titaniumtown/server-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cleanup

Browse Source
This commit is contained in:
Simon Gardling
2026-03-03 19:21:31 -05:00
parent cdccab855d
commit d4b679d1a5
12 changed files with 256 additions and 265 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
configuration.nix
View File

@@ -133,41 +133,6 @@
compressor = "zstd"; compressor = "zstd";
supportedFilesystems = [ "f2fs" ]; supportedFilesystems = [ "f2fs" ];
}; };
# BBR congestion control handles variable-latency VPN connections much
# better than CUBIC by probing bandwidth continuously rather than
# reacting to packet loss.
kernelModules = [ "tcp_bbr" ];
kernel.sysctl = {
# Use BBR + fair queuing for smooth throughput through the WireGuard VPN
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
# Disable slow-start after idle: prevents TCP from resetting window
# size on each burst cycle (the primary cause of the 0 -> 40 MB/s spikes)
"net.ipv4.tcp_slow_start_after_idle" = 0;
# Larger socket buffers to accommodate the VPN bandwidth-delay product
# (22ms RTT * target throughput). Current 2.5MB max is too small.
"net.core.rmem_max" = 16777216;
"net.core.wmem_max" = 16777216;
"net.ipv4.tcp_rmem" = "4096 87380 16777216";
"net.ipv4.tcp_wmem" = "4096 65536 16777216";
# Higher backlog for the large number of concurrent torrent connections
"net.core.netdev_max_backlog" = 5000;
# Faster cleanup of dead connections from torrent peer churn
"net.ipv4.tcp_fin_timeout" = 15; # default 60
"net.ipv4.tcp_tw_reuse" = 1;
# Minecraft server optimizations
# Disable autogroup for better scheduling of game server threads
"kernel.sched_autogroup_enabled" = 0;
# Huge pages for Minecraft JVM (ZGC ZGenerational needs heap + ~15% overhead)
# 4000MB heap = 2000 pages, plus ~285 for ZGC metadata = ~2285 needed
"vm.nr_hugepages" = 2600;
};
}; };
environment.etc = { environment.etc = {
@@ -237,8 +202,10 @@
hostName = hostname; hostName = hostname;
hostId = "0f712d56"; hostId = "0f712d56";
firewall.enable = true; firewall.enable = true;
firewall.trustedInterfaces = [ "wg-br" ];
useDHCP = false; useDHCP = false;
# Disabled because of Jellyfin (various issues)
enableIPv6 = false; enableIPv6 = false;
interfaces.${eth_interface} = { interfaces.${eth_interface} = {

137
flake.nix
View File

@@ -97,142 +97,7 @@
eth_interface = "enp4s0"; eth_interface = "enp4s0";
system = "x86_64-linux"; system = "x86_64-linux";
service_configs = rec { service_configs = import ./service-configs.nix;
zpool_ssds = "tank";
zpool_hdds = "hdds";
torrents_path = "/torrents";
services_dir = "/services";
music_dir = "/${zpool_ssds}/music";
media_group = "media";
cpu_arch = "znver3";
ports = {
http = 80;
https = 443;
jellyfin = 8096; # no services.jellyfin option for this
torrent = 6011;
bitmagnet = 3333;
gitea = 2283;
immich = 2284;
soulseek_web = 5030;
soulseek_listen = 50300;
llama_cpp = 8991;
vaultwarden = 8222;
syncthing_gui = 8384;
syncthing_protocol = 22000;
syncthing_discovery = 21027;
minecraft = 25565;
matrix = 6167;
matrix_federation = 8448;
coturn = 3478;
coturn_tls = 5349;
ntfy = 2586;
livekit = 7880;
lk_jwt = 8081;
prowlarr = 9696;
sonarr = 8989;
radarr = 7878;
bazarr = 6767;
jellyseerr = 5055;
};
https = {
certs = services_dir + "/http_certs";
domain = "gardling.com";
};
gitea = {
dir = services_dir + "/gitea";
domain = "git.${https.domain}";
};
postgres = {
socket = "/run/postgresql";
dataDir = services_dir + "/sql";
};
immich = {
dir = services_dir + "/immich";
};
minecraft = {
parent_dir = services_dir + "/minecraft";
server_name = "main";
};
torrent = {
SavePath = torrents_path;
TempPath = torrents_path + "/incomplete";
};
jellyfin = {
dataDir = services_dir + "/jellyfin";
cacheDir = services_dir + "/jellyfin_cache";
};
slskd = rec {
base = "/var/lib/slskd";
downloads = base + "/downloads";
incomplete = base + "/incomplete";
};
vaultwarden = {
path = "/var/lib/vaultwarden";
};
monero = {
dataDir = services_dir + "/monero";
};
matrix = {
dataDir = "/var/lib/continuwuity";
domain = "matrix.${https.domain}";
};
ntfy = {
domain = "ntfy.${https.domain}";
};
livekit = {
domain = "livekit.${https.domain}";
};
syncthing = {
dataDir = services_dir + "/syncthing";
signalBackupDir = "/${zpool_ssds}/bak/signal";
grayjayBackupDir = "/${zpool_ssds}/bak/grayjay";
};
prowlarr = {
dataDir = services_dir + "/prowlarr";
};
sonarr = {
dataDir = services_dir + "/sonarr";
};
radarr = {
dataDir = services_dir + "/radarr";
};
bazarr = {
dataDir = services_dir + "/bazarr";
};
jellyseerr = {
configDir = services_dir + "/jellyseerr";
};
recyclarr = {
dataDir = services_dir + "/recyclarr";
};
media = {
moviesDir = torrents_path + "/media/movies";
tvDir = torrents_path + "/media/tv";
};
};
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;

17
modules/zfs.nix
View File

@@ -27,15 +27,20 @@ in
boot.kernelParams = boot.kernelParams =
let let
gb = 32; arc_gb = 32;
mb = gb * 1000; arc_mb = arc_gb * 1000;
kb = mb * 1000; arc_kb = arc_mb * 1000;
b = kb * 1000; arc_b = arc_kb * 1000;
dirty_gb = 8; # Default value is 4GB, helps smooth writes
dirty_mb = dirty_gb * 1000;
dirty_kb = dirty_mb * 1000;
dirty_b = dirty_kb * 1000;
in in
[ [
"zfs.zfs_arc_max=${builtins.toString b}" "zfs.zfs_arc_max=${builtins.toString arc_b}"
"zfs.zfs_txg_timeout=120" # longer TXG open time = larger sequential writes "zfs.zfs_txg_timeout=120" # longer TXG open time = larger sequential writes
"zfs.zfs_dirty_data_max=8589934592" # 8GB dirty data buffer (default 4GB) for USB HDD write smoothing "zfs.zfs_dirty_data_max=${builtins.toString dirty_b}"
"zfs.zfs_delay_min_dirty_percent=80" # delay write throttling until 80% dirty (default 60%) "zfs.zfs_delay_min_dirty_percent=80" # delay write throttling until 80% dirty (default 60%)
"zfs.zfs_vdev_async_write_max_active=30" # more concurrent async writes to vdevs (default 10) "zfs.zfs_vdev_async_write_max_active=30" # more concurrent async writes to vdevs (default 10)
]; ];

140
service-configs.nix Normal file
View File

@@ -0,0 +1,140 @@
rec {
zpool_ssds = "tank";
zpool_hdds = "hdds";
torrents_path = "/torrents";
services_dir = "/services";
music_dir = "/${zpool_ssds}/music";
media_group = "media";
cpu_arch = "znver3";
ports = {
http = 80;
https = 443;
jellyfin = 8096; # no services.jellyfin option for this
torrent = 6011;
bitmagnet = 3333;
gitea = 2283;
immich = 2284;
soulseek_web = 5030;
soulseek_listen = 50300;
llama_cpp = 8991;
vaultwarden = 8222;
syncthing_gui = 8384;
syncthing_protocol = 22000;
syncthing_discovery = 21027;
minecraft = 25565;
matrix = 6167;
matrix_federation = 8448;
coturn = 3478;
coturn_tls = 5349;
ntfy = 2586;
livekit = 7880;
lk_jwt = 8081;
prowlarr = 9696;
sonarr = 8989;
radarr = 7878;
bazarr = 6767;
jellyseerr = 5055;
};
https = {
certs = services_dir + "/http_certs";
domain = "gardling.com";
};
gitea = {
dir = services_dir + "/gitea";
domain = "git.${https.domain}";
};
postgres = {
socket = "/run/postgresql";
dataDir = services_dir + "/sql";
};
immich = {
dir = services_dir + "/immich";
};
minecraft = {
parent_dir = services_dir + "/minecraft";
server_name = "main";
memory = rec {
heap_size_m = 4000;
large_page_size_m = 2;
};
};
torrent = {
SavePath = torrents_path;
TempPath = torrents_path + "/incomplete";
};
jellyfin = {
dataDir = services_dir + "/jellyfin";
cacheDir = services_dir + "/jellyfin_cache";
};
slskd = rec {
base = "/var/lib/slskd";
downloads = base + "/downloads";
incomplete = base + "/incomplete";
};
vaultwarden = {
path = "/var/lib/vaultwarden";
};
monero = {
dataDir = services_dir + "/monero";
};
matrix = {
dataDir = "/var/lib/continuwuity";
domain = "matrix.${https.domain}";
};
ntfy = {
domain = "ntfy.${https.domain}";
};
livekit = {
domain = "livekit.${https.domain}";
};
syncthing = {
dataDir = services_dir + "/syncthing";
signalBackupDir = "/${zpool_ssds}/bak/signal";
grayjayBackupDir = "/${zpool_ssds}/bak/grayjay";
};
prowlarr = {
dataDir = services_dir + "/prowlarr";
};
sonarr = {
dataDir = services_dir + "/sonarr";
};
radarr = {
dataDir = services_dir + "/radarr";
};
bazarr = {
dataDir = services_dir + "/bazarr";
};
jellyseerr = {
configDir = services_dir + "/jellyseerr";
};
recyclarr = {
dataDir = services_dir + "/recyclarr";
};
media = {
moviesDir = torrents_path + "/media/movies";
tvDir = torrents_path + "/media/tv";
};
}

25
services/minecraft.nix
View File

@@ -21,6 +21,19 @@
]) ])
]; ];
boot.kernel.sysctl = {
# Disable autogroup for better scheduling of game server threads
"kernel.sched_autogroup_enabled" = 0;
# We want to determine the number of hugepages based on how many minecraft needs.
# This can be determined by dividing the heap size by the size of a large page.
# Doing this gives us how many large pages are needed.
# Then we add 300 to give some headroom.
"vm.nr_hugepages" =
(service_configs.minecraft.memory.heap_size_m / service_configs.minecraft.memory.large_page_size_m)
+ 300;
};
services.minecraft-servers = { services.minecraft-servers = {
enable = true; enable = true;
eula = true; eula = true;
@@ -31,14 +44,10 @@
enable = true; enable = true;
package = pkgs.fabricServers.fabric-1_21_11; package = pkgs.fabricServers.fabric-1_21_11;
jvmOpts = jvmOpts = lib.concatStringsSep " " [
let
heap_size = "4000M";
in
lib.concatStringsSep " " [
# Memory # Memory
"-Xmx${heap_size}" "-Xmx${builtins.toString service_configs.minecraft.memory.heap_size_m}M"
"-Xms${heap_size}" "-Xms${builtins.toString service_configs.minecraft.memory.heap_size_m}M"
# GC # GC
"-XX:+UseZGC" "-XX:+UseZGC"
"-XX:+ZGenerational" "-XX:+ZGenerational"
@@ -65,7 +74,7 @@
"-XX:+UseVectorCmov" "-XX:+UseVectorCmov"
# Large pages (requires vm.nr_hugepages sysctl) # Large pages (requires vm.nr_hugepages sysctl)
"-XX:+UseLargePages" "-XX:+UseLargePages"
"-XX:LargePageSizeInBytes=2m" "-XX:LargePageSizeInBytes=${builtins.toString service_configs.minecraft.memory.large_page_size_m}M"
]; ];
serverProperties = { serverProperties = {

32
services/wg.nix
View File

@@ -17,4 +17,36 @@
# "192.168.0.0/24" # "192.168.0.0/24"
]; ];
}; };
boot = {
# BBR congestion control handles variable-latency VPN connections much
# better than CUBIC by probing bandwidth continuously rather than
# reacting to packet loss.
kernelModules = [ "tcp_bbr" ];
kernel.sysctl = {
# Use BBR + fair queuing for smooth throughput through the WireGuard VPN
"net.core.default_qdisc" = "fq";
"net.ipv4.tcp_congestion_control" = "bbr";
# Disable slow-start after idle: prevents TCP from resetting window
# size on each burst cycle (the primary cause of the 0 -> 40 MB/s spikes)
"net.ipv4.tcp_slow_start_after_idle" = 0;
# Larger socket buffers to accommodate the VPN bandwidth-delay product
# (22ms RTT * target throughput). Current 2.5MB max is too small.
"net.core.rmem_max" = 16777216;
"net.core.wmem_max" = 16777216;
"net.ipv4.tcp_rmem" = "4096 87380 16777216";
"net.ipv4.tcp_wmem" = "4096 65536 16777216";
# Higher backlog for the large number of concurrent torrent connections
"net.core.netdev_max_backlog" = 5000;
# Faster cleanup of dead connections from torrent peer churn
"net.ipv4.tcp_fin_timeout" = 15; # default 60
"net.ipv4.tcp_tw_reuse" = 1;
};
};
networking.firewall.trustedInterfaces = [ "wg-br" ];
} }

10
tests/fail2ban-gitea.nix
View File

@@ -5,18 +5,14 @@
... ...
}: }:
let let
testServiceConfigs = { baseServiceConfigs = import ../service-configs.nix;
testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
zpool_ssds = ""; zpool_ssds = "";
gitea = { gitea = {
dir = "/var/lib/gitea"; dir = "/var/lib/gitea";
domain = "git.test.local"; domain = "git.test.local";
}; };
postgres = { ports.gitea = 3000;
socket = "/run/postgresql";
};
ports = {
gitea = 3000;
};
}; };
testLib = lib.extend ( testLib = lib.extend (

15
tests/fail2ban-immich.nix
View File

@@ -5,17 +5,12 @@
... ...
}: }:
let let
testServiceConfigs = { baseServiceConfigs = import ../service-configs.nix;
testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
zpool_ssds = ""; zpool_ssds = "";
https = { https.domain = "test.local";
domain = "test.local"; ports.immich = 2283;
}; immich.dir = "/var/lib/immich";
ports = {
immich = 2283;
};
immich = {
dir = "/var/lib/immich";
};
}; };
testLib = lib.extend ( testLib = lib.extend (

11
tests/fail2ban-jellyfin.nix
View File

@@ -5,19 +5,14 @@
... ...
}: }:
let let
testServiceConfigs = { baseServiceConfigs = import ../service-configs.nix;
testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
zpool_ssds = ""; zpool_ssds = "";
https = { https.domain = "test.local";
domain = "test.local";
};
ports = {
jellyfin = 8096;
};
jellyfin = { jellyfin = {
dataDir = "/var/lib/jellyfin"; dataDir = "/var/lib/jellyfin";
cacheDir = "/var/cache/jellyfin"; cacheDir = "/var/cache/jellyfin";
}; };
media_group = "media";
}; };
testLib = lib.extend ( testLib = lib.extend (

5
tests/fail2ban-ssh.nix
View File

@@ -5,11 +5,6 @@
... ...
}: }:
let let
testServiceConfigs = {
zpool_ssds = "";
zpool_hdds = "";
};
securityModule = import ../modules/security.nix; securityModule = import ../modules/security.nix;
sshModule = sshModule =

13
tests/fail2ban-vaultwarden.nix
View File

@@ -5,17 +5,10 @@
... ...
}: }:
let let
testServiceConfigs = { baseServiceConfigs = import ../service-configs.nix;
testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
zpool_ssds = ""; zpool_ssds = "";
https = { https.domain = "test.local";
domain = "test.local";
};
ports = {
vaultwarden = 8222;
};
vaultwarden = {
path = "/var/lib/vaultwarden";
};
}; };
testLib = lib.extend ( testLib = lib.extend (

21
tests/minecraft.nix
View File

@@ -6,18 +6,14 @@
... ...
}: }:
let let
testServiceConfigs = { baseServiceConfigs = import ../service-configs.nix;
minecraft = { testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
server_name = "main";
parent_dir = "/var/lib/minecraft";
};
https = {
domain = "test.local";
};
ports = {
minecraft = 25565;
};
zpool_ssds = ""; zpool_ssds = "";
https.domain = "test.local";
minecraft.parent_dir = "/var/lib/minecraft";
minecraft.memory = rec {
heap_size_m = 1000;
};
}; };
# Create pkgs with nix-minecraft overlay and unfree packages allowed # Create pkgs with nix-minecraft overlay and unfree packages allowed
@@ -46,6 +42,9 @@ testPkgs.testers.runNixOSTest {
../services/minecraft.nix ../services/minecraft.nix
]; ];
# Force to 0 because no huge pages in vms ?
boot.kernel.sysctl."vm.nr_hugepages" = lib.mkForce 0;
# Enable caddy service (required by minecraft service) # Enable caddy service (required by minecraft service)
services.caddy.enable = true; services.caddy.enable = true;