From 6802eb4241377920f93593f479318f999b29c21a Mon Sep 17 00:00:00 2001
From: misuzu
Date: Fri, 13 Aug 2021 10:23:04 +0300
Subject: nixos/syncoid: add global and per-dataset permissions options
---
 nixos/modules/services/backup/syncoid.nix | 63 ++++++++++++++++++++++++++++---
 1 file changed, 57 insertions(+), 6 deletions(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index 73b01d4b53fa..3ad8d279a36d 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -79,6 +79,33 @@ in
 '';
 };
+ localSourceAllow = mkOption {
+ type = types.listOf types.str;
+ # Permissions snapshot and destroy are in case --no-sync-snap is not used
+ default = [ "bookmark" "hold" "send" "snapshot" "destroy" ];
+ description = ''
+ Permissions granted for the user
+ for local source datasets. See
+
+ for available permissions.
+ '';
+ };
+
+ localTargetAllow = mkOption {
+ type = types.listOf types.str;
+ default = [ "change-key" "compression" "create" "mount" "mountpoint" "receive" "rollback" ];
+ example = [ "create" "mount" "receive" "rollback" ];
+ description = ''
+ Permissions granted for the user
+ for local target datasets. See
+
+ for available permissions.
+ Make sure to include the change-key permission if you send raw encrypted datasets,
+ the compression permission if you send raw compressed datasets, and so on.
+ For remote target datasets you'll have to set your remote user permissions by yourself.
+ '';
+ };
+
 commonArgs = mkOption {
 type = types.listOf types.str;
 default = [ ];
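Review bot: The new `localTargetAllow` default delegates more than the module did before: the list removed from `ExecStartPre` in the last hunk was `[ "create" "mount" "receive" "rollback" ]`, while the default here adds `change-key`, `compression` and `mountpoint`. Because the per-dataset option falls back to this value through `mkDefault cfg.localTargetAllow`, existing configurations would have these extra ZFS permissions delegated to the syncoid user on every local target after upgrading, without opting in. Keeping the previous set as the default, `default = [ "create" "mount" "receive" "rollback" ];`, and moving the wider list to `example` would preserve least privilege. The description already tells users which permissions to add for raw encrypted or compressed sends.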
@@ -133,6 +160,30 @@ in
 '';
 };
+ localSourceAllow = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ Permissions granted for the user
+ for local source datasets. See
+
+ for available permissions.
+ Defaults to option.
+ '';
+ };
+
+ localTargetAllow = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ Permissions granted for the user
+ for local target datasets. See
+
+ for available permissions.
+ Make sure to include the change-key permission if you send raw encrypted datasets,
+ the compression permission if you send raw compressed datasets, and so on.
+ For remote target datasets you'll have to set your remote user permissions by yourself.
+ '';
+ };
+
 sendOptions = mkOption {
 type = types.separatedString " ";
 default = "";
@@ -179,6 +230,8 @@ in
 config = {
 source = mkDefault name;
 sshKey = mkDefault cfg.sshKey;
+ localSourceAllow = mkDefault cfg.localSourceAllow;
+ localTargetAllow = mkDefault cfg.localTargetAllow;
 };
 }));
 default = { };
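Review bot: The per-dataset `localTargetAllow` description omits the "Defaults to … option" sentence that the per-dataset `localSourceAllow` carries, and neither description says that a per-dataset value replaces the global list rather than extending it. The `config` block in the following hunk wires both with `mkDefault`, so a dataset that sets `localTargetAllow = [ "receive" ];` is granted only that permission and loses everything listed globally. I would add to both descriptions a line such as `Defaults to the global option of the same name; a value set here replaces that list.` so that someone narrowing or widening one dataset knows exactly which delegation results.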
@@ -221,13 +274,11 @@ in
 path = [ "/run/booted-system/sw/bin/" ];
 serviceConfig = {
 ExecStartPre =
- # Permissions snapshot and destroy are in case --no-sync-snap is not used
- (map (buildAllowCommand "allow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++
- (map (buildAllowCommand "allow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target));
+ (map (buildAllowCommand "allow" c.localSourceAllow) (localDatasetName c.source)) ++
+ (map (buildAllowCommand "allow" c.localTargetAllow) (localDatasetName c.target));
 ExecStopPost =
- # Permissions snapshot and destroy are in case --no-sync-snap is not used
- (map (buildAllowCommand "unallow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++
- (map (buildAllowCommand "unallow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target));
+ (map (buildAllowCommand "unallow" c.localSourceAllow) (localDatasetName c.source)) ++
+ (map (buildAllowCommand "unallow" c.localTargetAllow) (localDatasetName c.target));
 ExecStart = lib.escapeShellArgs ([ "${pkgs.sanoid}/bin/syncoid" ]
 ++ optionals c.useCommonArgs cfg.commonArgs
 ++ optional c.recursive "-r"
-- cgit v1.2.3
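Review bot: `c.localSourceAllow` and `c.localTargetAllow` reach `buildAllowCommand` unchecked in both `ExecStartPre` and `ExecStopPost`, and the options are declared as `types.listOf types.str`, so an empty list or a misspelled permission name is only discovered when the unit runs. `buildAllowCommand` is defined outside this hunk, so how it renders an empty list cannot be confirmed here; if it joins the names into a single argument, `zfs allow` and `zfs unallow` would receive an empty permission string. Declaring the options as `types.nonEmptyListOf types.str` would reject the empty case at evaluation time instead. The `serviceConfig` set continues past the end of the hunk.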