WIP: feat: Add minecraft server

configuration/default.nix

@@ -20,6 +20,7 @@
     ./services/foundryvtt.nix
     ./services/gitea.nix
     ./services/metrics
+    ./services/minecraft.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
     ./services/wireguard.nix
@@ -62,8 +63,6 @@
         8448
         # starbound
         21025
-        # Minecraft
-        25565
 
         config.services.coturn.listening-port
         config.services.coturn.tls-listening-port
@@ -72,9 +71,6 @@
       ];
 
       allowedUDPPorts = [
-        # More minecraft
-        25565
-
         config.services.coturn.listening-port
         config.services.coturn.tls-listening-port
         config.services.coturn.alt-listening-port

configuration/services/minecraft.nix

@@ -0,0 +1,83 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+{
+  services.minecraft-server = {
+    enable = true;
+    eula = true;
+    # jvmOpts are set using a file for forge
+    # jvmOpts = "-Xmx8G -Xms8G";
+    openFirewall = true;
+
+    declarative = true;
+
+    whitelist = {
+      tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
+      romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
+      lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
+    };
+
+    serverProperties = {
+      allow-flight = true;
+      difficulty = "hard";
+      motd = "tlater.net";
+      spawn-protection = 1;
+      white-list = true;
+      enable-query = true;
+      enable-status = true;
+
+      # Allows the server to write chunks without hogging the main
+      # thread...
+      sync-chunk-writes = false;
+      # Disables chat reporting, because we don't need any of that
+      # drama on a lil' friends-only server.
+      enforce-secure-profile = false;
+    };
+
+    package = pkgs.writeShellApplication {
+      name = "minecraft-server";
+      runtimeInputs = with pkgs; [ jdk17_headless ];
+
+      text = ''
+        exec /var/lib/minecraft/run.sh $@
+      '';
+    };
+  };
+
+  systemd.services.minecraft-server = {
+    path = with pkgs; [ jdk17_headless ];
+
+    # Since we read from our own HTTP server, we need to wait for it
+    # to be up
+    after = [ "nginx.service" ];
+
+    serviceConfig = {
+      # Use packwiz to install mods
+      ExecStartPre = [
+        "${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
+      ];
+      # Forge requires some bonus JVM options, which they include in a
+      # little `run.sh` script
+      ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
+    };
+  };
+
+  systemd.tmpfiles.settings."10-minecraft" = {
+    "/srv/minecraft".d = {
+      user = "nginx";
+      group = "minecraft";
+      mode = "0775";
+    };
+  };
+
+  services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
+    forceSSL = true;
+    useACMEHost = "tlater.net";
+    enableHSTS = true;
+
+    root = "/srv/minecraft";
+  };
+}