From 4436f3918bc03f77fea1adfeef090d7a0a2fd79e Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Sun, 6 Apr 2025 23:16:36 +0200
Subject: [PATCH] drasl: init - minecraft auth server (unmojang)

---
 machines/gerd.nix | 1 +
 machines/gerd/services/drasl.nix | 105 ++++++++++++++++++
 secrets/default.nix | 3 +
 secrets/drasl/authelia-secret.age | 12 ++
 secrets/drasl/env.age | Bin 0 -> 650 bytes
 secrets/secrets.nix | 3 +
 .../drasl-flakes-nix-add-option-package.patch | 24 ++++
 .../patches/drasl-registration-oidc-env.patch | 14 +++
 shared/sources/default.nix | 10 ++
 shared/sources/sources.json | 19 ++++
 10 files changed, 191 insertions(+)
 create mode 100644 machines/gerd/services/drasl.nix
 create mode 100644 secrets/drasl/authelia-secret.age
 create mode 100644 secrets/drasl/env.age
 create mode 100644 shared/patches/drasl-flakes-nix-add-option-package.patch
 create mode 100644 shared/patches/drasl-registration-oidc-env.patch

diff --git a/machines/gerd.nix b/machines/gerd.nix
index 2c9f463..434eb25 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -28,6 +28,7 @@
 ./gerd/services/uptime-kuma.nix
 ./gerd/services/rallly
 ./gerd/services/notify
+ ./gerd/services/drasl.nix
 ./gerd/services/monitoring
 ];
diff --git a/machines/gerd/services/drasl.nix b/machines/gerd/services/drasl.nix
new file mode 100644
index 0000000..dbfdf9c
--- /dev/null
+++ b/machines/gerd/services/drasl.nix
@@ -0,0 +1,105 @@
+{ config, ... }:
+
+let
+ sources = import ./../../../shared/sources;
+
+ flake-compat = sources.flake-compat;
+ drasl = import flake-compat { src = sources.drasl; };
+
+ svc_domain = "drasl.${config.mine.shared.settings.domain}";
+ port = 25585;
+
+ draslOIDCName = "Authelia";
+in {
+ imports = [
+ drasl.defaultNix.nixosModules.drasl
+ ];
+
+ services.drasl = {
+ enable = true;
+
+ settings = {
+ ApplicationOwner = config.mine.shared.settings.brand;
+ Domain = svc_domain;
+ BaseURL = "https://${svc_domain}";
+
+ ListenAddress = "localhost:${builtins.toString port}";
+
+ CreateNewPlayer.Allow = true;
+ RegistrationNewPlayer.Allow = true;
+ AllowPasswordLogin = false;
+
+ RegistrationOIDC = [{
+ Name = draslOIDCName;
+ Issuer = "https://${config.mine.shared.settings.authelia.domain}";
+ ClientID = "drasl";
+ # ClientSecret = "";
+ PKCE = true;
+ RequireInvite = false;
+ AllowChoosingPlayerName = true;
+ }];
+ };
+ };
+
+ # secrets
+ systemd.services.drasl.serviceConfig.EnvironmentFile = config.age.secrets.drasl-env.path;
+ systemd.services.drasl.restartTriggers = [ config.age.secrets.drasl-env.path ]; # unsure if this works
+
+ # setup for oidc
+ services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+ client_id = "drasl";
+ client_name = "Drasl";
+ client_secret = "$pbkdf2-sha512$310000$x8USzEVE/HW7/tiYtgTFaA$POg.0gZuWfHTuO0Z2Dd1GZ.T2813IAG.nWnwOarHGBz7aCGI1rdRoaS7gZ9V6bnTWWiFL/lqk5NFoqdZn94neg";
+ consent_mode = "implicit";
+ redirect_uris = [ "${config.services.drasl.settings.BaseURL}/web/oidc-callback/${draslOIDCName}" ];
+ scopes = [
+ "openid"
+ "profile"
+ "email"
+ ];
+ }];
+
+ # nginx
+ services.nginx.virtualHosts."${svc_domain}" = let
+ httpListenOn = "http://localhost:${builtins.toString port}";
+ in config.mine.shared.lib.authelia.mkProtectedWebsite {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
+ proxyPass = httpListenOn;
+ };
+
+ # needed for clients to auth
+ locations."/authlib-injector".proxyPass = httpListenOn;
+
+ # needed for server to auth
+ locations."/auth".proxyPass = httpListenOn;
+ locations."/account".proxyPass = httpListenOn;
+ locations."/session".proxyPass = httpListenOn;
+ locations."/services".proxyPass = httpListenOn;
+
+ # skins
+ locations."/web/texture".proxyPass = httpListenOn;
+ };
+
+ # persistence
+ environment.persistence.root.directories = [
+ { directory = "/var/lib/private/drasl"; mode = "0700"; }
+ ];
+
+ # meta
+ mine.shared.meta.drasl = rec {
+ name = "Drasl";
+ description = ''Yggdrasil-compatible API server for Minecraft'';
+ url = "https://${svc_domain}";
+
+ package = let
+ pkg = config.services.drasl.package;
+ in {
+ name = pkg.pname;
+ version = pkg.version;
+ meta = pkg.meta;
+ };
+ };
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index 23e56f8..af50e42 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -66,6 +66,9 @@
 # grafana
 grafana-authelia-secret.file = ./grafana/authelia-secret.age;
+
+ # drasl
+ drasl-env.file = ./drasl/env.age;
 };
 users.groups.secrets-lldap-bind-user-pass = {};
diff --git a/secrets/drasl/authelia-secret.age b/secrets/drasl/authelia-secret.age
new file mode 100644
index 0000000..67f64a0
--- /dev/null
+++ b/secrets/drasl/authelia-secret.age
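Review bot: `systemd.services.drasl.restartTriggers = [ config.age.secrets.drasl-env.path ];` will not do what the trailing `# unsure if this works` hopes: `.path` is the fixed runtime location of the decrypted secret, a constant string, so the trigger never changes and rotating the OIDC client secret leaves a running drasl with the stale value. Use the encrypted input instead, `systemd.services.drasl.restartTriggers = [ config.age.secrets.drasl-env.file ];` — the `.age` file is copied to the store and its path changes with its content — and drop the comment. Separately, Drasl requests `PKCE = true` but the Authelia client block for `drasl` does not require it, so unless enforced on the IdP side (current Authelia accepts `require_pkce = true; pkce_challenge_method = "S256";` in the client, if your version has those options) a code flow without PKCE is still accepted for this client. Finally, the unprotected `locations."/auth"`, `/account`, `/session`, `/services` and `/authlib-injector` entries deliberately bypass the Authelia forward-auth that guards `/`; a one-line comment such as `# intentionally NOT behind Authelia: game clients/servers speak the Yggdrasil API directly and cannot complete an SSO redirect` would stop a later reader from "fixing" them.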
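Review bot: `secrets/drasl/authelia-secret.age` is created by this commit but only `drasl-env.file = ./drasl/env.age;` is registered here, so nothing in the visible diff ever decrypts or references the second file (the Authelia client in `drasl.nix` carries a pbkdf2 hash, and Drasl gets its secret from the environment file). If the plaintext client secret already lives in `env.age`, `authelia-secret.age` is an unused copy of a live credential that will drift from the real one; either register it alongside `drasl-env` or remove it, and state which file is authoritative, e.g. `# drasl (the OIDC client secret is supplied to drasl via env.age; Authelia only stores its hash)`. `secrets/secrets.nix` is not in this chunk, so it may still be listed there for rekeying.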
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 QSDXqg ebgFyJS5wy6KlYd+FCwIr8E8f9BGXVS+buEXS/+h0xE +VsUaM8sZzvhBidHvmhlf8VBEHTWmY1+R/5gKF3BWQyA +-> X25519 zKGYd4fUcN0WOm29enxa9sdu2IASPyjZ2RMpH8AAMAA +tbZofRRRnTKaKwI5GBw3gf0gvIsWcH3mv8jr4v9Okd4 +-> ssh-ed25519 n8n9DQ u2gNkt7dggt++rZGevmIKVjX73M9v04opNq2YuAynD8 +7YHtRXzVmD1LQeJtcWnSsKKUAL/DKTxfGDFUTC+nNMM +-> ssh-ed25519 BTp6UA fESw3HOP8rvsUgeDKm+BCT5h5HnMbzjlrzU6en6mfGo +Bz0BOmOgDz3wrSaHz7eDe1Y70dpzuRLOdjALmCN14UA +--- vDJkQ31TTcesjWK6t5LNIjPQp3d10i2NRU1lITQDZEI +%~f Ѳq?GkFy7ܓ(2eF|4pSCD%_ovAC+zFEukD(3LAoKQcGhr6|8NC^N9sCDh5-IWfoB+*RK+ zFTKnuAlb_(JFq;Z%FNT-%ok(>vVZa{@+@5f72H#+NZV(QR`IDKHClR4_0P^iRq62@i8MH;nN2^)^aR3#crObj`GIORfq{ zi_#AX%`ww2G)#B)j$sNj`)M`x+O|I)CBpY)d_?x7wHiC~m8_`waP;JI?&T+C%V!iWcxfl? zZk>GguYc5cp5*<9=C{wWv-{-uU){8I(!IF~_k9H83ZCDz&p5Sk`GKRWEv9T=d+~+B z6|F62ws&m2>*u`KwS2kzjZM3//archive/.tar.gz" }, + "drasl": { + "sha256": "08fxv66qx5a8q52ci0hw2yvxx14a3mdsds5i79brxc1hilxiaksw", + "type": "tarball", + "url": "https://github.com/unmojang/drasl/archive/v3.0.0.tar.gz", + "url_template": "https://github.com/unmojang/drasl/archive/.tar.gz", + "version": "v3.0.0" + }, + "flake-compat": { + "branch": "master", + "description": null, + "homepage": null, + "owner": "edolstra", + "repo": "flake-compat", + "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec", + "sha256": "19d2z6xsvpxm184m41qrpi1bplilwipgnzv9jy17fgw421785q1m", + "type": "tarball", + "url": "https://github.com/edolstra/flake-compat/archive/ff81ac966bb2cae68946d5ed5fc4994f96d0ffec.tar.gz", + "url_template": "https://github.com///archive/.tar.gz" + }, "impermanence": { "branch": "master", "description": "Modules to help you handle persistent state on systems with ephemeral root storage [maintainer=@talyz]",