
+
+// imageExistsLocally checks if a Docker image exists in the local Docker daemon
+func (c *Client) imageExistsLocally(ctx context.Context, imageName string) bool {
+	// Use the Docker API client for more reliable local image detection
+	_, err := c.docker.ImageInspect(ctx, imageName)
+	exists := err == nil
+	c.log.Debug("imageExistsLocally check for '%s': exists=%v, err=%v", imageName, exists, err)
+	return exists
+}
+
+// ValidateImageExists checks if a Docker image exists locally or on accessible registries
+// First checks for local images using docker image inspect, then falls back to docker manifest inspect for remote images
+func (c *Client) ValidateImageExists(ctx context.Context, imageName string) error {
+	// Parse and normalize the image reference
+	normalizedImage, err := parseImageReference(imageName)
+	if err != nil {
+		return err
+	}
+
+	// First try to check if it's a local image using docker image inspect
+	cmd := exec.CommandContext(ctx, "docker", "image", "inspect", normalizedImage)
+	var stdout, stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	err = cmd.Run()
+	if err == nil {
+		// Image exists locally
+		return nil
+	}
+
+	// Not found locally, try remote registries using docker manifest inspect
+	cmd = exec.CommandContext(ctx, "docker", "manifest", "inspect", normalizedImage)
+	stdout.Reset()
+	stderr.Reset()
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+
+	err = cmd.Run()
+	if err != nil {
+		// More descriptive error messages based on error output
+		errStr := stderr.String() + " " + stdout.String()
+		if strings.Contains(errStr, "no such manifest") || strings.Contains(errStr, "not found") {
+			return fmt.Errorf("image '%s' not found locally or on Docker Hub or accessible registries", normalizedImage)
+		}
+		if strings.Contains(errStr, "unauthorized") || strings.Contains(errStr, "forbidden") {
+			return fmt.Errorf("access denied to image '%s' - may require authentication", normalizedImage)
+		}
+		if strings.Contains(errStr, "connection refused") || strings.Contains(errStr, "network") {
+			return fmt.Errorf("cannot reach Docker daemon or registry: %w", err)
+		}
+		return fmt.Errorf("failed to validate image '%s': %w", normalizedImage, err)
+	}
+
+	return nil
+}
+
 func getDockerImage(loader models.ModLoader, mcVersion string) string {
 	_ = loader
 	// itzg/minecraft-server supports all mod loaders through environment variables

diff --git a/internal/rpc/services/minecraft.go b/internal/rpc/services/minecraft.go
@@ -2,6 +2,7 @@ package services
 
 import (
 	"context"
+	"strings"
 
 	"connectrpc.com/connect"
 	storage "github.com/nickheyer/discopanel/internal/db"
@@ -139,3 +140,28 @@ func (s *MinecraftService) GetDockerImages(ctx context.Context, req *connect.Req
 		Images: protoImages,
 	}), nil
 }
+
+// ValidateDockerImage validates a custom Docker image
+func (s *MinecraftService) ValidateDockerImage(ctx context.Context, req *connect.Request[v1.ValidateDockerImageRequest]) (*connect.Response[v1.ValidateDockerImageResponse], error) {
+	imageName := req.Msg.GetImage()
+
+	// Validate image exists
+	err := s.docker.ValidateImageExists(ctx, imageName)
+	if err != nil {
+		return connect.NewResponse(&v1.ValidateDockerImageResponse{
+			Valid: false,
+			Error: err.Error(),
+		}), nil
+	}
+
+	// Parse the image reference to get normalized name
+	normalizedImage := imageName
+	if !strings.Contains(imageName, ":") {
+		normalizedImage = imageName + ":latest"
+	}
+
+	return connect.NewResponse(&v1.ValidateDockerImageResponse{
+		Valid:             true,
+		NormalizedImage:   normalizedImage,
+	}), nil
+}
diff --git a/internal/rpc/services/server.go b/internal/rpc/services/server.go
@@ -14,6 +14,7 @@ import (
 
 	"connectrpc.com/connect"
 	"github.com/google/uuid"
+	"github.com/nickheyer/discopanel/internal/auth"
 	"github.com/nickheyer/discopanel/internal/config"
 	storage "github.com/nickheyer/discopanel/internal/db"
 	"github.com/nickheyer/discopanel/internal/docker"
@@ -384,6 +385,34 @@ func (s *ServerService) CreateServer(ctx context.Context, req *connect.Request[v
 		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("name and MC version are required"))
 	}
 
+	// Validate init commands - admin only, requires auth enabled
+	if msg.DockerOverrides != nil && len(msg.DockerOverrides.InitCommands) > 0 {
+		authConfig, _, err := s.store.GetAuthConfig(ctx)
+		if err == nil && !authConfig.Enabled {
+			return nil, connect.NewError(connect.CodeInvalidArgument,
+				fmt.Errorf("authentication must be enabled to use init commands"))
+		}
+
+		user := auth.GetUserFromContext(ctx)
+		if user == nil || user.Role != storage.RoleAdmin {
+			return nil, connect.NewError(connect.CodePermissionDenied,
+				fmt.Errorf("only administrators can configure init commands"))
+		}
+
+		// Audit log: Init commands configured during creation
+		s.log.Info("[AUDIT] User %s (%s) configured %d init commands for new server '%s'",
+			user.Username, user.ID, len(msg.DockerOverrides.InitCommands), msg.Name)
+
+		// Log each command (truncated for security)
+		for i, cmd := range msg.DockerOverrides.InitCommands {
+			cmdPreview := cmd
+			if len(cmdPreview) > 100 {
+				cmdPreview = cmdPreview[:100] + "..."
+			}
+			s.log.Info("[AUDIT]   Init command %d: %s", i+1, cmdPreview)
+		}
+	}
+
 	// Handle proxy configuration
 	proxyHostname := msg.ProxyHostname
 	proxyListenerID := msg.ProxyListenerId
@@ -854,10 +883,60 @@ func (s *ServerService) UpdateServer(ctx context.Context, req *connect.Request[v
 		needsRecreation = true
 	}
 
-	// Handle docker overrides update
+	// Handle docker overrides update with init commands validation
 	if msg.DockerOverrides != nil {
+		// Check if init commands changed
+		oldInitCommands := []string{}
+		if server.DockerOverrides != nil {
+			oldInitCommands = server.DockerOverrides.InitCommands
+		}
+		newInitCommands := msg.DockerOverrides.InitCommands
+
+		// Compare init commands
+		commandsChanged := len(oldInitCommands) != len(newInitCommands)
+		if !commandsChanged {
+			for i := range oldInitCommands {
+				if oldInitCommands[i] != newInitCommands[i] {
+					commandsChanged = true
+					break
+				}
+			}
+		}
+
+		// Validate init commands if changed - admin only, requires auth enabled
+		if commandsChanged && len(newInitCommands) > 0 {
+			authConfig, _, err := s.store.GetAuthConfig(ctx)
+			if err == nil && !authConfig.Enabled {
+				return nil, connect.NewError(connect.CodeInvalidArgument,
+					fmt.Errorf("authentication must be enabled to use init commands"))
+			}
+
+			user := auth.GetUserFromContext(ctx)
+			if user == nil || user.Role != storage.RoleAdmin {
+				return nil, connect.NewError(connect.CodePermissionDenied,
+					fmt.Errorf("only administrators can configure init commands"))
+			}
+
+			// Audit log: Init commands modified
+			s.log.Info("[AUDIT] User %s (%s) modified init commands for server '%s' (ID: %s)",
+				user.Username, user.ID, server.Name, server.ID)
+			s.log.Info("[AUDIT]   Previous: %d commands, New: %d commands",
+				len(oldInitCommands), len(newInitCommands))
+
+			// Log new commands
+			for i, cmd := range newInitCommands {
+				cmdPreview := cmd
+				if len(cmdPreview) > 100 {
+					cmdPreview = cmdPreview[:100] + "..."
+				}
+				s.log.Info("[AUDIT]   New init command %d: %s", i+1, cmdPreview)
+			}
+		}
+
 		server.DockerOverrides = msg.DockerOverrides
-		needsRecreation = true
+		if commandsChanged || len(msg.DockerOverrides.InitCommands) > 0 {
+			needsRecreation = true
+		}
 	}
 
 	// Handle modpack version update

diff --git a/proto/discopanel/v1/common.proto b/proto/discopanel/v1/common.proto
@@ -147,6 +147,7 @@ message DockerOverrides {
   string working_dir = 17; // Working directory inside container
   repeated string entrypoint = 18; // Override default entrypoint
   repeated string command = 19; // Override default command
+  repeated string init_commands = 20; // Bash commands to run before entrypoint (ADMIN ONLY)
 }
 
 // TCP proxy listener endpoint