drasl: init - minecraft auth server (unmojang)

machines/gerd.nix

@@ -28,6 +28,7 @@
     ./gerd/services/uptime-kuma.nix
     ./gerd/services/rallly
     ./gerd/services/notify
+    ./gerd/services/drasl.nix
 
     ./gerd/services/monitoring
   ];

machines/gerd/services/drasl.nix

@@ -0,0 +1,105 @@
+{ config, ... }:
+
+let
+  sources = import ./../../../shared/sources;
+
+  flake-compat = sources.flake-compat;
+  drasl = import flake-compat { src = sources.drasl; };
+
+  svc_domain = "drasl.${config.mine.shared.settings.domain}";
+  port = 25585;
+
+  draslOIDCName = "Authelia";
+in {
+  imports = [
+    drasl.defaultNix.nixosModules.drasl
+  ];
+
+  services.drasl = {
+    enable = true;
+
+    settings = {
+      ApplicationOwner = config.mine.shared.settings.brand;
+      Domain = svc_domain;
+      BaseURL = "https://${svc_domain}";
+
+      ListenAddress = "localhost:${builtins.toString port}";
+
+      CreateNewPlayer.Allow = true;
+      RegistrationNewPlayer.Allow = true;
+      AllowPasswordLogin = false;
+
+      RegistrationOIDC = [{
+        Name = draslOIDCName;
+        Issuer = "https://${config.mine.shared.settings.authelia.domain}";
+        ClientID = "drasl";
+        # ClientSecret = "<gotten-from-env>";
+        PKCE = true;
+        RequireInvite = false;
+        AllowChoosingPlayerName = true;
+      }];
+    };
+  };
+
+  # secrets
+  systemd.services.drasl.serviceConfig.EnvironmentFile = config.age.secrets.drasl-env.path;
+  systemd.services.drasl.restartTriggers = [ config.age.secrets.drasl-env.path ]; # unsure if this works
+
+  # setup for oidc
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+    client_id = "drasl";
+    client_name = "Drasl";
+    client_secret = "$pbkdf2-sha512$310000$x8USzEVE/HW7/tiYtgTFaA$POg.0gZuWfHTuO0Z2Dd1GZ.T2813IAG.nWnwOarHGBz7aCGI1rdRoaS7gZ9V6bnTWWiFL/lqk5NFoqdZn94neg";
+    consent_mode = "implicit";
+    redirect_uris = [ "${config.services.drasl.settings.BaseURL}/web/oidc-callback/${draslOIDCName}" ];
+    scopes = [
+      "openid"
+      "profile"
+      "email"
+    ];
+  }];
+
+  # nginx
+  services.nginx.virtualHosts."${svc_domain}" = let
+    httpListenOn = "http://localhost:${builtins.toString port}";
+  in config.mine.shared.lib.authelia.mkProtectedWebsite {
+    forceSSL = true;
+    enableACME = true;
+    
+    locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
+      proxyPass = httpListenOn;
+    };
+
+    # needed for clients to auth
+    locations."/authlib-injector".proxyPass = httpListenOn;
+
+    # needed for server to auth
+    locations."/auth".proxyPass = httpListenOn;
+    locations."/account".proxyPass = httpListenOn;
+    locations."/session".proxyPass = httpListenOn;
+    locations."/services".proxyPass = httpListenOn;
+
+    # skins
+    locations."/web/texture".proxyPass = httpListenOn;
+  };
+
+  # persistence
+  environment.persistence.root.directories = [
+    { directory = "/var/lib/private/drasl"; mode = "0700"; }
+  ];
+
+  # meta
+  mine.shared.meta.drasl = rec {
+    name = "Drasl";
+    description = ''Yggdrasil-compatible API server for Minecraft'';
+    url = "https://${svc_domain}";
+
+    package = let
+      pkg = config.services.drasl.package;
+    in {
+      name = pkg.pname;
+      version = pkg.version;
+      meta = pkg.meta;
+    };
+  };
+}

secrets/default.nix

@@ -66,6 +66,9 @@
 
     # grafana
     grafana-authelia-secret.file = ./grafana/authelia-secret.age;
+
+    # drasl
+    drasl-env.file = ./drasl/env.age;
   };
 
   users.groups.secrets-lldap-bind-user-pass = {};

secrets/drasl/authelia-secret.age

@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg ebgFyJS5wy6KlYd+FCwIr8E8f9BGXVS+buEXS/+h0xE
+VsUaM8sZzvhBidHvmhlf8VBEHTWmY1+R/5gKF3BWQyA
+-> X25519 zKGYd4fUcN0WOm29enxa9sdu2IASPyjZ2RMpH8AAMAA
+tbZofRRRnTKaKwI5GBw3gf0gvIsWcH3mv8jr4v9Okd4
+-> ssh-ed25519 n8n9DQ u2gNkt7dggt++rZGevmIKVjX73M9v04opNq2YuAynD8
+7YHtRXzVmD1LQeJtcWnSsKKUAL/DKTxfGDFUTC+nNMM
+-> ssh-ed25519 BTp6UA fESw3HOP8rvsUgeDKm+BCT5h5HnMbzjlrzU6en6mfGo
+Bz0BOmOgDz3wrSaHz7eDe1Y70dpzuRLOdjALmCN14UA
+--- vDJkQ31TTcesjWK6t5LNIjPQp3d10i2NRU1lITQDZEI
+%ü~Òf¶éÁѲ¿qÓ?Gk…ÉF±<46>þç±yª<79>Çâ7ÛÜ“(»¾<<3C>U±åE¯ãH%,ð¹@o€½¤c
+ìd“Áö=?zS†ÛPŒl¯þµ~…JÌôVØ[JúŽ;”-ßþvfHÙ¢©ô•

secrets/secrets.nix

@@ -76,4 +76,7 @@ in
 
   # grafana
   "grafana/authelia-secret.age".publicKeys = defaultAccess;
+
+  # drasl
+  "drasl/env.age".publicKeys = defaultAccess;
 }

shared/patches/drasl-flakes-nix-add-option-package.patch

@@ -0,0 +1,24 @@
+diff --git a/flake.nix b/flake.nix
+index f6cfa25..68358a8 100644
+--- a/flake.nix
++++ b/flake.nix
+@@ -101,6 +101,7 @@
+       in {
+         options.services.drasl = {
+           enable = mkEnableOption (lib.mdDoc ''drasl'');
++	  package = mkPackageOption { drasl = self.defaultPackage.${pkgs.system}; } "drasl" {};
+           settings = mkOption {
+             type = format.type;
+             default = {};
+@@ -115,10 +116,9 @@
+             wantedBy = ["multi-user.target"];
+ 
+             serviceConfig = let
+-              pkg = self.defaultPackage.${pkgs.system};
+               config = format.generate "config.toml" cfg.settings;
+             in {
+-              ExecStart = "${pkg}/bin/drasl -config ${config}";
++              ExecStart = "${cfg.package}/bin/drasl -config ${config}";
+               DynamicUser = true;
+               StateDirectory = "drasl";
+               Restart = "always";

shared/patches/drasl-registration-oidc-env.patch

@@ -0,0 +1,14 @@
+diff --git a/config.go b/config.go
+index 24e17b5..11194e6 100644
+--- a/config.go
++++ b/config.go
+@@ -393,6 +393,9 @@ func CleanConfig(config *Config) error {
+ 			return fmt.Errorf("Duplicate RegistrationOIDC Name: %s", oidcConfig.Name)
+ 		}
+ 		oidcNames.Add(oidcConfig.Name)
++		envkey := fmt.Sprintf("DRASL_REGISTRATION_OIDC_%s_CLIENT_SECRET", strings.ToUpper(oidcConfig.Name))
++		envvalue := strings.TrimSpace(Getenv(envkey, oidcConfig.ClientSecret))
++		oidcConfig.ClientSecret = envvalue
+ 		oidcConfig.Issuer, err = cleanURL(
+ 			fmt.Sprintf("RegistrationOIDC %s Issuer", oidcConfig.Name),
+ 			mo.Some("https://idm.example.com/oauth2/openid/drasl"),

shared/sources/default.nix

@@ -20,4 +20,14 @@ in sources // {
       # })
     ];
   };
+
+  drasl = pkgs.applyPatches {
+    src = sources.drasl;
+    name = "drasl-patched";
+    patches = [
+      ./../patches/drasl-flakes-nix-add-option-package.patch
+      ./../patches/drasl-registration-oidc-env.patch
+      
+    ];
+  };
 }

shared/sources/sources.json

@@ -23,6 +23,25 @@
         "url": "https://github.com/nix-community/disko/archive/19c1140419c4f1cdf88ad4c1cfb6605597628940.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
+    "drasl": {
+        "sha256": "08fxv66qx5a8q52ci0hw2yvxx14a3mdsds5i79brxc1hilxiaksw",
+        "type": "tarball",
+        "url": "https://github.com/unmojang/drasl/archive/v3.0.0.tar.gz",
+        "url_template": "https://github.com/unmojang/drasl/archive/<version>.tar.gz",
+        "version": "v3.0.0"
+    },
+    "flake-compat": {
+        "branch": "master",
+        "description": null,
+        "homepage": null,
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "sha256": "19d2z6xsvpxm184m41qrpi1bplilwipgnzv9jy17fgw421785q1m",
+        "type": "tarball",
+        "url": "https://github.com/edolstra/flake-compat/archive/ff81ac966bb2cae68946d5ed5fc4994f96d0ffec.tar.gz",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+    },
     "impermanence": {
         "branch": "master",
         "description": "Modules to help you handle persistent state on systems with ephemeral root storage [maintainer=@talyz]",