hosts/minecraft: init

2025-12-10 00:43:56 -05:00 · 2024-08-16 15:07:55 -04:00 · 2024-08-16 15:07:55 -04:00 · 779b3e7cb6
commit 779b3e7cb6
parent dadadeed31
7 changed files with 260 additions and 3 deletions
--- a/disko/minecraft.nix
+++ b/disko/minecraft.nix
@ -0,0 +1,34 @@
 _: {
  disk = {
    main = {
      device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_51056934";
      type = "disk";
      content = {
        type = "gpt";
        partitions = {
          boot = {
            size = "1M";
            type = "EF02";
          };
          ESP = {
            size = "512M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
            };
          };
          root = {
            size = "100%";
            content = {
              type = "filesystem";
              format = "xfs";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
 }
--- a/hosts/minecraft/main.nix
+++ b/hosts/minecraft/main.nix
@ -0,0 +1,99 @@
 {
  modulesPath,
  pkgs,
  lib,
  ...
 }:
 {
  local = {
    hardware = {
      gpuAcceleration.disable = true;
      sound.disable = true;
    };
    bootConfig.disable = true;
    sops.disable = true;
  };
  imports = [
    "${modulesPath}/profiles/qemu-guest.nix"
    "${modulesPath}/profiles/minimal.nix"
  ];
  environment.noXlibs = false;
  services.qemuGuest.enable = true;
  environment.systemPackages = [ pkgs.neovim ];
  users = {
    mutableUsers = false;
    users.root = {
      hashedPassword = "!";
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILZKIp3iObuxEUPx1dsMiN3vyMaMQb0N1gKJY78TtRxd"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILpYY2uw0OH1Re+3BkYFlxn0O/D8ryqByJB/ljefooNc"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJWbwkFJmRBgyWyWU+w3ksZ+KuFw9uXJN3PwqqE7Z/i8"
      ];
    };
  };
  services.openssh = {
    enable = true;
    hostKeys = lib.mkForce [
      {
        path = "/etc/ssh/ssh_host_ed25519_key";
        type = "ed25519";
      }
    ];
    settings.PermitRootLogin = "prohibit-password";
  };
  networking = {
    hostName = "minecraft";
    useNetworkd = false;
    useDHCP = false;
  };
  systemd.network = {
    enable = true;
    networks.default = {
      DHCP = "yes";
      name = "en*";
    };
  };
  boot = {
    loader = {
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot"; # ← use the same mount point here.
      };
      grub = {
        enable = true;
        configurationLimit = 10;
      };
    };
    kernelPackages = pkgs.linuxPackages_latest;
    initrd = {
      systemd.enable = true;
      availableKernelModules = [
        "ahci"
        "xhci_pci"
        "virtio_pci"
        "virtio_scsi"
        "sd_mod"
        "sr_mod"
      ];
    };
  };
  ###
  i18n.defaultLocale = "en_US.UTF-8";
  time.timeZone = "America/New_York";
  ###
  documentation.info.enable = false;
  documentation.nixos.enable = false;
  programs.command-not-found.enable = false;
  programs.nano.enable = false;
  ###
  nixpkgs.hostPlatform = "x86_64-linux";
  system.stateVersion = "24.11";
 }
--- a/hosts/minecraft/server.nix
+++ b/hosts/minecraft/server.nix
@ -0,0 +1,85 @@
 { lib, self' }:
 {
  networking.firewall.allowedTCPPorts = [
    25565
    25575
  ];
  users = {
    users.minecraft = {
      home = "/minecraft";
      createHome = true;
      isSystemUser = true;
      group = "minecraft";
    };
    groups.minecraft = { };
  };
  systemd.services.minecraft-server = {
    description = "Minecraft";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    script = ''
      ${lib.getExe self'.packages.fabric} \
        -Xms6G \
        -Xmx6G \
        -XX:+UseG1GC \
        -XX:+ParallelRefProcEnabled \
        -XX:MaxGCPauseMillis=200 \
        -XX:+UnlockExperimentalVMOptions \
        -XX:+DisableExplicitGC \
        -XX:+AlwaysPreTouch \
        -XX:G1NewSizePercent=30 \
        -XX:G1MaxNewSizePercent=40 \
        -XX:G1HeapRegionSize=8M \
        -XX:G1ReservePercent=20 \
        -XX:G1HeapWastePercent=5 \
        -XX:G1MixedGCCountTarget=4 \
        -XX:InitiatingHeapOccupancyPercent=15 \
        -XX:G1MixedGCLiveThresholdPercent=90 \
        -XX:G1RSetUpdatingPauseTimePercent=5 \
        -XX:SurvivorRatio=32 \
        -XX:+PerfDisableSharedMem \
        -XX:MaxTenuringThreshold=1 \
        -Dusing.aikars.flags=https://mcflags.emc.gs-Daikars.new.flags=true \
    '';
    serviceConfig = {
      Restart = "always";
      User = "minecraft";
      WorkingDirectory = "/minecraft";
      StandardInput = "journal";
      StandardOutput = "journal";
      StandardError = "journal";
      # Hardening
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      RestrictAddressFamilies = [
        "AF_INET"
        "AF_INET6"
      ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      UMask = "0077";
    };
    preStart = ''
      echo "eula=true" > eula.txt
    '';
  };
 }
--- a/modules/misc.nix
+++ b/modules/misc.nix
@ -40,7 +40,12 @@
    programs.mtr.enable = true; # ping and traceroute
    services.openssh = {
      enable = true;
-      hostKeys = lib.mkForce [ ];
+      hostKeys = lib.mkForce [
        {
          path = "/etc/ssh/ssh_host_ed25519_key";
          type = "ed25519";
        }
      ];
      settings = {
        PermitRootLogin = lib.mkDefault "no";
        PasswordAuthentication = false;
--- a/outputs.nix
+++ b/outputs.nix
@ -8,6 +8,7 @@ lib.gerg-utils (s: unstable.legacyPackages.${s}) {
    "gerg-desktop"
    "media-laptop"
    "iso"
    "minecraft"
  ];
  nixosModules = lib.mkModules "${self}/modules";
@ -15,6 +16,7 @@ lib.gerg-utils (s: unstable.legacyPackages.${s}) {
  diskoConfigurations = lib.mkDisko [
    "gerg-desktop"
    "media-laptop"
    "minecraft"
  ];
  formatter = pkgs: inputs.self.packages.${pkgs.stdenv.system}.lint;
--- a/packages/fabric/package.nix
+++ b/packages/fabric/package.nix
@ -0,0 +1,32 @@
 {
  lib,
  stdenvNoCC,
  fetchurl,
  makeBinaryWrapper,
  jre,
 }:
 stdenvNoCC.mkDerivation {
  name = "fabric";
  src = fetchurl {
    url = "https://meta.fabricmc.net/v2/versions/loader/1.20.1/0.16.2/1.0.1/server/jar";
    hash = "sha256-1Qk7qDdC70lkeduCyzhPcKfoSrcCmTbVD1Yi9lEDjEk=";
  };
  dontUnpack = true;
  installPhase = ''
    runHook preInstall
    install -D $src $out/share/papermc/papermc.jar
    makeWrapper ${lib.getExe jre} "$out/bin/fabric" \
      --append-flags "-jar $out/share/papermc/papermc.jar nogui"
    runHook postInstall
  '';
  nativeBuildInputs = [ makeBinaryWrapper ];
  meta.mainProgram = "fabric";
 }
--- a/packages/papermc/package.nix
+++ b/packages/papermc/package.nix
@ -8,7 +8,7 @@
 stdenvNoCC.mkDerivation (finalAttrs: {
  pname = "papermc";
-  version = "1.20.1.83";
+  version = "1.20.1.196";
  src =
    let
@ -17,7 +17,7 @@ stdenvNoCC.mkDerivation (finalAttrs: {
    in
    fetchurl {
      url = "https://papermc.io/api/v2/projects/paper/versions/${mcVersion}/builds/${buildNum}/downloads/paper-${mcVersion}-${buildNum}.jar";
-      hash = "sha256-HQpc3MOXa1wkXqgm9ciQj04FUIyuupnYiu+2RZ/sXE4=";
+      hash = "sha256-I0qbMgmBAMb8EWZk1k42zNtYtbZJrw+AvMywiwJV6uo=";
    };
  installPhase = ''