nixos/tigerbeetle: add docs on upgrading, add more systemd hardening (#332899)

Daniel Sidhion 2024-09-24 23:56:38 -07:00 committed by GitHub
parent 5820b7618c
commit 15ddcc64cd
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 26 additions and 9 deletions


@ -35,3 +35,10 @@ Note that the TigerBeetle module won't open any firewall ports automatically, so
A complete list of options for TigerBeetle can be found [here](#opt-services.tigerbeetle.enable).
## Upgrading {#module-services-tigerbeetle-upgrading}
Usually, TigerBeetle's [upgrade process](https://docs.tigerbeetle.com/operating/upgrading) only requires replacing the binary used for the servers.
This is not directly possible with NixOS since the new binary will be located at a different place in the Nix store.
However, since TigerBeetle is managed through systemd on NixOS, the only action you need to take when upgrading is to make sure the version of TigerBeetle you're upgrading to supports upgrades from the version you're currently running.
This information will be on the [release notes](https://github.com/tigerbeetle/tigerbeetle/releases) for the version you're upgrading to.


@ -42,8 +42,8 @@ in
};
cacheGridSize = mkOption {
type = types.strMatching "[0-9]+(K|M|G)B";
default = "1GB";
type = types.strMatching "[0-9]+(K|M|G)iB";
default = "1GiB";
description = ''
The grid cache size.
The grid cache acts like a page cache for TigerBeetle.
@ -97,16 +97,26 @@ in
'';
serviceConfig = {
Type = "exec";
DynamicUser = true;
ProtectHome = true;
DevicePolicy = "closed";
DynamicUser = true;
ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
LockPersonality = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "noaccess";
ProtectSystem = "strict";
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
StateDirectory = "tigerbeetle";
StateDirectoryMode = 700;
ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
Type = "exec";
};
};
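Review bot: The hardened `serviceConfig` still leaves the capability set and the syscall surface unrestricted: nothing in the new option list sets `CapabilityBoundingSet`, `SystemCallArchitectures` or `SystemCallFilter`, and `DevicePolicy = "closed"` only restricts the device cgroup rather than giving the unit a private `/dev`. A network-facing database running under `DynamicUser` should need no capabilities, so an empty bounding set plus a `@system-service`-based filter would shrink what a compromised process can reach. The filter has to be checked against the I/O syscalls TigerBeetle actually uses, with a test start and `systemd-analyze security`, before it is relied on. Separately, `ExecStart` quotes the address list with `lib.escapeShellArg`, which is shell quoting; systemd still interprets `%` and `$` in that line and `replicaDataPath` is not quoted at all, so `utils.escapeSystemdExecArgs` looks like the closer fit.

```nix
serviceConfig = {
  # … unchanged: DevicePolicy, DynamicUser, ExecStart, Lock*/Protect*/Restrict* options …
  CapabilityBoundingSet = "";
  PrivateDevices = true;
  SystemCallArchitectures = "native";
  # verify against the syscalls the server needs before enabling
  SystemCallFilter = [ "@system-service" "~@privileged" ];
  UMask = "0077";
  # … unchanged: StateDirectory, StateDirectoryMode, Type …
```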