Unverified Commit 15ddcc64 authored by Daniel Sidhion's avatar Daniel Sidhion Committed by GitHub

nixos/tigerbeetle: add docs on upgrading, add more systemd hardening (#332899)

parent 5820b761
+7 −0
@@ -35,3 +35,10 @@ Note that the TigerBeetle module won't open any firewall ports automatically, so

A complete list of options for TigerBeetle can be found [here](#opt-services.tigerbeetle.enable).

## Upgrading {#module-services-tigerbeetle-upgrading}

Usually, TigerBeetle's [upgrade process](https://docs.tigerbeetle.com/operating/upgrading) only requires replacing the binary used for the servers.
This is not directly possible with NixOS since the new binary will be located at a different place in the Nix store.

However, since TigerBeetle is managed through systemd on NixOS, the only action you need to take when upgrading is to make sure the version of TigerBeetle you're upgrading to supports upgrades from the version you're currently running.
This information will be on the [release notes](https://github.com/tigerbeetle/tigerbeetle/releases) for the version you're upgrading to.
+18 −8
@@ -42,8 +42,8 @@ in
      };

      cacheGridSize = mkOption {
        type = types.strMatching "[0-9]+(K|M|G)B";
        default = "1GB";
        type = types.strMatching "[0-9]+(K|M|G)iB";
        default = "1GiB";
        description = ''
          The grid cache size.
          The grid cache acts like a page cache for TigerBeetle.
@@ -97,16 +97,26 @@ in
        '';

        serviceConfig = {
          Type = "exec";

          DevicePolicy = "closed";
          DynamicUser = true;
          ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
          LockPersonality = true;
          ProtectClock = true;
          ProtectControlGroups = true;
          ProtectHome = true;
          DevicePolicy = "closed";

          ProtectHostname = true;
          ProtectKernelLogs = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          ProtectProc = "noaccess";
          ProtectSystem = "strict";
          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          StateDirectory = "tigerbeetle";
          StateDirectoryMode = 700;

          ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
          Type = "exec";
        };
      };