authorDaniel Fullmer <danielrf12@gmail.com>2020-11-20 13:33:16 -0800
committerDaniel Fullmer <danielrf12@gmail.com>2020-11-21 17:47:36 -0800
commitd87903ac6b184df2a944229c8905e2a0eea1ead2 (patch)
treeaeedbe6abb487d9bc03cf35e864b4ad56ed5fcb4
parent01083f116d9b63192c1a78b535cfb2a510e05223 (diff)
nixos/syncoid: fix permissions without --no-sync-snap
After 733acfa140d5b73bc69c53c4ebd90ccc5f281f0e, syncoid would fail to
run if commonArgs did not include [ "--no-sync-snap" ], since it would
not have permissions to create or destroy snapshots.
-rw-r--r--nixos/modules/services/backup/syncoid.nix16
-rw-r--r--nixos/tests/sanoid.nix1
2 files changed, 8 insertions, 9 deletions
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index e72e3fa59cf..b764db1f14e 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -197,14 +197,14 @@ in {
                ])) (attrValues cfg.commands);
         after = [ "zfs.target" ];
         serviceConfig = {
-          ExecStartPre = (map (pool: lib.escapeShellArgs [
-            "+/run/booted-system/sw/bin/zfs" "allow"
-            cfg.user "hold,send" pool
-          ]) (getPools "source")) ++
-          (map (pool: lib.escapeShellArgs [
-            "+/run/booted-system/sw/bin/zfs" "allow"
-            cfg.user "create,mount,receive,rollback" pool
-          ]) (getPools "target"));
+          ExecStartPre = let
+            allowCmd = permissions: pool: lib.escapeShellArgs [
+              "+/run/booted-system/sw/bin/zfs" "allow"
+              cfg.user (concatStringsSep "," permissions) pool
+            ];
+          in
+            (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++
+            (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target"));
           User = cfg.user;
           Group = cfg.group;
         };
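Review bot: The source-side grant `allowCmd [ "hold" "send" "snapshot" "destroy" ]` is applied unconditionally, so the syncoid user gets delegated `destroy` on every source even when `--no-sync-snap` is configured and no sync snapshots are created. ZFS delegation applies per dataset, not per snapshot name, so the permission is presumably not limited to syncoid's own snapshots, and a compromised or misbehaving service user could remove other snapshots under the same source. Consider granting the two extra permissions only when needed, e.g. `[ "hold" "send" ] ++ lib.optionals (!(builtins.elem "--no-sync-snap" cfg.commonArgs)) [ "snapshot" "destroy" ]` (assuming `cfg.commonArgs` is the option set in the test; per-command arguments would need the same check), with a comment explaining why `destroy` is granted. Nothing in the hunk revokes the grants with `zfs unallow` after the run, so they likely persist on the pool. The service definition starts and ends outside the hunk, so confirm whether cleanup exists elsewhere.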
diff --git a/nixos/tests/sanoid.nix b/nixos/tests/sanoid.nix
index 66ddaad60ea..44e14ef4e44 100644
--- a/nixos/tests/sanoid.nix
+++ b/nixos/tests/sanoid.nix
@@ -39,7 +39,6 @@ in {
       services.syncoid = {
         enable = true;
         sshKey = "/var/lib/syncoid/id_ecdsa";
-        commonArgs = [ "--no-sync-snap" ];
         commands."pool/test".target = "root@target:pool/test";
       };
     };