Want to know how to install FoundryVTT onto your own NixOS server? This post goes over the details of installing Foundry VTT version 10.291 onto your own NixOS system/server using the Nix Flake by reckonrode.
This post still applies for more recent versions - however there are changes in how you would handle different Foundry Versions. My next post describes this in further detail.
Installing the Flake
In my last post I discussed how to install the role-playing virtual tabletop Foundry VTT into a NixOS 22.11 system. It’s worth going over the details of that post if you wish to understand the process of installing the flake in-depth - however, the details necessary are provided here.
NixOS 22.11 allows you to use a /etc/nixos/flake.nix file to specify the configuration for your system instead of /etc/nixos/configuration.nix. The following example file sets up the system and includes reckonrode’s FoundryVTT flake. If you use this without looking at my last post, remember to replace MYHOSTNAME with the name of your system’s hostname.
1
2
3
4
5
6
7
8
9
10
11
12
{
inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
inputs.foundryvtt.url = "github:reckenrode/nix-foundryvtt/6c52bfc6824a3dba673df4894a71193ec32aa399";
outputs = { self, nixpkgs, ... }@inputs: {
nixosConfigurations.MYHOSTNAME = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = { inherit inputs; };
modules = [ ./configuration.nix ];
};
};
}
You no longer need to specify a specific commit for
inputs.foundryvtt.url. Have a look at my later post on Foundry versions
The key line here is the inputs.foundryvtt.url that provides the github repository and commit hash. It is not necessary to specify a hash or tag; however, this is useful to ensure that a future update doesn’t break your system build.
Adding FoundryVTT to the Nix Store
The Nix store is a place on your system for any packages that are to be used for setting up applications. As FoundryVTT is not free to download, it is not possible to have a flake do this automatically. As such, you will need to download the correct Linux version of FoundryVTT yourself. It should be named as it is downloaded FoundryVTT-10.291.zip somewhere where you can access it from the terminal. All you have to do then is run the following command:
1
nix-store --add-fixed sha256 FoundryVTT-10.291.zip
This command adds a fixed file (i.e. it won’t be changed) and calculates the sha256 hash to place it into your system. The sha256 hash is also required for the flake to work.
Setting up Your Configuration
The following snippet shows what is necessary within your configuration files. If putting this directly in your /etc/nixos/configuration.nix, you should add inputs to the set of brackets at the top and add inputs.foundryvtt.nixosModules.foundryvtt to your imports. This example presumes that the configuration is in a separate file and imported into your primary configuration.nix.
1
2
3
4
5
6
7
8
9
10
{ inputs, ... }:
{
imports = [ inputs.foundryvtt.nixosModules.foundryvtt ];
services.foundryvtt = {
enable = true;
hostName = "myhostname.com";
proxySSL = true;
proxyPort = 443;
};
}
All you need to get the service up and running is the enable option; however, there are a few more things you may wish to do to ensure that your server is setup for secure communication. As such, the proxy lines tell FoundryVTT that it is behind a reverse-proxy and which port is being used by that reverse-proxy.
What’s a reverse-proxy? It is a web-server that forwards traffic to a background service - hiding the actual service software ports. Another advantage is that you can have it handle SSL certification, so any traffic to your server will be correctly encrypted. The simplest one to use is Caddy. How simple is it?
1
2
3
4
5
6
7
services.caddy = {
enable = true;
virtualHosts."foundry.myhostname.com".extraConfig = ''
reverse_proxy localhost:30000
'';
};
That’s how simple. Providing you have your DNS records set to forward foundry.myhostname.com to your server, this is all you need to setup encrypted communication and hide the actual server running at localhost:30000 (localhost meaning the same system).
Don’t forget - you also need to allow communication through the firewall:
1
2
3
4
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 ];
};
Once this is all done, you should be able to run nixos-rebuild and fingers crossed it will all be set up and running!
Have a look at my later post on Foundry versions about specifying which exact version you wish to host
Bonus Points: Using a NixOS Container
If you want the server to be even more secure, you can use a NixOS container to separate off the service from the rest of the system. This is similar to how you might use a virtual machine or a docker container, only that it is built into the NixOS ecosystem.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
{ inputs, pkgs, ... }:
{
containers.foundry = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
bindMounts.foundrydata = {
mountPoint = "/var/lib/foundryvtt";
isReadOnly = false;
hostPath = "/my/local/data/foundryvtt";
};
config = with inputs; {
imports = [ foundryvtt.nixosModules.foundryvtt ];
services.foundryvtt = {
enable = true;
hostname = "foundry.myhostname.com";
proxySSL = true;
proxyPort = 443;
};
networking.firewall = {
enable = true;
allowedTCPPorts = [ 30000 ];
};
system.stateVersion = "22.11";
};
};
}
This sets up FoundryVTT server on a private internal network at 192.168.100.11, and sets a bind-mount to mount a directory on the host (in this case /my/local/data/foundryvtt - this should be changed to where you want it). I recommend the bind-mount to ensure you can upload and backup your server data simply. There are a few more things to do to get this to work.
- Change Caddy to point to
192.168.100.11instead oflocalhost - Add NAT to the host network configuration:
1
2
3
4
5
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "eth0";
};
The internalInterfaces line specifies which internal network devices will be allowed to use NAT to access the internet. In this case, to make it simple, ve-+ specifies all virtual ethernet devices created by the container system. If you use multiple services, you may/may not wish to allow all devices.
Some Final Thoughts
I’m really starting to like how NixOS allows you to setup the configuration in one place. It allows you to easily setup a protected container with the services, reverse-proxy and anything else all within the same configuration format. This makes server setup really easy as you don’t have to worry about multiple configuration formats in different folders, and also makes porting configurations between systems very easy.
If you found this useful, then share this around to those that may find it useful! Please leave a comment down below if you have any questions or something else to say!