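# NixOS module: a Palworld dedicated server that is installed/updated with
# steamcmd on every start and run through steam-run inside a hardened
# systemd unit. `common` is accepted as a module argument but not used here.
{ common, config, lib, pkgs, ... }:
let
  cfg = config.services.palworld-server;

  # Single source of truth for the install/state directory. It is the service
  # user's home, the unit's working directory and the location of PalServer.sh,
  # so every reference below is derived from it rather than spelled out again.
  stateDir = "/var/lib/palworld";

  # Steam app id used by the update step (taken from the original script).
  appId = "2394010";
in {
  options.services.palworld-server = {
    enable = lib.mkEnableOption "Palworld dedicated server";

    user = lib.mkOption {
      type = lib.types.str;
      default = "palworld";
      description = "User account under which Palworld runs.";
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "palworld";
      description = "Group under which Palworld runs.";
    };

    port = lib.mkOption {
      type = lib.types.port;
      default = 8211;
      description = "UDP port which Palworld will listen on.";
    };

    openFirewall = lib.mkOption {
      type = lib.types.bool;
      # NOTE(review): most NixOS service modules default openFirewall to
      # false; this module exposes the UDP port unless explicitly disabled.
      default = true;
      description = "Whether to automatically open the configured port in the firewall.";
    };
  };

  # Based on https://kevincox.ca/2022/12/09/valheim-server-nixos-v2/
  config = lib.mkIf cfg.enable {
    users.users.${cfg.user} = {
      isSystemUser = true;
      home = stateDir;
      createHome = true;
      # World-readable home: the server's configuration and save data end up
      # here, so any local account can read them. Use "750" to restrict that.
      homeMode = "755";
      group = cfg.group;
    };
    users.groups.${cfg.group} = { };

    networking.firewall.allowedUDPPorts = lib.optional cfg.openFirewall cfg.port;

    systemd.services.palworld-server = {
      description = "Palworld Dedicated Server";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        # Download/update and validate the server files before every start.
        # This is a shell script, so `~` is expanded by bash using the HOME
        # that systemd sets for User=; the relative paths below are resolved
        # against WorkingDirectory.
        ExecStartPre = pkgs.writeShellScript "update-palworld-server.sh" ''
          ${pkgs.steamcmd}/bin/steamcmd +force_install_dir ~ +login anonymous \
            +app_update ${appId} validate +quit
          mkdir -p .steam/sdk64
          ln -f -s ../../linux64/steamclient.so .steam/sdk64/steamclient.so
        '';

        # The server script is addressed through stateDir with an absolute
        # path: systemd does not tilde-expand ExecStart= arguments (`~` is
        # only special-cased for WorkingDirectory=), and no shell sits between
        # systemd and steam-run to expand it either.
        ExecStart = lib.escapeShellArgs [
          "${pkgs.steam-run}/bin/steam-run"
          "${stateDir}/PalServer.sh"
          "port=${toString cfg.port}"
          "-useperfthreads"
          "-NoAsyncLoadingThread"
          "-UseMultithreadForDS"
        ];
        Restart = "always";
        User = cfg.user;
        WorkingDirectory = stateDir;
        TimeoutStartSec = 600; # ExecStartPre downloads/validates; allow time for it.

        # Hardening options. The state directory lives under /var/lib, so
        # ProtectHome (covers /home, /root, /run/user) and ProtectSystem=full
        # (read-only /usr, /boot, /efi, /etc) leave it writable. "strict" plus
        # ReadWritePaths = [ stateDir ] would be tighter but is untested here.
        # NOTE(review): SystemCallArchitectures/SystemCallFilter are
        # intentionally absent; steamcmd ships as a 32-bit binary and steam-run
        # relies on namespaces/mounts, so both would likely break the unit.
        CapabilityBoundingSet = [ "" ]; # no capabilities at all
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateIPC = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectControlGroups = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "full";
        RemoveIPC = true;
        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]; # IP sockets only
        RestrictRealtime = true;
        RestrictSUIDSGID = true;
      };
    };
  };
}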