Add starbound server

configuration/default.nix

@@ -6,6 +6,7 @@
     ./services/minecraft.nix
     ./services/nextcloud.nix
     ./services/webserver.nix
+    ./services/starbound.nix
     ./ids.nix
   ];
 
@@ -20,6 +21,9 @@
     trustedUsers = [ "@wheel" ];
   };
 
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) ["forge-server" "steam-runtime" "steamcmd"];
+
   sops = {
     defaultSopsFile = ../keys/external.yaml;
     secrets.steam = { };
@@ -34,7 +38,7 @@
     useDHCP = false;
     interfaces.eth0.useDHCP = true;
 
-    firewall.allowedTCPPorts = [ 80 443 2222 2221 25565 ];
+    firewall.allowedTCPPorts = [ 80 443 2222 2221 25565 21025 ];
   };
 
   time.timeZone = "Europe/London";

configuration/services/configs/starbound.json

@@ -0,0 +1,50 @@
+{
+  "allowAdminCommands" : true,
+  "allowAdminCommandsFromAnyone" : false,
+  "allowAnonymousConnections" : true,
+  "allowAssetsMismatch" : true,
+  "anonymousConnectionsAreAdmin" : false,
+  "bannedIPs" : [],
+  "bannedUuids" : [],
+  "checkAssetsDigest" : false,
+  "clearPlayerFiles" : false,
+  "clearUniverseFiles" : false,
+  "clientIPJoinable" : false,
+  "clientP2PJoinable" : true,
+  "configurationVersion" : {
+    "basic" : 2,
+    "server" : 4
+  },
+  "crafting" : {
+    "filterHaveMaterials" : false
+  },
+  "gameServerBind" : "::",
+  "gameServerPort" : 21025,
+  "interactiveHighlight" : true,
+  "inventory" : {
+    "pickupToActionBar" : true
+  },
+  "maxPlayers" : 8,
+  "maxTeamSize" : 4,
+  "monochromeLighting" : false,
+  "playerBackupFileCount" : 3,
+  "queryServerBind" : "::",
+  "queryServerPort" : 21025,
+  "rconServerBind" : "::",
+  "rconServerPassword" : "",
+  "rconServerPort" : 21026,
+  "rconServerTimeout" : 1000,
+  "runQueryServer" : false,
+  "runRconServer" : false,
+  "safeScripts" : true,
+  "scriptInstructionLimit" : 10000000,
+  "scriptInstructionMeasureInterval" : 10000,
+  "scriptProfilingEnabled" : false,
+  "scriptRecursionLimit" : 100,
+  "serverFidelity" : "automatic",
+  "serverName" : "tlater.net",
+  "serverOverrideAssetsDigest" : null,
+  "serverUsers" : {
+  },
+  "tutorialMessages" : true
+}

configuration/services/minecraft.nix

@@ -51,9 +51,6 @@ let
   eula = pkgs.writeText "eula.txt" "eula=true";
 
 in {
-  nixpkgs.config.allowUnfreePredicate = pkg:
-    builtins.elem (lib.getName pkg) [ "forge-server" ];
-
   users = {
     extraUsers.minecraft = {
       uid = config.ids.uids.minecraft;

configuration/services/starbound.nix

@@ -0,0 +1,110 @@
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib) concatStringsSep;
+in {
+  systemd.services.starbound = {
+    description = "Starbound";
+    after = ["network.target"];
+
+    serviceConfig = {
+      ExecStart = "${pkgs.local.starbound}/bin/launch-starbound ${./configs/starbound.json}";
+
+      Type = "simple";
+
+      # Credential loading for steam auth (if necessary; prefer
+      # anonymous login wherever possible).
+      LoadCredential = "steam:/run/secrets/steam";
+
+      # Security settings
+      DynamicUser = true;
+
+      # This is where the StateDirectory ends up
+      WorkingDirectory = "/var/lib/starbound";
+      # Creates /var/lib/starbound (or rather, a symlink there to
+      # /var/lib/private/starbound), and sets it up to be writeable to
+      # by the dynamic user.
+      StateDirectory = "starbound";
+
+      # Note some settings below are basically tautologous with
+      # `NoNewPrivileges`, but they all work slightly differently so
+      # add additional layers in case of bugs.
+
+      ## THESE SETTINGS ARE A GOOD IDEA BUT THE STEAM CLIENT IS
+      ## REALLY, REALLY BAD, AND FOR SOME REASON I NEED TO USE IT TO
+      ## DOWNLOAD GAME SERVERS AS WELL:
+      ##
+      # To guarantee the above (only permits 64-bit syscalls, 32-bit
+      # syscalls can circumvent the above restrictions).
+      #
+      # Obviously, if running a 32 bit game server, change this.
+      # SystemCallArchitectures = "native";
+      # Game servers shouldn't need to create new namespaces ever.
+      #
+      # TODO: Since steam uses namespaces for things *entirely
+      # unrelated* to installing game servers, we need to allow
+      # namespace access. Ideally I'd instead do this in an
+      # ExecStartPre, but alas, this isn't possible because of
+      # https://github.com/systemd/systemd/issues/19604.
+      #
+      # RestrictNamespaces = true;
+
+      # Don't need to let the game server see other user accounts
+      PrivateUsers = true;
+      # *Probably* not harmful for game servers, which probably don't update dynamically
+      ProtectHostname = true;
+      # Yeah, if a game server tries to edit the hardware clock something's fishy
+      ProtectClock = true;
+      # Don't let game servers modify kernel settings, duh
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      # Game servers shouldn't use cgroups themselves either
+      ProtectControlGroups = true;
+      # Most game servers will never need other socket types
+      RestrictAddressFamilies = ["AF_UNIX AF_INET AF_INET6"];
+      # Also a no-brainer, no game server should ever need this
+      LockPersonality = true;
+      # Some game servers will probably try to set this, but they
+      # don't need it. It's only required for audio processing and
+      # such, which the server end doesn't need to do.
+      RestrictRealtime = true;
+      # Don't allow a variety of syscalls that gameservers have no
+      # business using anyway
+      SystemCallFilter =
+        "~"
+        + (concatStringsSep " " [
+          "@clock"
+          "@cpu-emulation"
+          "@debug"
+          "@keyring"
+          "@memlock"
+          "@module"
+          # "@mount"  TODO: Consider adding when steamcmd is run in ExecStartPre
+          "@obsolete"
+          "@raw-io"
+          "@reboot"
+          "@resources"
+          "@setuid"
+          "@swap"
+        ]);
+      # Normally only "read-only", but steamcmd will puke if there is
+      # no home directory to write to (though the nix package will
+      # implicitly symlink to the path that we set in its override, so
+      # no actual files are created, besides a symlink).
+      ProtectHome = "tmpfs";
+
+      # Implied by DynamicUser anyway, but it doesn't hurt to add
+      # these explicitly, at least for reference.
+      RemoveIPC = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      NoNewPrivileges = true;
+      RestrictSUIDSGID = true;
+      ProtectSystem = "strict";
+      # ProtectHome = "read-only"; # See further up
+    };
+  };
+}