From 3663be34607ffa7ea7cb5f8cbef0562cf5020a99 Mon Sep 17 00:00:00 2001
From: niten
Date: Fri, 2 Dec 2022 08:49:52 -0800
Subject: [PATCH] Grafana now has a 'settings' submap

---
 lib/fudo/grafana.nix       | 46 ++++++++++++++++++++------------------
 lib/fudo/minecraft-clj.nix | 45 ++++++++++++++++++++-----------------
 2 files changed, 49 insertions(+), 42 deletions(-)

diff --git a/lib/fudo/grafana.nix b/lib/fudo/grafana.nix
index 47bf840..447fd9a 100644
--- a/lib/fudo/grafana.nix
+++ b/lib/fudo/grafana.nix
@@ -1,6 +1,6 @@
 # NOTE: this assumes that postgres is running locally.
-{ config, lib, pkgs, ... } @ toplevel:
+{ config, lib, pkgs, ... }@toplevel:
 with lib;
 let
@@ -92,8 +92,10 @@ in {
       email = mkOption {
         type = str;
-        description = "Address from which mail will be sent (i.e. 'from' address).";
-        default = "${toplevel.config.fudo.grafana.smtp.username}@${domain-name}";
+        description =
+          "Address from which mail will be sent (i.e. 'from' address).";
+        default =
+          "${toplevel.config.fudo.grafana.smtp.username}@${domain-name}";
       };
       domain = mkOption {
@@ -138,13 +140,14 @@ in {
     secret-key-file = mkOption {
       type = str;
-      description = "Path to a file containing the server's secret key, used for signatures.";
+      description =
+        "Path to a file containing the server's secret key, used for signatures.";
     };
     datasources = mkOption {
       type = attrsOf (submodule datasourceOpts);
       description = "A list of datasources supplied to Grafana.";
-      default = {};
+      default = { };
     };
     state-directory = mkOption {
@@ -158,11 +161,9 @@ in {
   config = mkIf cfg.enable {
     systemd = {
-      tmpfiles.rules = let
-        grafana-user = config.systemd.services.grafana.serviceConfig.User;
-      in [
-        "d ${cfg.state-directory} 0700 ${grafana-user} - - -"
-      ];
+      tmpfiles.rules =
+        let grafana-user = config.systemd.services.grafana.serviceConfig.User;
+        in [ "d ${cfg.state-directory} 0700 ${grafana-user} - - -" ];
       services.grafana.serviceConfig = {
         EnvironmentFile = host-secrets.grafana-environment-file.target-file;
@@ -172,7 +173,7 @@ in {
     fudo.secrets.host-secrets.${hostname}.grafana-environment-file = {
       source-file = pkgs.writeText "grafana.env" ''
         ${optionalString (cfg.ldap != null)
-          ''GRAFANA_LDAP_BIND_PASSWD="${cfg.ldap.bind-passwd}"''}
+        ''GRAFANA_LDAP_BIND_PASSWD="${cfg.ldap.bind-passwd}"''}
       '';
       target-file = "/run/metrics/grafana/auth-bind.passwd";
       user = config.systemd.services.grafana.serviceConfig.User;
@@ -186,8 +187,8 @@ in {
       virtualHosts = {
         "${cfg.hostname}" = {
-          enableACME = ! cfg.private-network;
-          forceSSL = ! cfg.private-network;
+          enableACME = !cfg.private-network;
+          forceSSL = !cfg.private-network;
           locations."/".proxyPass = "http://127.0.0.1:3000";
         };
       };
@@ -200,8 +201,7 @@ in {
       protocol = "http";
       port = 3000;
       domain = cfg.hostname;
-      rootUrl = let
-        scheme = if cfg.private-network then "http" else "https";
+      rootUrl = let scheme = if cfg.private-network then "http" else "https";
       in "${scheme}://${cfg.hostname}/";
       dataDir = cfg.state-directory;
@@ -210,13 +210,15 @@ in {
         secretKeyFile = cfg.secret-key-file;
       };
-      smtp = {
-        enable = true;
-        # TODO: create system user as necessary
-        fromAddress = "${cfg.smtp.username}@${cfg.smtp.domain}";
-        host = "${cfg.smtp.hostname}:25";
-        user = cfg.smtp.username;
-        passwordFile = cfg.smtp.password-file;
+      settings = {
+        smtp = {
+          enable = true;
+          # TODO: create system user as necessary
+          fromAddress = "${cfg.smtp.username}@${cfg.smtp.domain}";
+          host = "${cfg.smtp.hostname}:25";
+          user = cfg.smtp.username;
+          passwordFile = cfg.smtp.password-file;
+        };
       };
       extraOptions = mkIf (cfg.ldap != null) (let
diff --git a/lib/fudo/minecraft-clj.nix b/lib/fudo/minecraft-clj.nix
index c7c2cf7..17f7b83 100644
--- a/lib/fudo/minecraft-clj.nix
+++ b/lib/fudo/minecraft-clj.nix
@@ -202,6 +202,8 @@ in {
       groups."${cfg.group}" = { members = [ cfg.user ]; };
     };
+    networking.firewall.allowedTCPPorts = [ 25555 ];
+
     systemd = {
       tmpfiles.rules = map (worldOpts:
         "d ${worldStateDir worldOpts} 0700 ${cfg.user} ${cfg.group} - -")
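Review bot: The keys inside the new `settings.smtp` block are still the old option names (`enable`, `fromAddress`, `passwordFile`), but if this targets the NixOS grafana module's `settings` option, that submap is rendered straight into grafana.ini, whose `[smtp]` section expects `enabled`, `from_address` and `password`; as written SMTP most likely stays off or the unknown keys are rejected at evaluation. Suggested lines: `enabled = true;`, `from_address = "${cfg.smtp.username}@${cfg.smtp.domain}";` and `password = "$__file{${cfg.smtp.password-file}}";` — the file provider keeps the secret out of the generated ini, which otherwise lands in the world-readable Nix store. The context lines above the hunk (`rootUrl`, `dataDir`, `secretKeyFile`) are presumably subject to the same move into `settings` and are worth checking in the same commit; the enclosing `services.grafana` attrset begins above the hunk.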
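Review bot: `networking.firewall.allowedTCPPorts = [ 25555 ];` opens a hard-coded port host-wide and unconditionally, and nothing in the hunk ties it to the port the worlds actually listen on (the server.properties content comes from `genPropsFile`, outside this hunk), so a later change to the listen port would silently leave the rule stale or over-broad. If the listen port is, or could become, per-world, derive the list from the worlds instead — for instance `networking.firewall.allowedTCPPorts = map (w: w.port) cfg.worlds;` (constructed example; the option name and whether only enabled worlds should be included need confirming) — otherwise a comment such as `# Must match the server-port written by genPropsFile` documents the coupling. The `config` block this line sits in starts above the hunk, so whether it is already gated by `cfg.enable` is not visible here.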
@@ -212,13 +214,13 @@ in {
         sanitizedName = sanitizeName worldOpts.world-name;
         serverName = "minecraft-clj-${sanitizedName}";
         stateDir = worldStateDir worldOpts;
-        startScript = let
+
+        preStartScript = let
           admins-file = pkgs.writeText "${sanitizedName}-ops.txt"
             (concatStringsSep "\n" cfg.admins);
           props-file = genPropsFile worldOpts;
           eula-file = pkgs.writeText "mc-${sanitizedName}-eula.txt" "eula=true";
-
         in pkgs.writeShellScript "mc-initialize-${sanitizedName}.sh" ''
           cp -f ${admins-file} ${stateDir}/ops.txt
           cp -f ${props-file} ${stateDir}/server.properties
@@ -228,6 +230,15 @@ in {
           chmod u+w ${stateDir}/server.properties
         '';
+        startScript = let
+          mem = "${toString worldOpts.allocated-memory}G";
+          memFlags = [ "-Xms${mem}" "-Xmx${mem}" ];
+          flags = commonFlags ++ memFlags
+            ++ (optionals (worldOpts.allocated-memory >= 12) highMemFlags);
+          flagStr = concatStringsSep " " flags;
+        in pkgs.writeShellScript "mc-start-${sanitized-Name}.sh"
+          "${pkgs.papermc}/bin/minecraft-server ${flagStr}";
+
       in nameValuePair serverName {
         enable = worldOpts.enable;
         description =
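Review bot: `sanitized-Name` in the new `startScript` (`in pkgs.writeShellScript "mc-start-${sanitized-Name}.sh"`) is an undefined variable — Nix treats the hyphen as part of the identifier, so evaluation fails for any host with a configured world; the binding in scope is `sanitizedName`, as used in the neighbouring `preStartScript`. Change the line to `in pkgs.writeShellScript "mc-start-${sanitizedName}.sh"`. The `let` that binds these scripts opens above the first hunk and its `in nameValuePair serverName {` body continues past the end of this one, so the rename was not exercised by anything visible here.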
@@ -238,27 +249,21 @@ in {
           User = cfg.user;
           Group = cfg.group;
           WorkingDirectory = stateDir;
-          ExecStartPre = "${startScript}";
-          ExecStart = let
-            mem = "${toString worldOpts.allocated-memory}G";
-            memFlags = [ "-Xms${mem}" "-Xmx${mem}" ];
-            flags = commonFlags ++ memFlags
-              ++ (optionals (worldOpts.allocated-memory >= 12) highMemFlags);
-            flagStr = concatStringsSep " " flags;
-          in "${pkgs.papermc}/bin/minecraft-server ${flagStr}";
+          ExecStartPre = "${preStartScript}";
+          ExecStart = "${startScript}";
           Restart = "always";
-          # NoNewPrivileges = true;
+          NoNewPrivileges = true;
           # PrivateTmp = true;
-          # PrivateDevices = true;
-          # ProtectSystem = "strict";
-          # ProtectHome = true;
-          # ProtectControlGroups = true;
-          # ProtectKernelModules = true;
-          # ProtectKernelTunables = true;
-          # RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
-          # RestrictRealtime = true;
-          # RestrictNamespaces = true;
+          PrivateDevices = true;
+          ProtectSystem = "strict";
+          ProtectHome = true;
+          ProtectControlGroups = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictRealtime = true;
+          RestrictNamespaces = true;
           ReadWritePaths = [ cfg.state-directory ];
         };
       }) cfg.worlds;
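Review bot: With `ProtectSystem = "strict"` now enforced, `ReadWritePaths = [ cfg.state-directory ];` is the only writable location, and it grants every world's unit write access to the whole state tree, whereas `WorkingDirectory = stateDir` (per world, via `worldStateDir`) suggests each unit needs only its own subtree; narrowing to `ReadWritePaths = [ stateDir ];` would stop one world's process from altering another's files, assuming `worldStateDir` returns a path under `cfg.state-directory` — confirm. The sandboxing set is switched on with no mention in the commit message and `PrivateTmp` alone stays commented out without a reason; a one-line comment above `NoNewPrivileges` recording that the set was verified against a running PaperMC world and why `PrivateTmp` is left off would spare the next reader from re-deriving it. The `map (worldOpts: …)` producing this serviceConfig starts before the hunk.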