pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #79759 from lopsided98/syncoid-no-root

nixos/syncoid: automatically setup privilege delegation

Benjamin Hipple f98312fc 7426e53f

options
unified split
Changed files
+53 -8
nixos
modules
services
backup
syncoid.nix
tests
sanoid.nix
+48 -4
nixos/modules/services/backup/syncoid.nix 
···

       
4

       
4

       
 

       



     

       
5

       
5

       
 

       
let


     

       
6

       
6

       
 

       
  cfg = config.services.syncoid;


     

       

       
7

       
+

       



     

       

       
8

       
+

       
  # Extract pool names of local datasets (ones that don't contain "@") that


     

       

       
9

       
+

       
  # have the specified type (either "source" or "target")


     

       

       
10

       
+

       
  getPools = type: unique (map (d: head (builtins.match "([^/]+).*" d)) (


     

       

       
11

       
+

       
    # Filter local datasets


     

       

       
12

       
+

       
    filter (d: !hasInfix "@" d)


     

       

       
13

       
+

       
    # Get datasets of the specified type


     

       

       
14

       
+

       
    (catAttrs type (attrValues cfg.commands))


     

       

       
15

       
+

       
  ));


     

       
7

       
16

       
 

       
in {


     

       
8

       
17

       
 

       



     

       
9

       
18

       
 

       
    # Interface


     
···

       
26

       
35

       
 

       



     

       
27

       
36

       
 

       
      user = mkOption {


     

       
28

       
37

       
 

       
        type = types.str;


     

       
29

       

       
-

       
        default = "root";


     

       

       
38

       
+

       
        default = "syncoid";


     

       
30

       
39

       
 

       
        example = "backup";


     

       
31

       
40

       
 

       
        description = ''


     

       
32

       

       
-

       
          The user for the service. Sudo or ZFS privilege delegation must be


     

       
33

       

       
-

       
          configured to use a user other than root.


     

       

       
41

       
+

       
          The user for the service. ZFS privilege delegation will be


     

       

       
42

       
+

       
          automatically configured for any local pools used by syncoid if this


     

       

       
43

       
+

       
          option is set to a user other than root. The user will be given the


     

       

       
44

       
+

       
          "hold" and "send" privileges on any pool that has datasets being sent


     

       

       
45

       
+

       
          and the "create", "mount", "receive", and "rollback" privileges on


     

       

       
46

       
+

       
          any pool that has datasets being received.


     

       
34

       
47

       
 

       
        '';


     

       

       
48

       
+

       
      };


     

       

       
49

       
+

       



     

       

       
50

       
+

       
      group = mkOption {


     

       

       
51

       
+

       
        type = types.str;


     

       

       
52

       
+

       
        default = "syncoid";


     

       

       
53

       
+

       
        example = "backup";


     

       

       
54

       
+

       
        description = "The group for the service.";


     

       
35

       
55

       
 

       
      };


     

       
36

       
56

       
 

       



     

       
37

       
57

       
 

       
      sshKey = mkOption {


     
···

       
150

       
170

       
 

       
    # Implementation


     

       
151

       
171

       
 

       



     

       
152

       
172

       
 

       
    config = mkIf cfg.enable {


     

       

       
173

       
+

       
      users =  {


     

       

       
174

       
+

       
        users = mkIf (cfg.user == "syncoid") {


     

       

       
175

       
+

       
          syncoid = {


     

       

       
176

       
+

       
            group = cfg.group;


     

       

       
177

       
+

       
            isSystemUser = true;


     

       

       
178

       
+

       
          };


     

       

       
179

       
+

       
        };


     

       

       
180

       
+

       
        groups = mkIf (cfg.group == "syncoid") {


     

       

       
181

       
+

       
          syncoid = {};


     

       

       
182

       
+

       
        };


     

       

       
183

       
+

       
      };


     

       

       
184

       
+

       



     

       
153

       
185

       
 

       
      systemd.services.syncoid = {


     

       
154

       
186

       
 

       
        description = "Syncoid ZFS synchronization service";


     

       
155

       
187

       
 

       
        script = concatMapStringsSep "\n" (c: lib.escapeShellArgs


     
···

       
160

       
192

       
 

       
            ++ c.extraArgs


     

       
161

       
193

       
 

       
            ++ [ "--sendoptions" c.sendOptions


     

       
162

       
194

       
 

       
                 "--recvoptions" c.recvOptions


     

       

       
195

       
+

       
                 "--no-privilege-elevation"


     

       
163

       
196

       
 

       
                 c.source c.target


     

       
164

       
197

       
 

       
               ])) (attrValues cfg.commands);


     

       
165

       
198

       
 

       
        after = [ "zfs.target" ];


     

       
166

       

       
-

       
        serviceConfig.User = cfg.user;


     

       

       
199

       
+

       
        serviceConfig = {


     

       

       
200

       
+

       
          ExecStartPre = (map (pool: lib.escapeShellArgs [


     

       

       
201

       
+

       
            "+/run/booted-system/sw/bin/zfs" "allow"


     

       

       
202

       
+

       
            cfg.user "hold,send" pool


     

       

       
203

       
+

       
          ]) (getPools "source")) ++


     

       

       
204

       
+

       
          (map (pool: lib.escapeShellArgs [


     

       

       
205

       
+

       
            "+/run/booted-system/sw/bin/zfs" "allow"


     

       

       
206

       
+

       
            cfg.user "create,mount,receive,rollback" pool


     

       

       
207

       
+

       
          ]) (getPools "target"));


     

       

       
208

       
+

       
          User = cfg.user;


     

       

       
209

       
+

       
          Group = cfg.group;


     

       

       
210

       
+

       
        };


     

       
167

       
211

       
 

       
        startAt = cfg.interval;


     

       
168

       
212

       
 

       
      };


     

       
169

       
213

       
 

       
    };
+5 -4
nixos/tests/sanoid.nix 
···

       
38

       
38

       
 

       



     

       
39

       
39

       
 

       
      services.syncoid = {


     

       
40

       
40

       
 

       
        enable = true;


     

       
41

       

       
-

       
        sshKey = "/root/.ssh/id_ecdsa";


     

       

       
41

       
+

       
        sshKey = "/var/lib/syncoid/id_ecdsa";


     

       
42

       
42

       
 

       
        commonArgs = [ "--no-sync-snap" ];


     

       
43

       
43

       
 

       
        commands."pool/test".target = "root@target:pool/test";


     

       
44

       
44

       
 

       
      };


     
···

       
69

       
69

       
 

       
        "udevadm settle",


     

       
70

       
70

       
 

       
    )


     

       
71

       
71

       
 

       



     

       
72

       

       
-

       
    source.succeed("mkdir -m 700 /root/.ssh")


     

       
73

       
72

       
 

       
    source.succeed(


     

       
74

       

       
-

       
        "cat '${snakeOilPrivateKey}' > /root/.ssh/id_ecdsa"


     

       

       
73

       
+

       
        "mkdir -m 700 -p /var/lib/syncoid",


     

       

       
74

       
+

       
        "cat '${snakeOilPrivateKey}' > /var/lib/syncoid/id_ecdsa",


     

       

       
75

       
+

       
        "chmod 600 /var/lib/syncoid/id_ecdsa",


     

       

       
76

       
+

       
        "chown -R syncoid:syncoid /var/lib/syncoid/",


     

       
75

       
77

       
 

       
    )


     

       
76

       

       
-

       
    source.succeed("chmod 600 /root/.ssh/id_ecdsa")


     

       
77

       
78

       
 

       



     

       
78

       
79

       
 

       
    source.succeed("touch /tmp/mnt/test.txt")


     

       
79

       
80

       
 

       
    source.systemctl("start --wait sanoid.service")