nixos-config/hosts/work/containers.nix

{
  slash,
  pkgs,
  username,
  ...
}:

let
  kickstartServer =
    let
      libsrcds = pkgs.stdenv.mkDerivation {
        name = "libsrcds";
        src = pkgs.fetchFromGitHub {
          owner = "km-clay";
          repo = "sourceds-libraries";
          rev = "08d12c91af664ffd103482ae1a24714222bef2df";
          hash = "sha256-EFXBhqZEkBNpYjNuG7oTZLgfjqM5G+nLb7e/qeN1Tvw=";
        };
        installPhase = ''
          mkdir -p $out/lib
          cp ./* $out/lib
        '';
      };
      startTf2Server = pkgs.writeShellScript "start-srv.sh" ''
        set -euo pipefail
        export HOME=/home/tf2
        export LD_LIBRARY_PATH=/usr/lib:/usr/lib32
        mkdir -p "$HOME/tf2server"
        mkdir -p "$HOME/tf2server"

        steamcmd +force_install_dir "$HOME/tf2server" \
           +login anonymous \
           +app_update 232250 validate \
           +quit

        cd "$HOME/tf2server"

        ln -sf "$HOME/.steam/steam/linux64" "$HOME/.steam/sdk64"
        ln -sf "$HOME/.steam/steam/linux32" "$HOME/.steam/sdk32"

        exec ./srcds_run -game tf -console -port 25565 +map cp_dustbowl \
             +ip 10.233.1.2 -norestart \
             +sv_setsteamaccount 8862FD4B30F401036B8AAC6A7FE6B123
      '';
    in
    pkgs.buildFHSEnv {
      name = "srcds-env";
      targetPkgs =
        pkgs: with pkgs; [
          steamcmd
          glibc
          zlib
          curl
          libuuid
          openssl
          libnl
          libsrcds

          # Optional: link compat
          stdenv.cc.cc.lib
        ];
      multiPkgs =
        pkgs: with pkgs.pkgsi686Linux; [
          glibc
          zlib
          ncurses5
          libuuid
          alsa-lib
          libxcrypt-legacy
          gcc
        ];
      multiArch = true;
      runScript = "${startTf2Server}";

    };
in
{
  networking = {
    nat = {
      enable = true;
      internalInterfaces = [ "ve-+" ];
      externalInterface = "enp8s0";
    };
  };
  containers.tf2server = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "10.233.1.1";
    localAddress = "10.233.1.2";
    config = {
      imports = [ ];
      nixpkgs.config.allowUnfree = true;

      services.openssh.enable = true;
      users.users.root.password = "root"; # For quick login, remove in prod

      environment.systemPackages = with pkgs; [
        steamcmd
        steam-run
        coreutils
        wget
        unzip
        bash
        nix
        coreutils
        vim
      ];

      users.users.tf2server = {
        isNormalUser = true;
        initialPassword = "1234";
        shell = pkgs.bash;
        extraGroups = [ "wheel" ];
      };

      systemd.services.tf2server = {
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          ExecStart = "${kickstartServer}/bin/srcds-env";
        };
      };

      nix.settings.experimental-features = [
        "nix-command"
        "flakes"
      ];

      # Optional: open ports on the container
      networking.firewall.allowedTCPPorts = [ 25565 ];
      networking.firewall.allowedUDPPorts = [
        25565
        27005
        27015
        27020
      ];

      system.stateVersion = "25.11"; # or your NixOS version
    };
  };
}