nixos/sanoid: Extract datasets rather than pools

When making new snapshots we only need to delegate permissions to the
specific dataset rather than the entire pool.
Elis Hirwing 2021-07-25 10:00:37 +02:00
parent 70862830f0
commit bb35e7c404
No known key found for this signature in database
GPG key ID: D57EFA625C9A925F


@ -70,8 +70,8 @@ let
processChildrenOnly = process_children_only; processChildrenOnly = process_children_only;
}; };
# Extract pool names from configured datasets # Extract unique dataset names
pools = unique (map (d: head (builtins.match "([^/]+).*" d)) (attrNames cfg.datasets)); datasets = unique (attrNames cfg.datasets);
configFile = let configFile = let
mkValueString = v: mkValueString = v:
@ -156,18 +156,18 @@ in {
systemd.services.sanoid = { systemd.services.sanoid = {
description = "Sanoid snapshot service"; description = "Sanoid snapshot service";
serviceConfig = { serviceConfig = {
ExecStartPre = map (pool: lib.escapeShellArgs [ ExecStartPre = map (dataset: lib.escapeShellArgs [
"+/run/booted-system/sw/bin/zfs" "allow" "+/run/booted-system/sw/bin/zfs" "allow"
"sanoid" "snapshot,mount,destroy" pool "sanoid" "snapshot,mount,destroy" dataset
]) pools; ]) datasets;
ExecStart = lib.escapeShellArgs ([ ExecStart = lib.escapeShellArgs ([
"${pkgs.sanoid}/bin/sanoid" "${pkgs.sanoid}/bin/sanoid"
"--cron" "--cron"
"--configdir" (pkgs.writeTextDir "sanoid.conf" configFile) "--configdir" (pkgs.writeTextDir "sanoid.conf" configFile)
] ++ cfg.extraArgs); ] ++ cfg.extraArgs);
ExecStopPost = map (pool: lib.escapeShellArgs [ ExecStopPost = map (dataset: lib.escapeShellArgs [
"+/run/booted-system/sw/bin/zfs" "unallow" "sanoid" pool "+/run/booted-system/sw/bin/zfs" "unallow" "sanoid" dataset
]) pools; ]) datasets;
User = "sanoid"; User = "sanoid";
Group = "sanoid"; Group = "sanoid";
DynamicUser = true; DynamicUser = true;
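Review bot: The new `ExecStartPre` list runs one `zfs allow` per configured dataset, so a single dataset that does not exist yet, or whose pool is not imported, fails the pre-start step. With systemd's default handling that presumably stops sanoid from snapshotting every other dataset as well, which was much less likely when only pool names were used. If this all-or-nothing behaviour is not intended, the `-` exec prefix (`"-+/run/booted-system/sw/bin/zfs"`) would let the remaining delegations proceed, at the cost of a less visible failure. Separately, the `unique` in `unique (attrNames cfg.datasets)` is redundant because attribute names are already distinct. The delegation also still includes `destroy`, which by default covers the dataset and its descendants rather than snapshots only, so a comment such as `# destroy is needed for pruning; it is not limited to snapshots` next to the `zfs allow` line would make the remaining privilege explicit.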