mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-09-29 15:43:00 +00:00
nixos/tigerbeetle: add docs on upgrading, add more systemd hardening (#332899)
This commit is contained in:
parent
5820b7618c
commit
15ddcc64cd
@ -35,3 +35,10 @@ Note that the TigerBeetle module won't open any firewall ports automatically, so
|
||||
|
||||
A complete list of options for TigerBeetle can be found [here](#opt-services.tigerbeetle.enable).
|
||||
|
||||
## Upgrading {#module-services-tigerbeetle-upgrading}
|
||||
|
||||
Usually, TigerBeetle's [upgrade process](https://docs.tigerbeetle.com/operating/upgrading) only requires replacing the binary used for the servers.
|
||||
This is not directly possible with NixOS since the new binary will be located at a different place in the Nix store.
|
||||
|
||||
However, since TigerBeetle is managed through systemd on NixOS, the only action you need to take when upgrading is to make sure the version of TigerBeetle you're upgrading to supports upgrades from the version you're currently running.
|
||||
This information will be on the [release notes](https://github.com/tigerbeetle/tigerbeetle/releases) for the version you're upgrading to.
|
||||
|
@ -42,8 +42,8 @@ in
|
||||
};
|
||||
|
||||
cacheGridSize = mkOption {
|
||||
type = types.strMatching "[0-9]+(K|M|G)B";
|
||||
default = "1GB";
|
||||
type = types.strMatching "[0-9]+(K|M|G)iB";
|
||||
default = "1GiB";
|
||||
description = ''
|
||||
The grid cache size.
|
||||
The grid cache acts like a page cache for TigerBeetle.
|
||||
@ -97,16 +97,26 @@ in
|
||||
'';
|
||||
|
||||
serviceConfig = {
|
||||
Type = "exec";
|
||||
|
||||
DynamicUser = true;
|
||||
ProtectHome = true;
|
||||
DevicePolicy = "closed";
|
||||
|
||||
DynamicUser = true;
|
||||
ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
|
||||
LockPersonality = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "noaccess";
|
||||
ProtectSystem = "strict";
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
StateDirectory = "tigerbeetle";
|
||||
StateDirectoryMode = 700;
|
||||
|
||||
ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
|
||||
Type = "exec";
|
||||
};
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user