minecraft-server: adjust for velocity, use template unit, ditch screen and use fifo systemd socket for input

It actually works now. I don't know why terminal multiplexers give an error even with pty access, but this setup is better overall anyway.
wo2wz 2025-12-11 11:43:39 -05:00
parent 0150c8fb49
commit 76ff79019c


@ -2,11 +2,6 @@
{ {
networking.firewall = {
allowedTCPPorts = [ 10000 ];
allowedUDPPorts = [ 10000 ];
};
users = { users = {
users.minecraft = { users.minecraft = {
group = "minecraft"; group = "minecraft";
@ -18,155 +13,177 @@
groups.minecraft = {}; groups.minecraft = {};
}; };
environment.systemPackages = [ environment.etc."minecraft/java21_args".text = ''
# to control the interactive server console --add-modules=jdk.incubator.vector
pkgs.screen -XX:+UseG1GC
-XX:MaxGCPauseMillis=200
-XX:+UnlockExperimentalVMOptions
-XX:+UnlockDiagnosticVMOptions
-XX:+DisableExplicitGC
-XX:+AlwaysPreTouch
-XX:G1NewSizePercent=28
-XX:G1MaxNewSizePercent=50
-XX:G1HeapRegionSize=16M
-XX:G1ReservePercent=15
-XX:G1MixedGCCountTarget=3
-XX:InitiatingHeapOccupancyPercent=20
-XX:G1MixedGCLiveThresholdPercent=90
-XX:SurvivorRatio=32
-XX:G1HeapWastePercent=5
-XX:MaxTenuringThreshold=1
-XX:+PerfDisableSharedMem
-XX:G1SATBBufferEnqueueingThresholdPercent=30
-XX:G1ConcMarkStepDurationMillis=5
-XX:G1RSetUpdatingPauseTimePercent=0
-XX:+UseNUMA
-XX:-DontCompileHugeMethods
-XX:MaxNodeLimit=240000
-XX:NodeLimitFudgeFactor=8000
-XX:ReservedCodeCacheSize=400M
-XX:NonNMethodCodeHeapSize=12M
-XX:ProfiledCodeHeapSize=194M
-XX:NonProfiledCodeHeapSize=194M
-XX:NmethodSweepActivity=1
-XX:+UseFastUnorderedTimeStamps
-XX:+UseCriticalJavaThreadPriority
-XX:AllocatePrefetchStyle=3
-XX:+AlwaysActAsServerClassMachine
-XX:+UseTransparentHugePages
-XX:LargePageSizeInBytes=2M
-XX:+UseLargePages
-XX:+EagerJVMCI
-XX:+UseStringDeduplication
-XX:+UseAES
-XX:+UseAESIntrinsics
-XX:+UseFMA
-XX:+UseLoopPredicate
-XX:+RangeCheckElimination
-XX:+OptimizeStringConcat
-XX:+UseCompressedOops
-XX:+UseThreadPriorities
-XX:+OmitStackTraceInFastThrow
-XX:+RewriteBytecodes
-XX:+RewriteFrequentPairs
-XX:+UseFPUForSpilling
-XX:+UseFastStosb
-XX:+UseNewLongLShift
-XX:+UseVectorCmov
-XX:+UseXMMForArrayCopy
-XX:+UseXmmI2D
-XX:+UseXmmI2F
-XX:+UseXmmLoadAndClearUpper
-XX:+UseXmmRegToRegMoveAll
-XX:+EliminateLocks
-XX:+DoEscapeAnalysis
-XX:+AlignVector
-XX:+OptimizeFill
-XX:+EnableVectorSupport
-XX:+UseCharacterCompareIntrinsics
-XX:+UseCopySignIntrinsic
-XX:+UseVectorStubs
-XX:UseAVX=2
-XX:UseSSE=4
-XX:+UseFastJNIAccessors
-XX:+UseInlineCaches
-XX:+SegmentedCodeCache
-Djdk.nio.maxCachedBufferSize=262144
-Djdk.graal.UsePriorityInlining=true
-Djdk.graal.Vectorization=true
-Djdk.graal.OptDuplication=true
-Djdk.graal.DetectInvertedLoopsAsCounted=true
-Djdk.graal.LoopInversion=true
-Djdk.graal.VectorizeHashes=true
-Djdk.graal.EnterprisePartialUnroll=true
-Djdk.graal.VectorizeSIMD=true
-Djdk.graal.StripMineNonCountedLoops=true
-Djdk.graal.SpeculativeGuardMovement=true
-Djdk.graal.TuneInlinerExploration=1
-Djdk.graal.LoopRotation=true
-Djdk.graal.CompilerConfiguration=enterprise
'';
pkgs.graalvmPackages.graalvm-oracle_17 systemd = {
inputs.nixpkgs-pin.legacyPackages.${pkgs.stdenv.hostPlatform.system}.graalvm-ce targets.multi-user.wants = [
]; "minecraft@countries.service"
"minecraft@monifactory.service"
];
environment.etc = { sockets."minecraft@" = {
"minecraft/java21_args".text = '' partOf = [ "minecraft@%i.service" ];
-Xmx8G socketConfig = {
-Xms8G SocketUser = "minecraft";
--add-modules=jdk.incubator.vector SocketGroup = "minecraft";
-XX:+UseG1GC SocketMode = "0600";
-XX:MaxGCPauseMillis=200
-XX:+UnlockExperimentalVMOptions
-XX:+UnlockDiagnosticVMOptions
-XX:+DisableExplicitGC
-XX:+AlwaysPreTouch
-XX:G1NewSizePercent=28
-XX:G1MaxNewSizePercent=50
-XX:G1HeapRegionSize=16M
-XX:G1ReservePercent=15
-XX:G1MixedGCCountTarget=3
-XX:InitiatingHeapOccupancyPercent=20
-XX:G1MixedGCLiveThresholdPercent=90
-XX:SurvivorRatio=32
-XX:G1HeapWastePercent=5
-XX:MaxTenuringThreshold=1
-XX:+PerfDisableSharedMem
-XX:G1SATBBufferEnqueueingThresholdPercent=30
-XX:G1ConcMarkStepDurationMillis=5
-XX:G1RSetUpdatingPauseTimePercent=0
-XX:+UseNUMA
-XX:-DontCompileHugeMethods
-XX:MaxNodeLimit=240000
-XX:NodeLimitFudgeFactor=8000
-XX:ReservedCodeCacheSize=400M
-XX:NonNMethodCodeHeapSize=12M
-XX:ProfiledCodeHeapSize=194M
-XX:NonProfiledCodeHeapSize=194M
-XX:NmethodSweepActivity=1
-XX:+UseFastUnorderedTimeStamps
-XX:+UseCriticalJavaThreadPriority
-XX:AllocatePrefetchStyle=3
-XX:+AlwaysActAsServerClassMachine
-XX:+UseTransparentHugePages
-XX:LargePageSizeInBytes=2M
-XX:+UseLargePages
-XX:+EagerJVMCI
-XX:+UseStringDeduplication
-XX:+UseAES
-XX:+UseAESIntrinsics
-XX:+UseFMA
-XX:+UseLoopPredicate
-XX:+RangeCheckElimination
-XX:+OptimizeStringConcat
-XX:+UseCompressedOops
-XX:+UseThreadPriorities
-XX:+OmitStackTraceInFastThrow
-XX:+RewriteBytecodes
-XX:+RewriteFrequentPairs
-XX:+UseFPUForSpilling
-XX:+UseFastStosb
-XX:+UseNewLongLShift
-XX:+UseVectorCmov
-XX:+UseXMMForArrayCopy
-XX:+UseXmmI2D
-XX:+UseXmmI2F
-XX:+UseXmmLoadAndClearUpper
-XX:+UseXmmRegToRegMoveAll
-XX:+EliminateLocks
-XX:+DoEscapeAnalysis
-XX:+AlignVector
-XX:+OptimizeFill
-XX:+EnableVectorSupport
-XX:+UseCharacterCompareIntrinsics
-XX:+UseCopySignIntrinsic
-XX:+UseVectorStubs
-XX:UseAVX=2
-XX:UseSSE=4
-XX:+UseFastJNIAccessors
-XX:+UseInlineCaches
-XX:+SegmentedCodeCache
-Djdk.nio.maxCachedBufferSize=262144
-Djdk.graal.UsePriorityInlining=true
-Djdk.graal.Vectorization=true
-Djdk.graal.OptDuplication=true
-Djdk.graal.DetectInvertedLoopsAsCounted=true
-Djdk.graal.LoopInversion=true
-Djdk.graal.VectorizeHashes=true
-Djdk.graal.EnterprisePartialUnroll=true
-Djdk.graal.VectorizeSIMD=true
-Djdk.graal.StripMineNonCountedLoops=true
-Djdk.graal.SpeculativeGuardMovement=true
-Djdk.graal.TuneInlinerExploration=1
-Djdk.graal.LoopRotation=true
-Djdk.graal.CompilerConfiguration=enterprise
'';
};
systemd.services.minecraft = { ListenFIFO = "%t/minecraft-%i.stdin";
description = "Minecraft Java Edition server"; RemoveOnStop = true;
wants = [ "network-online.target" ]; };
after = [ "network-online.target" ]; };
path = [ pkgs.screen ]; services."minecraft@" = {
script = "screen -dmS minecraft -- ${lib.getExe inputs.nixpkgs-pin.legacyPackages.${pkgs.stdenv.hostPlatform.system}.graalvm-ce} @/etc/minecraft/java21_args -jar server.jar nogui"; description = "Minecraft Java Edition server for %i";
wants = [ "network-online.target" "velocity.service" ];
after = [ "network-online.target" "velocity.service" ];
serviceConfig = { environment = {
User = "minecraft"; JAVA_17_PATH = lib.getExe pkgs.graalvmPackages.graalvm-oracle_17;
Group = "minecraft"; JAVA_21_PATH = lib.getExe inputs.nixpkgs-pin.legacyPackages.${pkgs.stdenv.hostPlatform.system}.graalvm-ce;
WorkingDirectory = "/var/lib/minecraft/vanilla"; };
Type = "forking";
Restart = "on-failure";
TimerSlackNSec = "5ms";
# very necessary and sane hardening for a private minecraft server serviceConfig = {
CapabilityBoundingSet = [ "" ]; User = "minecraft";
DeviceAllow = [ "" ]; Group = "minecraft";
DevicePolicy = "strict"; StateDirectory = "minecraft/%i";
LockPersonality = true; StateDirectoryMode = "0700";
MemoryDenyWriteExecute = true; WorkingDirectory = "%S/minecraft/%i";
NoNewPrivileges = true;
PrivateDevices = true; ExecStart = "${lib.getExe pkgs.bash} run.sh";
PrivateTmp = true;
PrivateUsers = true; Type = "exec";
ProcSubset = "pid"; Restart = "always";
ProtectClock = true; # minecraft responds to SIGINT to stop the server
ProtectControlGroups = true; KillSignal = "SIGINT";
ProtectHome = true; # minecraft sends exit code 130 when stopped
ProtectHostname = true; SuccessExitStatus = 130;
ProtectKernelLogs = true;
ProtectKernelModules = true; # use socket for stdin to send commands
ProtectKernelTunables = true; Sockets = "minecraft@%i.socket";
ProtectProc = "invisible"; StandardInput = "socket";
ProtectSystem = "strict"; StandardOutput = "journal";
RemoveIPC = true; StandardError = "journal";
RestrictAddressFamilies = [
"AF_INET" # hardening
"AF_INET6" CapabilityBoundingSet = [ "" ];
"AF_UNIX" DeviceAllow = [ "" ];
]; DevicePolicy = "strict";
RestrictNamespaces = true; LockPersonality = true;
RestrictRealtime = true; NoNewPrivileges = true;
RestrictSUIDSGID = true; PrivateDevices = true;
SystemCallArchitectures = "native"; PrivateTmp = true;
SystemCallFilter = [ "@system-service" ]; PrivateUsers = true;
UMask = "0027"; ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
RemoveIPC = true;
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
SystemCallArchitectures = "native";
SystemCallFilter = [ "@system-service" ];
UMask = "0077";
};
}; };
}; };
} }
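Review bot: `MemoryDenyWriteExecute = true` is in the old unit's hardening block but is missing from the new `serviceConfig` under `services."minecraft@"`, and neither the commit message nor the `# hardening` comment records that it was dropped on purpose. Presumably it is because the JVM's JIT code cache (`-XX:ReservedCodeCacheSize=400M` in `java21_args`) needs writable-and-executable mappings and the service fails to start with that directive, but that should be stated so a later cleanup does not "restore" it; a one-line comment such as `# MemoryDenyWriteExecute omitted on purpose: the JIT code cache needs W+X mappings — confirm before re-adding` next to `CapabilityBoundingSet` would do. Separately, `ExecStart = "${lib.getExe pkgs.bash} run.sh"` executes a script that lives in the instance's `StateDirectory`, which is owned and writable by the same `minecraft` user the server runs as, so the heap flags that were removed from `java21_args` (`-Xmx8G`/`-Xms8G`) and the choice between `JAVA_17_PATH` and `JAVA_21_PATH` are now decided by a file outside the Nix configuration and `Restart = "always"` will relaunch whatever that file contains; if `run.sh` does not `exec` the JVM, bash rather than java is the main PID and `SuccessExitStatus = 130` and `KillSignal = "SIGINT"` apply to bash's exit, so it is worth documenting that expectation on the `ExecStart` line.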