hosts/minecraft: init

hosts/minecraft/main.nix

@@ -0,0 +1,99 @@
+{
+  modulesPath,
+  pkgs,
+  lib,
+  ...
+}:
+{
+  local = {
+    hardware = {
+      gpuAcceleration.disable = true;
+      sound.disable = true;
+    };
+    bootConfig.disable = true;
+    sops.disable = true;
+  };
+  imports = [
+    "${modulesPath}/profiles/qemu-guest.nix"
+    "${modulesPath}/profiles/minimal.nix"
+  ];
+  environment.noXlibs = false;
+
+  services.qemuGuest.enable = true;
+
+  environment.systemPackages = [ pkgs.neovim ];
+
+  users = {
+    mutableUsers = false;
+    users.root = {
+      hashedPassword = "!";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZKIp3iObuxEUPx1dsMiN3vyMaMQb0N1gKJY78TtRxd"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpYY2uw0OH1Re+3BkYFlxn0O/D8ryqByJB/ljefooNc"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWbwkFJmRBgyWyWU+w3ksZ+KuFw9uXJN3PwqqE7Z/i8"
+      ];
+    };
+  };
+
+  services.openssh = {
+    enable = true;
+    hostKeys = lib.mkForce [
+      {
+        path = "/etc/ssh/ssh_host_ed25519_key";
+        type = "ed25519";
+      }
+    ];
+    settings.PermitRootLogin = "prohibit-password";
+  };
+
+  networking = {
+    hostName = "minecraft";
+    useNetworkd = false;
+    useDHCP = false;
+  };
+
+  systemd.network = {
+    enable = true;
+    networks.default = {
+      DHCP = "yes";
+      name = "en*";
+    };
+  };
+
+  boot = {
+    loader = {
+      efi = {
+        canTouchEfiVariables = true;
+        efiSysMountPoint = "/boot"; # ← use the same mount point here.
+      };
+      grub = {
+        enable = true;
+        configurationLimit = 10;
+      };
+    };
+    kernelPackages = pkgs.linuxPackages_latest;
+    initrd = {
+      systemd.enable = true;
+      availableKernelModules = [
+        "ahci"
+        "xhci_pci"
+        "virtio_pci"
+        "virtio_scsi"
+        "sd_mod"
+        "sr_mod"
+      ];
+    };
+  };
+
+  ###
+  i18n.defaultLocale = "en_US.UTF-8";
+  time.timeZone = "America/New_York";
+  ###
+  documentation.info.enable = false;
+  documentation.nixos.enable = false;
+  programs.command-not-found.enable = false;
+  programs.nano.enable = false;
+  ###
+  nixpkgs.hostPlatform = "x86_64-linux";
+  system.stateVersion = "24.11";
+}

hosts/minecraft/server.nix

@@ -0,0 +1,85 @@
+{ lib, self' }:
+{
+  networking.firewall.allowedTCPPorts = [
+    25565
+    25575
+  ];
+
+  users = {
+    users.minecraft = {
+      home = "/minecraft";
+      createHome = true;
+      isSystemUser = true;
+      group = "minecraft";
+    };
+    groups.minecraft = { };
+  };
+
+  systemd.services.minecraft-server = {
+    description = "Minecraft";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network.target" ];
+    script = ''
+      ${lib.getExe self'.packages.fabric} \
+        -Xms6G \
+        -Xmx6G \
+        -XX:+UseG1GC \
+        -XX:+ParallelRefProcEnabled \
+        -XX:MaxGCPauseMillis=200 \
+        -XX:+UnlockExperimentalVMOptions \
+        -XX:+DisableExplicitGC \
+        -XX:+AlwaysPreTouch \
+        -XX:G1NewSizePercent=30 \
+        -XX:G1MaxNewSizePercent=40 \
+        -XX:G1HeapRegionSize=8M \
+        -XX:G1ReservePercent=20 \
+        -XX:G1HeapWastePercent=5 \
+        -XX:G1MixedGCCountTarget=4 \
+        -XX:InitiatingHeapOccupancyPercent=15 \
+        -XX:G1MixedGCLiveThresholdPercent=90 \
+        -XX:G1RSetUpdatingPauseTimePercent=5 \
+        -XX:SurvivorRatio=32 \
+        -XX:+PerfDisableSharedMem \
+        -XX:MaxTenuringThreshold=1 \
+        -Dusing.aikars.flags=https://mcflags.emc.gs-Daikars.new.flags=true \
+    '';
+
+    serviceConfig = {
+      Restart = "always";
+      User = "minecraft";
+      WorkingDirectory = "/minecraft";
+
+      StandardInput = "journal";
+      StandardOutput = "journal";
+      StandardError = "journal";
+
+      # Hardening
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      LockPersonality = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+    };
+    preStart = ''
+      echo "eula=true" > eula.txt
+    '';
+  };
+}