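# NixOS module: a socket-activated Minecraft Java server with a FIFO console.
#
# The socket unit owns a named pipe (stdinFIFO) that becomes the server's
# stdin, so console commands can be issued by writing to the pipe. The
# service runs as a dedicated system user inside a systemd sandbox.
{ config, pkgs, ... }:
let
  # Working directory of the server (server.jar, world data, logs). It must
  # exist before the service starts; creating it is left to the operator
  # (see the commented-out createHome below).
  dataDir = "/opt/minecraft";
  # Named pipe wired to the server's stdin by the socket unit.
  stdinFIFO = "/run/minecraft.stdin";
in {
  users.users.minecraft = {
    isSystemUser = true;
    group = "minecraft";
    home = dataDir;
    # createHome = true;
  };
  users.groups.minecraft = {};
  # NOTE: membership of the "minecraft" group grants write access to the
  # console FIFO (SocketMode 0660 below), i.e. full server-console access.
  users.users.josh.extraGroups = [ "minecraft" ];

  networking.firewall = {
    allowedTCPPorts = [ 25565 ];
    # UDP 25565 only serves the optional query protocol; it can be dropped
    # if enable-query is off in server.properties.
    allowedUDPPorts = [ 25565 ];
  };

  systemd.sockets.minecraft = {
    bindsTo = [ "minecraft.service" ];
    socketConfig = {
      ListenFIFO = stdinFIFO;
      # Owner and group only: anyone who can write here controls the server.
      SocketMode = "0660";
      SocketUser = "minecraft";
      SocketGroup = "minecraft";
      RemoveOnStop = true;
      # Clear the pipe's buffer after the service exits, so queued input
      # (e.g. a stale "stop") is not handed to the next start.
      FlushPending = true;
    };
  };

  systemd.services.minecraft = {
    description = "Minecraft Server";
    wantedBy = [ "multi-user.target" ];
    requires = [ "minecraft.socket" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" "minecraft.socket" ];
    serviceConfig = {
      # server.jar is resolved relative to WorkingDirectory (dataDir).
      ExecStart = "${pkgs.jdk}/bin/java -server -Xms512M -Xmx4096M -jar server.jar nogui";
      # Ask the server to shut down cleanly through its console, then wait
      # for it to exit. systemd's TimeoutStopSec remains the backstop if the
      # server never exits.
      ExecStop = pkgs.writeShellScript "minecraft-server-stop" ''
        echo stop > ${stdinFIFO}
        # Wait for the PID of the minecraft server to disappear before
        # returning, so systemd doesn't attempt to SIGKILL it.
        while kill -0 "$MAINPID" 2> /dev/null; do
          sleep 1s
        done
      '';
      Restart = "always";
      User = "minecraft";
      WorkingDirectory = dataDir;
      StandardInput = "socket";
      StandardOutput = "journal";
      StandardError = "journal";

      # Hardening
      # The server only needs to write to its own data directory; the rest of
      # the filesystem (including /etc) is mounted read-only. Writing to the
      # existing console FIFO under /run is still permitted, since read-only
      # mounts only block writes to regular files and directories.
      ProtectSystem = "strict";
      ReadWritePaths = [ dataDir ];
      # Already implied by several of the options below; stated explicitly so
      # the intent survives if those options are ever relaxed.
      NoNewPrivileges = true;
      CapabilityBoundingSet = [ "" ];
      DeviceAllow = [ "" ];
      LockPersonality = true;
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      # MemoryDenyWriteExecute is deliberately not set: the JVM's JIT needs
      # writable+executable pages and would fail under it.
      SystemCallArchitectures = "native";
      UMask = "0077";
    };
  };
}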