


nixpkgs

4th chunk of `nixos/modules/services/databases/foundationdb.md`
endpoint's certificate chain. For example, a FoundationDB server may be
configured to only accept client connections over TLS, where the client TLS
certificate is from organization *Acme Co* in the
*Research and Development* unit.

TLS for FoundationDB is configured through the
{option}`services.foundationdb.tls` options, which control the
peer verification string as well as the certificate and its private key.

Note that the certificate and its private key must be accessible to the
FoundationDB user account that the server runs under. These files are also
NOT managed by NixOS, as putting them into the Nix store may reveal private
information.

After you have a key and certificate file in place, it is not enough to
simply set the NixOS module options -- you must also configure the
{command}`fdb.cluster` file to specify that a given set of
coordinators use TLS. This is as simple as adding the suffix
{command}`:tls` to your cluster coordinator configuration, after the
port number. For example, assuming you have a coordinator on localhost with
the default configuration, simply specifying:

```
XXXXXX:XXXXXX@127.0.0.1:4500:tls
```

will configure all clients and server processes to use TLS from now on.
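
The following pre-flight check is an added example, not part of the NixOS module or of FoundationDB. It verifies the points made above: every coordinator in the cluster string carries the `:tls` suffix, and the certificate and key do not resolve into the Nix store. The function names, the sample paths under `/etc/foundationdb/`, and the extra world-readable check on the key are assumptions made for illustration.

```python
import os
import stat

NIX_STORE = "/nix/store/"  # the store is world-readable, so secrets must stay out

def coordinators(cluster_text):
    """Return [(address, uses_tls)] from 'description:id@addr:port[:tls],...'."""
    line = cluster_text.strip()
    if "@" not in line:
        raise ValueError("not a cluster connection string")
    out = []
    for entry in line.split("@", 1)[1].split(","):
        entry = entry.strip()
        tls = entry.endswith(":tls")
        addr = entry[:-len(":tls")] if tls else entry
        if not addr.rsplit(":", 1)[-1].isdigit():
            raise ValueError(f"coordinator without a port: {entry!r}")
        out.append((addr, tls))
    return out

def audit(cluster_text, cert_path, key_path):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    # A single coordinator without the suffix means the cluster string is not fully TLS.
    for addr, tls in coordinators(cluster_text):
        if not tls:
            findings.append(f"coordinator {addr} lacks the :tls suffix")
    for label, path in (("certificate", cert_path), ("key", key_path)):
        real = os.path.realpath(path)  # follow symlinks that may point into the store
        if real.startswith(NIX_STORE):
            findings.append(f"{label} {path} resolves into the Nix store")
        if not os.path.isfile(real):
            findings.append(f"{label} {path} does not exist")
    # Assumed extra check: the private key should not be readable by every local user.
    if os.path.isfile(key_path) and os.stat(key_path).st_mode & stat.S_IROTH:
        findings.append(f"key {key_path} is world-readable")
    return findings

if __name__ == "__main__":
    # Constructed sample input; replace with your fdb.cluster contents and file paths.
    sample = "XXXXXX:XXXXXX@127.0.0.1:4500:tls"
    for finding in audit(sample, "/etc/foundationdb/fdb.pem", "/etc/foundationdb/fdb.key"):
        print("FINDING:", finding)
```

Run it as the account the FoundationDB server runs under, so that a missing-file finding also reveals files that account cannot reach.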

## Backups and Disaster Recovery {#module-services-foundationdb-disaster-recovery}

The usual rules for doing FoundationDB backups apply on NixOS as written in
the FoundationDB manual. However, one important difference is the security
profile for NixOS: by default, the {command}`foundationdb` systemd
unit uses *Linux namespaces* to restrict write access to
the system, except for the log directory, data directory, and the
{command}`/etc/foundationdb/` directory. This is enforced by default
and cannot be disabled.

However, a side effect of this is that the {command}`fdbbackup`
command doesn't work properly for local filesystem backups: FoundationDB
uses a server process alongside the database processes to perform backups
and copy the backups to the filesystem. As a result, this process is put
under the restricted namespaces above: the backup process can only write to
a limited number of paths.

In order to allow flexible backup locations on local disks, the FoundationDB

Title: Configuring TLS and Backups/Disaster Recovery in FoundationDB on NixOS
Summary
This section details how to configure TLS for FoundationDB by using the `services.foundationdb.tls` options and updating the `fdb.cluster` file with the `:tls` suffix. It also addresses backup and disaster recovery on NixOS, highlighting the limitations imposed by Linux namespaces on the `fdbbackup` command's write access and the need to configure `backup_allowed_paths` for local backups.