diff --git a/modules/nixos/services/gameserver/default.nix b/modules/nixos/services/gameserver/default.nix
index 9ca7870..f106cdc 100644
--- a/modules/nixos/services/gameserver/default.nix
+++ b/modules/nixos/services/gameserver/default.nix
@@ -5,5 +5,6 @@
 ./minecraft-server.nix
 ./restic.nix
 ./sops.nix
+ ./velocity.nix
 ];
 }
\ No newline at end of file
diff --git a/modules/nixos/services/gameserver/velocity.nix b/modules/nixos/services/gameserver/velocity.nix
new file mode 100644
index 0000000..98c6c62
--- /dev/null
+++ b/modules/nixos/services/gameserver/velocity.nix
@@ -0,0 +1,171 @@
+{ inputs, config, pkgs, ... }:
+
+{
+ users.groups.velocity-secret.members = [
+ "velocity"
+ "minecraft"
+ ];
+ sops.secrets."velocity/forwarding.secret" = {
+ owner = "velocity";
+ group = "velocity-secret";
+ mode = "440";
+ };
+
+ networking.firewall = {
+ allowedTCPPorts = [ 10000 ];
+ allowedUDPPorts = [
+ 10000
+ 19132 # for geyser
+ ];
+ };
+
+ users = {
+ users.velocity = {
+ group = "velocity";
+ isSystemUser = true;
+
+ home = "/var/lib/velocity";
+ createHome = true;
+ };
+ groups.velocity = {};
+ };
+
+ environment.etc."velocity/velocity.toml".source = pkgs.writers.writeTOML "velocity.toml" {
+ config-version = "2.7";
+
+ bind = "0.0.0.0:10000";
+
+ motd = "if you see this the server is not working";
+ show-max-players = 2147483647;
+
+ online-mode = true;
+ force-key-authentication = false;
+
+ prevent-client-proxy-connections = false;
+
+ player-info-forwarding-mode = "modern";
+ forwarding-secret-file = config.sops.secrets."velocity/forwarding.secret".path;
+
+ announce-forge = false;
+
+ kick-existing-players = false;
+
+ ping-passthrough = "ALL";
+ sample-players-in-ping = false;
+
+ enable-player-address-logging = true;
+
+ servers = {
+ monifactory = "127.0.0.1:10001";
+ countries = "127.0.0.1:10002";
+
+ try = [
+ "monifactory"
+ "countries"
+ ];
+ };
+
+ forced-hosts = {
+ "moni.mc.wo2wz.fyi" = [ "monifactory" ];
+ "countries.mc.wo2wz.fyi" = [ "countries" ];
+ };
+
+ advanced = {
+ compression-threshold = 256;
+ compression-level = -1;
+
+ connection-timeout = 5000;
+ read-timeout = 30000;
+
+ haproxy-protocol = false;
+ tcp-fast-open = true;
+
+ bungee-plugin-message-channel = true;
+
+ show-ping-requests = false;
+
+ failover-on-unexpected-server-disconnect = true;
+
+ announce-proxy-commands = true;
+
+ log-command-executions = false;
+ log-player-connections = true;
+
+ accepts-transfers = false;
+
+ enable-reuse-port = false;
+
+ login-ratelimit = 3000;
+ command-rate-limit = 50;
+ forward-commands-if-rate-limited = true;
+ kick-after-rate-limited-commands = 0;
+ tab-complete-rate-limit = 10;
+ kick-after-rate-limited-tab-completes = 0;
+ };
+
+ query = {
+ enabled = false;
+ port = 25565;
+ map = "Velocity";
+ show-plugins = false;
+ };
+ };
+
+ systemd.services.velocity = {
+ description = "Velocity proxy for Minecraft servers";
+ wantedBy = [ "multi-user.target" ];
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ path = [ inputs.nixpkgs-pin.legacyPackages.${pkgs.stdenv.hostPlatform.system}.graalvm-ce ];
+ script = ''
+ java \
+ -Xmx1G -Xms1G -XX:+UseG1GC -XX:G1HeapRegionSize=4M -XX:+UnlockExperimentalVMOptions -XX:+ParallelRefProcEnabled -XX:+AlwaysPreTouch -XX:MaxInlineLevel=15 \
+ -Dvelocity.max-known-packs=264 \
+ -jar ${pkgs.velocity}/share/velocity/velocity.jar
+ '';
+
+ serviceConfig = {
+ User = "velocity";
+ Group = "velocity";
+ StateDirectory = "velocity";
+ StateDirectoryMode = "0700";
+ WorkingDirectory = "%S/velocity";
+
+ Type = "exec";
+ Restart = "always";
+
+ # hardening
+ CapabilityBoundingSet = [ "" ];
+ DeviceAllow = [ "" ];
+ DevicePolicy = "strict";
+ LockPersonality = true;
+ NoNewPrivileges = true;
+ PrivateDevices = true;
+ PrivateTmp = true;
+ PrivateUsers = true;
+ ProcSubset = "pid";
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "invisible";
+ ProtectSystem = "strict";
+ RemoveIPC = true;
+ RestrictAddressFamilies = [
+ "AF_INET"
+ "AF_INET6"
+ "AF_UNIX"
+ ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = [ "@system-service" ];
+ UMask = "0077";
+ };
+ };
+}
\ No newline at end of file
diff --git a/secrets/gutterman.yaml b/secrets/gutterman.yaml
index aabcaee..7845bdb 100644
--- a/secrets/gutterman.yaml
+++ b/secrets/gutterman.yaml
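Review bot: The generated `environment.etc."velocity/velocity.toml"` is, as far as this hunk shows, never placed where the service will read it: the unit runs `java -jar …velocity.jar` with `WorkingDirectory = "%S/velocity"`, and Velocity looks for `velocity.toml` in its working directory, so on first start it would presumably write its own default config there and neither the `forwarding-secret-file` wired to the sops secret nor the `bind` on port 10000 that the firewall rule assumes would be in effect. Unless something outside this diff links the file in, a pre-start line such as `ln -sf /etc/velocity/velocity.toml "$STATE_DIRECTORY/velocity.toml"` before the `java` invocation in `script` would close that gap. Separately, `allowedUDPPorts` opens 10000, but nothing in this module listens on UDP there (`query.enabled = false`, and the query port is 25565 anyway), so that entry looks like unneeded exposure unless Geyser also uses it. The `-Xmx1G -Xms1G` flags bound only the Java heap; a `MemoryMax` in `serviceConfig` would let systemd cap the whole process, in keeping with the rest of the hardening block.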
@@ -1,6 +1,8 @@
 restic:
 password: ENC[AES256_GCM,data:XQHv85l9cRNmJVknIhNuj7+o5oRvot7rtKdtXY0xO58=,iv:mwV373WSqMxh6ATYPnl4Qcxdim0uCVj/ooXFsturY9c=,tag:a/wCIsMQPVq5+jPf2QVZVA==,type:str]
 rest-auth.env: ENC[AES256_GCM,data:O6ujHcZuN2qi4oDknqjNKXtWIil2AIgkeNqhTDWr2XfKxVKeiNEz8cW0a5gXXmqicS0+KHwv32fITN6mA2t4hgJgFItMkAj9dVrnhTFX9UmrV+6qIGZVg+e1L6ZBdFxYJcrughepfvMVT01lG/DU1TJ/aDbK,iv:683BKhhcJOfKR4zu50fGit01bAChooCjt0zpcyJzmAQ=,tag:3ymmH4PU9+Q+J3TmJgZ2YA==,type:str]
+velocity:
+ forwarding.secret: ENC[AES256_GCM,data:8tLoHwV8FLX6GMR9uZSzJOc/fCWIiRyfgZtfyvjGzDo=,iv:MXkS/HDMdRdbZHHWTYA+hcXbxkSEMeBHPOA67awsqtM=,tag:ovU9I2gEfIB8lw/RiTguWw==,type:str]
 sops:
 age:
 - recipient: age1t3n08lsemjmflt8nw2je4cr62g8e6evpxsakhcgtzhgp6rmn7u6s29lnpa
@@ -12,7 +14,7 @@ sops:
 UFR2UTJWSHJGcGFIV25Wb1B5U1ZCalkKapZc3gwAVsVyStau64dSYuperbTvw73c
 EKfjlFriowQ6V5MUewoV1OaXx4SW2ExzccnhMXE6UdpoDGRZkNGk6Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-23T02:29:47Z"
- mac: ENC[AES256_GCM,data:NRcaylRx2paVuCO5IahZzgfnwghOZLC2GeIkZDqj9427Een1aopQU0BuQsoiwZWWC1o0ZSN9KkOTnR+2ExVFcJfzqx3n6pguHZ7pCs23OdnQK8hvs0aVn1obrkWGo4jWDCVUQT859J5QGbKxVCJ03dhkFLRknH3+09IcBZUQG2Y=,iv:IwGiSqyttNYWUSKwd/FYvpcXcbqvtRkRfoKtkNtMtk8=,tag:JDGfrvgfxiFCzlL78WdNlQ==,type:str]
+ lastmodified: "2025-12-02T17:20:47Z"
+ mac: ENC[AES256_GCM,data:vs3UxmNlHbZIJFubaqB4M39V+0uOTB7kBH5n4COv2MmGX+ZWHHvsj8Wa9Hr8aHoySCtzgKohB4SQAyQ+abYzaEuczBmtmKAwjxs8+c3B02IHib4iRxJkXAssNKuHmfkxj3HekVmxidvnqHVhJBKzMTX72nldZOBMvPJOQ+HXgKM=,iv:Yl/6ky7ldxbr79+O+h0JvndrP0Jwlr1jrfouLUFISK4=,tag:9RaWHAhFNhIRF2XYaAFf8g==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0