From 3ba7f68e59cd7f635c752b4ef3c755d536eee619 Mon Sep 17 00:00:00 2001
From: Gerg-L
Date: Sun, 5 Mar 2023 00:23:27 -0500
Subject: [PATCH] setup minecraft server container

---
 systems/gerg-desktop/containers.nix | 110 ++++++++++++++++++++++++++++
 systems/gerg-desktop/default.nix | 10 ++-
 2 files changed, 117 insertions(+), 3 deletions(-)
 create mode 100644 systems/gerg-desktop/containers.nix

diff --git a/systems/gerg-desktop/containers.nix b/systems/gerg-desktop/containers.nix
new file mode 100644
index 0000000..9fa3aff
--- /dev/null
+++ b/systems/gerg-desktop/containers.nix
@@ -0,0 +1,110 @@
+_: {...}: {
+ networking = {
+ firewall = {
+ # allowedUDPPorts = [25565];
+ # allowedTCPPorts = [25565];
+ };
+ };
+
+ containers."minecraft" = {
+ privateNetwork = true;
+ hostBridge = "bridge0";
+ localAddress = "192.168.1.10/24";
+ localAddress6 = "2605:59c8:2500:5394::ffff/64";
+ bindMounts."/mnt/minecraft" = {
+ mountPoint = "/minecraft";
+ hostPath = "/mnt/minecraft";
+ isReadOnly = false;
+ };
+
+ config = {pkgs, ...}: let
+ stopScript = pkgs.writeShellScript "minecraft-server-stop" ''
+ echo stop > /run/minecraft-server.stdin
+ # Wait for the PID of the minecraft server to disappear before
+ # returning, so systemd doesn't attempt to SIGKILL it.
+ while kill -0 "$1" 2> /dev/null; do
+ sleep 1s
+ done
+ '';
+ in {
+ nixpkgs.config.allowUnfree = true;
+ environment.systemPackages = [pkgs.neovim];
+ networking = {
+ defaultGateway = "192.168.1.1";
+ nameservers = ["1.1.1.1" "1.0.0.1"];
+ firewall = {
+ allowedUDPPorts = [25565];
+ allowedTCPPorts = [25565];
+ };
+ };
+
+ system.stateVersion = "23.05";
+ users.users.minecraft = {
+ description = "Minecraft server service user";
+ home = "/minecraft";
+ createHome = true;
+ isSystemUser = true;
+ group = "minecraft";
+ };
+ users.groups.minecraft = {};
+
+ systemd.sockets.minecraft-server = {
+ bindsTo = ["minecraft-server.service"];
+ socketConfig = {
+ ListenFIFO = "/run/minecraft-server.stdin";
+ SocketMode = "0660";
+ SocketUser = "minecraft";
+ SocketGroup = "minecraft";
+ RemoveOnStop = true;
+ FlushPending = true;
+ };
+ };
+
+ systemd.services.minecraft-server = {
+ enable = true;
+ description = "Minecraft Server Service";
+ wantedBy = ["multi-user.target"];
+ requires = ["minecraft-server.socket"];
+ after = ["network.target" "minecraft-server.socket"];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.papermc}/bin/minecraft-server -Xms8G -Xmx8G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
+ ExecStop = "${stopScript} $MAINPID";
+ Restart = "always";
+ User = "minecraft";
+ WorkingDirectory = "/minecraft";
+
+ StandardInput = "socket";
+ StandardOutput = "journal";
+ StandardError = "journal";
+
+ # Hardening
+ CapabilityBoundingSet = [""];
+ DeviceAllow = [""];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ };
+ preStart = ''
+ echo "eula=true" > eula.txt
+
+ '';
+ };
+ };
+ };
+}
diff --git a/systems/gerg-desktop/default.nix b/systems/gerg-desktop/default.nix
index 0dadb83..a5ebf3c 100644
--- a/systems/gerg-desktop/default.nix
+++ b/systems/gerg-desktop/default.nix
@@ -11,6 +11,7 @@ inputs: {
 (import ./spicetify.nix inputs)
 #(import ./mining.nix inputs)
 (import ./zfs inputs)
+ (import ./containers.nix inputs)
 ];
 
 system.stateVersion = "23.05";
@@ -50,9 +51,6 @@ inputs: {
 networking = {
 hostName = "gerg-desktop";
 hostId = "288b56db";
- useDHCP = false;
- dhcpcd.enable = false;
- networkmanager.enable = false;
 nameservers = ["1.1.1.1" "1.0.0.1"];
 defaultGateway = "192.168.1.1";
 interfaces = {
@@ -68,9 +66,15 @@ inputs: {
 prefixLength = 24;
 }
 ];
+ ipv6.addresses = [
+ # {
+ # prefixLength = 64;
+ # }
+ ];
 };
 };
 bridges."bridge0".interfaces = ["eth0"];
+ firewall.enable = true;
 };
 #user managment
 users = {
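Review bot: Nothing starts the container at boot: `containers.minecraft.autoStart` is left at its default of false, so the `wantedBy = ["multi-user.target"]` on the inner minecraft-server service only takes effect after a manual `nixos-container start minecraft`; if the server is meant to come up with the host, add `autoStart = true;` beside `privateNetwork = true;`. The service user is declared with `isSystemUser = true` and no fixed id, so the uid that ends up owning the bind-mounted world data under `/mnt/minecraft` on the host is whatever the container allocates at activation rather than something known up front, which makes host-side ownership of that directory hard to reason about; pinning it with `uid = <fixed-uid>;` on `users.users.minecraft` and `gid = <fixed-gid>;` on `users.groups.minecraft` (placeholders — the nixpkgs minecraft-server module uses `config.ids.uids.minecraft` for the same purpose) keeps it stable. The commented-out `allowedUDPPorts`/`allowedTCPPorts` under the host's `networking.firewall` at the top of the file are dead config — with `privateNetwork = true` and `hostBridge` the container has its own stack and opens 25565 in its own firewall — so either delete them or add a one-line comment saying why they are kept.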
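Review bot: Dropping `useDHCP = false;` re-enables DHCP on the host, because the global `networking.useDHCP` defaults to true, so dhcpcd will be started again after this change even though every address in this file is static. The NixOS dhcpcd module should exclude the statically addressed `bridge0` and its declared member `eth0`, but the host side of the container's veth that is attached to `bridge0` at container start is not listed in `networking.bridges`, so confirm after switching that dhcpcd does not begin leasing on it. If the removal was only meant to silence the deprecation warning on the global flag, setting `useDHCP = false;` on the individual `networking.interfaces` entries is the replacement; the `dhcpcd.enable` and `networkmanager.enable` removals are harmless on their own once DHCP stays off. The enclosing `networking` attribute set continues past the end of this hunk.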
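Review bot: The new `ipv6.addresses = [ ... ]` is an empty list wrapped around a commented-out skeleton that has no `address` field, so it is a no-op placeholder that only adds noise to the interface entry; either fill it in or drop it until the address is known. It is worth deciding now because the container in containers.nix is given a global `localAddress6` on a /64 while the host interface here presumably only carries the IPv4 address whose `prefixLength = 24;` is in context, so reaching the container over IPv6 from the host looks like it depends on this address being set — confirm whether that is the intent. `firewall.enable = true;` matches the NixOS default, so it is fine as an explicit statement but changes nothing. The enclosing `networking.interfaces` attribute set starts before this hunk.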