From a1e1272ebb33cbceace541874b5d5b6f3f6d0c6a Mon Sep 17 00:00:00 2001
From: Lyes Saadi
Date: Mon, 16 Mar 2026 15:54:29 +0100
Subject: [PATCH] Adding a minecraft server
---
 hosts/zora/default.nix | 1 +
 modules/server/README.md | 1 +
 modules/server/midona/default.nix | 77 +++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 modules/server/midona/default.nix
diff --git a/hosts/zora/default.nix b/hosts/zora/default.nix
index 6d3d543..beac76d 100644
--- a/hosts/zora/default.nix
+++ b/hosts/zora/default.nix
@@ -26,6 +26,7 @@
 ../../modules/server/link
 ../../modules/server/maistro
 ../../modules/server/mikau
+ ../../modules/server/midona
 ../../modules/server/nayru
 ../../modules/server/taf
 ../../modules/server/tetra
diff --git a/modules/server/README.md b/modules/server/README.md
index f9df551..20e23fd 100644
--- a/modules/server/README.md
+++ b/modules/server/README.md
@@ -8,6 +8,7 @@
 - `link` : Kanidm (`auth.lyes.eu`)
 - `maistro` : Incus
 - `mikau` : Jellyfin (`media.lyes.eu`)
+- `midona` : Gate Minecraft Server Proxy
 - `mogma` : VPN NetNS Configuration
 - `nayru` : Komga/Manga (`manga.lyes.eu`)
 - `taf` : Mail (`taf.lyes.eu`/`mail.lyes.eu`)
diff --git a/modules/server/midona/default.nix b/modules/server/midona/default.nix
new file mode 100644
index 0000000..5e66478
--- /dev/null
+++ b/modules/server/midona/default.nix
@@ -0,0 +1,77 @@
+{ lib, pkgs, ... }:
+
+let
+ config = lib.toFile "config.yml" ''
+ config:
+ lite:
+ enabled: true
+ routes:
+ - host: stepson.minecraft.minish.link
+ backend: 10.0.100.80:25565
+ '';
+in
+{
+ environment.systemPackages = with pkgs; [ gate ];
+
+ systemd.services.gate = {
+ description = "Gate Minecraft Proxy";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.gate}/bin/gate --config ${config}";
+ Restart = "always";
+
+ # StandardInput = "socket";
+ # StandardOutput = "journal";
+ # StandardError = "journal";
+
+ # Hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ LockPersonality = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ UMask = "0077";
+ };
+ };
+
+ services.nginx.streamConfig = ''
+ server {
+ listen 24454;
+ proxy_pass 10.0.100.80:24454;
+ }
+ server {
+ listen 24454 udp;
+ proxy_pass 10.0.100.80:24454;
+ }
+ '';
+
+ networking.firewall = {
+ allowedTCPPorts = [
+ 25565
+ 24454 # Simple Voice Chat stepson
+ ];
+ allowedUDPPorts = [
+ 25565
+ 24454 # Simple Voice Chat stepson
+ ];
+ };
+}
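Review bot: The `serviceConfig` block sets no `User` or `DynamicUser`, so gate runs as uid 0 despite the hardening list; the empty `CapabilityBoundingSet` strips its capabilities, but it can still write root-owned files outside the paths `ProtectHome` hides, because `ProtectSystem` is not set. The proxy only reads a store-path config and, judging by the firewall entry, listens on the unprivileged port 25565, so `DynamicUser = true;` should work here, and it implies `ProtectSystem = "strict"` and `NoNewPrivileges`. Separately, `allowedUDPPorts` opens 25565/udp although no UDP listener on that port is visible in this file (the nginx `stream` servers only cover 24454); unless something else needs it, remove that entry so the firewall matches the actual listeners.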