+2 -1

flake.nix

reviewed

··· 130 130 } // { 131 131 inherit (pkgs) 132 132 steamworks-sdk-redist 133 133 - systemd-transparent-udp-forwarderd; 133 133 + systemd-transparent-udp-forwarderd 134 134 + force-bind; 134 135 }); 135 136 136 137 apps = eachSystem (system: import ./lib/apps {

+1

lib/pkgs/default.nix

reviewed

··· 3 3 mkSteamPackage = import ./mk-steam-package.nix self super; 4 4 mkSteamWrapper = import ./mk-steam-wrapper.nix self super; 5 5 systemd-transparent-udp-forwarderd = import ./systemd-transparent-udp-forwarderd.nix self super; 6 6 + force-bind = import ./force-bind-seccomp.nix self super; 6 7 steamworks-sdk-redist = import ./steamworks-sdk-redist.nix self super; 7 8 palworld-server = import ./palworld-server.nix self super; 8 9 }

+55

lib/pkgs/force-bind-seccomp.nix

reviewed

··· 1 1 + self: pkgs @ { 2 2 + stdenv, 3 3 + autoPatchelfHook, 4 4 + fetchFromGitHub, 5 5 + writeText, 6 6 + ... 7 7 + }: 8 8 + 9 9 + let 10 10 + makefile = writeText "Makefile" '' 11 11 + TARGETS = force-bind target-mkdir target-bind parent-socket-activate 12 12 + 13 13 + all: $(TARGETS) 14 14 + 15 15 + force-bind: main.c scm_functions.c 16 16 + $(CC) $(CFLAGS) -o $@ $^ 17 17 + 18 18 + parent-socket-activate: parent_soocket_activate.c 19 19 + $(CC) $(CFLAGS) -o $@ $^ 20 20 + 21 21 + target-mkdir: target_mkdir.c 22 22 + $(CC) $(CFLAGS) -o $@ $^ 23 23 + 24 24 + target-bind: target_bind.c 25 25 + $(CC) $(CFLAGS) -o $@ $^ 26 26 + 27 27 + .PHONY: all 28 28 + ''; 29 29 + in stdenv.mkDerivation rec { 30 30 + pname = "force-bind"; 31 31 + version = "0.0.1-4867c53"; 32 32 + 33 33 + nativeBuildInputs = [ autoPatchelfHook ]; 34 34 + buildInputs = with self; [ stdenv.cc.cc.lib stdenv.cc.libc.linuxHeaders ]; 35 35 + buildPhase = "make"; 36 36 + 37 37 + src = fetchFromGitHub { 38 38 + owner = "kitten"; 39 39 + repo = "force-bind-seccomp"; 40 40 + rev = "0df29fbbe20f5c191c3b76951af090ab60d533e8"; 41 41 + sha256 = "sha256-SWdPacxJ2WmB+8b8uVpxrnlLuH3wAvFIDyfBclh0a/4="; 42 42 + }; 43 43 + postPatch = '' 44 44 + cp ${makefile} Makefile; 45 45 + ''; 46 46 + installPhase = '' 47 47 + runHook preInstall 48 48 + install -Dm755 force-bind "$out/bin/$pname" 49 49 + install -Dm755 target-bind "$out/bin/$pname-test-target-bind" 50 50 + install -Dm755 parent-socket-activate "$out/bin/$pname-test-socket-activate" 51 51 + runHook postInstall 52 52 + ''; 53 53 + 54 54 + meta.mainProgram = pname; 55 55 + }

+1 -6

lib/pkgs/mk-steam-wrapper.nix

reviewed

··· 37 37 runpaths = libs ++ optionals useBox64 nativeLibs; 38 38 combinedEnv = optionalAttrs useBox64 { 39 39 BOX64_LOG = logLevel; 40 40 - BOX64_DYNAREC_STRONGMEM = 1; 41 41 - BOX64_DYNAREC_BIGBLOCK = 1; 42 42 - BOX64_DYNAREC_SAFEFLAGS = 1; 43 43 - BOX64_DYNAREC_FASTROUND = 1; 44 44 - BOX64_DYNAREC_FASTNAN = 1; 45 45 - BOX64_DYNAREC_X87DOUBLE = 0; 40 40 + BOX64_DYNAREC_STRONGMEM = 0; 46 41 } // env; 47 42 in bin: 48 43 stdenv.mkDerivation rec {

+4 -2

lib/pkgs/systemd-transparent-udp-forwarderd.nix

reviewed

··· 1 1 - pkgs @ { 1 1 + self: pkgs @ { 2 2 stdenv, 3 3 cmake, 4 4 pkg-config, ··· 7 7 ... 8 8 }: 9 9 10 10 - stdenv.mkDerivation { 10 10 + stdenv.mkDerivation rec { 11 11 pname = "systemd-transparent-udp-forwarderd"; 12 12 version = "0.0.1-add-activity-timeout-shutdown"; 13 13 nativeBuildInputs = [ cmake pkg-config ]; ··· 24 24 install -Dm755 systemd-transparent-udp-forwarderd "$out/bin/$pname" 25 25 runHook postInstall 26 26 ''; 27 27 + 28 28 + meta.mainProgram = pname; 27 29 }

+4

machines/ramune/configuration.nix

reviewed

··· 61 61 ServerName = "London Boroughs"; 62 62 AllowConnectPlatform = "Xbox"; 63 63 PalEggDefaultHatchingTime = 1; 64 64 + GuildPlayerMaxNum = 10; 65 65 + bShowPlayerList = true; 66 66 + bEnableNonLoginPenalty = false; 67 67 + bUseAuth = false; 64 68 }; 65 69 }; 66 70 };

+25 -12

modules/games/palworld/default.nix

reviewed

··· 5 5 isEnabled = config.modules.games.enable && config.modules.games.palworld.enable; 6 6 baseCfg = config.modules.games; 7 7 cfg = config.modules.games.palworld; 8 8 + port = toString cfg.port; 8 9 9 10 name = "palworld-server"; 10 11 scripts = (import ../lib/scripts.nix) args; ··· 59 60 description = "Whether to enable Community Server mode"; 60 61 }; 61 62 62 62 - autostart = mkOption { 63 63 - default = false; 64 64 - type = types.bool; 65 65 - }; 66 66 - 67 63 datadir = mkOption { 68 64 type = types.path; 69 65 default = "${baseCfg.datadir}/palworld"; ··· 81 77 82 78 threads = mkOption { 83 79 type = types.int; 84 84 - default = 4; 80 80 + default = 5; 85 81 }; 86 82 87 83 maxPlayers = mkOption { ··· 110 106 "d ${cfg.datadir} 0755 ${baseCfg.user} ${baseCfg.group} - -" 111 107 ]; 112 108 109 109 + systemd.sockets."${name}" = { 110 110 + wantedBy = [ "sockets.target" ]; 111 111 + partOf = [ "${name}.service" ]; 112 112 + listenDatagrams = [ "0.0.0.0:${port}" ]; 113 113 + socketConfig = { 114 114 + SocketUser = "${baseCfg.user}"; 115 115 + SocketGroup = "${baseCfg.group}"; 116 116 + }; 117 117 + }; 118 118 + 113 119 systemd.services."${name}" = let 114 120 dirs = { 115 121 Pal = "${cfg.package}/Pal"; ··· 129 135 script = let 130 136 args = [ 131 137 "Pal" 132 132 - "-port=${toString cfg.port}" 138 138 + "-port=${port}" 139 139 + "-publicport=${port}" 133 140 "-useperfthreads" 134 141 "-NoAsyncLoadingThread" 135 142 "-UseMultithreadForDS" ··· 139 146 ++ optionals (cfg.ip != null) [ "-publicip=${cfg.ip}" ] 140 147 ++ optionals cfg.public [ "-publiclobby" ]; 141 148 bin = getExe (pkgs.mkSteamWrapper "${cfg.datadir}/Pal/Binaries/Linux/PalServer-Linux-Shipping"); 142 142 - in "${bin} ${concatStringsSep " " args}"; 149 149 + forceBind = "${getExe pkgs.force-bind} -m '0.0.0.0:${port}=sd=0'"; 150 150 + in "${forceBind} ${bin} ${concatStringsSep " " args}"; 143 151 in { 144 144 - wantedBy = mkIf cfg.autostart [ "multi-user.target" ]; 145 145 - after = [ "network.target" ]; 152 152 + after = [ "network-online.target" ]; 153 153 + wants = [ "network-online.target" ]; 146 154 path = with pkgs; [ xdg-user-dirs util-linux ]; 147 155 148 156 inherit script; ··· 160 168 Group = "${baseCfg.group}"; 161 169 WorkingDirectory = "${cfg.datadir}"; 162 170 163 163 - CPUWeight = 80; 171 171 + CPUWeight = 90; 164 172 CPUQuota = "${toString ((cfg.threads + 1) * 100)}%"; 165 173 174 174 + /* 166 175 PrivateDevices = true; 167 176 PrivateTmp = true; 168 177 PrivateUsers = true; ··· 172 181 ProtectKernelModules = true; 173 182 ProtectKernelTunables = true; 174 183 RestrictRealtime = true; 175 175 - LockPersonality = true; 184 184 + */ 185 185 + 186 186 + # force-bind needs to stay unlocked and needs to be able to ptrace 187 187 + LockPersonality = false; 188 188 + CapabilityBoundingSet = [ "CAP_SYS_PTRACE" ]; 176 189 177 190 # Palworld needs namespaces and system calls 178 191 RestrictNamespaces = false;

-1

modules/router/kernel.nix

reviewed

··· 65 65 "kernel.sysrq" = 4; 66 66 "kernel.unprivileged_bpf_disabled" = true; 67 67 "kernel.perf_event_paranoid" = 3; 68 68 - "kernel.yama.ptrace_scope" = 2; 69 68 "kernel.kexec_load_disabled" = true; 70 69 "net.core.bpf_jit_harden" = 2; 71 70 "dev.tty.ldisc_autoload" = false;