Overview
Just another Linux Dedicated Server Guide… but with some advanced goodies.
Features:
- Server will run as a systemd service
- Server will be sandboxed and secured
Introduction
This guide is an update to an old guide I wrote a while ago (on forums.planetaryannihilation.com). Now that Debian 9 is stable and has some new systemd features, we will use them to secure our server. It should work on any modern Linux distribution with systemd.
This guide assumes you run your server as an unprivileged user (called <user>) from the home directory. Whenever you see a '$ ' before a command, run it as this user. Some things have to be done as root: either it is mentioned in the text or the command starts with a '# '.
I avoided the use of code-blocks in this guide, because it messes up the line breaks. This way you can easily copy&paste configs from here.
Download and install the server
Create a user account to run the game server under. We need to install a few packages if they are not already installed:
# apt install mercurial golang libgl1-mesa-glx
On your user account let’s make a directory for PA and get papatcher to download the game:
$ cd
$ mkdir pa
$ cd pa
$ hg clone [link]
$ go run papatcher/papatcher.go -stream=stable
Enter your Uber account name and password and the game will download.
The systemd service
As root run:
# systemctl edit --force --full pa
and paste the following into the editor:
## /etc/systemd/system/pa.service
[Unit]
Description=Planetary Annihilation: TITANS Dedicated Server
Documentation=https://steamcommunity.com/sharedfiles/filedetails/?id=1541095723
After=network.target
[Service]
User=<user>
ExecStart='/home/<user>/.local/Uber Entertainment/Planetary Annihilation/stable/server' \
    --headless --game-mode "PAExpansion1:Config" --allow-lan --server-name "Just another PA Server" \
    --enable-crash-reporting --mt-enabled \
    --max-players 10 --max-spectators 5
Restart=always
Nice=-4
# Security and Sandboxing
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
ProtectSystem=strict
ProtectHome=read-only
SystemCallFilter=~@mount
ReadWritePaths='/home/<user>/.local/Uber Entertainment'
[Install]
WantedBy=multi-user.target
## END OF FILE
Replace all instances of <user> with the username which runs your server, then save and exit the editor.
With systemd we get some nice security and sandboxing features for free that are easy to enable. Sandboxing means that the process started by systemd sees a different view of the filesystem than the rest of the system. With 'ProtectSystem=strict' and 'ProtectHome=read-only' the entire file system hierarchy is mounted read-only for the service. Of course it needs to write to some places (to write logs), which are listed under 'ReadWritePaths'.
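To check that a saved unit file still carries the sandboxing settings described above, the following added example (not part of the original guide) compares its [Service] section with the directives listed in this guide. The function names and the MISSING/DIFFERS output format are made up for this example, and it reads only the unit file itself, not drop-in overrides.

```shell
#!/bin/sh
# Added example, not part of the guide: audit a unit file against the
# sandboxing directives the guide sets in [Service].

# Directive=value pairs copied from the unit file above.
EXPECTED='NoNewPrivileges=yes PrivateTmp=yes PrivateDevices=yes
ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes
ProtectSystem=strict ProtectHome=read-only SystemCallFilter=~@mount'

# systemd accepts several spellings for booleans; fold them to yes/no.
norm() {
    case "$1" in
        1|y|yes|t|true|on) echo yes ;;
        0|n|no|f|false|off) echo no ;;
        *) echo "$1" ;;
    esac
}

# service_value FILE KEY: print the last value assigned to KEY in [Service].
# Section headers switch the state; comment lines (# or ;) are skipped.
service_value() {
    awk -v k="$2" '
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        !in_service   { next }
        /^[ \t]*[#;]/ { next }
        {
            p = index($0, "="); if (p == 0) next
            key = substr($0, 1, p - 1); val = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) v = val
        }
        END { print v }' "$1"
}

# audit_unit FILE: print each directive that is missing or differs from the
# guide; return 0 only when every directive matches.
audit_unit() {
    local want key val got rc=0
    for want in $EXPECTED; do
        key=${want%%=*}; val=${want#*=}
        got=$(service_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (guide: $val)"; rc=1
        elif [ "$(norm "$got")" != "$(norm "$val")" ]; then
            echo "DIFFERS $key=$got (guide: $val)"; rc=1
        fi
    done
    return $rc
}
```

Run it as audit_unit /etc/systemd/system/pa.service; no output and exit status 0 mean every directive from the guide is present with the same value.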
After that you can enable and start your server:
# systemctl enable --now pa
And see if everything runs ok with:
# systemctl status pa
It will be restarted on every type of crash or normal exit. If no players are connected, it seems to exit by itself after 5 minutes; systemd will then restart it.
That would be it. HF!