From d87903ac6b184df2a944229c8905e2a0eea1ead2 Mon Sep 17 00:00:00 2001
From: Daniel Fullmer
Date: Fri, 20 Nov 2020 13:33:16 -0800
Subject: nixos/syncoid: fix permissions without --no-sync-snap

After 733acfa140d5b73bc69c53c4ebd90ccc5f281f0e, syncoid would fail to run if commonArgs did not include [ "--no-sync-snap" ], since it would not have permissions to create or destroy snapshots.
---
 nixos/modules/services/backup/syncoid.nix | 16 ++++++++--------
 nixos/tests/sanoid.nix | 1 -
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index e72e3fa59cf..b764db1f14e 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -197,14 +197,14 @@ in {
 ])) (attrValues cfg.commands);
 after = [ "zfs.target" ];
 serviceConfig = {
- ExecStartPre = (map (pool: lib.escapeShellArgs [
- "+/run/booted-system/sw/bin/zfs" "allow"
- cfg.user "hold,send" pool
- ]) (getPools "source")) ++
- (map (pool: lib.escapeShellArgs [
- "+/run/booted-system/sw/bin/zfs" "allow"
- cfg.user "create,mount,receive,rollback" pool
- ]) (getPools "target"));
+ ExecStartPre = let
+ allowCmd = permissions: pool: lib.escapeShellArgs [
+ "+/run/booted-system/sw/bin/zfs" "allow"
+ cfg.user (concatStringsSep "," permissions) pool
+ ];
+ in
+ (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++
+ (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target"));
 User = cfg.user;
 Group = cfg.group;
 };
diff --git a/nixos/tests/sanoid.nix b/nixos/tests/sanoid.nix
index 66ddaad60ea..44e14ef4e44 100644
--- a/nixos/tests/sanoid.nix
+++ b/nixos/tests/sanoid.nix
@@ -39,7 +39,6 @@ in {
 services.syncoid = {
 enable = true;
 sshKey = "/var/lib/syncoid/id_ecdsa";
- commonArgs = [ "--no-sync-snap" ];
 commands."pool/test".target = "root@target:pool/test";
 };
 };
--
cgit 1.4.1
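Review bot: The new source-side list in `ExecStartPre` delegates `snapshot` and `destroy` to `cfg.user` on every source pool unconditionally, so the backup account can now remove snapshots on the source that it did not create, even in configurations that still pass `--no-sync-snap` and never needed those rights. Consider granting the two extra permissions only when sync snapshots are actually in use, for example `(map (allowCmd ([ "hold" "send" ] ++ lib.optionals (!(builtins.elem "--no-sync-snap" cfg.commonArgs)) [ "snapshot" "destroy" ])) (getPools "source"))`, and add a comment above `allowCmd` saying why `destroy` is required. `getPools` is defined outside the hunk; if it returns whole pools rather than the configured datasets, the delegation covers more than the data being replicated. Nothing in the visible `serviceConfig` revokes the delegation after the run, so it presumably persists on the pool once the unit has started.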