server-configs/machines/gerd/services/drasl.nix


{ config, pkgs, lib, ... }:
let
# Pinned inputs: the drasl flake is consumed through flake-compat so this
# plain (non-flake) module can import the NixOS module it ships.
sources = import ./../../../shared/sources;
inherit (sources) flake-compat;
drasl = import flake-compat { src = sources.drasl; };
# Public hostname of this service, derived from the shared base domain.
svc_domain = "drasl.${config.mine.shared.settings.domain}";
# Loopback port drasl listens on; nginx is the only thing that talks to it.
port = 25585;
# Display name of the OIDC provider inside drasl. It is also embedded in the
# callback URL registered with Authelia, so both must stay in sync.
draslOIDCName = "Authelia";
in {
# NixOS module shipped by drasl itself; it provides the services.drasl options.
imports = [ drasl.defaultNix.nixosModules.drasl ];
services.drasl = {
  enable = true;
  settings = {
    ApplicationOwner = config.mine.shared.settings.brand;
    Domain = svc_domain;
    BaseURL = "https://${svc_domain}";
    # Bind to loopback only; nginx (configured further down) is the sole
    # entry point and decides which paths are reachable without Authelia.
    ListenAddress = "localhost:${toString port}";
    # Every provisioned LDAP user in the `drasl_admin` group becomes a
    # default admin, identified by mail address.
    DefaultAdmins = config.mine.shared.lib.ldap.mkScope (lconfig: _llib:
      let
        isAdmin = u: lib.elem lconfig.groups.drasl_admin (u.groups or []);
        users = lib.attrValues lconfig.provision.users;
      in map (u: u.mail) (lib.filter isAdmin users)
    );
    # Importing existing players from Mojang's servers.
    ImportExistingPlayer = {
      Allow = true;
      Nickname = "Mojang";
      AccountURL = "https://api.mojang.com";
      SessionURL = "https://sessionserver.mojang.com";
      SetSkinURL = "https://www.minecraft.net/msaprofile/mygames/editskin";
      # TODO: should maybe be changed to true in the future.
      # NOTE(review): while this is off, drasl presumably does not verify that
      # the importing user controls the Mojang account (the skin-based
      # ownership check), so any user who can log in here could claim an
      # existing Mojang player name/UUID on this instance -- confirm against
      # the drasl docs before relying on imported identities.
      RequireSkinVerification = false;
    };
    RegistrationExistingPlayer = { Allow = true; };
    # Accounts may be created freely, but password login is disabled, so
    # OIDC (Authelia) is the only way to log in.
    CreateNewPlayer = { Allow = true; };
    RegistrationNewPlayer = { Allow = true; };
    AllowPasswordLogin = false;
    # OIDC provider. PKCE is enabled on the drasl side; the client secret is
    # deliberately absent from this file and, per the comment below, comes
    # from the environment (see the EnvironmentFile on the systemd unit).
    RegistrationOIDC = [{
      Name = draslOIDCName;
      Issuer = "https://${config.mine.shared.settings.authelia.domain}";
      ClientID = "drasl";
      # ClientSecret = "<gotten-from-env>";
      PKCE = true;
      RequireInvite = false;
      AllowChoosingPlayerName = true;
    }];
  };
};
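# Secrets: the env file (carrying the OIDC ClientSecret, going by the comment
# in services.drasl.settings) is decrypted by agenix at activation time.
systemd.services.drasl = {
  serviceConfig.EnvironmentFile = config.age.secrets.drasl-env.path;
  # Restart drasl when the secret is rotated. `.path` is the decrypted
  # runtime location, a constant string that never differs between
  # generations, so it cannot act as a trigger. `.file` is the encrypted
  # source; assuming it is a path literal as usual, its store path changes
  # whenever the secret is re-encrypted, which is what we want to react to.
  restartTriggers = [ config.age.secrets.drasl-env.file ];
};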
# Register drasl as an OIDC client of the local Authelia instance.
services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
  client_id = "drasl";
  client_name = "Drasl";
  # Authelia's hashed form (PBKDF2-SHA512), not the usable secret. The
  # plaintext counterpart is presumably what the agenix env file hands to
  # the drasl unit as its ClientSecret -- confirm when rotating.
  client_secret = "$pbkdf2-sha512$310000$x8USzEVE/HW7/tiYtgTFaA$POg.0gZuWfHTuO0Z2Dd1GZ.T2813IAG.nWnwOarHGBz7aCGI1rdRoaS7gZ9V6bnTWWiFL/lqk5NFoqdZn94neg";
  # First-party application: no user consent screen.
  consent_mode = "implicit";
  # Must match drasl's callback route, which embeds the provider Name.
  redirect_uris = [ "${config.services.drasl.settings.BaseURL}/web/oidc-callback/${draslOIDCName}" ];
  scopes = [ "openid" "profile" "email" ];
  # NOTE(review): drasl is configured with PKCE = true; Authelia can also be
  # told to require it for this client (its `pkce_challenge_method` client
  # setting), which turns a client that silently stops sending PKCE into a
  # hard failure -- worth considering.
}];
# Reverse proxy. Only "/" (the web UI) is wrapped in Authelia forward-auth;
# the remaining paths are used by game clients and servers rather than
# browsers and are proxied straight through, so they are reachable on the
# public hostname without Authelia in front.
services.nginx.virtualHosts."${svc_domain}" =
  let
    upstream = "http://localhost:${toString port}";
    passthrough = { proxyPass = upstream; };
  in
  config.mine.shared.lib.authelia.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = config.mine.shared.lib.authelia.mkProtectedLocation { proxyPass = upstream; };
      # client-side authentication (authlib-injector)
      "/authlib-injector" = passthrough;
      # server-side authentication / session endpoints
      "/auth" = passthrough;
      "/account" = passthrough;
      "/session" = passthrough;
      "/services" = passthrough;
      # skin textures
      "/web/texture" = passthrough;
    };
  };
# Keep drasl's state across reboots on the impermanent root. The path under
# /var/lib/private/ suggests the unit runs with DynamicUser (StateDirectory),
# hence the owner-only mode -- verify against the upstream module.
environment.persistence.root.directories = [
  { mode = "0700"; directory = "/var/lib/private/drasl"; }
];
# Entry for the shared service catalogue.
mine.shared.meta.drasl = rec {
  name = "Drasl";
  description = ''
    Yggdrasil-compatible API server for Minecraft, which can be used instead of the official Minecraft authentication server.
    This means that we do not require Mojangs servers, to authenticate with any server managed by ${config.mine.shared.settings.brand}.
    It is possible to login with OIDC on Drasl, and then import your Mojang player into Drasl.
    '';
  url = "https://${svc_domain}";
  # Package metadata is taken from whatever the drasl module is configured
  # to run, so it follows the pinned input automatically.
  package =
    let pkg = config.services.drasl.package;
    in {
      name = pkg.pname;
      inherit (pkg) version;
      meta = {
        description = "Yggdrasil-compatible API server for Minecraft";
        license = lib.licenses.gpl3Only;
        homepage = "https://github.com/unmojang/drasl";
        platforms = lib.platforms.all;
      };
    };
};
# TODO(eyJhb): this should not be placed here
mine.shared.meta.minecraft = rec {
  name = "Minecraft";
  description = ''We're running a vanilla Minecraft hosted externally by a member'';
  url = "mcvanilla.${config.mine.shared.settings.domain}";
  package =
    let pkg = pkgs.minecraft-server;
    in {
      name = pkg.pname;
      # Pinned by hand rather than read from pkg: presumably the version of
      # the externally hosted server, which need not match
      # pkgs.minecraft-server -- confirm with whoever runs it.
      version = "1.21.5";
      inherit (pkg) meta;
    };
};
}