wo2w/nixos-config
1
0
Fork 0
Code Issues Pull requests Activity

velocity: init

Browse source
This commit is contained in:
wo2wz 2025-12-11 11:40:06 -05:00
parent a8d0455b99
commit 0150c8fb49
3 changed files with 176 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

1
modules/nixos/services/gameserver/default.nix
View file

@ -5,5 +5,6 @@
./minecraft-server.nix
./restic.nix
./sops.nix
./velocity.nix
];
}

171
modules/nixos/services/gameserver/velocity.nix Normal file
View file

@ -0,0 +1,171 @@
{ inputs, config, pkgs, ... }:
{
users.groups.velocity-secret.members = [
"velocity"
"minecraft"
];
sops.secrets."velocity/forwarding.secret" = {
owner = "velocity";
group = "velocity-secret";
mode = "440";
};
networking.firewall = {
allowedTCPPorts = [ 10000 ];
allowedUDPPorts = [
10000
19132 # for geyser
];
};
users = {
users.velocity = {
group = "velocity";
isSystemUser = true;
home = "/var/lib/velocity";
createHome = true;
};
groups.velocity = {};
};
environment.etc."velocity/velocity.toml".source = pkgs.writers.writeTOML "velocity.toml" {
config-version = "2.7";
bind = "0.0.0.0:10000";
motd = "if you see this the server is not working";
show-max-players = 2147483647;
online-mode = true;
force-key-authentication = false;
prevent-client-proxy-connections = false;
player-info-forwarding-mode = "modern";
forwarding-secret-file = config.sops.secrets."velocity/forwarding.secret".path;
announce-forge = false;
kick-existing-players = false;
ping-passthrough = "ALL";
sample-players-in-ping = false;
enable-player-address-logging = true;
servers = {
monifactory = "127.0.0.1:10001";
countries = "127.0.0.1:10002";
try = [
"monifactory"
"countries"
];
};
forced-hosts = {
"moni.mc.wo2wz.fyi" = [ "monifactory" ];
"countries.mc.wo2wz.fyi" = [ "countries" ];
};
advanced = {
compression-threshold = 256;
compression-level = -1;
connection-timeout = 5000;
read-timeout = 30000;
haproxy-protocol = false;
tcp-fast-open = true;
bungee-plugin-message-channel = true;
show-ping-requests = false;
failover-on-unexpected-server-disconnect = true;
announce-proxy-commands = true;
log-command-executions = false;
log-player-connections = true;
accepts-transfers = false;
enable-reuse-port = false;
login-ratelimit = 3000;
command-rate-limit = 50;
forward-commands-if-rate-limited = true;
kick-after-rate-limited-commands = 0;
tab-complete-rate-limit = 10;
kick-after-rate-limited-tab-completes = 0;
};
query = {
enabled = false;
port = 25565;
map = "Velocity";
show-plugins = false;
};
};
systemd.services.velocity = {
description = "Velocity proxy for Minecraft servers";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
path = [ inputs.nixpkgs-pin.legacyPackages.${pkgs.stdenv.hostPlatform.system}.graalvm-ce ];
script = ''
java \
-Xmx1G -Xms1G -XX:+UseG1GC -XX:G1HeapRegionSize=4M -XX:+UnlockExperimentalVMOptions -XX:+ParallelRefProcEnabled -XX:+AlwaysPreTouch -XX:MaxInlineLevel=15 \
-Dvelocity.max-known-packs=264 \
-jar ${pkgs.velocity}/share/velocity/velocity.jar
'';
serviceConfig = {
User = "velocity";
Group = "velocity";
StateDirectory = "velocity";
StateDirectoryMode = "0700";
WorkingDirectory = "%S/velocity";
Type = "exec";
Restart = "always";
# hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DevicePolicy = "strict";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" ];
UMask = "0077";
};
};
}

6
secrets/gutterman.yaml
View file

@ -1,6 +1,8 @@
restic:
password: ENC[AES256_GCM,data:XQHv85l9cRNmJVknIhNuj7+o5oRvot7rtKdtXY0xO58=,iv:mwV373WSqMxh6ATYPnl4Qcxdim0uCVj/ooXFsturY9c=,tag:a/wCIsMQPVq5+jPf2QVZVA==,type:str]
rest-auth.env: ENC[AES256_GCM,data:O6ujHcZuN2qi4oDknqjNKXtWIil2AIgkeNqhTDWr2XfKxVKeiNEz8cW0a5gXXmqicS0+KHwv32fITN6mA2t4hgJgFItMkAj9dVrnhTFX9UmrV+6qIGZVg+e1L6ZBdFxYJcrughepfvMVT01lG/DU1TJ/aDbK,iv:683BKhhcJOfKR4zu50fGit01bAChooCjt0zpcyJzmAQ=,tag:3ymmH4PU9+Q+J3TmJgZ2YA==,type:str]
velocity:
forwarding.secret: ENC[AES256_GCM,data:8tLoHwV8FLX6GMR9uZSzJOc/fCWIiRyfgZtfyvjGzDo=,iv:MXkS/HDMdRdbZHHWTYA+hcXbxkSEMeBHPOA67awsqtM=,tag:ovU9I2gEfIB8lw/RiTguWw==,type:str]
sops:
age:
- recipient: age1t3n08lsemjmflt8nw2je4cr62g8e6evpxsakhcgtzhgp6rmn7u6s29lnpa
@ -12,7 +14,7 @@ sops:
UFR2UTJWSHJGcGFIV25Wb1B5U1ZCalkKapZc3gwAVsVyStau64dSYuperbTvw73c
EKfjlFriowQ6V5MUewoV1OaXx4SW2ExzccnhMXE6UdpoDGRZkNGk6Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-23T02:29:47Z"
mac: ENC[AES256_GCM,data:NRcaylRx2paVuCO5IahZzgfnwghOZLC2GeIkZDqj9427Een1aopQU0BuQsoiwZWWC1o0ZSN9KkOTnR+2ExVFcJfzqx3n6pguHZ7pCs23OdnQK8hvs0aVn1obrkWGo4jWDCVUQT859J5QGbKxVCJ03dhkFLRknH3+09IcBZUQG2Y=,iv:IwGiSqyttNYWUSKwd/FYvpcXcbqvtRkRfoKtkNtMtk8=,tag:JDGfrvgfxiFCzlL78WdNlQ==,type:str]
lastmodified: "2025-12-02T17:20:47Z"
mac: ENC[AES256_GCM,data:vs3UxmNlHbZIJFubaqB4M39V+0uOTB7kBH5n4COv2MmGX+ZWHHvsj8Wa9Hr8aHoySCtzgKohB4SQAyQ+abYzaEuczBmtmKAwjxs8+c3B02IHib4iRxJkXAssNKuHmfkxj3HekVmxidvnqHVhJBKzMTX72nldZOBMvPJOQ+HXgKM=,iv:Yl/6ky7ldxbr79+O+h0JvndrP0Jwlr1jrfouLUFISK4=,tag:9RaWHAhFNhIRF2XYaAFf8g==,type:str]
unencrypted_suffix: _unencrypted
version: 3.11.0