velocity: init

wo2wz 2025-12-11 11:40:06 -05:00
parent a8d0455b99
commit 0150c8fb49
3 changed files with 176 additions and 2 deletions


@ -5,5 +5,6 @@
./minecraft-server.nix
./restic.nix
./sops.nix
./velocity.nix
];
}


@ -0,0 +1,171 @@
{ inputs, config, pkgs, ... }:
{
users.groups.velocity-secret.members = [
"velocity"
"minecraft"
];
sops.secrets."velocity/forwarding.secret" = {
owner = "velocity";
group = "velocity-secret";
mode = "440";
};
networking.firewall = {
allowedTCPPorts = [ 10000 ];
allowedUDPPorts = [
10000
19132 # for geyser
];
};
users = {
users.velocity = {
group = "velocity";
isSystemUser = true;
home = "/var/lib/velocity";
createHome = true;
};
groups.velocity = {};
};
environment.etc."velocity/velocity.toml".source = pkgs.writers.writeTOML "velocity.toml" {
config-version = "2.7";
bind = "0.0.0.0:10000";
motd = "if you see this the server is not working";
show-max-players = 2147483647;
online-mode = true;
force-key-authentication = false;
prevent-client-proxy-connections = false;
player-info-forwarding-mode = "modern";
forwarding-secret-file = config.sops.secrets."velocity/forwarding.secret".path;
announce-forge = false;
kick-existing-players = false;
ping-passthrough = "ALL";
sample-players-in-ping = false;
enable-player-address-logging = true;
servers = {
monifactory = "127.0.0.1:10001";
countries = "127.0.0.1:10002";
try = [
"monifactory"
"countries"
];
};
forced-hosts = {
"moni.mc.wo2wz.fyi" = [ "monifactory" ];
"countries.mc.wo2wz.fyi" = [ "countries" ];
};
advanced = {
compression-threshold = 256;
compression-level = -1;
connection-timeout = 5000;
read-timeout = 30000;
haproxy-protocol = false;
tcp-fast-open = true;
bungee-plugin-message-channel = true;
show-ping-requests = false;
failover-on-unexpected-server-disconnect = true;
announce-proxy-commands = true;
log-command-executions = false;
log-player-connections = true;
accepts-transfers = false;
enable-reuse-port = false;
login-ratelimit = 3000;
command-rate-limit = 50;
forward-commands-if-rate-limited = true;
kick-after-rate-limited-commands = 0;
tab-complete-rate-limit = 10;
kick-after-rate-limited-tab-completes = 0;
};
query = {
enabled = false;
port = 25565;
map = "Velocity";
show-plugins = false;
};
};
systemd.services.velocity = {
description = "Velocity proxy for Minecraft servers";
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
path = [ inputs.nixpkgs-pin.legacyPackages.${pkgs.stdenv.hostPlatform.system}.graalvm-ce ];
script = ''
java \
-Xmx1G -Xms1G -XX:+UseG1GC -XX:G1HeapRegionSize=4M -XX:+UnlockExperimentalVMOptions -XX:+ParallelRefProcEnabled -XX:+AlwaysPreTouch -XX:MaxInlineLevel=15 \
-Dvelocity.max-known-packs=264 \
-jar ${pkgs.velocity}/share/velocity/velocity.jar
'';
serviceConfig = {
User = "velocity";
Group = "velocity";
StateDirectory = "velocity";
StateDirectoryMode = "0700";
WorkingDirectory = "%S/velocity";
Type = "exec";
Restart = "always";
# hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
DevicePolicy = "strict";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateTmp = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" ];
UMask = "0077";
};
};
}
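Review bot: The TOML rendered into `environment.etc."velocity/velocity.toml"` does not appear to be handed to the proxy at all: `script` runs `java -jar velocity.jar` from `WorkingDirectory = "%S/velocity"`, and Velocity, as far as I know, reads `velocity.toml` from its working directory, so on first start it would write its own default config there with its own defaults (different bind port, a freshly generated forwarding secret) and none of the settings declared above, while the firewall rule and the sops secret are set up for this file. The simplest fix is to link the managed file into the state directory before launching, e.g. `ln -sfn /etc/velocity/velocity.toml velocity.toml` as the first line of `script` (the target under /etc stays readable with `ProtectSystem = "strict"`); worth confirming against the Velocity version in use, and worth a comment such as `# velocity loads velocity.toml from its working directory` next to the link. Separately, `allowedUDPPorts` opens 10000/udp next to the TCP listener, but nothing in this file binds UDP on that port — if Geyser on 19132 is the only UDP listener, the 10000/udp rule is unneeded exposure and can be dropped.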