diff options
Diffstat (limited to 'nixos/modules/services/games')
| -rw-r--r-- | nixos/modules/services/games/asf.nix | 236 | ||||
| -rw-r--r-- | nixos/modules/services/games/crossfire-server.nix | 179 | ||||
| -rw-r--r-- | nixos/modules/services/games/deliantra-server.nix | 172 | ||||
| -rw-r--r-- | nixos/modules/services/games/factorio.nix | 268 | ||||
| -rw-r--r-- | nixos/modules/services/games/freeciv.nix | 187 | ||||
| -rw-r--r-- | nixos/modules/services/games/minecraft-server.nix | 257 | ||||
| -rw-r--r-- | nixos/modules/services/games/minetest-server.nix | 107 | ||||
| -rw-r--r-- | nixos/modules/services/games/openarena.nix | 56 | ||||
| -rw-r--r-- | nixos/modules/services/games/quake3-server.nix | 112 | ||||
| -rw-r--r-- | nixos/modules/services/games/teeworlds.nix | 119 | ||||
| -rw-r--r-- | nixos/modules/services/games/terraria.nix | 169 |
11 files changed, 1862 insertions, 0 deletions
diff --git a/nixos/modules/services/games/asf.nix b/nixos/modules/services/games/asf.nix new file mode 100644 index 00000000000..ea2bfd40fff --- /dev/null +++ b/nixos/modules/services/games/asf.nix @@ -0,0 +1,236 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.archisteamfarm; + + format = pkgs.formats.json { }; + + asf-config = format.generate "ASF.json" (cfg.settings // { + # we disable it because ASF cannot update itself anyways + # and nixos takes care of restarting the service + # is in theory not needed as this is already the default for default builds + UpdateChannel = 0; + Headless = true; + }); + + ipc-config = format.generate "IPC.config" cfg.ipcSettings; + + mkBot = n: c: + format.generate "${n}.json" (c.settings // { + SteamLogin = if c.username == "" then n else c.username; + SteamPassword = c.passwordFile; + # sets the password format to file (https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Security#file) + PasswordFormat = 4; + Enabled = c.enabled; + }); +in +{ + options.services.archisteamfarm = { + enable = mkOption { + type = types.bool; + description = '' + If enabled, starts the ArchisSteamFarm service. + For configuring the SteamGuard token you will need to use the web-ui, which is enabled by default over on 127.0.0.1:1242. + You cannot configure ASF in any way outside of nix, since all the config files get wiped on restart and replaced with the programatically set ones by nix. + ''; + default = false; + }; + + web-ui = mkOption { + type = types.submodule { + options = { + enable = mkEnableOption + "Wheter to start the web-ui. This is the preferred way of configuring things such as the steam guard token"; + + package = mkOption { + type = types.package; + default = pkgs.ArchiSteamFarm.ui; + description = + "Web-UI package to use. Contents must be in lib/dist."; + }; + }; + }; + default = { + enable = true; + package = pkgs.ArchiSteamFarm.ui; + }; + example = { + enable = false; + }; + description = "The Web-UI hosted on 127.0.0.1:1242."; + }; + + package = mkOption { + type = types.package; + default = pkgs.ArchiSteamFarm; + description = + "Package to use. Should always be the latest version, for security reasons, since this module uses very new features and to not get out of sync with the Steam API."; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/asf"; + description = '' + The ASF home directory used to store all data. + If left as the default value this directory will automatically be created before the ASF server starts, otherwise the sysadmin is responsible for ensuring the directory exists with appropriate ownership and permissions.''; + }; + + settings = mkOption { + type = format.type; + description = '' + The ASF.json file, all the options are documented <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#global-config">here</link>. + Do note that `AutoRestart` and `UpdateChannel` is always to `false` +respectively `0` because NixOS takes care of updating everything. + `Headless` is also always set to `true` because there is no way to provide inputs via a systemd service. + You should try to keep ASF up to date since upstream does not provide support for anything but the latest version and you're exposing yourself to all kinds of issues - as is outlined <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#updateperiod">here</link>. + ''; + example = { + Statistics = false; + }; + default = { }; + }; + + ipcSettings = mkOption { + type = format.type; + description = '' + Settings to write to IPC.config. + All options can be found <link xlink:href="https://github.com/JustArchiNET/ArchiSteamFarm/wiki/IPC#custom-configuration">here</link>. + ''; + example = { + Kestrel = { + Endpoints = { + HTTP = { + Url = "http://*:1242"; + }; + }; + }; + }; + default = { }; + }; + + bots = mkOption { + type = types.attrsOf (types.submodule { + options = { + username = mkOption { + type = types.str; + description = + "Name of the user to log in. Default is attribute name."; + default = ""; + }; + passwordFile = mkOption { + type = types.path; + description = + "Path to a file containig the password. The file must be readable by the <literal>asf</literal> user/group."; + }; + enabled = mkOption { + type = types.bool; + default = true; + description = "Whether to enable the bot on startup."; + }; + settings = mkOption { + type = types.attrs; + description = + "Additional settings that are documented <link xlink:href=\"https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Configuration#bot-config\">here</link>."; + default = { }; + }; + }; + }); + description = '' + Bots name and configuration. + ''; + example = { + exampleBot = { + username = "alice"; + passwordFile = "/var/lib/asf/secrets/password"; + settings = { SteamParentalCode = "1234"; }; + }; + }; + default = { }; + }; + }; + + config = mkIf cfg.enable { + + users = { + users.asf = { + home = cfg.dataDir; + isSystemUser = true; + group = "asf"; + description = "Archis-Steam-Farm service user"; + }; + groups.asf = { }; + }; + + systemd.services = { + asf = { + description = "Archis-Steam-Farm Service"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + + serviceConfig = mkMerge [ + (mkIf (cfg.dataDir == "/var/lib/asf") { StateDirectory = "asf"; }) + { + User = "asf"; + Group = "asf"; + WorkingDirectory = cfg.dataDir; + Type = "simple"; + ExecStart = + "${cfg.package}/bin/ArchiSteamFarm --path ${cfg.dataDir} --process-required --no-restart --service --no-config-migrate"; + + # mostly copied from the default systemd service + PrivateTmp = true; + LockPersonality = true; + PrivateDevices = true; + PrivateIPC = true; + PrivateMounts = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + ProtectSystem = "full"; + RemoveIPC = true; + RestrictAddressFamilies = "AF_INET AF_INET6"; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + } + ]; + + preStart = '' + mkdir -p config + rm -f www + rm -f config/{*.json,*.config} + + ln -s ${asf-config} config/ASF.json + + ${strings.optionalString (cfg.ipcSettings != {}) '' + ln -s ${ipc-config} config/IPC.config + ''} + + ln -s ${pkgs.runCommandLocal "ASF-bots" {} '' + mkdir -p $out/lib/asf/bots + for i in ${strings.concatStringsSep " " (lists.map (x: "${getName x},${x}") (attrsets.mapAttrsToList mkBot cfg.bots))}; do IFS=","; + set -- $i + ln -s $2 $out/lib/asf/bots/$1 + done + ''}/lib/asf/bots/* config/ + + ${strings.optionalString cfg.web-ui.enable '' + ln -s ${cfg.web-ui.package}/lib/dist www + ''} + ''; + }; + }; + }; + + meta = { + buildDocsInSandbox = false; + maintainers = with maintainers; [ lom ]; + }; +} diff --git a/nixos/modules/services/games/crossfire-server.nix b/nixos/modules/services/games/crossfire-server.nix new file mode 100644 index 00000000000..a33025e0c3e --- /dev/null +++ b/nixos/modules/services/games/crossfire-server.nix @@ -0,0 +1,179 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.crossfire-server; + serverPort = 13327; +in { + options.services.crossfire-server = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, the Crossfire game server will be started at boot. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.crossfire-server; + defaultText = literalExpression "pkgs.crossfire-server"; + description = '' + The package to use for the Crossfire server (and map/arch data, if you + don't change dataDir). + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "${cfg.package}/share/crossfire"; + defaultText = literalExpression ''"''${config.services.crossfire.package}/share/crossfire"''; + description = '' + Where to load readonly data from -- maps, archetypes, treasure tables, + and the like. If you plan to edit the data on the live server (rather + than overlaying the crossfire-maps and crossfire-arch packages and + nixos-rebuilding), point this somewhere read-write and copy the data + there before starting the server. + ''; + }; + + stateDir = mkOption { + type = types.str; + default = "/var/lib/crossfire"; + description = '' + Where to store runtime data (save files, persistent items, etc). + + If left at the default, this will be automatically created on server + startup if it does not already exist. If changed, it is the admin's + responsibility to make sure that the directory exists and is writeable + by the `crossfire` user. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open ports in the firewall for the server. + ''; + }; + + configFiles = mkOption { + type = types.attrsOf types.str; + description = '' + Text to append to the corresponding configuration files. Note that the + files given in the example are *not* the complete set of files available + to customize; look in /etc/crossfire after enabling the server to see + the available files, and read the comments in each file for detailed + documentation on the format and what settings are available. + + Note that the motd, rules, and news files, if configured here, will + overwrite the example files that come with the server, rather than being + appended to them as the other configuration files are. + ''; + example = literalExpression '' + { + dm_file = ''' + admin:secret_password:localhost + jane:xyzzy:* + '''; + ban_file = ''' + # Bob is a jerk + bob@* + # So is everyone on 192.168.86.255/24 + *@192.168.86. + '''; + metaserver2 = ''' + metaserver2_notification on + localhostname crossfire.example.net + '''; + motd = "Welcome to CrossFire!"; + news = "No news yet."; + rules = "Don't be a jerk."; + settings = ''' + # be nicer to newbies and harsher to experienced players + balanced_stat_loss true + # don't let players pick up and use admin-created items + real_wiz false + '''; + } + ''; + default = {}; + }; + }; + + config = mkIf cfg.enable { + users.users.crossfire = { + description = "Crossfire server daemon user"; + home = cfg.stateDir; + createHome = false; + isSystemUser = true; + group = "crossfire"; + }; + users.groups.crossfire = {}; + + # Merge the cfg.configFiles setting with the default files shipped with + # Crossfire. + # For most files this consists of reading ${crossfire}/etc/crossfire/${name} + # and appending the user setting to it; the motd, news, and rules are handled + # specially, with user-provided values completely replacing the original. + environment.etc = lib.attrsets.mapAttrs' + (name: value: lib.attrsets.nameValuePair "crossfire/${name}" { + mode = "0644"; + text = + (optionalString (!elem name ["motd" "news" "rules"]) + (fileContents "${cfg.package}/etc/crossfire/${name}")) + + "\n${value}"; + }) ({ + ban_file = ""; + dm_file = ""; + exp_table = ""; + forbid = ""; + metaserver2 = ""; + motd = (fileContents "${cfg.package}/etc/crossfire/motd"); + news = (fileContents "${cfg.package}/etc/crossfire/news"); + rules = (fileContents "${cfg.package}/etc/crossfire/rules"); + settings = ""; + stat_bonus = ""; + } // cfg.configFiles); + + systemd.services.crossfire-server = { + description = "Crossfire Server Daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = mkMerge [ + { + ExecStart = "${cfg.package}/bin/crossfire-server -conf /etc/crossfire -local '${cfg.stateDir}' -data '${cfg.dataDir}'"; + Restart = "always"; + User = "crossfire"; + Group = "crossfire"; + WorkingDirectory = cfg.stateDir; + } + (mkIf (cfg.stateDir == "/var/lib/crossfire") { + StateDirectory = "crossfire"; + }) + ]; + + # The crossfire server needs access to a bunch of files at runtime that + # are not created automatically at server startup; they're meant to be + # installed in $PREFIX/var/crossfire by `make install`. And those files + # need to be writeable, so we can't just point at the ones in the nix + # store. Instead we take the approach of copying them out of the store + # on first run. If `bookarch` already exists, we assume the rest of the + # files do as well, and copy nothing -- otherwise we risk ovewriting + # server state information every time the server is upgraded. + preStart = '' + if [ ! -e "${cfg.stateDir}"/bookarch ]; then + ${pkgs.rsync}/bin/rsync -a --chmod=u=rwX,go=rX \ + "${cfg.package}/var/crossfire/" "${cfg.stateDir}/" + fi + ''; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ serverPort ]; + }; + }; +} diff --git a/nixos/modules/services/games/deliantra-server.nix b/nixos/modules/services/games/deliantra-server.nix new file mode 100644 index 00000000000..b7011f4c354 --- /dev/null +++ b/nixos/modules/services/games/deliantra-server.nix @@ -0,0 +1,172 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.deliantra-server; + serverPort = 13327; +in { + options.services.deliantra-server = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, the Deliantra game server will be started at boot. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.deliantra-server; + defaultText = literalExpression "pkgs.deliantra-server"; + description = '' + The package to use for the Deliantra server (and map/arch data, if you + don't change dataDir). + ''; + }; + + dataDir = mkOption { + type = types.str; + default = "${pkgs.deliantra-data}"; + defaultText = literalExpression ''"''${pkgs.deliantra-data}"''; + description = '' + Where to store readonly data (maps, archetypes, sprites, etc). + Note that if you plan to use the live map editor (rather than editing + the maps offline and then nixos-rebuilding), THIS MUST BE WRITEABLE -- + copy the deliantra-data someplace writeable (say, + /var/lib/deliantra/data) and update this option accordingly. + ''; + }; + + stateDir = mkOption { + type = types.str; + default = "/var/lib/deliantra"; + description = '' + Where to store runtime data (save files, persistent items, etc). + + If left at the default, this will be automatically created on server + startup if it does not already exist. If changed, it is the admin's + responsibility to make sure that the directory exists and is writeable + by the `crossfire` user. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open ports in the firewall for the server. + ''; + }; + + configFiles = mkOption { + type = types.attrsOf types.str; + description = '' + Contents of the server configuration files. These will be appended to + the example configurations the server comes with and overwrite any + default settings defined therein. + + The example here is not comprehensive. See the files in + /etc/deliantra-server after enabling this module for full documentation. + ''; + example = literalExpression '' + { + dm_file = ''' + admin:secret_password:localhost + jane:xyzzy:* + '''; + motd = "Welcome to Deliantra!"; + settings = ''' + # Settings for game mechanics. + stat_loss_on_death true + armor_max_enchant 7 + '''; + config = ''' + # Settings for the server daemon. + hiscore_url https://deliantra.example.net/scores/ + max_map_reset 86400 + '''; + } + ''; + default = { + motd = ""; + }; + }; + }; + + config = mkIf cfg.enable { + users.users.deliantra = { + description = "Deliantra server daemon user"; + home = cfg.stateDir; + createHome = false; + isSystemUser = true; + group = "deliantra"; + }; + users.groups.deliantra = {}; + + # Merge the cfg.configFiles setting with the default files shipped with + # Deliantra. + # For most files this consists of reading + # ${deliantra}/etc/deliantra-server/${name} and appending the user setting + # to it. + environment.etc = lib.attrsets.mapAttrs' + (name: value: lib.attrsets.nameValuePair "deliantra-server/${name}" { + mode = "0644"; + text = + # Deliantra doesn't come with a motd file, but respects it if present + # in /etc. + (optionalString (name != "motd") + (fileContents "${cfg.package}/etc/deliantra-server/${name}")) + + "\n${value}"; + }) ({ + motd = ""; + settings = ""; + config = ""; + dm_file = ""; + } // cfg.configFiles); + + systemd.services.deliantra-server = { + description = "Deliantra Server Daemon"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + environment = { + DELIANTRA_DATADIR="${cfg.dataDir}"; + DELIANTRA_LOCALDIR="${cfg.stateDir}"; + DELIANTRA_CONFDIR="/etc/deliantra-server"; + }; + + serviceConfig = mkMerge [ + { + ExecStart = "${cfg.package}/bin/deliantra-server"; + Restart = "always"; + User = "deliantra"; + Group = "deliantra"; + WorkingDirectory = cfg.stateDir; + } + (mkIf (cfg.stateDir == "/var/lib/deliantra") { + StateDirectory = "deliantra"; + }) + ]; + + # The deliantra server needs access to a bunch of files at runtime that + # are not created automatically at server startup; they're meant to be + # installed in $PREFIX/var/deliantra-server by `make install`. And those + # files need to be writeable, so we can't just point at the ones in the + # nix store. Instead we take the approach of copying them out of the store + # on first run. If `bookarch` already exists, we assume the rest of the + # files do as well, and copy nothing -- otherwise we risk ovewriting + # server state information every time the server is upgraded. + preStart = '' + if [ ! -e "${cfg.stateDir}"/bookarch ]; then + ${pkgs.rsync}/bin/rsync -a --chmod=u=rwX,go=rX \ + "${cfg.package}/var/deliantra-server/" "${cfg.stateDir}/" + fi + ''; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ serverPort ]; + }; + }; +} diff --git a/nixos/modules/services/games/factorio.nix b/nixos/modules/services/games/factorio.nix new file mode 100644 index 00000000000..96fcd6d2c8b --- /dev/null +++ b/nixos/modules/services/games/factorio.nix @@ -0,0 +1,268 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.factorio; + name = "Factorio"; + stateDir = "/var/lib/${cfg.stateDirName}"; + mkSavePath = name: "${stateDir}/saves/${name}.zip"; + configFile = pkgs.writeText "factorio.conf" '' + use-system-read-write-data-directories=true + [path] + read-data=${cfg.package}/share/factorio/data + write-data=${stateDir} + ''; + serverSettings = { + name = cfg.game-name; + description = cfg.description; + visibility = { + public = cfg.public; + lan = cfg.lan; + }; + username = cfg.username; + password = cfg.password; + token = cfg.token; + game_password = cfg.game-password; + require_user_verification = cfg.requireUserVerification; + max_upload_in_kilobytes_per_second = 0; + minimum_latency_in_ticks = 0; + ignore_player_limit_for_returning_players = false; + allow_commands = "admins-only"; + autosave_interval = cfg.autosave-interval; + autosave_slots = 5; + afk_autokick_interval = 0; + auto_pause = true; + only_admins_can_pause_the_game = true; + autosave_only_on_server = true; + non_blocking_saving = cfg.nonBlockingSaving; + } // cfg.extraSettings; + serverSettingsFile = pkgs.writeText "server-settings.json" (builtins.toJSON (filterAttrsRecursive (n: v: v != null) serverSettings)); + serverAdminsFile = pkgs.writeText "server-adminlist.json" (builtins.toJSON cfg.admins); + modDir = pkgs.factorio-utils.mkModDirDrv cfg.mods; +in +{ + options = { + services.factorio = { + enable = mkEnableOption name; + port = mkOption { + type = types.int; + default = 34197; + description = '' + The port to which the service should bind. + ''; + }; + + admins = mkOption { + type = types.listOf types.str; + default = []; + example = [ "username" ]; + description = '' + List of player names which will be admin. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to automatically open the specified UDP port in the firewall. + ''; + }; + saveName = mkOption { + type = types.str; + default = "default"; + description = '' + The name of the savegame that will be used by the server. + + When not present in /var/lib/''${config.services.factorio.stateDirName}/saves, + a new map with default settings will be generated before starting the service. + ''; + }; + # TODO Add more individual settings as nixos-options? + # TODO XXX The server tries to copy a newly created config file over the old one + # on shutdown, but fails, because it's in the nix store. When is this needed? + # Can an admin set options in-game and expect to have them persisted? + configFile = mkOption { + type = types.path; + default = configFile; + defaultText = literalExpression "configFile"; + description = '' + The server's configuration file. + + The default file generated by this module contains lines essential to + the server's operation. Use its contents as a basis for any + customizations. + ''; + }; + stateDirName = mkOption { + type = types.str; + default = "factorio"; + description = '' + Name of the directory under /var/lib holding the server's data. + + The configuration and map will be stored here. + ''; + }; + mods = mkOption { + type = types.listOf types.package; + default = []; + description = '' + Mods the server should install and activate. + + The derivations in this list must "build" the mod by simply copying + the .zip, named correctly, into the output directory. Eventually, + there will be a way to pull in the most up-to-date list of + derivations via nixos-channel. Until then, this is for experts only. + ''; + }; + game-name = mkOption { + type = types.nullOr types.str; + default = "Factorio Game"; + description = '' + Name of the game as it will appear in the game listing. + ''; + }; + description = mkOption { + type = types.nullOr types.str; + default = ""; + description = '' + Description of the game that will appear in the listing. + ''; + }; + extraSettings = mkOption { + type = types.attrs; + default = {}; + example = { admins = [ "username" ];}; + description = '' + Extra game configuration that will go into server-settings.json + ''; + }; + public = mkOption { + type = types.bool; + default = false; + description = '' + Game will be published on the official Factorio matching server. + ''; + }; + lan = mkOption { + type = types.bool; + default = false; + description = '' + Game will be broadcast on LAN. + ''; + }; + username = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Your factorio.com login credentials. Required for games with visibility public. + ''; + }; + package = mkOption { + type = types.package; + default = pkgs.factorio-headless; + defaultText = literalExpression "pkgs.factorio-headless"; + example = literalExpression "pkgs.factorio-headless-experimental"; + description = '' + Factorio version to use. This defaults to the stable channel. + ''; + }; + password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Your factorio.com login credentials. Required for games with visibility public. + ''; + }; + token = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Authentication token. May be used instead of 'password' above. + ''; + }; + game-password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Game password. + ''; + }; + requireUserVerification = mkOption { + type = types.bool; + default = true; + description = '' + When set to true, the server will only allow clients that have a valid factorio.com account. + ''; + }; + autosave-interval = mkOption { + type = types.nullOr types.int; + default = null; + example = 10; + description = '' + Autosave interval in minutes. + ''; + }; + nonBlockingSaving = mkOption { + type = types.bool; + default = false; + description = '' + Highly experimental feature, enable only at your own risk of losing your saves. + On UNIX systems, server will fork itself to create an autosave. + Autosaving on connected Windows clients will be disabled regardless of autosave_only_on_server option. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.services.factorio = { + description = "Factorio headless server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + preStart = toString [ + "test -e ${stateDir}/saves/${cfg.saveName}.zip" + "||" + "${cfg.package}/bin/factorio" + "--config=${cfg.configFile}" + "--create=${mkSavePath cfg.saveName}" + (optionalString (cfg.mods != []) "--mod-directory=${modDir}") + ]; + + serviceConfig = { + Restart = "always"; + KillSignal = "SIGINT"; + DynamicUser = true; + StateDirectory = cfg.stateDirName; + UMask = "0007"; + ExecStart = toString [ + "${cfg.package}/bin/factorio" + "--config=${cfg.configFile}" + "--port=${toString cfg.port}" + "--start-server=${mkSavePath cfg.saveName}" + "--server-settings=${serverSettingsFile}" + (optionalString (cfg.mods != []) "--mod-directory=${modDir}") + (optionalString (cfg.admins != []) "--server-adminlist=${serverAdminsFile}") + ]; + + # Sandboxing + NoNewPrivileges = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectSystem = "strict"; + ProtectHome = true; + ProtectControlGroups = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ]; + RestrictRealtime = true; + RestrictNamespaces = true; + MemoryDenyWriteExecute = true; + }; + }; + + networking.firewall.allowedUDPPorts = if cfg.openFirewall then [ cfg.port ] else []; + }; +} diff --git a/nixos/modules/services/games/freeciv.nix b/nixos/modules/services/games/freeciv.nix new file mode 100644 index 00000000000..4923891a617 --- /dev/null +++ b/nixos/modules/services/games/freeciv.nix @@ -0,0 +1,187 @@ +{ config, lib, pkgs, ... }: +with lib; +let + cfg = config.services.freeciv; + inherit (config.users) groups; + rootDir = "/run/freeciv"; + argsFormat = { + type = with lib.types; let + valueType = nullOr (oneOf [ + bool int float str + (listOf valueType) + ]) // { + description = "freeciv-server params"; + }; + in valueType; + generate = name: value: + let mkParam = k: v: + if v == null then [] + else if isBool v then if v then [("--"+k)] else [] + else [("--"+k) v]; + mkParams = k: v: map (mkParam k) (if isList v then v else [v]); + in escapeShellArgs (concatLists (concatLists (mapAttrsToList mkParams value))); + }; +in +{ + options = { + services.freeciv = { + enable = mkEnableOption ''freeciv''; + settings = mkOption { + description = '' + Parameters of freeciv-server. + ''; + default = {}; + type = types.submodule { + freeformType = argsFormat.type; + options.Announce = mkOption { + type = types.enum ["IPv4" "IPv6" "none"]; + default = "none"; + description = "Announce game in LAN using given protocol."; + }; + options.auth = mkEnableOption "server authentication"; + options.Database = mkOption { + type = types.nullOr types.str; + apply = pkgs.writeText "auth.conf"; + default = '' + [fcdb] + backend="sqlite" + database="/var/lib/freeciv/auth.sqlite" + ''; + description = "Enable database connection with given configuration."; + }; + options.debug = mkOption { + type = types.ints.between 0 3; + default = 0; + description = "Set debug log level."; + }; + options.exit-on-end = mkEnableOption "exit instead of restarting when a game ends."; + options.Guests = mkEnableOption "guests to login if auth is enabled"; + options.Newusers = mkEnableOption "new users to login if auth is enabled"; + options.port = mkOption { + type = types.port; + default = 5556; + description = "Listen for clients on given port"; + }; + options.quitidle = mkOption { + type = types.nullOr types.int; + default = null; + description = "Quit if no players for given time in seconds."; + }; + options.read = mkOption { + type = types.lines; + apply = v: pkgs.writeTextDir "read.serv" v + "/read"; + default = '' + /fcdb lua sqlite_createdb() + ''; + description = "Startup script."; + }; + options.saves = mkOption { + type = types.nullOr types.str; + default = "/var/lib/freeciv/saves/"; + description = '' + Save games to given directory, + a sub-directory named after the starting date of the service + will me inserted to preserve older saves. + ''; + }; + }; + }; + openFirewall = mkEnableOption "opening the firewall for the port listening for clients"; + }; + }; + config = mkIf cfg.enable { + users.groups.freeciv = {}; + # Use with: + # journalctl -u freeciv.service -f -o cat & + # cat >/run/freeciv.stdin + # load saves/2020-11-14_05-22-27/freeciv-T0005-Y-3750-interrupted.sav.bz2 + systemd.sockets.freeciv = { + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenFIFO = "/run/freeciv.stdin"; + SocketGroup = groups.freeciv.name; + SocketMode = "660"; + RemoveOnStop = true; + }; + }; + systemd.services.freeciv = { + description = "Freeciv Service"; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + environment.HOME = "/var/lib/freeciv"; + serviceConfig = { + Restart = "on-failure"; + RestartSec = "5s"; + StandardInput = "fd:freeciv.socket"; + StandardOutput = "journal"; + StandardError = "journal"; + ExecStart = pkgs.writeShellScript "freeciv-server" ('' + set -eux + savedir=$(date +%Y-%m-%d_%H-%M-%S) + '' + "${pkgs.freeciv}/bin/freeciv-server" + + " " + optionalString (cfg.settings.saves != null) + (concatStringsSep " " [ "--saves" "${escapeShellArg cfg.settings.saves}/$savedir" ]) + + " " + argsFormat.generate "freeciv-server" (cfg.settings // { saves = null; })); + DynamicUser = true; + # Create rootDir in the host's mount namespace. + RuntimeDirectory = [(baseNameOf rootDir)]; + RuntimeDirectoryMode = "755"; + StateDirectory = [ "freeciv" ]; + WorkingDirectory = "/var/lib/freeciv"; + # Avoid mounting rootDir in the own rootDir of ExecStart='s mount namespace. + InaccessiblePaths = ["-+${rootDir}"]; + # This is for BindPaths= and BindReadOnlyPaths= + # to allow traversal of directories they create in RootDirectory=. + UMask = "0066"; + RootDirectory = rootDir; + RootDirectoryStartOnly = true; + MountAPIVFS = true; + BindReadOnlyPaths = [ + builtins.storeDir + "/etc" + "/run" + ]; + # The following options are only for optimizing: + # systemd-analyze security freeciv + AmbientCapabilities = ""; + CapabilityBoundingSet = ""; + # ProtectClock= adds DeviceAllow=char-rtc r + DeviceAllow = ""; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateMounts = true; + PrivateNetwork = mkDefault false; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RemoveIPC = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallFilter = [ + "@system-service" + # Groups in @system-service which do not contain a syscall listed by: + # perf stat -x, 2>perf.log -e 'syscalls:sys_enter_*' freeciv-server + # in tests, and seem likely not necessary for freeciv-server. + "~@aio" "~@chown" "~@ipc" "~@keyring" "~@memlock" + "~@resources" "~@setuid" "~@sync" "~@timer" + ]; + SystemCallArchitectures = "native"; + SystemCallErrorNumber = "EPERM"; + }; + }; + networking.firewall = mkIf cfg.openFirewall + { allowedTCPPorts = [ cfg.settings.port ]; }; + }; + meta.maintainers = with lib.maintainers; [ julm ]; +} diff --git a/nixos/modules/services/games/minecraft-server.nix b/nixos/modules/services/games/minecraft-server.nix new file mode 100644 index 00000000000..5bb8eff5762 --- /dev/null +++ b/nixos/modules/services/games/minecraft-server.nix @@ -0,0 +1,257 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.minecraft-server; + + # We don't allow eula=false anyways + eulaFile = builtins.toFile "eula.txt" '' + # eula.txt managed by NixOS Configuration + eula=true + ''; + + whitelistFile = pkgs.writeText "whitelist.json" + (builtins.toJSON + (mapAttrsToList (n: v: { name = n; uuid = v; }) cfg.whitelist)); + + cfgToString = v: if builtins.isBool v then boolToString v else toString v; + + serverPropertiesFile = pkgs.writeText "server.properties" ('' + # server.properties managed by NixOS configuration + '' + concatStringsSep "\n" (mapAttrsToList + (n: v: "${n}=${cfgToString v}") cfg.serverProperties)); + + + # To be able to open the firewall, we need to read out port values in the + # server properties, but fall back to the defaults when those don't exist. + # These defaults are from https://minecraft.gamepedia.com/Server.properties#Java_Edition_3 + defaultServerPort = 25565; + + serverPort = cfg.serverProperties.server-port or defaultServerPort; + + rconPort = if cfg.serverProperties.enable-rcon or false + then cfg.serverProperties."rcon.port" or 25575 + else null; + + queryPort = if cfg.serverProperties.enable-query or false + then cfg.serverProperties."query.port" or 25565 + else null; + +in { + options = { + services.minecraft-server = { + + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, start a Minecraft Server. The server + data will be loaded from and saved to + <option>services.minecraft-server.dataDir</option>. + ''; + }; + + declarative = mkOption { + type = types.bool; + default = false; + description = '' + Whether to use a declarative Minecraft server configuration. + Only if set to <literal>true</literal>, the options + <option>services.minecraft-server.whitelist</option> and + <option>services.minecraft-server.serverProperties</option> will be + applied. + ''; + }; + + eula = mkOption { + type = types.bool; + default = false; + description = '' + Whether you agree to + <link xlink:href="https://account.mojang.com/documents/minecraft_eula"> + Mojangs EULA</link>. This option must be set to + <literal>true</literal> to run Minecraft server. + ''; + }; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/minecraft"; + description = '' + Directory to store Minecraft database and other state/data files. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Whether to open ports in the firewall for the server. + ''; + }; + + whitelist = mkOption { + type = let + minecraftUUID = types.strMatching + "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}" // { + description = "Minecraft UUID"; + }; + in types.attrsOf minecraftUUID; + default = {}; + description = '' + Whitelisted players, only has an effect when + <option>services.minecraft-server.declarative</option> is + <literal>true</literal> and the whitelist is enabled + via <option>services.minecraft-server.serverProperties</option> by + setting <literal>white-list</literal> to <literal>true</literal>. + This is a mapping from Minecraft usernames to UUIDs. + You can use <link xlink:href="https://mcuuid.net/"/> to get a + Minecraft UUID for a username. + ''; + example = literalExpression '' + { + username1 = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"; + username2 = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy"; + }; + ''; + }; + + serverProperties = mkOption { + type = with types; attrsOf (oneOf [ bool int str ]); + default = {}; + example = literalExpression '' + { + server-port = 43000; + difficulty = 3; + gamemode = 1; + max-players = 5; + motd = "NixOS Minecraft server!"; + white-list = true; + enable-rcon = true; + "rcon.password" = "hunter2"; + } + ''; + description = '' + Minecraft server properties for the server.properties file. Only has + an effect when <option>services.minecraft-server.declarative</option> + is set to <literal>true</literal>. See + <link xlink:href="https://minecraft.gamepedia.com/Server.properties#Java_Edition_3"/> + for documentation on these values. + ''; + }; + + package = mkOption { + type = types.package; + default = pkgs.minecraft-server; + defaultText = literalExpression "pkgs.minecraft-server"; + example = literalExpression "pkgs.minecraft-server_1_12_2"; + description = "Version of minecraft-server to run."; + }; + + jvmOpts = mkOption { + type = types.separatedString " "; + default = "-Xmx2048M -Xms2048M"; + # Example options from https://minecraft.gamepedia.com/Tutorials/Server_startup_script + example = "-Xmx2048M -Xms4092M -XX:+UseG1GC -XX:+CMSIncrementalPacing " + + "-XX:+CMSClassUnloadingEnabled -XX:ParallelGCThreads=2 " + + "-XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10"; + description = "JVM options for the Minecraft server."; + }; + }; + }; + + config = mkIf cfg.enable { + + users.users.minecraft = { + description = "Minecraft server service user"; + home = cfg.dataDir; + createHome = true; + isSystemUser = true; + group = "minecraft"; + }; + users.groups.minecraft = {}; + + systemd.services.minecraft-server = { + description = "Minecraft Server Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + ExecStart = "${cfg.package}/bin/minecraft-server ${cfg.jvmOpts}"; + Restart = "always"; + User = "minecraft"; + WorkingDirectory = cfg.dataDir; + # Hardening + CapabilityBoundingSet = [ "" ]; + DeviceAllow = [ "" ]; + LockPersonality = true; + PrivateDevices = true; + PrivateTmp = true; + PrivateUsers = true; + ProtectClock = true; + ProtectControlGroups = true; + ProtectHome = true; + ProtectHostname = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectProc = "invisible"; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + UMask = "0077"; + }; + + preStart = '' + ln -sf ${eulaFile} eula.txt + '' + (if cfg.declarative then '' + + if [ -e .declarative ]; then + + # Was declarative before, no need to back up anything + ln -sf ${whitelistFile} whitelist.json + cp -f ${serverPropertiesFile} server.properties + + else + + # Declarative for the first time, backup stateful files + ln -sb --suffix=.stateful ${whitelistFile} whitelist.json + cp -b --suffix=.stateful ${serverPropertiesFile} server.properties + + # server.properties must have write permissions, because every time + # the server starts it first parses the file and then regenerates it.. + chmod +w server.properties + echo "Autogenerated file that signifies that this server configuration is managed declaratively by NixOS" \ + > .declarative + + fi + '' else '' + if [ -e .declarative ]; then + rm .declarative + fi + ''); + }; + + networking.firewall = mkIf cfg.openFirewall (if cfg.declarative then { + allowedUDPPorts = [ serverPort ]; + allowedTCPPorts = [ serverPort ] + ++ optional (queryPort != null) queryPort + ++ optional (rconPort != null) rconPort; + } else { + allowedUDPPorts = [ defaultServerPort ]; + allowedTCPPorts = [ defaultServerPort ]; + }); + + assertions = [ + { assertion = cfg.eula; + message = "You must agree to Mojangs EULA to run minecraft-server." + + " Read https://account.mojang.com/documents/minecraft_eula and" + + " set `services.minecraft-server.eula` to `true` if you agree."; + } + ]; + + }; +} diff --git a/nixos/modules/services/games/minetest-server.nix b/nixos/modules/services/games/minetest-server.nix new file mode 100644 index 00000000000..2111c970d4f --- /dev/null +++ b/nixos/modules/services/games/minetest-server.nix @@ -0,0 +1,107 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.minetest-server; + flag = val: name: if val != null then "--${name} ${toString val} " else ""; + flags = [ + (flag cfg.gameId "gameid") + (flag cfg.world "world") + (flag cfg.configPath "config") + (flag cfg.logPath "logfile") + (flag cfg.port "port") + ]; +in +{ + options = { + services.minetest-server = { + enable = mkOption { + type = types.bool; + default = false; + description = "If enabled, starts a Minetest Server."; + }; + + gameId = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Id of the game to use. To list available games run + `minetestserver --gameid list`. + + If only one game exists, this option can be null. + ''; + }; + + world = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Name of the world to use. To list available worlds run + `minetestserver --world list`. + + If only one world exists, this option can be null. + ''; + }; + + configPath = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to the config to use. + + If set to null, the config of the running user will be used: + `~/.minetest/minetest.conf`. + ''; + }; + + logPath = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + Path to logfile for logging. + + If set to null, logging will be output to stdout which means + all output will be catched by systemd. + ''; + }; + + port = mkOption { + type = types.nullOr types.int; + default = null; + description = '' + Port number to bind to. + + If set to null, the default 30000 will be used. + ''; + }; + }; + }; + + config = mkIf cfg.enable { + users.users.minetest = { + description = "Minetest Server Service user"; + home = "/var/lib/minetest"; + createHome = true; + uid = config.ids.uids.minetest; + group = "minetest"; + }; + users.groups.minetest.gid = config.ids.gids.minetest; + + systemd.services.minetest-server = { + description = "Minetest Server Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig.Restart = "always"; + serviceConfig.User = "minetest"; + serviceConfig.Group = "minetest"; + + script = '' + cd /var/lib/minetest + + exec ${pkgs.minetest}/bin/minetest --server ${concatStrings flags} + ''; + }; + }; +} diff --git a/nixos/modules/services/games/openarena.nix b/nixos/modules/services/games/openarena.nix new file mode 100644 index 00000000000..9c441e98b20 --- /dev/null +++ b/nixos/modules/services/games/openarena.nix @@ -0,0 +1,56 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.openarena; +in +{ + options = { + services.openarena = { + enable = mkEnableOption "OpenArena"; + + openPorts = mkOption { + type = types.bool; + default = false; + description = "Whether to open firewall ports for OpenArena"; + }; + + extraFlags = mkOption { + type = types.listOf types.str; + default = []; + description = "Extra flags to pass to <command>oa_ded</command>"; + example = [ + "+set dedicated 2" + "+set sv_hostname 'My NixOS OpenArena Server'" + # Load a map. Mandatory for clients to be able to connect. + "+map oa_dm1" + ]; + }; + }; + }; + + config = mkIf cfg.enable { + networking.firewall = mkIf cfg.openPorts { + allowedUDPPorts = [ 27960 ]; + }; + + systemd.services.openarena = { + description = "OpenArena"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + StateDirectory = "openarena"; + ExecStart = "${pkgs.openarena}/bin/oa_ded +set fs_basepath ${pkgs.openarena}/openarena-0.8.8 +set fs_homepath /var/lib/openarena ${concatStringsSep " " cfg.extraFlags}"; + Restart = "on-failure"; + + # Hardening + CapabilityBoundingSet = ""; + NoNewPrivileges = true; + PrivateDevices = true; + }; + }; + }; +} diff --git a/nixos/modules/services/games/quake3-server.nix b/nixos/modules/services/games/quake3-server.nix new file mode 100644 index 00000000000..175af4a8382 --- /dev/null +++ b/nixos/modules/services/games/quake3-server.nix @@ -0,0 +1,112 @@ +{ config, pkgs, lib, ... }: +with lib; + +let + cfg = config.services.quake3-server; + configFile = pkgs.writeText "q3ds-extra.cfg" '' + set net_port ${builtins.toString cfg.port} + + ${cfg.extraConfig} + ''; + defaultBaseq3 = pkgs.requireFile rec { + name = "baseq3"; + hashMode = "recursive"; + sha256 = "5dd8ee09eabd45e80450f31d7a8b69b846f59738726929298d8a813ce5725ed3"; + message = '' + Unfortunately, we cannot download ${name} automatically. + Please purchase a legitimate copy of Quake 3 and change into the installation directory. + + You can either add all relevant files to the nix-store like this: + mkdir /tmp/baseq3 + cp baseq3/pak*.pk3 /tmp/baseq3 + nix-store --add-fixed sha256 --recursive /tmp/baseq3 + + Alternatively you can set services.quake3-server.baseq3 to a path and copy the baseq3 directory into + $services.quake3-server.baseq3/.q3a/ + ''; + }; + home = pkgs.runCommand "quake3-home" {} '' + mkdir -p $out/.q3a/baseq3 + + for file in ${cfg.baseq3}/*; do + ln -s $file $out/.q3a/baseq3/$(basename $file) + done + + ln -s ${configFile} $out/.q3a/baseq3/nix.cfg + ''; +in { + options = { + services.quake3-server = { + enable = mkEnableOption "Quake 3 dedicated server"; + + port = mkOption { + type = types.port; + default = 27960; + description = '' + UDP Port the server should listen on. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = '' + Open the firewall. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = ""; + example = '' + seta rconPassword "superSecret" // sets RCON password for remote console + seta sv_hostname "My Quake 3 server" // name that appears in server list + ''; + description = '' + Extra configuration options. Note that options changed via RCON will not be persisted. To list all possible + options, use "cvarlist 1" via RCON. + ''; + }; + + baseq3 = mkOption { + type = types.either types.package types.path; + default = defaultBaseq3; + defaultText = literalDocBook "Manually downloaded Quake 3 installation directory."; + example = "/var/lib/q3ds"; + description = '' + Path to the baseq3 files (pak*.pk3). If this is on the nix store (type = package) all .pk3 files should be saved + in the top-level directory. If this is on another filesystem (e.g /var/lib/baseq3) the .pk3 files are searched in + $baseq3/.q3a/baseq3/ + ''; + }; + }; + }; + + config = let + baseq3InStore = builtins.typeOf cfg.baseq3 == "set"; + in mkIf cfg.enable { + networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ cfg.port ]; + + systemd.services.q3ds = { + description = "Quake 3 dedicated server"; + wantedBy = [ "multi-user.target" ]; + after = [ "networking.target" ]; + + environment.HOME = if baseq3InStore then home else cfg.baseq3; + + serviceConfig = with lib; { + Restart = "always"; + DynamicUser = true; + WorkingDirectory = home; + + # It is possible to alter configuration files via RCON. To ensure reproducibility we have to prevent this + ReadOnlyPaths = if baseq3InStore then home else cfg.baseq3; + ExecStartPre = optionalString (!baseq3InStore) "+${pkgs.coreutils}/bin/cp ${configFile} ${cfg.baseq3}/.q3a/baseq3/nix.cfg"; + + ExecStart = "${pkgs.ioquake3}/ioq3ded.x86_64 +exec nix.cfg"; + }; + }; + }; + + meta.maintainers = with maintainers; [ f4814n ]; +} diff --git a/nixos/modules/services/games/teeworlds.nix b/nixos/modules/services/games/teeworlds.nix new file mode 100644 index 00000000000..babf989c98c --- /dev/null +++ b/nixos/modules/services/games/teeworlds.nix @@ -0,0 +1,119 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.teeworlds; + register = cfg.register; + + teeworldsConf = pkgs.writeText "teeworlds.cfg" '' + sv_port ${toString cfg.port} + sv_register ${if cfg.register then "1" else "0"} + ${optionalString (cfg.name != null) "sv_name ${cfg.name}"} + ${optionalString (cfg.motd != null) "sv_motd ${cfg.motd}"} + ${optionalString (cfg.password != null) "password ${cfg.password}"} + ${optionalString (cfg.rconPassword != null) "sv_rcon_password ${cfg.rconPassword}"} + ${concatStringsSep "\n" cfg.extraOptions} + ''; + +in +{ + options = { + services.teeworlds = { + enable = mkEnableOption "Teeworlds Server"; + + openPorts = mkOption { + type = types.bool; + default = false; + description = "Whether to open firewall ports for Teeworlds"; + }; + + name = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Name of the server. Defaults to 'unnamed server'. + ''; + }; + + register = mkOption { + type = types.bool; + example = true; + default = false; + description = '' + Whether the server registers as public server in the global server list. This is disabled by default because of privacy. + ''; + }; + + motd = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Set the server message of the day text. + ''; + }; + + password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password to connect to the server. + ''; + }; + + rconPassword = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Password to access the remote console. If not set, a randomly generated one is displayed in the server log. + ''; + }; + + port = mkOption { + type = types.int; + default = 8303; + description = '' + Port the server will listen on. + ''; + }; + + extraOptions = mkOption { + type = types.listOf types.str; + default = []; + description = '' + Extra configuration lines for the <filename>teeworlds.cfg</filename>. See <link xlink:href="https://www.teeworlds.com/?page=docs&wiki=server_settings">Teeworlds Documentation</link>. + ''; + example = [ "sv_map dm1" "sv_gametype dm" ]; + }; + }; + }; + + config = mkIf cfg.enable { + networking.firewall = mkIf cfg.openPorts { + allowedUDPPorts = [ cfg.port ]; + }; + + systemd.services.teeworlds = { + description = "Teeworlds Server"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${pkgs.teeworlds}/bin/teeworlds_srv -f ${teeworldsConf}"; + + # Hardening + CapabilityBoundingSet = false; + PrivateDevices = true; + PrivateUsers = true; + ProtectHome = true; + ProtectKernelLogs = true; + ProtectKernelModules = true; + ProtectKernelTunables = true; + RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; + RestrictNamespaces = true; + SystemCallArchitectures = "native"; + }; + }; + }; +} diff --git a/nixos/modules/services/games/terraria.nix b/nixos/modules/services/games/terraria.nix new file mode 100644 index 00000000000..29f976b3c2a --- /dev/null +++ b/nixos/modules/services/games/terraria.nix @@ -0,0 +1,169 @@ +{ config, lib, options, pkgs, ... }: + +with lib; + +let + cfg = config.services.terraria; + opt = options.services.terraria; + worldSizeMap = { small = 1; medium = 2; large = 3; }; + valFlag = name: val: optionalString (val != null) "-${name} \"${escape ["\\" "\""] (toString val)}\""; + boolFlag = name: val: optionalString val "-${name}"; + flags = [ + (valFlag "port" cfg.port) + (valFlag "maxPlayers" cfg.maxPlayers) + (valFlag "password" cfg.password) + (valFlag "motd" cfg.messageOfTheDay) + (valFlag "world" cfg.worldPath) + (valFlag "autocreate" (builtins.getAttr cfg.autoCreatedWorldSize worldSizeMap)) + (valFlag "banlist" cfg.banListPath) + (boolFlag "secure" cfg.secure) + (boolFlag "noupnp" cfg.noUPnP) + ]; + stopScript = pkgs.writeScript "terraria-stop" '' + #!${pkgs.runtimeShell} + + if ! [ -d "/proc/$1" ]; then + exit 0 + fi + + ${getBin pkgs.tmux}/bin/tmux -S ${cfg.dataDir}/terraria.sock send-keys Enter exit Enter + ${getBin pkgs.coreutils}/bin/tail --pid="$1" -f /dev/null + ''; +in +{ + options = { + services.terraria = { + enable = mkOption { + type = types.bool; + default = false; + description = '' + If enabled, starts a Terraria server. The server can be connected to via <literal>tmux -S ''${config.${opt.dataDir}}/terraria.sock attach</literal> + for administration by users who are a part of the <literal>terraria</literal> group (use <literal>C-b d</literal> shortcut to detach again). + ''; + }; + + port = mkOption { + type = types.port; + default = 7777; + description = '' + Specifies the port to listen on. + ''; + }; + + maxPlayers = mkOption { + type = types.ints.u8; + default = 255; + description = '' + Sets the max number of players (between 1 and 255). + ''; + }; + + password = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Sets the server password. Leave <literal>null</literal> for no password. + ''; + }; + + messageOfTheDay = mkOption { + type = types.nullOr types.str; + default = null; + description = '' + Set the server message of the day text. + ''; + }; + + worldPath = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + The path to the world file (<literal>.wld</literal>) which should be loaded. + If no world exists at this path, one will be created with the size + specified by <literal>autoCreatedWorldSize</literal>. + ''; + }; + + autoCreatedWorldSize = mkOption { + type = types.enum [ "small" "medium" "large" ]; + default = "medium"; + description = '' + Specifies the size of the auto-created world if <literal>worldPath</literal> does not + point to an existing world. + ''; + }; + + banListPath = mkOption { + type = types.nullOr types.path; + default = null; + description = '' + The path to the ban list. + ''; + }; + + secure = mkOption { + type = types.bool; + default = false; + description = "Adds additional cheat protection to the server."; + }; + + noUPnP = mkOption { + type = types.bool; + default = false; + description = "Disables automatic Universal Plug and Play."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Wheter to open ports in the firewall"; + }; + + dataDir = mkOption { + type = types.str; + default = "/var/lib/terraria"; + example = "/srv/terraria"; + description = "Path to variable state data directory for terraria."; + }; + }; + }; + + config = mkIf cfg.enable { + users.users.terraria = { + description = "Terraria server service user"; + home = cfg.dataDir; + createHome = true; + uid = config.ids.uids.terraria; + }; + + users.groups.terraria = { + gid = config.ids.gids.terraria; + members = [ "terraria" ]; + }; + + systemd.services.terraria = { + description = "Terraria Server Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + + serviceConfig = { + User = "terraria"; + Type = "forking"; + GuessMainPID = true; + ExecStart = "${getBin pkgs.tmux}/bin/tmux -S ${cfg.dataDir}/terraria.sock new -d ${pkgs.terraria-server}/bin/TerrariaServer ${concatStringsSep " " flags}"; + ExecStop = "${stopScript} $MAINPID"; + }; + + postStart = '' + ${pkgs.coreutils}/bin/chmod 660 ${cfg.dataDir}/terraria.sock + ${pkgs.coreutils}/bin/chgrp terraria ${cfg.dataDir}/terraria.sock + ''; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [ cfg.port ]; + allowedUDPPorts = [ cfg.port ]; + }; + + }; +} |