nixos/modules/services/backup/syncoid.nix at 21.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / services / backup / syncoid.nix
at 21.11-pre 7.1 kB view raw
  1{ config, lib, pkgs, ... }:
  2
  3with lib;
  4
  5let
  6  cfg = config.services.syncoid;
  7
  8  # Extract pool names of local datasets (ones that don't contain "@") that
  9  # have the specified type (either "source" or "target")
 10  getPools = type: unique (map (d: head (builtins.match "([^/]+).*" d)) (
 11    # Filter local datasets
 12    filter (d: !hasInfix "@" d)
 13    # Get datasets of the specified type
 14    (catAttrs type (attrValues cfg.commands))
 15  ));
 16in {
 17
 18    # Interface
 19
 20    options.services.syncoid = {
 21      enable = mkEnableOption "Syncoid ZFS synchronization service";
 22
 23      interval = mkOption {
 24        type = types.str;
 25        default = "hourly";
 26        example = "*-*-* *:15:00";
 27        description = ''
 28          Run syncoid at this interval. The default is to run hourly.
 29
 30          The format is described in
 31          <citerefentry><refentrytitle>systemd.time</refentrytitle>
 32          <manvolnum>7</manvolnum></citerefentry>.
 33        '';
 34      };
 35
 36      user = mkOption {
 37        type = types.str;
 38        default = "syncoid";
 39        example = "backup";
 40        description = ''
 41          The user for the service. ZFS privilege delegation will be
 42          automatically configured for any local pools used by syncoid if this
 43          option is set to a user other than root. The user will be given the
 44          "hold" and "send" privileges on any pool that has datasets being sent
 45          and the "create", "mount", "receive", and "rollback" privileges on
 46          any pool that has datasets being received.
 47        '';
 48      };
 49
 50      group = mkOption {
 51        type = types.str;
 52        default = "syncoid";
 53        example = "backup";
 54        description = "The group for the service.";
 55      };
 56
 57      sshKey = mkOption {
 58        type = types.nullOr types.path;
 59        # Prevent key from being copied to store
 60        apply = mapNullable toString;
 61        default = null;
 62        description = ''
 63          SSH private key file to use to login to the remote system. Can be
 64          overridden in individual commands.
 65        '';
 66      };
 67
 68      commonArgs = mkOption {
 69        type = types.listOf types.str;
 70        default = [];
 71        example = [ "--no-sync-snap" ];
 72        description = ''
 73          Arguments to add to every syncoid command, unless disabled for that
 74          command. See
 75          <link xlink:href="https://github.com/jimsalterjrs/sanoid/#syncoid-command-line-options"/>
 76          for available options.
 77        '';
 78      };
 79
 80      commands = mkOption {
 81        type = types.attrsOf (types.submodule ({ name, ... }: {
 82          options = {
 83            source = mkOption {
 84              type = types.str;
 85              example = "pool/dataset";
 86              description = ''
 87                Source ZFS dataset. Can be either local or remote. Defaults to
 88                the attribute name.
 89              '';
 90            };
 91
 92            target = mkOption {
 93              type = types.str;
 94              example = "user@server:pool/dataset";
 95              description = ''
 96                Target ZFS dataset. Can be either local
 97                (<replaceable>pool/dataset</replaceable>) or remote
 98                (<replaceable>user@server:pool/dataset</replaceable>).
 99              '';
100            };
101
102            recursive = mkOption {
103              type = types.bool;
104              default = false;
105              description = ''
106                Whether to also transfer child datasets.
107              '';
108            };
109
110            sshKey = mkOption {
111              type = types.nullOr types.path;
112              # Prevent key from being copied to store
113              apply = mapNullable toString;
114              description = ''
115                SSH private key file to use to login to the remote system.
116                Defaults to <option>services.syncoid.sshKey</option> option.
117              '';
118            };
119
120            sendOptions = mkOption {
121              type = types.separatedString " ";
122              default = "";
123              example = "Lc e";
124              description = ''
125                Advanced options to pass to zfs send. Options are specified
126                without their leading dashes and separated by spaces.
127              '';
128            };
129
130            recvOptions = mkOption {
131              type = types.separatedString " ";
132              default = "";
133              example = "ux recordsize o compression=lz4";
134              description = ''
135                Advanced options to pass to zfs recv. Options are specified
136                without their leading dashes and separated by spaces.
137              '';
138            };
139
140            useCommonArgs = mkOption {
141              type = types.bool;
142              default = true;
143              description = ''
144                Whether to add the configured common arguments to this command.
145              '';
146            };
147
148            extraArgs = mkOption {
149              type = types.listOf types.str;
150              default = [];
151              example = [ "--sshport 2222" ];
152              description = "Extra syncoid arguments for this command.";
153            };
154          };
155          config = {
156            source = mkDefault name;
157            sshKey = mkDefault cfg.sshKey;
158          };
159        }));
160        default = {};
161        example = literalExample ''
162          {
163            "pool/test".target = "root@target:pool/test";
164          }
165        '';
166        description = "Syncoid commands to run.";
167      };
168    };
169
170    # Implementation
171
172    config = mkIf cfg.enable {
173      users =  {
174        users = mkIf (cfg.user == "syncoid") {
175          syncoid = {
176            group = cfg.group;
177            isSystemUser = true;
178          };
179        };
180        groups = mkIf (cfg.group == "syncoid") {
181          syncoid = {};
182        };
183      };
184
185      systemd.services.syncoid = {
186        description = "Syncoid ZFS synchronization service";
187        script = concatMapStringsSep "\n" (c: lib.escapeShellArgs
188          ([ "${pkgs.sanoid}/bin/syncoid" ]
189            ++ (optionals c.useCommonArgs cfg.commonArgs)
190            ++ (optional c.recursive "-r")
191            ++ (optionals (c.sshKey != null) [ "--sshkey" c.sshKey ])
192            ++ c.extraArgs
193            ++ [ "--sendoptions" c.sendOptions
194                 "--recvoptions" c.recvOptions
195                 "--no-privilege-elevation"
196                 c.source c.target
197               ])) (attrValues cfg.commands);
198        after = [ "zfs.target" ];
199        serviceConfig = {
200          ExecStartPre = let
201            allowCmd = permissions: pool: lib.escapeShellArgs [
202              "+/run/booted-system/sw/bin/zfs" "allow"
203              cfg.user (concatStringsSep "," permissions) pool
204            ];
205          in
206            (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++
207            (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target"));
208          User = cfg.user;
209          Group = cfg.group;
210        };
211        startAt = cfg.interval;
212      };
213    };
214
215    meta.maintainers = with maintainers; [ lopsided98 ];
216  }