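{ config, ... }:

# NixOS module for the drasl (Yggdrasil-compatible Minecraft auth) service:
# the service itself, its Authelia OIDC client, the nginx vhost, state
# persistence and the shared "meta" entry.
let
  sources = import ./../../../shared/sources;
  flake-compat = sources.flake-compat;
  # drasl is a flake; flake-compat lets this non-flake config import its module.
  drasl = import flake-compat { src = sources.drasl; };

  svc_domain = "drasl.${config.mine.shared.settings.domain}";
  # Loopback port drasl listens on; nginx below is the only public entry point.
  port = 25585;
  # Provider name shown by drasl. It is also part of the OIDC redirect URI,
  # so the Authelia client registration below must use the same value.
  draslOIDCName = "Authelia";
in {
  imports = [
    drasl.defaultNix.nixosModules.drasl
  ];

  services.drasl = {
    enable = true;

    settings = {
      ApplicationOwner = config.mine.shared.settings.brand;
      Domain = svc_domain;
      BaseURL = "https://${svc_domain}";

      # Bind to loopback only; external traffic must come through nginx.
      ListenAddress = "localhost:${builtins.toString port}";

      CreateNewPlayer.Allow = true;
      RegistrationNewPlayer.Allow = true;
      # No local passwords: every account is created and logged in via OIDC.
      AllowPasswordLogin = false;

      RegistrationOIDC = [{
        Name = draslOIDCName;
        Issuer = "https://${config.mine.shared.settings.authelia.domain}";
        ClientID = "drasl";
        # Deliberately not set here: a value in `settings` would be rendered
        # into the world-readable Nix store. It is presumably provided through
        # the EnvironmentFile under "# secrets" below — confirm the variable
        # name drasl expects.
        # ClientSecret = "<gotten-from-env>";
        PKCE = true;
        RequireInvite = false;
        AllowChoosingPlayerName = true;
      }];
    };
  };

  # secrets
  # systemd reads EnvironmentFile as root before the service drops privileges,
  # so the agenix secret does not need to be readable by the service user.
  systemd.services.drasl.serviceConfig.EnvironmentFile = config.age.secrets.drasl-env.path;
  # Trigger on the encrypted source file: it is copied into the store, so its
  # store path changes whenever the secret is re-encrypted. The decrypted
  # runtime `.path` is a constant string and would never cause a restart.
  systemd.services.drasl.restartTriggers = [ config.age.secrets.drasl-env.file ];

  # setup for oidc
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    client_id = "drasl";
    client_name = "Drasl";
    # Hashed form of the client secret (pbkdf2-sha512 per its prefix), so it
    # is safe to keep in the store; the plaintext lives only in drasl's
    # environment file.
    client_secret = "$pbkdf2-sha512$310000$x8USzEVE/HW7/tiYtgTFaA$POg.0gZuWfHTuO0Z2Dd1GZ.T2813IAG.nWnwOarHGBz7aCGI1rdRoaS7gZ9V6bnTWWiFL/lqk5NFoqdZn94neg";
    # First-party client: no interactive consent screen.
    consent_mode = "implicit";
    # Must match drasl's callback route for the provider named draslOIDCName.
    redirect_uris = [ "${config.services.drasl.settings.BaseURL}/web/oidc-callback/${draslOIDCName}" ];
    scopes = [
      "openid"
      "profile"
      "email"
    ];
  }];

  # nginx
  services.nginx.virtualHosts."${svc_domain}" = let
    httpListenOn = "http://localhost:${builtins.toString port}";
  in config.mine.shared.lib.authelia.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;

    # The web UI sits behind Authelia.
    locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
      proxyPass = httpListenOn;
    };

    # The locations below use a plain proxyPass rather than
    # mkProtectedLocation, so they are presumably reachable without an
    # Authelia session (confirm what mkProtectedWebsite itself adds): game
    # clients and servers cannot complete a browser login, and drasl's own
    # token checks apply on these routes. Any route added here inherits
    # that exemption.
    # needed for clients to auth
    locations."/authlib-injector".proxyPass = httpListenOn;

    # needed for server to auth
    locations."/auth".proxyPass = httpListenOn;
    locations."/account".proxyPass = httpListenOn;
    locations."/session".proxyPass = httpListenOn;
    locations."/services".proxyPass = httpListenOn;

    # skins
    locations."/web/texture".proxyPass = httpListenOn;
  };

  # persistence
  # drasl keeps its state under the DynamicUser private directory; keep it
  # owner-only.
  environment.persistence.root.directories = [
    { directory = "/var/lib/private/drasl"; mode = "0700"; }
  ];

  # meta
  mine.shared.meta.drasl = rec {
    name = "Drasl";
    description = ''Yggdrasil-compatible API server for Minecraft'';
    url = "https://${svc_domain}";

    # Mirror the package actually selected by the drasl module so the meta
    # entry never drifts from what is deployed.
    package = let
      pkg = config.services.drasl.package;
    in {
      name = pkg.pname;
      version = pkg.version;
      meta = pkg.meta;
    };
  };
}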