WIP: feat: Add minecraft server

Flake lock file updates:

• Updated input 'disko':
    'github:nix-community/disko/ec7c109a4f794fce09aad87239eab7f66540b888' (2025-05-15)
  → 'github:nix-community/disko/df522e787fdffc4f32ed3e1fca9ed0968a384d62' (2025-05-20)
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/b965e4c283060415956ccd39eee4ca34a6a56cf8' (2025-05-16)
  → 'github:nixos/nixpkgs/c3ee76c437067f1ae09d6e530df46a3f80977992' (2025-05-24)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/e93ee1d900ad264d65e9701a5c6f895683433386' (2025-05-05)
  → 'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18)

configuration/default.nix

@@ -13,6 +13,7 @@
     "${modulesPath}/profiles/minimal.nix"
     (import ../modules)
 
+    ./services/authelia.nix
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit
@@ -21,6 +22,7 @@
     ./services/gitea.nix
     ./services/immich.nix
     ./services/metrics
+    ./services/minecraft.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
     ./services/wireguard.nix
@@ -63,8 +65,6 @@
         8448
         # starbound
         21025
-        # Minecraft
-        25565
 
         config.services.coturn.listening-port
         config.services.coturn.tls-listening-port
@@ -73,9 +73,6 @@
       ];
 
       allowedUDPPorts = [
-        # More minecraft
-        25565
-
         config.services.coturn.listening-port
         config.services.coturn.tls-listening-port
         config.services.coturn.alt-listening-port

configuration/services/authelia.nix

@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+  services.authelia.instances.tlaternet = {
+    enable = true;
+
+    settings = {
+      default_2fa_method = "totp";
+      headers.csp_template = todo!();
+
+      authentication_backend.ldap = {
+
+      };
+
+      totp = {
+        issuer = "tlater.net";
+      };
+
+      webauthn = {
+        # enable_passkey_login = true; ?
+        display_name = "tlater.net";
+      };
+
+      duo_api.disable = true;
+
+      telemetry.metrics.enabled = true;
+    };
+
+    secrets = {
+      storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
+      jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
+    };
+  };
+
+  services.lldap = {
+    enable = true;
+    settings = {
+      ldap_user_email = "admin@tlater.net";
+
+      ldap_base_dn = "dc=tlater,dc=net";
+
+      database_url = "postgres:///lldap";
+    };
+  };
+}

configuration/services/conduit/default.nix

@@ -1,6 +1,5 @@
 {
   pkgs,
-  flake-inputs,
   config,
   lib,
   ...
@@ -21,7 +20,7 @@ in
   services = {
     matrix-conduit = {
       enable = true;
-      package = flake-inputs.continuwuity.packages.${pkgs.system}.default;
+      package = pkgs.matrix-continuwuity;
       settings.global = {
         address = "127.0.0.1";
         server_name = domain;

configuration/services/conduit/matrix-hookshot.nix

@@ -29,16 +29,29 @@ let
     };
 
     # Encryption support
-    extraSettings = {
-      "de.sorunome.msc2409.push_ephemeral" = true;
-      push_ephemeral = true;
-      "org.matrix.msc3202" = true;
-    };
+    # TODO(tlater): Enable when
+    # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
+    # fixed
+    # extraSettings = {
+    #   "de.sorunome.msc2409.push_ephemeral" = true;
+    #   push_ephemeral = true;
+    #   "org.matrix.msc3202" = true;
+    # };
 
     runtimeRegistration = "${cfg.registrationFile}";
   };
 in
 {
+  # users = {
+  #   users.matrix-hookshot = {
+  #     home = "/run/matrix-hookshot";
+  #     group = "matrix-hookshot";
+  #     isSystemUser = true;
+  #   };
+
+  #   groups.matrix-hookshot = { };
+  # };
+
   systemd.services.matrix-hookshot = {
     serviceConfig = {
       Type = lib.mkForce "exec";
@@ -49,6 +62,7 @@ in
       # Some library in matrix-hookshot wants a home directory
       Environment = [ "HOME=/run/matrix-hookshot" ];
 
+      # User = "matrix-hookshot";
       DynamicUser = true;
       StateDirectory = "matrix-hookshot";
       RuntimeDirectory = "matrix-hookshot";
@@ -62,7 +76,11 @@ in
       ProtectKernelModules = true;
       ProtectKernelLogs = true;
       ProtectControlGroups = true;
-      RestrictAddressFamilies = [ "AF_INET AF_INET6" ];
+      RestrictAddressFamilies = [
+        # "AF_UNIX"
+        "AF_INET"
+        "AF_INET6"
+      ];
       LockPersonality = true;
       RestrictRealtime = true;
       ProtectProc = "invisible";
@@ -71,6 +89,11 @@ in
     };
   };
 
+  # services.redis.servers.matrix-hookshot = {
+  #   enable = true;
+  #   user = "matrix-hookshot";
+  # };
+
   services.matrix-hookshot = {
     enable = true;
 
@@ -89,6 +112,8 @@ in
 
       bot.displayname = "Hookshot";
 
+      # cache.redisUri = "redis://${config.services.redis.servers.matrix-hookshot.unixSocket}";
+
       generic = {
         enabled = true;
         outbound = false;
@@ -98,7 +123,10 @@ in
         allowJsTransformationFunctions = true;
       };
 
-      encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore";
+      # TODO(tlater): Enable when
+      # https://github.com/matrix-org/matrix-hookshot/issues/1060 is
+      # fixed
+      # encryption.storagePath = "/var/lib/matrix-hookshot/cryptostore";
 
       permissions = [
         {

configuration/services/foundryvtt.nix

@@ -18,7 +18,7 @@ in
       minifyStaticFiles = true;
       proxySSL = true;
       proxyPort = 443;
-      package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_11;
+      package = flake-inputs.foundryvtt.packages.${pkgs.system}.foundryvtt_13;
     };
 
     nginx.virtualHosts."${domain}" =

configuration/services/metrics/grafana.nix

@@ -1,9 +1,4 @@
-{
-  pkgs,
-  config,
-  flake-inputs,
-  ...
-}:
+{ pkgs, config, ... }:
 let
   domain = "metrics.${config.services.nginx.domain}";
 in
@@ -35,7 +30,7 @@ in
 
     declarativePlugins = [
       pkgs.grafanaPlugins.victoriametrics-metrics-datasource
-      flake-inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.grafanaPlugins.victoriametrics-logs-datasource
+      pkgs.grafanaPlugins.victoriametrics-logs-datasource
     ];
 
     provision = {

configuration/services/metrics/victoriametrics.nix

@@ -9,6 +9,10 @@ in
     extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
 
     scrapeConfigs = {
+      authelia = {
+        targets = [ "127.0.0.1:9959" ];
+      };
+
       forgejo = {
         targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
         extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;

configuration/services/minecraft.nix

@@ -0,0 +1,83 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+{
+  services.minecraft-server = {
+    enable = true;
+    eula = true;
+    # jvmOpts are set using a file for forge
+    # jvmOpts = "-Xmx8G -Xms8G";
+    openFirewall = true;
+
+    declarative = true;
+
+    whitelist = {
+      tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
+      romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
+      lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
+    };
+
+    serverProperties = {
+      allow-flight = true;
+      difficulty = "hard";
+      motd = "tlater.net";
+      spawn-protection = 1;
+      white-list = true;
+      enable-query = true;
+      enable-status = true;
+
+      # Allows the server to write chunks without hogging the main
+      # thread...
+      sync-chunk-writes = false;
+      # Disables chat reporting, because we don't need any of that
+      # drama on a lil' friends-only server.
+      enforce-secure-profile = false;
+    };
+
+    package = pkgs.writeShellApplication {
+      name = "minecraft-server";
+      runtimeInputs = with pkgs; [ jdk17_headless ];
+
+      text = ''
+        exec /var/lib/minecraft/run.sh $@
+      '';
+    };
+  };
+
+  systemd.services.minecraft-server = {
+    path = with pkgs; [ jdk17_headless ];
+
+    # Since we read from our own HTTP server, we need to wait for it
+    # to be up
+    after = [ "nginx.service" ];
+
+    serviceConfig = {
+      # Use packwiz to install mods
+      ExecStartPre = [
+        "${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
+      ];
+      # Forge requires some bonus JVM options, which they include in a
+      # little `run.sh` script
+      ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
+    };
+  };
+
+  systemd.tmpfiles.settings."10-minecraft" = {
+    "/srv/minecraft".d = {
+      user = "nginx";
+      group = "minecraft";
+      mode = "0775";
+    };
+  };
+
+  services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
+    forceSSL = true;
+    useACMEHost = "tlater.net";
+    enableHSTS = true;
+
+    root = "/srv/minecraft";
+  };
+}

configuration/services/nextcloud.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  nextcloud = pkgs.nextcloud30;
+  nextcloud = pkgs.nextcloud31;
   hostName = "nextcloud.${config.services.nginx.domain}";
 in
 {
@@ -19,10 +19,10 @@ in
           packageOverrides = _: prev: {
             extensions = prev.extensions // {
               pgsql = prev.extensions.pgsql.overrideAttrs (_: {
-                configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package}" ];
+                configureFlags = [ "--with-pgsql=${lib.getDev config.services.postgresql.package.pg_config}" ];
               });
               pdo_pgsql = prev.extensions.pdo_pgsql.overrideAttrs (_: {
-                configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package}" ];
+                configureFlags = [ "--with-pdo-pgsql=${lib.getDev config.services.postgresql.package.pg_config}" ];
               });
             };
           };

configuration/services/postgres.nix

@@ -25,6 +25,10 @@
         name = "nextcloud";
         ensureDBOwnership = true;
       }
+      {
+        name = "lldap";
+        ensureDBOwnership = true;
+      }
     ];
 
     ensureDatabases = [

configuration/sops.nix

@@ -3,6 +3,9 @@
     defaultSopsFile = ../keys/production.yaml;
 
     secrets = {
+      "authelia/storage-encryption-key" = { };
+      "authelia/jwt-secret" = { };
+
       "battery-manager/email" = { };
 
       "battery-manager/password" = { };

flake.nix

@@ -2,12 +2,7 @@
   description = "tlater.net host configuration";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11-small";
-    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
-    continuwuity = {
-      url = "git+https://forgejo.ellis.link/continuwuation/continuwuity.git?ref=refs/tags/v0.5.0-rc.5";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05-small";
     disko = {
       url = "github:nix-community/disko";
       inputs.nixpkgs.follows = "nixpkgs";

keys/staging.yaml

@@ -1,3 +1,6 @@
+authelia:
+    storage-encryption-key: ENC[AES256_GCM,data:J42pTSYI/5s=,iv:BfXT8FkVp1qubn32fhoeXPn8ZZhSqHLxkDLJ3WJ88To=,tag:Bz9AGodTY8vacu4d8jSXyA==,type:str]
+    jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
 porkbun:
     api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
     secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@@ -37,8 +40,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2025-02-07T17:43:24Z"
-    mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str]
+    lastmodified: "2025-05-23T22:56:39Z"
+    mac: ENC[AES256_GCM,data:lTwuWYMhZtKe/904EFiVOH2YRqW7Y0Bae+14x5cCdRIH7NORRXLdJkcO2X0vq8uXDi4MRAauLHUp5gAr+kM0ygKQHQnIOPo/8+hZKIdZt1jgUVBj4wh+6D+kVTIsekizPIf9L3m0hH701LqpQ0EvYjGYiHoKx/WxrK9u1hmDVCk=,iv:yCibsageq+8TO01U7Ej8hgpFeWPLPp+JrlvpocvXHBE=,tag:Qy6ZjBdNHhlXDCwaF8sHWQ==,type:str]
     pgp:
         - created_at: "2025-01-21T17:55:30Z"
           enc: |-
@@ -76,4 +79,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4

modules/crowdsec/default.nix

@@ -247,10 +247,7 @@ in
             online_client = {
               # By default, we don't let crowdsec phone home, since
               # this is usually within NixOS users' concerns.
-              #
-              # TODO: Enable when this option becomes available
-              # (1.6.4, current nixpkgs-unstable)
-              # sharing = lib.mkDefault false;
+              sharing = lib.mkDefault false;
               credentials_path = cfg.centralApiCredentials;
             };
           };