author | Elis Hirwing <elis@hirwing.se> | 2021-07-25 18:27:36 +0200 |
---|---|---|
committer | Elis Hirwing <elis@hirwing.se> | 2021-07-26 11:03:35 +0200 |
commit | b9f98165ab22b3981d7017ce88f268c4176f8072 (patch) | |
tree | e254fdf54ea5680fd2aa213ab98fdc1880853287 /nixos | |
parent | ecd32b8104e6cca16fe1b2cfb89f39a8c7c01731 (diff) | |
nixos/sanoid: Use a function to build allow/unallow commands
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/backup/sanoid.nix | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/nixos/modules/services/backup/sanoid.nix b/nixos/modules/services/backup/sanoid.nix
index 9713581165b..c7f276e3f04 100644
--- a/nixos/modules/services/backup/sanoid.nix
+++ b/nixos/modules/services/backup/sanoid.nix
@@ -73,6 +73,17 @@ let
 # Extract unique dataset names
 datasets = unique (attrNames cfg.datasets);
+ # Function to build "zfs allow" and "zfs unallow" commands for the
+ # filesystems we've delegated permissions to.
+ buildAllowCommand = zfsAction: permissions: dataset: lib.escapeShellArgs [
+ # Here we explicitly use the booted system to guarantee the stable API needed by ZFS
+ "-+/run/booted-system/sw/bin/zfs"
+ zfsAction
+ "sanoid"
+ (concatStringsSep "," permissions)
+ dataset
+ ];
+
 configFile = let
 mkValueString = v:
 if builtins.isList v then concatStringsSep "," v
@@ -156,18 +167,13 @@ in {
 systemd.services.sanoid = {
 description = "Sanoid snapshot service";
 serviceConfig = {
- ExecStartPre = map (dataset: lib.escapeShellArgs [
- "+/run/booted-system/sw/bin/zfs" "allow"
- "sanoid" "snapshot,mount,destroy" dataset
- ]) datasets;
+ ExecStartPre = (map (buildAllowCommand "allow" [ "snapshot" "mount" "destroy" ]) datasets);
+ ExecStopPost = (map (buildAllowCommand "unallow" [ "snapshot" "mount" "destroy" ]) datasets);
 ExecStart = lib.escapeShellArgs ([
 "${pkgs.sanoid}/bin/sanoid"
 "--cron"
 "--configdir" (pkgs.writeTextDir "sanoid.conf" configFile)
 ] ++ cfg.extraArgs);
- ExecStopPost = map (dataset: lib.escapeShellArgs [
- "+/run/booted-system/sw/bin/zfs" "unallow" "sanoid" dataset
- ]) datasets;
 User = "sanoid";
 Group = "sanoid";
 DynamicUser = true;
|
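Review bot: The `"-+/run/booted-system/sw/bin/zfs"` element in `buildAllowCommand` adds systemd's `-` prefix, which the removed lines did not have (they used `"+/run/booted-system/sw/bin/zfs"`), so this commit changes behaviour rather than only refactoring. With `-`, a failing `zfs allow` in `ExecStartPre` no longer prevents the unit from starting, and a failing `zfs unallow` in `ExecStopPost` is ignored, which can leave the delegation on the dataset after the service has stopped. If ignoring failures is intended (presumably for datasets that are not available at start), the comment above the path should say so, e.g. `# "-" ignores a non-zero exit, "+" runs with full privileges despite User=/DynamicUser=`. Otherwise the `-` should be dropped, at least for the `unallow` case.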
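Review bot: `ExecStopPost` now revokes only `snapshot`, `mount` and `destroy`, whereas the removed command (`zfs unallow sanoid <dataset>`) named no permissions and therefore removed every delegation held by that user on the dataset. Anything granted under that user name outside this list now survives a stop, which matters because `DynamicUser = true` means the identity is not a fixed account. The permission list is also written out twice, so the `allow` and `unallow` sides can drift apart. A single binding in the `let` block, `sanoidPermissions = [ "snapshot" "mount" "destroy" ];`, used in both `map (buildAllowCommand …)` calls would keep them in step. The `serviceConfig` block opens inside this hunk and closes outside it.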