velocity: init

modules/nixos/services/gameserver/default.nix

@@ -5,5 +5,6 @@
     ./minecraft-server.nix
     ./restic.nix
     ./sops.nix
+    ./velocity.nix
   ];
 }

modules/nixos/services/gameserver/velocity.nix

@@ -0,0 +1,171 @@
+{ inputs, config, pkgs, ... }:
+
+{
+  users.groups.velocity-secret.members = [
+    "velocity"
+    "minecraft"
+  ];
+  sops.secrets."velocity/forwarding.secret" = {
+    owner = "velocity";
+    group = "velocity-secret";
+    mode = "440";
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 10000 ];
+    allowedUDPPorts = [
+      10000
+      19132 # for geyser
+    ];
+  };
+
+  users = {
+    users.velocity = {
+      group = "velocity";
+      isSystemUser = true;
+
+      home = "/var/lib/velocity";
+      createHome = true;
+    };
+    groups.velocity = {};
+  };
+
+  environment.etc."velocity/velocity.toml".source = pkgs.writers.writeTOML "velocity.toml" {
+    config-version = "2.7";
+
+    bind = "0.0.0.0:10000";
+
+    motd = "if you see this the server is not working";
+    show-max-players = 2147483647;
+
+    online-mode = true;
+    force-key-authentication = false;
+
+    prevent-client-proxy-connections = false;
+
+    player-info-forwarding-mode = "modern";
+    forwarding-secret-file = config.sops.secrets."velocity/forwarding.secret".path;
+
+    announce-forge = false;
+
+    kick-existing-players = false;
+
+    ping-passthrough = "ALL";
+    sample-players-in-ping = false;
+
+    enable-player-address-logging = true;
+
+    servers = {
+      monifactory = "127.0.0.1:10001";
+      countries = "127.0.0.1:10002";
+
+      try = [
+        "monifactory"
+        "countries"
+      ];
+    };
+
+    forced-hosts = {
+      "moni.mc.wo2wz.fyi" = [ "monifactory" ];
+      "countries.mc.wo2wz.fyi" = [ "countries" ];
+    };
+    
+    advanced = {
+      compression-threshold = 256;
+      compression-level = -1;
+
+      connection-timeout = 5000;
+      read-timeout = 30000;
+
+      haproxy-protocol = false;
+      tcp-fast-open = true;
+
+      bungee-plugin-message-channel = true;
+
+      show-ping-requests = false;
+
+      failover-on-unexpected-server-disconnect = true;
+
+      announce-proxy-commands = true;
+
+      log-command-executions = false;
+      log-player-connections = true;
+
+      accepts-transfers = false;
+
+      enable-reuse-port = false;
+
+      login-ratelimit = 3000;
+      command-rate-limit = 50;
+      forward-commands-if-rate-limited = true;
+      kick-after-rate-limited-commands = 0;
+      tab-complete-rate-limit = 10;
+      kick-after-rate-limited-tab-completes = 0;
+    };
+
+    query = {
+      enabled = false;
+      port = 25565;
+      map = "Velocity";
+      show-plugins = false;
+    };
+  };
+
+  systemd.services.velocity = {
+    description = "Velocity proxy for Minecraft servers";
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+
+    path = [ inputs.nixpkgs-pin.legacyPackages.${pkgs.stdenv.hostPlatform.system}.graalvm-ce ];
+    script = ''
+      java \
+      -Xmx1G -Xms1G -XX:+UseG1GC -XX:G1HeapRegionSize=4M -XX:+UnlockExperimentalVMOptions -XX:+ParallelRefProcEnabled -XX:+AlwaysPreTouch -XX:MaxInlineLevel=15 \
+      -Dvelocity.max-known-packs=264 \
+      -jar ${pkgs.velocity}/share/velocity/velocity.jar
+    '';
+
+    serviceConfig = {
+      User = "velocity";
+      Group = "velocity";
+      StateDirectory = "velocity";
+      StateDirectoryMode = "0700";
+      WorkingDirectory = "%S/velocity";
+
+      Type = "exec";
+      Restart = "always";
+
+      # hardening
+      CapabilityBoundingSet = [ "" ];
+      DeviceAllow = [ "" ];
+      DevicePolicy = "strict";
+      LockPersonality = true;
+      NoNewPrivileges = true;
+      PrivateDevices = true;
+      PrivateTmp = true;
+      PrivateUsers = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHome = true;
+      ProtectHostname = true;
+      ProtectKernelLogs = true;
+      ProtectKernelModules = true;
+      ProtectKernelTunables = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_UNIX"
+      ];
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      SystemCallArchitectures = "native";
+      SystemCallFilter = [ "@system-service" ];
+      UMask = "0077";
+    };
+  };
+}

secrets/gutterman.yaml

@@ -1,6 +1,8 @@
 restic:
     password: ENC[AES256_GCM,data:XQHv85l9cRNmJVknIhNuj7+o5oRvot7rtKdtXY0xO58=,iv:mwV373WSqMxh6ATYPnl4Qcxdim0uCVj/ooXFsturY9c=,tag:a/wCIsMQPVq5+jPf2QVZVA==,type:str]
     rest-auth.env: ENC[AES256_GCM,data:O6ujHcZuN2qi4oDknqjNKXtWIil2AIgkeNqhTDWr2XfKxVKeiNEz8cW0a5gXXmqicS0+KHwv32fITN6mA2t4hgJgFItMkAj9dVrnhTFX9UmrV+6qIGZVg+e1L6ZBdFxYJcrughepfvMVT01lG/DU1TJ/aDbK,iv:683BKhhcJOfKR4zu50fGit01bAChooCjt0zpcyJzmAQ=,tag:3ymmH4PU9+Q+J3TmJgZ2YA==,type:str]
+velocity:
+    forwarding.secret: ENC[AES256_GCM,data:8tLoHwV8FLX6GMR9uZSzJOc/fCWIiRyfgZtfyvjGzDo=,iv:MXkS/HDMdRdbZHHWTYA+hcXbxkSEMeBHPOA67awsqtM=,tag:ovU9I2gEfIB8lw/RiTguWw==,type:str]
 sops:
     age:
         - recipient: age1t3n08lsemjmflt8nw2je4cr62g8e6evpxsakhcgtzhgp6rmn7u6s29lnpa
@@ -12,7 +14,7 @@ sops:
             UFR2UTJWSHJGcGFIV25Wb1B5U1ZCalkKapZc3gwAVsVyStau64dSYuperbTvw73c
             EKfjlFriowQ6V5MUewoV1OaXx4SW2ExzccnhMXE6UdpoDGRZkNGk6Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-23T02:29:47Z"
+    lastmodified: "2025-12-02T17:20:47Z"
-    mac: ENC[AES256_GCM,data:NRcaylRx2paVuCO5IahZzgfnwghOZLC2GeIkZDqj9427Een1aopQU0BuQsoiwZWWC1o0ZSN9KkOTnR+2ExVFcJfzqx3n6pguHZ7pCs23OdnQK8hvs0aVn1obrkWGo4jWDCVUQT859J5QGbKxVCJ03dhkFLRknH3+09IcBZUQG2Y=,iv:IwGiSqyttNYWUSKwd/FYvpcXcbqvtRkRfoKtkNtMtk8=,tag:JDGfrvgfxiFCzlL78WdNlQ==,type:str]
+    mac: ENC[AES256_GCM,data:vs3UxmNlHbZIJFubaqB4M39V+0uOTB7kBH5n4COv2MmGX+ZWHHvsj8Wa9Hr8aHoySCtzgKohB4SQAyQ+abYzaEuczBmtmKAwjxs8+c3B02IHib4iRxJkXAssNKuHmfkxj3HekVmxidvnqHVhJBKzMTX72nldZOBMvPJOQ+HXgKM=,iv:Yl/6ky7ldxbr79+O+h0JvndrP0Jwlr1jrfouLUFISK4=,tag:9RaWHAhFNhIRF2XYaAFf8g==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0