@chungy
Last active July 31, 2023 19:18
minecraft systemd service

Use these files for managing a Minecraft server with systemd.

Place minecraft.service in /etc/systemd/system, and run systemctl daemon-reload. The minecraft file should go into /etc/conf.d or an equivalent directory (change the EnvironmentFile path in the service to match). /etc/conf.d/minecraft contains the RCON password and should not have world permissions: chown root:root and chmod 600 the file.

The user and group minecraft should exist. The minecraft user should only be a member of the minecraft group, for system security. The service is set up so that security exploits of the Minecraft server and/or Java do not severely affect the rest of the system. /home is entirely inaccessible (ProtectHome), /tmp and /var/tmp are sandboxed (PrivateTmp), no real device access is possible (PrivateDevices), and system directories like /etc cannot be written to (ProtectSystem). These restrictions apply even where file modes would otherwise allow the access.

mcrcon is used to stop the server and must be installed for that to work. It may also be used to manage the server without having to log in with the Minecraft client.

It is recommended to add another user on the system to the minecraft group for backup purposes and other uses, but root would be required for restoration.

minecraft (environment file):

# This file is for /etc/conf.d
# RCON_PASSWD needs to be identical to rcon.password in server.properties
RCON_PASSWD=example
MINHEAP=2G
MAXHEAP=4G
THREADS=6

minecraft.service:

[Unit]
Description=Minecraft server
Wants=network.target
After=local-fs.target network.target
[Service]
User=minecraft
Group=minecraft
UMask=0027
EnvironmentFile=/etc/conf.d/minecraft
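# Shutdown is left to ExecStop; systemd itself sends no kill signals.
KillMode=none
SuccessExitStatus=0 1 255
# Sandboxing: no new privileges, private /dev, private /tmp and /var/tmp,
# /home inaccessible, and /usr, /boot and /etc mounted read-only.
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
# The minecraft user's home directory; with ProtectHome=true it must be
# outside /home.
WorkingDirectory=~
ExecStart=/usr/bin/java -Xms${MINHEAP} -Xmx${MAXHEAP} -XX:ParallelGCThreads=${THREADS} -jar server.jar --nogui
# The RCON password is passed as an argument and so appears on mcrcon's
# command line while the stop command runs.
ExecStop=/usr/bin/mcrcon -H localhost -p ${RCON_PASSWD} stop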
[Install]
WantedBy=multi-user.target
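
One way to check an installed copy against the settings described above, as an added example that is not part of the original gist. The function names are hypothetical, GNU stat is assumed, and the sample unit at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the gist): audit a unit file and its environment
# file against the settings this page describes. Function names are hypothetical.
BOOL='true|yes|on|1'   # spellings systemd accepts for an enabled boolean
# key=regex pairs; ProtectSystem=strict is accepted as stricter than full.
REQUIRED="NoNewPrivileges=$BOOL PrivateDevices=$BOOL PrivateTmp=$BOOL
ProtectHome=$BOOL ProtectSystem=full|strict"

# unit_value FILE KEY: print the last value assigned to KEY under [Service].
unit_value() {
    awk -v key="$2" '
        /^\[/ { in_svc = ($0 == "[Service]"); next }
        in_svc && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# audit_unit FILE: print one FAIL line per finding; status 0 if there are none.
audit_unit() (
    rc=0
    for want in $REQUIRED; do
        key=${want%%=*}; got=$(unit_value "$1" "$key")
        printf '%s\n' "$got" | grep -Eqx "${want#*=}" ||
            { echo "FAIL $key='$got' (want ${want#*=})"; rc=1; }
    done
    case $(unit_value "$1" User) in
        ''|root|0) echo "FAIL User: service would run as root"; rc=1 ;;
    esac
    exit $rc   # leaves only the function's subshell
)

# audit_envfile FILE [UID:GID]: the password file must be mode 600 and owned
# by root:root (0:0). The owner argument lets the check be tried without root.
audit_envfile() (
    set -- "$1" "${2:-0:0}" $(stat -c '%a %u:%g' "$1")   # GNU stat assumed
    [ "$3" = 600 ] && [ "$4" = "$2" ] && exit 0
    echo "FAIL $1: mode $3 owner $4 (want 600 $2)"; exit 1
)

# Constructed sample: a unit missing two of the page's directives.
demo=$(mktemp)
printf '%s\n' '[Service]' 'User=minecraft' 'NoNewPrivileges=true' \
    'PrivateTmp=true' 'ProtectSystem=full' > "$demo"
audit_unit "$demo" || true   # reports PrivateDevices and ProtectHome
rm -f "$demo"
```

On a host running systemd, `systemd-analyze security minecraft.service` gives systemd's own exposure assessment of the loaded unit.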