diff --git a/config/services/minecraft.nix b/config/services/minecraft.nix
index 032a0965..dd9d99eb 100644
--- a/config/services/minecraft.nix
+++ b/config/services/minecraft.nix
@@ -1,4 +1,4 @@
-{ ... }: {
+{ config, ... }: {
   imports = [
     ../../modules/minecraft/server.nix
     ../../modules/minecraft/luckperms.nix
@@ -57,6 +57,24 @@
       config = {
         enable-ops = false;
       };
+      groups = {
+        admin = {
+          name = "admin";
+          permissions = [
+            "*"
+          ];
+          prefixes = [
+            {
+              "&d@" = {
+                priority = 0;
+              };
+            }
+          ];
+        };
+      };
     };
   };
+  networking.firewall.allowedTCPPorts = [
+    config.services.minecraft.properties.server-port
+  ];
 }
diff --git a/modules/minecraft/luckperms.nix b/modules/minecraft/luckperms.nix
index 5c5bfb9f..d5392eaf 100644
--- a/modules/minecraft/luckperms.nix
+++ b/modules/minecraft/luckperms.nix
@@ -5,9 +5,17 @@ let
   cfg = config.services.minecraft.luckperms;
   opt = options.services.minecraft.luckperms;
   luckperms-yml = pkgs.writeText "luckperms.yml" (generators.toYAML { } cfg.config);
+  groups = builtins.mapAttrs (name: value: pkgs.writeText "${name}.yml" (generators.toYAML { } value)) cfg.groups;
+  permCopy = builtins.map
+    (group: ''
+      cat ${groups.${group}} > plugins/LuckPerms/yaml-storage/groups/${group}.yml
+    '')
+    (builtins.attrNames groups);
   startScript = pkgs.writeScript "luckperms" ''
     mkdir -p plugins/LuckPerms
     cat ${luckperms-yml} > plugins/LuckPerms/config.yml
+    mkdir -p plugins/LuckPerms/yaml-storage/groups/
+    ${builtins.toString permCopy}
   '';
 in
 {
@@ -295,6 +303,29 @@ in
         description = "Resolve command selectors";
       };
     };
+    groups = mkOption {
+      default = {
+        default = {
+          name = "default";
+        };
+      };
+      type = types.attrsOf (types.submodule {
+        options = {
+          name = mkOption {
+            type = types.str;
+          };
+          permissions = mkOption {
+            default = [ ];
+            type = types.listOf types.str;
+          };
+          prefixes = mkOption {
+            default = [ ];
+            type = types.listOf (types.attrsOf types.anything);
+          };
+        };
+      });
+      description = "Group configuration";
+    };
   };
   config = mkIf cfg.enable {
     services.minecraft.plugins = [{
diff --git a/zones/chir.rs.nix b/zones/chir.rs.nix
index 98af92a1..dd279a12 100644
--- a/zones/chir.rs.nix
+++ b/zones/chir.rs.nix
@@ -92,7 +92,7 @@ let
     SOA = {
       nameServer = "ns2.darkkirb.de.";
       adminEmail = "lotte@chir.rs";
-      serial = 3;
+      serial = 4;
     };
     NS = [
       "ns2.darkkirb.de."
@@ -165,6 +165,7 @@ let
       api = createZone { };
       git = createZone { };
       mail = createZone { };
+      mc = createZone { };
 
       int = delegateTo [
         "ns2.darkkirb.de."