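# Host-side NixOS module: declares one Minecraft server microVM plus the host
# resources it depends on (data directory, sops secret, firewall port).
#
# `flake.config.people` / `flake.config.services` are project-declared option
# sets; only the attributes referenced here are assumed to exist.
{ flake, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.services) instances;
  serviceCfg = instances.minecraft;
  hostCfg = instances.web;
  world = "world0";
  # Guest-local directory the secret is staged into from the virtiofs share.
  guestSecretsDir = "/etc/${serviceCfg.name}-secrets";
in
{
  microvm.vms = {
    "${serviceCfg.name}-${world}" = {
      autostart = true;
      restartIfChanged = true;

      # Guest NixOS configuration.
      config = {
        system.stateVersion = "24.05";
        time.timeZone = "America/Winnipeg";
        # Root login only by key (see PermitRootLogin below).
        users.users.root.openssh.authorizedKeys.keys =
          flake.config.people.users.${user0}.sshKeys;

        services = {
          minecraft-server = {
            enable = true;
            eula = true;
            openFirewall = true;
            declarative = true;
            serverProperties = {
              # NOTE(review): serverProperties values are rendered verbatim
              # into server.properties, so this sets the RCON password to the
              # literal path string rather than to the contents of the secret
              # staged by the copy-secrets unit below. With enable-rcon = true
              # that is a predictable credential; confirm, and inject the
              # secret at start-up (e.g. a preStart substitution) instead.
              "rcon.password" = "${guestSecretsDir}/${world}";
              allow-flight = false;
              allow-nether = true;
              difficulty = 2;
              enable-command-block = false;
              enable-rcon = true;
              enable-status = true;
              force-gamemode = true;
              gamemode = 0;
              generate-structures = true;
              hardcore = false;
              hide-online-players = false;
              level-name = "Brix on Nix";
              level-seed = "9064150133272194";
              max-players = 10;
              max-world-size = 64000000;
              motd = "A cool Minecraft server powered by NixOS";
              online-mode = true;
              pvp = true;
              server-ip = hostCfg.localhost.address1;
              server-port = serviceCfg.ports.port0;
              spawn-animals = true;
              spawn-monsters = true;
              spawn-npcs = true;
              spawn-protection = 16;
              view-distance = 32;
              white-list = true;
            };
            # Player name -> Minecraft account UUID.
            whitelist = {
              Hefty_Chungus = "b75a9816-d408-4c54-b226-385b59ea1cb3";
              Hefty_Chungus_Jr = "c3bf8cac-e953-4ea4-ae5f-7acb92a51a85";
              EclipseMoon01 = "adef4af7-d8c6-4627-b492-e990ea1bb993";
              Fallaryn = "d8baa117-ab58-4b07-92a5-48fb1978eb49";
            };
          };

          openssh = {
            enable = true;
            settings = {
              PasswordAuthentication = false;
              PermitRootLogin = "prohibit-password";
            };
          };
        };

        networking.firewall.allowedTCPPorts = [
          22 # SSH
          serviceCfg.ports.port0
        ];

        systemd = {
          services = {
            # Runs before the game server and is required by it, so a failed
            # copy keeps the server from starting without a secret.
            "${serviceCfg.name}-copy-secrets" = {
              description = "Copy secrets from virtiofs to local filesystem";
              before = [ "minecraft-server.service" ];
              requiredBy = [ "minecraft-server.service" ];
              serviceConfig = {
                Type = "oneshot";
                RemainAfterExit = true;
              };
              # Stage the secret as root:<service group> with no world access.
              # The previous 755/644 left the secret readable by every guest
              # user. Assumes the guest service user/group is named
              # ${serviceCfg.name}, as the tmpfiles rule below already does.
              script = ''
                install -d -m 0750 -o root -g ${serviceCfg.name} ${guestSecretsDir}
                install -m 0640 -o root -g ${serviceCfg.name} /run/secrets/${world} ${guestSecretsDir}/${world}
              '';
            };
          };

          network = {
            enable = true;
            networks."20-lan" = {
              matchConfig.Name = "enp0s5";
              addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ];
              # NOTE(review): a /0 destination with a non-zero address is
              # unusual; this appears intended as the default route
              # (0.0.0.0/0) via the configured gateway — confirm networkd
              # accepts this form.
              routes = [
                {
                  Destination = "${hostCfg.localhost.address1}/0";
                  Gateway = serviceCfg.interface.gate;
                }
              ];
              dns = [ "1.1.1.1" "8.8.8.8" ];
            };
          };

          # Recursively fix ownership/mode of the server data directory.
          tmpfiles.rules = [
            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
          ];
        };
        systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];

        # microvm.nix guest settings.
        microvm = {
          vcpu = 6;
          mem = 1024 * 8;
          hypervisor = "qemu";
          interfaces = [
            {
              type = "tap";
              id = serviceCfg.interface.id;
              mac = serviceCfg.interface.mac;
            }
            {
              type = "user";
              id = serviceCfg.interface.idUser;
              mac = serviceCfg.interface.macUser;
            }
          ];
          # Host-port -> guest SSH, on the user-mode interface.
          forwardPorts = [
            {
              from = "host";
              host.port = serviceCfg.interface.ssh;
              guest.port = 22;
            }
          ];
          shares = [
            {
              mountPoint = "/nix/.ro-store";
              proto = "virtiofs";
              source = "/nix/store";
              tag = "read_only_nix_store";
            }
            {
              mountPoint = "/var/lib/${serviceCfg.name}";
              proto = "virtiofs";
              source = serviceCfg.mntPaths.path0;
              tag = "${serviceCfg.name}_data";
            }
            # Host /run/secrets/<service>/ -> guest /run/secrets/.
            {
              mountPoint = "/run/secrets";
              proto = "virtiofs";
              source = "/run/secrets/${serviceCfg.name}";
              tag = "host_secrets";
            }
          ];
        };
      };
    };
  };

  # Host side: data directory, secret, and firewall for the server port.
  systemd = {
    tmpfiles.rules = [
      "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
    ];
  };
  sops.secrets = {
    "${serviceCfg.name}/${world}" = {
      owner = "root";
      mode = "0600";
    };
  };
  networking.firewall.allowedTCPPorts = [ serviceCfg.ports.port0 ];
}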