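# NixOS module for Drasl (Yggdrasil-compatible Minecraft auth server).
#
# Layout:
#   * drasl listens on loopback only; nginx terminates TLS and proxies to it.
#   * Browser-facing paths are put behind Authelia forward-auth; the API
#     paths that game clients/servers call (which cannot complete a browser
#     SSO flow) are proxied straight through and rely on drasl's own
#     authentication.
#   * Password login in drasl is disabled; accounts are created and
#     logged in via Authelia OIDC.
{ config, pkgs, lib, ... }:
let
  sources = import ./../../../shared/sources;
  flake-compat = sources.flake-compat;
  drasl = import flake-compat { src = sources.drasl; };

  svc_domain = "drasl.${config.mine.shared.settings.domain}";
  # Loopback port drasl binds to; only the local nginx talks to it.
  port = 25585;
  # Display name of the OIDC provider inside drasl. It is also the last
  # path segment of the OIDC callback URL registered with Authelia below,
  # so the two must stay in sync.
  draslOIDCName = "Authelia";
in
{
  imports = [ drasl.defaultNix.nixosModules.drasl ];

  services.drasl = {
    enable = true;
    settings = {
      ApplicationOwner = config.mine.shared.settings.brand;
      Domain = svc_domain;
      BaseURL = "https://${svc_domain}";
      # Bind to loopback only; all external traffic comes through nginx.
      ListenAddress = "localhost:${builtins.toString port}";

      # All LDAP users in group `drasl-admin` are default admins here.
      DefaultAdmins = config.mine.shared.lib.ldap.mkScope (lconfig: llib:
        lib.forEach
          (lib.filter
            (v: lib.elem lconfig.groups.drasl_admin (v.groups or [ ]))
            (lib.attrValues lconfig.provision.users))
          (v: v.mail)
      );

      # Allow importing existing Mojang players.
      ImportExistingPlayer = {
        Allow = true;
        Nickname = "Mojang";
        AccountURL = "https://api.mojang.com";
        SessionURL = "https://sessionserver.mojang.com";
        SetSkinURL = "https://www.minecraft.net/msaprofile/mygames/editskin";
        # Without skin verification, ownership of the imported Mojang
        # account is not proven at import time.
        RequireSkinVerification = false; # TODO: should maybe be changed to true in the future
      };
      RegistrationExistingPlayer.Allow = true;

      CreateNewPlayer.Allow = true;
      RegistrationNewPlayer.Allow = true;
      # Only allow login via OIDC; drasl never accepts passwords itself.
      AllowPasswordLogin = false;

      # OIDC against Authelia (client registration is further down).
      RegistrationOIDC = [{
        Name = draslOIDCName;
        Issuer = "https://${config.mine.shared.settings.authelia.domain}";
        ClientID = "drasl";
        # ClientSecret = "";
        # NOTE(review): the client secret is expected to come from the
        # EnvironmentFile below rather than from the store -- confirm that
        # drasl actually picks it up from the environment.
        PKCE = true;
        RequireInvite = false;
        AllowChoosingPlayerName = true;
      }];
    };
  };

  # Secrets: plaintext values never enter the nix store; they are read from
  # the agenix-provisioned environment file at unit start.
  systemd.services.drasl.serviceConfig.EnvironmentFile = config.age.secrets.drasl-env.path;
  # Trigger on the encrypted .age file (a store path whose hash changes
  # when the secret is re-encrypted). Triggering on `.path` would not
  # work: the decrypted runtime path is a constant string, so rotating
  # the secret would never restart the unit.
  systemd.services.drasl.restartTriggers = [ config.age.secrets.drasl-env.file ];

  # OIDC client registration in Authelia.
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    client_id = "drasl";
    client_name = "Drasl";
    # PHC-formatted pbkdf2 digest of the client secret, not the secret
    # itself; Authelia verifies the plaintext drasl presents against it,
    # so only the digest ends up in the world-readable store.
    client_secret =
      "$pbkdf2-sha512$310000$x8USzEVE/HW7/tiYtgTFaA$POg.0gZuWfHTuO0Z2Dd1GZ.T2813IAG.nWnwOarHGBz7aCGI1rdRoaS7gZ9V6bnTWWiFL/lqk5NFoqdZn94neg";
    # No consent screen for this first-party client.
    consent_mode = "implicit";
    # Exact-match redirect URI, derived from drasl's own BaseURL.
    redirect_uris = [
      "${config.services.drasl.settings.BaseURL}/web/oidc-callback/${draslOIDCName}"
    ];
    scopes = [ "openid" "profile" "email" ];
  }];

  # nginx
  services.nginx.virtualHosts."${svc_domain}" =
    let
      httpListenOn = "http://localhost:${builtins.toString port}";
    in
    config.mine.shared.lib.authelia.mkProtectedWebsite {
      forceSSL = true;
      enableACME = true;

      # Web UI: behind Authelia forward-auth.
      locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
        proxyPass = httpListenOn;
      };

      # The locations below bypass Authelia on purpose: game clients and
      # servers speak the Yggdrasil API and cannot complete a browser SSO
      # flow. Authentication on these paths is drasl's own, so anything
      # added here is reachable by anyone who can reach the vhost.

      # needed for clients to auth
      locations."/authlib-injector".proxyPass = httpListenOn;
      # needed for server to auth
      locations."/auth".proxyPass = httpListenOn;
      locations."/account".proxyPass = httpListenOn;
      locations."/session".proxyPass = httpListenOn;
      locations."/services".proxyPass = httpListenOn;
      # skins
      locations."/web/texture".proxyPass = httpListenOn;
    };

  # Persistence (drasl runs with a private state dir; keep it root-only).
  environment.persistence.root.directories = [
    { directory = "/var/lib/private/drasl"; mode = "0700"; }
  ];

  # meta
  mine.shared.meta.drasl = {
    name = "Drasl";
    description = ''
      Yggdrasil-compatible API server for Minecraft, which can be used instead of the official Minecraft authentication server.
      This means that we do not require Mojangs servers, to authenticate with any server managed by ${config.mine.shared.settings.brand}.
      It is possible to login with OIDC on Drasl, and then import your Mojang player into Drasl.
    '';
    url = "https://${svc_domain}";
    package =
      let
        pkg = config.services.drasl.package;
      in
      {
        name = pkg.pname;
        version = pkg.version;
        meta = {
          description = "Yggdrasil-compatible API server for Minecraft";
          license = lib.licenses.gpl3Only;
          homepage = "https://github.com/unmojang/drasl";
          platforms = lib.platforms.all;
        };
      };
  };

  # TODO(eyJhb): this should not be placed here
  mine.shared.meta.minecraft = {
    name = "Minecraft";
    description = ''We're running a vanilla Minecraft hosted externally by a member'';
    # Server address, not a web URL, hence no scheme.
    url = "mcvanilla.${config.mine.shared.settings.domain}";
    package =
      let
        pkg = pkgs.minecraft-server;
      in
      {
        name = pkg.pname;
        # Pinned by hand: the server is hosted externally, so the local
        # package version is not authoritative.
        version = "1.21.5";
        meta = pkg.meta;
      };
  };
}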