Diffstat (limited to 'nixos/modules/services/databases/tigerbeetle.nix')
-rw-r--r-- | nixos/modules/services/databases/tigerbeetle.nix | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/nixos/modules/services/databases/tigerbeetle.nix b/nixos/modules/services/databases/tigerbeetle.nix
index a9c7a24250a69..7b512055e44e5 100644
--- a/nixos/modules/services/databases/tigerbeetle.nix
+++ b/nixos/modules/services/databases/tigerbeetle.nix
@@ -42,8 +42,8 @@ in
 };
 cacheGridSize = mkOption {
- type = types.strMatching "[0-9]+(K|M|G)B";
- default = "1GB";
+ type = types.strMatching "[0-9]+(K|M|G)iB";
+ default = "1GiB";
 description = ''
 The grid cache size. The grid cache acts like a page cache for TigerBeetle.
@@ -97,16 +97,26 @@ in
 '';
 serviceConfig = {
- Type = "exec";
-
+ DevicePolicy = "closed";
 DynamicUser = true;
+ ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
+ LockPersonality = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
 ProtectHome = true;
- DevicePolicy = "closed";
-
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "noaccess";
+ ProtectSystem = "strict";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
 StateDirectory = "tigerbeetle";
 StateDirectoryMode = 700;
-
- ExecStart = "${lib.getExe cfg.package} start --cache-grid=${cfg.cacheGridSize} --addresses=${lib.escapeShellArg (builtins.concatStringsSep "," cfg.addresses)} ${replicaDataPath}";
+ Type = "exec";
 };
 }; |
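Review bot: Tightening the `cacheGridSize` pattern to `[0-9]+(K|M|G)iB` makes any existing configuration that sets a value such as `"2GB"` fail at evaluation, and nothing visible in this hunk tells the user why. The option's description, which continues outside the hunk, could name the accepted units, for example `Accepts binary units only: KiB, MiB or GiB.`, and the change deserves a release-note entry. The full-string match is also what keeps the unescaped `${cfg.cacheGridSize}` interpolation in `ExecStart` limited to digits and a unit suffix, so the pattern should not be loosened later without adding escaping there.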
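Review bot: The hardening added to `serviceConfig` covers kernel interfaces, namespaces and address families, but leaves the capability set and the syscall surface unrestricted. Consider adding `CapabilityBoundingSet = "";`, `SystemCallArchitectures = "native";` and `PrivateDevices = true;`, after confirming with `systemd-analyze security` and a start-up test that the service still runs. `RestrictAddressFamilies` is enforced through a seccomp filter on socket creation, so if this binary opens sockets through io_uring (worth confirming for the package) the restriction may not reach those; a short comment beside the line would record that limit. `ProtectSystem = "strict"` and `RestrictSUIDSGID = true` are already implied by `DynamicUser = true`, so a comment saying they are spelled out on purpose would keep a later cleanup from dropping them.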