add minecraft server

2024-08-08 18:39:46 +01:00 · 2024-08-08 18:39:46 +01:00 · aca8be0cbb
parent 3c80a0d20a
commit aca8be0cbb
2 changed files with 124 additions and 0 deletions
--- a/hosts/hetzner-arm/containers/minecraft/minecraft.nix
+++ b/hosts/hetzner-arm/containers/minecraft/minecraft.nix
@ -0,0 +1,123 @@
+{
+  self,
+  tree,
+  lib,
+  inputs,
+  config,
+  pkgs,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
+in {
+  containers.minecraft = {
+    autoStart = true;
+
+    specialArgs = {
+      inherit inputs;
+      inherit tree;
+      inherit self;
+    };
+
+    config = {...}: {
+      nixpkgs.pkgs = pkgs;
+
+      imports = with tree; [
+        presets.nixos.containerBase
+      ];
+
+      networking.firewall = {
+        enable = mkForce false;
+      };
+
+      users.users.minecraft = {
+        description = "Minecraft server service user";
+        home = "/var/lib/minecraft";
+        createHome = true;
+        isSystemUser = true;
+        group = "minecraft";
+      };
+      users.groups.minecraft = {};
+
+      systemd.sockets.minecraft-server = {
+        bindsTo = ["minecraft-server.service"];
+        socketConfig = {
+          ListenFIFO = "/run/minecraft-server.stdin";
+          SocketMode = "0660";
+          SocketUser = "minecraft";
+          SocketGroup = "minecraft";
+          RemoveOnStop = true;
+          FlushPending = true;
+        };
+      };
+
+      systemd.sockets.minecraft-server = {
+        bindsTo = ["minecraft-server.service"];
+        socketConfig = {
+          ListenFIFO = "/run/minecraft-server.stdin";
+          SocketMode = "0660";
+          SocketUser = "minecraft";
+          SocketGroup = "minecraft";
+          RemoveOnStop = true;
+          FlushPending = true;
+        };
+      };
+
+      systemd.services.minecraft-server = let
+        stopScript = pkgs.writeShellScript "minecraft-server-stop" ''
+          echo stop > /run/minecraft-server.stdin
+
+          while kill -0 "$1" 2> /dev/null; do
+            sleep 1s
+          done
+        '';
+      in {
+        description = "Minecraft Server Service";
+        wantedBy = ["multi-user.target"];
+        requires = ["minecraft-server.socket"];
+        after = ["network.target" "minecraft-server.socket"];
+
+        serviceConfig = {
+          ExecStart = "${jdk8.jre}/bin/java -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -Xmx4096M -Xms2048M -jar forge-1.4.7-6.6.2.534-universal.jar nogui";
+          ExecStop = "${stopScript} $MAINPID";
+          Restart = "always";
+          User = "minecraft";
+          WorkingDirectory = "/var/lib/minecraft";
+
+          StandardInput = "socket";
+          StandardOutput = "journal";
+          StandardError = "journal";
+
+          # Hardening
+          CapabilityBoundingSet = [""];
+          DeviceAllow = [""];
+          LockPersonality = true;
+          PrivateDevices = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "invisible";
+          RestrictAddressFamilies = ["AF_INET" "AF_INET6"];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          SystemCallArchitectures = "native";
+          UMask = "0077";
+        };
+      };
+
+      home-manager.users.root.home.stateVersion = "24.05";
+      system.stateVersion = "24.05";
+    };
+  };
+
+  networking.firewall = {
+    allowedUDPPorts = [25565];
+    allowedTCPPorts = [25565];
+  };
+}
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -18,6 +18,7 @@ in {
      "storage"
      "mail"
      "jellyfin"
+      "minecraft"
    ] (name: ./containers + "/${name}/${name}.nix"))

    (with hosts.hetzner-arm.profiles; [