drasl: init - minecraft auth server (unmojang)

2025-04-06 23:16:36 +02:00 · 2025-04-06 23:16:36 +02:00 · 4436f3918b
commit 4436f3918b
parent 9a87a9e132
10 changed files with 191 additions and 0 deletions
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@ -28,6 +28,7 @@
    ./gerd/services/uptime-kuma.nix
    ./gerd/services/rallly
    ./gerd/services/notify
+    ./gerd/services/drasl.nix

    ./gerd/services/monitoring
  ];
--- a/machines/gerd/services/drasl.nix
+++ b/machines/gerd/services/drasl.nix
@ -0,0 +1,105 @@
+{ config, ... }:
+
+let
+  sources = import ./../../../shared/sources;
+
+  flake-compat = sources.flake-compat;
+  drasl = import flake-compat { src = sources.drasl; };
+
+  svc_domain = "drasl.${config.mine.shared.settings.domain}";
+  port = 25585;
+
+  draslOIDCName = "Authelia";
+in {
+  imports = [
+    drasl.defaultNix.nixosModules.drasl
+  ];
+
+  services.drasl = {
+    enable = true;
+
+    settings = {
+      ApplicationOwner = config.mine.shared.settings.brand;
+      Domain = svc_domain;
+      BaseURL = "https://${svc_domain}";
+
+      ListenAddress = "localhost:${builtins.toString port}";
+
+      CreateNewPlayer.Allow = true;
+      RegistrationNewPlayer.Allow = true;
+      AllowPasswordLogin = false;
+
+      RegistrationOIDC = [{
+        Name = draslOIDCName;
+        Issuer = "https://${config.mine.shared.settings.authelia.domain}";
+        ClientID = "drasl";
+        # ClientSecret = "<gotten-from-env>";
+        PKCE = true;
+        RequireInvite = false;
+        AllowChoosingPlayerName = true;
+      }];
+    };
+  };
+
+  # secrets
+  systemd.services.drasl.serviceConfig.EnvironmentFile = config.age.secrets.drasl-env.path;
+  systemd.services.drasl.restartTriggers = [ config.age.secrets.drasl-env.path ]; # unsure if this works
+
+  # setup for oidc
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+    client_id = "drasl";
+    client_name = "Drasl";
+    client_secret = "$pbkdf2-sha512$310000$x8USzEVE/HW7/tiYtgTFaA$POg.0gZuWfHTuO0Z2Dd1GZ.T2813IAG.nWnwOarHGBz7aCGI1rdRoaS7gZ9V6bnTWWiFL/lqk5NFoqdZn94neg";
+    consent_mode = "implicit";
+    redirect_uris = [ "${config.services.drasl.settings.BaseURL}/web/oidc-callback/${draslOIDCName}" ];
+    scopes = [
+      "openid"
+      "profile"
+      "email"
+    ];
+  }];
+
+  # nginx
+  services.nginx.virtualHosts."${svc_domain}" = let
+    httpListenOn = "http://localhost:${builtins.toString port}";
+  in config.mine.shared.lib.authelia.mkProtectedWebsite {
+    forceSSL = true;
+    enableACME = true;
+    
+    locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
+      proxyPass = httpListenOn;
+    };
+
+    # needed for clients to auth
+    locations."/authlib-injector".proxyPass = httpListenOn;
+
+    # needed for server to auth
+    locations."/auth".proxyPass = httpListenOn;
+    locations."/account".proxyPass = httpListenOn;
+    locations."/session".proxyPass = httpListenOn;
+    locations."/services".proxyPass = httpListenOn;
+
+    # skins
+    locations."/web/texture".proxyPass = httpListenOn;
+  };
+
+  # persistence
+  environment.persistence.root.directories = [
+    { directory = "/var/lib/private/drasl"; mode = "0700"; }
+  ];
+
+  # meta
+  mine.shared.meta.drasl = rec {
+    name = "Drasl";
+    description = ''Yggdrasil-compatible API server for Minecraft'';
+    url = "https://${svc_domain}";
+
+    package = let
+      pkg = config.services.drasl.package;
+    in {
+      name = pkg.pname;
+      version = pkg.version;
+      meta = pkg.meta;
+    };
+  };
+}