diff --git a/nixos/modules/services/databases/tigerbeetle.md b/nixos/modules/services/databases/tigerbeetle.md
index 12d920e7bcc7..7cf3bedda5e0 100644
--- a/nixos/modules/services/databases/tigerbeetle.md
+++ b/nixos/modules/services/databases/tigerbeetle.md
@@ -35,3 +35,10 @@ Note that the TigerBeetle module won't open any firewall ports automatically, so
 
 A complete list of options for TigerBeetle can be found [here](#opt-services.tigerbeetle.enable).
 
+## Upgrading {#module-services-tigerbeetle-upgrading}
+
+Usually, TigerBeetle's [upgrade process](https://docs.tigerbeetle.com/operating/upgrading) only requires replacing the binary used for the servers.
+This is not directly possible with NixOS since the new binary will be located at a different place in the Nix store.
+
+However, since TigerBeetle is managed through systemd on NixOS, the only action you need to take when upgrading is to make sure the version of TigerBeetle you're upgrading to supports upgrades from the version you're currently running.
+This information will be on the [release notes](https://github.com/tigerbeetle/tigerbeetle/releases) for the version you're upgrading to.
diff --git a/nixos/modules/services/databases/tigerbeetle.nix b/nixos/modules/services/databases/tigerbeetle.nix
index a9c7a24250a6..7b512055e44e 100644
--- a/nixos/modules/services/databases/tigerbeetle.nix
+++ b/nixos/modules/services/databases/tigerbeetle.nix
@@ -42,8 +42,8 @@ in
       };
 
       cacheGridSize = mkOption {
-        type = types.strMatching "[0-9]+(K|M|G)B";
-        default = "1GB";
+        type = types.strMatching "[0-9]+(K|M|G)iB";
+        default = "1GiB";
         description = ''
           The grid cache size.
           The grid cache acts like a page cache for TigerBeetle.
@@ -97,16 +97,26 @@ in
         '';
 
         serviceConfig = {
-          Type = "exec";
-
-          DynamicUser = true;
-          ProtectHome = true;
           DevicePolicy = "closed";
-
+          DynamicUser = true;
+          ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
+          LockPersonality = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectProc = "noaccess";
+          ProtectSystem = "strict";
+          RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
           StateDirectory = "tigerbeetle";
           StateDirectoryMode = 700;
-
-          ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
+          Type = "exec";
         };
       };