From b9f98165ab22b3981d7017ce88f268c4176f8072 Mon Sep 17 00:00:00 2001
From: Elis Hirwing
Date: Sun, 25 Jul 2021 18:27:36 +0200
Subject: nixos/sanoid: Use a function to build allow/unallow commands
---
 nixos/modules/services/backup/sanoid.nix | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/backup/sanoid.nix b/nixos/modules/services/backup/sanoid.nix
index 9713581165b..c7f276e3f04 100644
--- a/nixos/modules/services/backup/sanoid.nix
+++ b/nixos/modules/services/backup/sanoid.nix
@@ -73,6 +73,17 @@ let
 # Extract unique dataset names
 datasets = unique (attrNames cfg.datasets);
 
+ # Function to build "zfs allow" and "zfs unallow" commands for the
+ # filesystems we've delegated permissions to.
+ buildAllowCommand = zfsAction: permissions: dataset: lib.escapeShellArgs [
+ # Here we explicitly use the booted system to guarantee the stable API needed by ZFS
+ "-+/run/booted-system/sw/bin/zfs"
+ zfsAction
+ "sanoid"
+ (concatStringsSep "," permissions)
+ dataset
+ ];
+
 configFile = let
 mkValueString = v:
 if builtins.isList v then concatStringsSep "," v
@@ -156,18 +167,13 @@ in {
 systemd.services.sanoid = {
 description = "Sanoid snapshot service";
 serviceConfig = {
- ExecStartPre = map (dataset: lib.escapeShellArgs [
- "+/run/booted-system/sw/bin/zfs" "allow"
- "sanoid" "snapshot,mount,destroy" dataset
- ]) datasets;
+ ExecStartPre = (map (buildAllowCommand "allow" [ "snapshot" "mount" "destroy" ]) datasets);
+ ExecStopPost = (map (buildAllowCommand "unallow" [ "snapshot" "mount" "destroy" ]) datasets);
 ExecStart = lib.escapeShellArgs ([
 "${pkgs.sanoid}/bin/sanoid"
 "--cron"
 "--configdir" (pkgs.writeTextDir "sanoid.conf" configFile)
 ] ++ cfg.extraArgs);
- ExecStopPost = map (dataset: lib.escapeShellArgs [
- "+/run/booted-system/sw/bin/zfs" "unallow" "sanoid" dataset
- ]) datasets;
 User = "sanoid";
 Group = "sanoid";
 DynamicUser = true;
-- 
cgit 1.4.1
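Review bot: The command prefix in `buildAllowCommand` changes from `+` to `-+` (the `"-+/run/booted-system/sw/bin/zfs"` element), a behaviour change the subject line does not mention: with `-`, systemd ignores a non-zero exit status. For the `unallow` call this means a failed revocation passes silently and the delegated permissions can remain on the dataset after the unit stops; since the unit sets `DynamicUser = true`, it is worth confirming that a leftover delegation cannot end up attached to a reused UID. The only comment explains the `/run/booted-system` path, so I would document the prefixes as well, e.g. `# "+" runs zfs with full privileges despite User=/DynamicUser; "-" makes systemd ignore a failing exit code`. If ignoring failure is wanted for only one direction, the `-` could be made to depend on `zfsAction`.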
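Review bot: `ExecStopPost` now revokes only the three listed permissions, whereas the removed line ran `zfs unallow sanoid DATASET` with no permission argument, which as far as I know removes every permission delegated to that user; anything granted to `sanoid` outside these three names is therefore no longer cleaned up on stop. The list `[ "snapshot" "mount" "destroy" ]` is also written out twice, so a later edit to the `allow` line that misses the `unallow` line would leave a permission granted after the service stops. Binding it once in the `let` block, e.g. `sanoidPermissions = [ "snapshot" "mount" "destroy" ];`, and passing that name to both `buildAllowCommand` calls keeps grant and revoke in step. The `serviceConfig` set continues past the end of this hunk.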