diff --git a/nixos/configurations/metis/default.nix b/nixos/configurations/metis/default.nix index ee030b1..8944053 100644 --- a/nixos/configurations/metis/default.nix +++ b/nixos/configurations/metis/default.nix @@ -7,8 +7,13 @@ { imports = [ ./wireguard.nix + ./minecraft + ./hardware-configuration.nix ]; - nixpkgs.hostPlatform = "x86_64-linux"; + + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + nix.registry.sys = { from = { type = "indirect"; id = "sys"; }; flake = inputs.nixpkgs-stable; @@ -19,15 +24,13 @@ services.clash = { enable = true; rule.enable = true; - rule.enableTUN = true; }; + services.dae.enable = true; + inclyc.user.enable = true; inclyc.user.zsh = true; - # Proxmox-VE container, running LXC - boot.isContainer = true; - networking.hostName = "metis"; networking.dhcpcd.enable = false; @@ -37,13 +40,13 @@ systemd.network.enable = true; systemd.network.networks = { - "20-eth0@if72" = { - matchConfig.Name = "eth0@if72"; + "enp6s18" = { + matchConfig.Name = "enp6s18"; networkConfig = { DHCP = "no"; Address = "192.168.31.6/24"; Gateway = "192.168.31.1"; - DNS = "159.226.39.1"; + DNS = "223.5.5.5"; }; }; }; diff --git a/nixos/configurations/metis/hardware-configuration.nix b/nixos/configurations/metis/hardware-configuration.nix new file mode 100644 index 0000000..3b65a27 --- /dev/null +++ b/nixos/configurations/metis/hardware-configuration.nix 
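Review bot: `services.dae.enable = true;` turns on a second transparent-proxy daemon beside the still-enabled services.clash, but nothing in this commit shows where dae reads its configuration or whether that configuration is secret-managed like the sops-templated clash config, so overlapping routing between the two cannot be reviewed here; a comment next to the line naming the config source and why both proxies are kept would help. The removal of `rule.enableTUN` and `boot.isContainer` reads as the host moving from an LXC container to a VM, with dae rather than clash's TUN now owning transparent routing — if so, worth a one-line comment at the dae line. The enclosing attribute set starts before this hunk.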
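Review bot: Renaming the network unit from "20-eth0@if72" to "enp6s18" drops the numeric ordering prefix that systemd-networkd uses to decide which .network file matches an interface first; the generated hardware-configuration.nix added in this commit sets `networking.useDHCP = lib.mkDefault true`, and if that ever produces NixOS's default `99-ethernet-default-dhcp` unit (it does when networking.useNetworkd is on, which is not visible here) that unit sorts before "enp6s18" and would claim the interface with DHCP instead of this static address. Keeping the prefix, `"20-enp6s18" = { matchConfig.Name = "enp6s18";`, and setting `networking.useDHCP = false;` next to the existing dhcpcd line removes the ambiguity. The systemd.network.networks set is otherwise unchanged.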
@@ -0,0 +1,51 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + zramSwap.enable = true; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/30f213a7-0d61-4053-9e50-e02f43c16d38"; + fsType = "btrfs"; + options = [ "subvol=root" "compress=zstd" ]; + }; + + fileSystems."/home" = + { device = "/dev/disk/by-uuid/30f213a7-0d61-4053-9e50-e02f43c16d38"; + fsType = "btrfs"; + options = [ "subvol=home" "compress=zstd" ]; + }; + + fileSystems."/nix" = + { device = "/dev/disk/by-uuid/30f213a7-0d61-4053-9e50-e02f43c16d38"; + fsType = "btrfs"; + options = [ "subvol=nix" "compress=zstd" "noatime" ]; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/B094-B461"; + fsType = "vfat"; + }; + + swapDevices = [ ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/nixos/configurations/metis/minecraft/default.nix b/nixos/configurations/metis/minecraft/default.nix new file mode 100644 index 0000000..5f83dd9 --- /dev/null +++ b/nixos/configurations/metis/minecraft/default.nix 
@@ -0,0 +1,13 @@ +{ pkgs, ... }: +{ + imports = [ + ./msd.nix + ]; + + lib.pkgs = { + authlib-injector = pkgs.fetchurl { + url = "https://github.com/yushijinhun/authlib-injector/releases/download/v1.2.4/authlib-injector-1.2.4.jar"; + hash = "sha256-eVsnbLQIVe0E3H/KvCptFQ3kYAtUKHWmUi5l9rJbyp8="; + }; + }; +} diff --git a/nixos/configurations/metis/minecraft/msd.nix b/nixos/configurations/metis/minecraft/msd.nix new file mode 100644 index 0000000..641990d --- /dev/null +++ b/nixos/configurations/metis/minecraft/msd.nix 
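Review bot: `lib.pkgs.authlib-injector` is later passed to the server JVM as a -javaagent in ./msd.nix, and nothing at the definition says so; a comment such as `# Java agent loaded by ./msd.nix; points Minecraft authentication at the Yggdrasil endpoint configured there` would save the reader a trip upstream. The release version appears in both the URL path and the file name, so a `let version = "1.2.4"; in` binding with `url = "https://github.com/yushijinhun/authlib-injector/releases/download/v${version}/authlib-injector-${version}.jar";` keeps the two from drifting apart when the hash is bumped. The fixed-output hash means a changed upstream artifact fails the build rather than silently swapping the agent, which is the right property to keep.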
@@ -0,0 +1,48 @@ +{ config, pkgs, ... }: +let + name = "modernskyblock"; + serviceName = "minecraft-${name}"; + directory = "minecraft/${name}"; + stdin = "/run/${directory}/stdin"; + + # https://github.com/NixOS/nixpkgs/blob/6e62521155cd3b4cdf6b49ecacf63db2a0cacc73/nixos/modules/services/games/minecraft-server.nix#L25C3-L34C1 + stopScript = pkgs.writeShellScript "minecraft-server-stop" '' + echo stop > ${stdin} + + # Wait for the PID of the minecraft server to disappear before + # returning, so systemd doesn't attempt to SIGKILL it. + while kill -0 "$1" 2> /dev/null; do + sleep 1s + done + ''; + +in +{ + systemd.services.${serviceName} = { + after = [ "systemd-networkd-wait-online.service" ]; + description = "Minecraft Server (Modern Skyblock 3: Departed)"; + requires = [ "${serviceName}.socket" ]; + serviceConfig = rec { + Type = "simple"; + DynamicUser = true; + StateDirectory = directory; + WorkingDirectory = "%S/${directory}"; + ExecStart = "${pkgs.jdk8}/bin/java -Xmx32G -Xms32G -javaagent:${config.lib.pkgs.authlib-injector}=https://hitmc.cc/api/yggdrasil -jar forge-1.12.2-14.23.5.2808-universal.jar nogui"; + ExecStop = "${stopScript} $MAINPID"; + Restart = "always"; + StandardInput = "socket"; + StandardOutput = "journal"; + StandardError = "journal"; + }; + }; + + systemd.sockets.${serviceName} = { + description = "Socket for the Minecraft Server (Modern Skyblock 3: Departed)"; + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenFIFO = stdin; + RemoveOnStop = true; + FlushPending = true; + }; + }; +} diff --git a/nixos/modules/clash/default.nix b/nixos/modules/clash/default.nix index 6d99110..161c5d2 100644 --- a/nixos/modules/clash/default.nix +++ b/nixos/modules/clash/default.nix @@ -27,7 +27,6 @@ in }; rule = { enable = mkEnableOption "clash rule generation"; - enableTUN = mkEnableOption "TUN interface"; }; }; config = lib.mkMerge [ 
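Review bot: The stdin FIFO declared by `ListenFIFO = stdin` in the systemd.sockets block is created with systemd's default SocketMode of 0666, so any local account can write console commands (including op) into the running server; set `SocketMode = "0600";` on the socket and, because the dynamic service user can then no longer write to it, run the stop script with full privileges via `ExecStop = "+${stopScript} $MAINPID";`. The service also carries none of the sandboxing this same commit adds to the clash unit: DynamicUser already implies ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC and NoNewPrivileges, but not PrivateDevices, the ProtectKernel*/ProtectControlGroups family, RestrictNamespaces, RestrictRealtime, RestrictAddressFamilies or SystemCallArchitectures; a sketch follows, deliberately leaving out MemoryDenyWriteExecute because the JVM JIT needs writable-executable mappings. Separately, ExecStart loads forge-1.12.2-14.23.5.2808-universal.jar from the writable StateDirectory rather than from a store path, so unlike the nixpkgs module linked in the comment the server executable is not immutable and can be replaced by anything running as the service user (mods included); a comment stating that the jar and mods under %S are operator-managed would make that trade-off explicit.
```nix
    serviceConfig = rec {
      # … unchanged: Type, DynamicUser, StateDirectory, WorkingDirectory, ExecStart …
      # "+" runs the stop script as root so the FIFO can be mode 0600 below.
      ExecStop = "+${stopScript} $MAINPID";
      # … unchanged: Restart, StandardInput, StandardOutput, StandardError …
      # Sandboxing beyond what DynamicUser already implies; mirrors the clash unit.
      CapabilityBoundingSet = [ "" ];
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      ProtectProc = "invisible";
      LockPersonality = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      # Add AF_NETLINK here if a mod enumerates interfaces and fails to start.
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
      SystemCallArchitectures = "native";
    };
  # … unchanged: systemd.sockets.${serviceName} description and wantedBy …
    socketConfig = {
      ListenFIFO = stdin;
      # Console access is op-level; keep the FIFO root-only (default would be 0666).
      SocketMode = "0600";
      # … unchanged: RemoveOnStop, FlushPending …
    };
```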
@@ -46,9 +45,11 @@ in + " -d ${cfg.configDirectory}" + " -f %d/config.yaml"; Restart = "on-failure"; - CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ]; - AmbientCapabilities = CapabilityBoundingSet; - DeviceAllowed = [ "/dev/net/tun" ]; + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; ProtectSystem = "strict"; ProtectHome = "yes"; ProtectHostname = "yes"; @@ -57,8 +58,13 @@ in ProtectKernelModules = "yes"; ProtectKernelLogs = "yes"; ProtectControlGroups = "yes"; - ProtectProc = "yes"; + ProtectProc = "invisible"; LockPersonality = "yes"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; }; }; }) @@ -107,13 +113,7 @@ in sops.templates."clash-config.yaml".content = builtins.readFile ./rule.yaml + '' proxy-groups: ${builtins.toJSON proxyGroups} proxy-providers: ${builtins.toJSON proxyProviders} - '' + (lib.optionalString cfg.rule.enableTUN '' - tun: - enable: true - stack: system - auto-route: true - auto-detect-interface: true - ''); + ''; } )) ];
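Review bot: The sandbox set in this hunk and the previous one (CapabilityBoundingSet/DeviceAllow/Private* at @@ -46) still lacks `NoNewPrivileges = true;` and a `SystemCallFilter = [ "@system-service" ];` unless they are set outside the hunks, while `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]` may be too narrow: Go's net package enumerates interfaces over AF_NETLINK and clash's external controller can listen on a unix socket, so add `"AF_NETLINK"` (and `"AF_UNIX"` if the controller uses one) if the config names an interface or a unix-socket listener, or expect a socket-creation failure in the journal. Dropping CAP_NET_BIND_SERVICE in the previous hunk also means the proxy can no longer bind ports below 1024; that is the right default, but a one-line comment there keeps the next port change from reintroducing the capability blindly. The enclosing serviceConfig attribute set starts before the first of these hunks and ends after the second.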
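Review bot: The trailing `+ '';` left behind after removing the optionalString branch only appends an empty string; end the template content at the `'';` that closes the proxy-providers string instead. The sops.templates assignment is complete within this hunk, but the lib.mkMerge list it sits in starts before it.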