diff options
author | Elis Hirwing <elis@hirwing.se> | 2021-07-25 09:59:18 +0200 |
---|---|---|
committer | Elis Hirwing <elis@hirwing.se> | 2021-07-25 10:12:32 +0200 |
commit | 70862830f0a1415acd6c9fb7fc74ab59530f41dc (patch) | |
tree | d1f795ff862f2c4d877f1ec9bf76cf3ef1b60e4d | |
parent | 9df5935217ef8979adb7b14004fadc9fdcc898d4 (diff) | |
download | nixpkgs-70862830f0a1415acd6c9fb7fc74ab59530f41dc.tar nixpkgs-70862830f0a1415acd6c9fb7fc74ab59530f41dc.tar.gz nixpkgs-70862830f0a1415acd6c9fb7fc74ab59530f41dc.tar.bz2 nixpkgs-70862830f0a1415acd6c9fb7fc74ab59530f41dc.tar.lz nixpkgs-70862830f0a1415acd6c9fb7fc74ab59530f41dc.tar.xz nixpkgs-70862830f0a1415acd6c9fb7fc74ab59530f41dc.tar.zst nixpkgs-70862830f0a1415acd6c9fb7fc74ab59530f41dc.zip |
nixos/syncoid: Extract datasets rather than pools
When sending or receiving datasets with the old implementation it wouldn't matter which dataset we were sending or receiving, we would always delegate permissions to the entire pool.
-rw-r--r-- | nixos/modules/services/backup/syncoid.nix | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix index 888ef20f642..80a704a7d26 100644 --- a/nixos/modules/services/backup/syncoid.nix +++ b/nixos/modules/services/backup/syncoid.nix @@ -5,9 +5,9 @@ with lib; let cfg = config.services.syncoid; - # Extract the pool name of a local dataset (any dataset not containing "@") - localPoolName = d: optionals (d != null) ( - let m = builtins.match "([^/@]+)[^@]*" d; in + # Extract local dasaset names (so no datasets containing "@") + localDatasetName = d: optionals (d != null) ( + let m = builtins.match "([^/@]+[^@]*)" d; in optionals (m != null) m); # Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html @@ -206,15 +206,15 @@ in { path = [ "/run/booted-system/sw/bin/" ]; serviceConfig = { ExecStartPre = - map (pool: lib.escapeShellArgs [ + map (dataset: lib.escapeShellArgs [ "+/run/booted-system/sw/bin/zfs" "allow" - cfg.user "bookmark,hold,send,snapshot,destroy" pool + cfg.user "bookmark,hold,send,snapshot,destroy" dataset # Permissions snapshot and destroy are in case --no-sync-snap is not used - ]) (localPoolName c.source) ++ - map (pool: lib.escapeShellArgs [ + ]) (localDatasetName c.source) ++ + map (dataset: lib.escapeShellArgs [ "+/run/booted-system/sw/bin/zfs" "allow" - cfg.user "create,mount,receive,rollback" pool - ]) (localPoolName c.target); + cfg.user "create,mount,receive,rollback" dataset + ]) (localDatasetName c.target); ExecStart = lib.escapeShellArgs ([ "${pkgs.sanoid}/bin/syncoid" ] ++ optionals c.useCommonArgs cfg.commonArgs ++ optional c.recursive "-r" |