feat(access): minecraft

2026-02-09 12:29:19 -08:00 · 2024-09-19 13:49:04 -07:00 · 2024-09-19 13:49:04 -07:00 · f3b8f606b8
commit f3b8f606b8
parent 75b123776b
9 changed files with 55 additions and 17 deletions
--- a/nixos/access/gensokyo.nix
+++ b/nixos/access/gensokyo.nix
@ -5,9 +5,11 @@
  pkgs,
  ...
 }: let
-  inherit (lib.modules) mkMerge mkAfter;
+  inherit (lib.modules) mkMerge mkAfter mkDefault;
  inherit (lib.strings) escapeRegex;
  inherit (gensokyo-zone.lib) domain;
+  inherit (config.services) nginx;
+  minecraftBackups = "${config.kyuuto.dataDir}/minecraft/simplebackups";
 in {
  services.nginx.virtualHosts.gensokyoZone = {
    serverName = domain;
@ -23,6 +25,20 @@ in {
          }
        ];
      };
+      "/minecraft/backups" = {
+        root = pkgs.linkFarm "genso-minecraft-backups" [
+          {
+            name = "minecraft/backups";
+            path = minecraftBackups;
+          }
+        ];
+        extraConfig = ''
+          gzip off;
+          autoindex on;
+          auth_basic "private";
+          auth_basic_user_file ${config.sops.secrets.access-web-htpasswd.path};
+        '';
+      };
      "/.well-known/webfinger" = let
        # https://www.rfc-editor.org/rfc/rfc7033#section-3.1
        oidc = {
@ -57,4 +73,11 @@ in {
      };
    };
  };
+  systemd.services.nginx.serviceConfig.BindReadOnlyPaths = [
+    minecraftBackups
+  ];
+  sops.secrets.access-web-htpasswd = {
+    sopsFile = mkDefault ../secrets/access.yaml;
+    owner = nginx.user;
+  };
 }
--- a/nixos/kyuuto/mount.nix
+++ b/nixos/kyuuto/mount.nix
@ -9,6 +9,10 @@
  inherit (lib.attrsets) listToAttrs nameValuePair;
  inherit (config.services.steam) accountSwitch beatsaber;
  cfg = config.kyuuto;
+  mapId = id:
+    if config.proxmoxLXC.privileged or true
+    then 100000 + id
+    else id;
 in {
  options.kyuuto = with lib.types; {
    setup = mkEnableOption "directory and permission setup";
@ -32,6 +36,10 @@ in {
      type = path;
      default = cfg.libraryDir + "/games";
    };
+    dataDir = mkOption {
+      type = path;
+      default = "/mnt/kyuuto-data";
+    };
    gameLibraries = mkOption {
      type = listOf str;
      default = ["PC"];
@ -98,6 +106,10 @@ in {
          ${cfg.libraryDir + "/movies"} = leaf;
          ${cfg.libraryDir + "/software"} = leaf;
          ${cfg.libraryDir + "/books"} = leaf;
+          ${cfg.dataDir + "/minecraft/simplebackups"} = leaf // {
+            owner = toString (mapId 913); # minecraft-bedrock uid
+            group = "admin";
+          };
          ${cfg.gameLibraryDir} = shared;
        }
        (listToAttrs (
@ -123,10 +135,6 @@ in {
    };

    users = let
-      mapId = id:
-        if config.proxmoxLXC.privileged or true
-        then 100000 + id
-        else id;
      mkDummyUsers = {
        name,
        group ? name,
--- a/nixos/minecraft/katsink.nix
+++ b/nixos/minecraft/katsink.nix
@ -25,13 +25,13 @@ in {
        root = config.rootDir + "/minecraft/katsink";
        path = mkDefault cfg.dataDir;
      };
+      # TODO: serviceConfig.ExecStart = mkForce [ "${pkgs.runtimeShell} ${cfg.dataDir}/run.sh" ]; for imperative updates ?
    };
    sockets.minecraft-katsink-server = {
      socketConfig.SocketGroup = "admin";
    };
  };
  networking.firewall = mkIf cfg.enable {
-    interfaces.tailscale0.allowedTCPPorts = [cfg.port];
    interfaces.local.allowedTCPPorts = [cfg.port];
  };
 }
--- a/nixos/secrets/access.yaml
+++ b/nixos/secrets/access.yaml
@ -1,4 +1,5 @@
 access-peeps-nft-connieallure: ENC[AES256_GCM,data:K+Mjtc/23sseniuQg9GyklMkvRh2VZFFQHGsw6MWMYgpriX6KI3o0V+0upoxrXzDHtNE/Hp/OHE=,iv:Oo0fIUHkXFeQA6jyyTCInsQYM9x7B9ZbkAyBQSt86Xk=,tag:v87P8BXfvqJcn9qKUM0CQw==,type:str]
+access-web-htpasswd: ENC[AES256_GCM,data:whmIMgMrw8Us8VoUsoE3WmIX3EHWChuTOMgwPFqin4gAwydefBr93J8S2MBj78iweX18jT+F+Zgs0zERYPybMXo8y2orM/fPD6pgafm4nKQHRQARpyB9v2HcJ7q5hK0S/2qFB83wZ52OKlwWWRXJuJP+NPcJBQSmr19tAu99JA==,iv:eP48z2rYqVK1juefM2H34ft9YmXEFMqD0SwlpTRpdAY=,tag:bln/5tvgj5LiBoO0XRSFuQ==,type:str]
 sops:
    shamir_threshold: 1
    kms: []
@ -114,8 +115,8 @@ sops:
            ZUIxR09QTEM1RVN4MkI3NjkrUVg0am8KV6Q6RqJj9GGDG0gcpS2crPP07W6B8qOB
            dwjE9Efx+NaA4xKtt/cd2S/YUiMwj97qgOLYIseHAuxnbVIm6PNB7g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-01T16:50:29Z"
-    mac: ENC[AES256_GCM,data:humfCS9LaB0pcAObLZH+8huTED1/eW6ZtR7PVZ33JPrTJhc9ttorbsfsVPGjsd52I0RT4cNNk9iRDGSqNvgCP+BdvOyILDRA0kxKvF3XLX76Iw0v5jWlPBUts0Hi5ch9Mzn5abN/w3E/5D7z1OMQN11kroJtVpnQMdPDza/qK4g=,iv:UNHN2BYkC0AShqtB7gRLIBYqYwASqVbYhA2RC1dSWYE=,tag:Qo/1LczVrlTHFvWkCG3GIw==,type:str]
+    lastmodified: "2024-09-19T23:41:25Z"
+    mac: ENC[AES256_GCM,data:ZZyOf4N1qJ61XsxMp/oL8K+6fU3edDz6oFdFZP80Ej0KazdY54fH93Xq5QXjzOZAQif9PSizmSRqIibVHaBC2OfZRMf8RfWky8V5dEauiGHuncyPQyyirFARWOWtzPfbA6AhCcd+mEWzsppuR6K3X7NPMraKna1DXAJ97I5zkPk=,iv:+m9NAXKD8sLeLxA8pcSCpHUDs4HYgjiCGQYLRvrrAx4=,tag:AqBcJgRWV9tfhgrPnNnD1A==,type:str]
    pgp:
        - created_at: "2024-09-17T02:19:48Z"
          enc: |-
@ -153,4 +154,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: 65BD3044771CB6FB
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0