authormisuzu <bakalolka@gmail.com>2021-08-13 10:23:04 +0300
committermisuzu <bakalolka@gmail.com>2021-08-16 10:14:05 +0300
commit6802eb4241377920f93593f479318f999b29c21a (patch)
treeac59d42c6e150cd6ca3b27c68030c4810a1e30ff
parent9df2cb074d72ea80ac9fd225b29060c8cf13dd39 (diff)
nixos/syncoid: add global and per-dataset permissions options
-rw-r--r--nixos/modules/services/backup/syncoid.nix63
1 files changed, 57 insertions, 6 deletions
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index 73b01d4b53f..3ad8d279a36 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -79,6 +79,33 @@ in
       '';
     };
 
+    localSourceAllow = mkOption {
+      type = types.listOf types.str;
+      # Permissions snapshot and destroy are in case --no-sync-snap is not used
+      default = [ "bookmark" "hold" "send" "snapshot" "destroy" ];
+      description = ''
+        Permissions granted for the <option>services.syncoid.user</option> user
+        for local source datasets. See
+        <link xlink:href="https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html"/>
+        for available permissions.
+      '';
+    };
+
+    localTargetAllow = mkOption {
+      type = types.listOf types.str;
+      default = [ "change-key" "compression" "create" "mount" "mountpoint" "receive" "rollback" ];
+      example = [ "create" "mount" "receive" "rollback" ];
+      description = ''
+        Permissions granted for the <option>services.syncoid.user</option> user
+        for local target datasets. See
+        <link xlink:href="https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html"/>
+        for available permissions.
+        Make sure to include the <literal>change-key</literal> permission if you send raw encrypted datasets,
+        the <literal>compression</literal> permission if you send raw compressed datasets, and so on.
+        For remote target datasets you'll have to set your remote user permissions by yourself.
+      '';
+    };
+
     commonArgs = mkOption {
       type = types.listOf types.str;
       default = [ ];
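Review bot: The default for `localTargetAllow` grants more than the service had before this change: the hard-coded list removed further down in this commit was `create`, `mount`, `receive`, `rollback`, and the new default adds `change-key`, `compression` and `mountpoint` for every configured local target. As the description itself says, those three are only needed for particular send modes, and `mountpoint` lets the service user change where a received dataset is mounted. I would keep the previous set as the default, `default = [ "create" "mount" "receive" "rollback" ];`, and move the wider list into `example` so that it is an explicit opt-in. The description could also state that these permissions are delegated before each run and revoked afterwards, as the ExecStartPre/ExecStopPost lines in this commit show.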
@@ -133,6 +160,30 @@ in
             '';
           };
 
+          localSourceAllow = mkOption {
+            type = types.listOf types.str;
+            description = ''
+              Permissions granted for the <option>services.syncoid.user</option> user
+              for local source datasets. See
+              <link xlink:href="https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html"/>
+              for available permissions.
+              Defaults to <option>services.syncoid.localSourceAllow</option> option.
+            '';
+          };
+
+          localTargetAllow = mkOption {
+            type = types.listOf types.str;
+            description = ''
+              Permissions granted for the <option>services.syncoid.user</option> user
+              for local target datasets. See
+              <link xlink:href="https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html"/>
+              for available permissions.
+              Make sure to include the <literal>change-key</literal> permission if you send raw encrypted datasets,
+              the <literal>compression</literal> permission if you send raw compressed datasets, and so on.
+              For remote target datasets you'll have to set your remote user permissions by yourself.
+            '';
+          };
+
           sendOptions = mkOption {
             type = types.separatedString " ";
             default = "";
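Review bot: Neither per-dataset description says that a value set here replaces the global list rather than extending it. The submodule `config` block later in this commit assigns both options with `mkDefault`, so a dataset that sets `localTargetAllow = [ "change-key" ];` ends up without `receive` and the rest of the global set. I would add a sentence such as `A value set here replaces <option>services.syncoid.localTargetAllow</option>; it is not merged with it.` to the target description, and the matching sentence to the source description.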
@@ -179,6 +230,8 @@ in
         config = {
           source = mkDefault name;
           sshKey = mkDefault cfg.sshKey;
+          localSourceAllow = mkDefault cfg.localSourceAllow;
+          localTargetAllow = mkDefault cfg.localTargetAllow;
         };
       }));
       default = { };
@@ -221,13 +274,11 @@ in
             path = [ "/run/booted-system/sw/bin/" ];
             serviceConfig = {
               ExecStartPre =
-                # Permissions snapshot and destroy are in case --no-sync-snap is not used
-                (map (buildAllowCommand "allow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++
-                (map (buildAllowCommand "allow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target));
+                (map (buildAllowCommand "allow" c.localSourceAllow) (localDatasetName c.source)) ++
+                (map (buildAllowCommand "allow" c.localTargetAllow) (localDatasetName c.target));
               ExecStopPost =
-                # Permissions snapshot and destroy are in case --no-sync-snap is not used
-                (map (buildAllowCommand "unallow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++
-                (map (buildAllowCommand "unallow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target));
+                (map (buildAllowCommand "unallow" c.localSourceAllow) (localDatasetName c.source)) ++
+                (map (buildAllowCommand "unallow" c.localTargetAllow) (localDatasetName c.target));
               ExecStart = lib.escapeShellArgs ([ "${pkgs.sanoid}/bin/syncoid" ]
                 ++ optionals c.useCommonArgs cfg.commonArgs
                 ++ optional c.recursive "-r"
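Review bot: An empty list is accepted by `types.listOf types.str` but still produces one allow and one unallow command per dataset here, now with no permission names to pass. What the generated command looks like depends on `buildAllowCommand`, which is defined outside this hunk, but an administrator who sets `localSourceAllow = [ ];` to manage delegation by hand probably expects no command at all. Guarding each of the four lists would make that explicit, for example `(optionals (c.localSourceAllow != [ ]) (map (buildAllowCommand "allow" c.localSourceAllow) (localDatasetName c.source))) ++`. Because the unallow side now follows the configured list, a permission granted by an earlier run that never reached ExecStopPost stays delegated once it is removed from the option; a comment next to ExecStopPost should say so. The serviceConfig block continues past the end of the hunk.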