author | Elis Hirwing <elis@hirwing.se> | 2021-07-25 18:22:05 +0200 |
---|---|---|
committer | Elis Hirwing <elis@hirwing.se> | 2021-07-26 11:02:13 +0200 |
commit | ecd32b8104e6cca16fe1b2cfb89f39a8c7c01731 (patch) | |
tree | 89205dc31c829849d5e331f6d4dc702947aa39ff /nixos | |
parent | bb35e7c4044432111ab9fec5ef9c4260ae651582 (diff) | |
nixos/syncoid: Build unallow commands as a post job to drop permissions
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/backup/syncoid.nix | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index 80a704a7d26..71007f6c38e 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -14,6 +14,14 @@ let
   escapeUnitName = name:
     lib.concatMapStrings (s: if lib.isList s then "-" else s)
       (builtins.split "[^a-zA-Z0-9_.\\-]+" name);
+
+  # Function to build "zfs allow" and "zfs unallow" commands for the
+  # filesystems we've delegated permissions to.
+  buildAllowCommand = zfsAction: permissions: dataset: lib.escapeShellArgs [
+    # Here we explicitly use the booted system to guarantee the stable API needed by ZFS
+    "-+/run/booted-system/sw/bin/zfs" zfsAction
+    cfg.user (concatStringsSep "," permissions) dataset
+  ];
 in {
   # Interface
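Review bot: The `-` in `"-+/run/booted-system/sw/bin/zfs"` makes systemd ignore a non-zero exit from every command built by buildAllowCommand, which the replaced `allow` lines did not do; a failed `zfs allow` in ExecStartPre no longer fails the unit, and a failed `zfs unallow` in ExecStopPost is dropped silently, leaving the delegation in place with nothing reporting it. If tolerating failure is only wanted for the cleanup side, the prefix should come from the caller instead of being hard-coded, e.g. `buildAllowCommand = execPrefix: zfsAction: permissions: dataset: lib.escapeShellArgs [` with `(execPrefix + "/run/booted-system/sw/bin/zfs") zfsAction` as the command line. Either way the comment above the path should spell out what the prefix does, e.g. `# "-" ignores a non-zero exit, "+" runs the command with full privileges (systemd.service(5))`. The enclosing `let` block starts outside the hunk.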
@@ -206,15 +214,13 @@ in {
         path = [ "/run/booted-system/sw/bin/" ];
         serviceConfig = {
           ExecStartPre =
-            map (dataset: lib.escapeShellArgs [
-              "+/run/booted-system/sw/bin/zfs" "allow"
-              cfg.user "bookmark,hold,send,snapshot,destroy" dataset
-              # Permissions snapshot and destroy are in case --no-sync-snap is not used
-            ]) (localDatasetName c.source) ++
-            map (dataset: lib.escapeShellArgs [
-              "+/run/booted-system/sw/bin/zfs" "allow"
-              cfg.user "create,mount,receive,rollback" dataset
-            ]) (localDatasetName c.target);
+            # Permissions snapshot and destroy are in case --no-sync-snap is not used
+            (map (buildAllowCommand "allow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++
+            (map (buildAllowCommand "allow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target));
+          ExecStopPost =
+            # Permissions snapshot and destroy are in case --no-sync-snap is not used
+            (map (buildAllowCommand "unallow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++
+            (map (buildAllowCommand "unallow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target));
           ExecStart = lib.escapeShellArgs ([ "${pkgs.sanoid}/bin/syncoid" ]
             ++ optionals c.useCommonArgs cfg.commonArgs
             ++ optional c.recursive "-r"
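Review bot: The new ExecStopPost `zfs unallow` revokes the listed permissions for cfg.user on the dataset unconditionally, so it would also remove an identical delegation granted outside this unit — a manual `zfs allow`, or, if the module allows two commands to share a source or target dataset, the delegation a still-running sibling unit depends on. That overlap is worth stating next to ExecStopPost, e.g. `# Revokes these permissions for cfg.user even if another unit or an admin also delegated them`. The comment duplicated onto ExecStopPost, `# Permissions snapshot and destroy are in case --no-sync-snap is not used`, explains why the permissions were granted rather than why they are revoked; `# Revoke exactly what ExecStartPre delegated (same permission lists)` reads better there. The `serviceConfig` attribute set continues past the end of the hunk.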