diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index e72e3fa59cf9..b764db1f14e4 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -197,14 +197,14 @@ in {
 ])) (attrValues cfg.commands);
 after = [ "zfs.target" ];
 serviceConfig = {
- ExecStartPre = (map (pool: lib.escapeShellArgs [
- "+/run/booted-system/sw/bin/zfs" "allow"
- cfg.user "hold,send" pool
- ]) (getPools "source")) ++
- (map (pool: lib.escapeShellArgs [
- "+/run/booted-system/sw/bin/zfs" "allow"
- cfg.user "create,mount,receive,rollback" pool
- ]) (getPools "target"));
+ ExecStartPre = let
+ allowCmd = permissions: pool: lib.escapeShellArgs [
+ "+/run/booted-system/sw/bin/zfs" "allow"
+ cfg.user (concatStringsSep "," permissions) pool
+ ];
+ in
+ (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++
+ (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target"));
 User = cfg.user;
 Group = cfg.group;
 };
diff --git a/nixos/tests/sanoid.nix b/nixos/tests/sanoid.nix
index da6d4c9ffe82..c691bfc08ef7 100644
--- a/nixos/tests/sanoid.nix
+++ b/nixos/tests/sanoid.nix
@@ -33,14 +33,22 @@ in {
 autosnap = true;
 };
- datasets."pool/test".useTemplate = [ "test" ];
+ datasets."pool/sanoid".useTemplate = [ "test" ];
+ extraArgs = [ "--verbose" ];
 };
 services.syncoid = {
 enable = true;
 sshKey = "/var/lib/syncoid/id_ecdsa";
- commonArgs = [ "--no-sync-snap" ];
- commands."pool/test".target = "root@target:pool/test";
+ commands = {
+ # Sync snapshot taken by sanoid
+ "pool/sanoid" = {
+ target = "root@target:pool/sanoid";
+ extraArgs = [ "--no-sync-snap" ];
+ };
+ # Take snapshot and sync
+ "pool/syncoid".target = "root@target:pool/syncoid";
+ };
 };
 };
 target = { ... }: {
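Review bot: In the `ExecStartPre` hunk of nixos/modules/services/backup/syncoid.nix, `allowCmd [ "hold" "send" "snapshot" "destroy" ]` delegates `snapshot` and `destroy` to `cfg.user` on every entry of `getPools "source"`, including commands that pass `--no-sync-snap` and so never create or prune a sync snapshot. A ZFS `destroy` delegation is not limited to syncoid's own snapshots, so this widens what a compromised syncoid account or its SSH key can do on the source, and nothing visible in this hunk revokes the grant with `zfs unallow` when the unit stops or a command is removed from the configuration. I would make the source permission list configurable so that `[ "hold" "send" ]` remains possible for `--no-sync-snap` setups, and at minimum add a comment above the list such as `# snapshot/destroy are only needed for syncoid's own sync snapshots; not required with --no-sync-snap`. `getPools` is defined outside the hunk, so whether the grant lands on the pool root or on the individual dataset cannot be checked here; if it is the pool root, the delegation is presumably inherited by every dataset in that pool.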
@@ -54,18 +62,19 @@ in {
 testScript = ''
 source.succeed(
- "mkdir /tmp/mnt",
+ "mkdir /mnt",
 "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s",
 "udevadm settle",
- "zpool create pool /dev/vdb1",
- "zfs create -o mountpoint=legacy pool/test",
- "mount -t zfs pool/test /tmp/mnt",
+ "zpool create pool -R /mnt /dev/vdb1",
+ "zfs create pool/sanoid",
+ "zfs create pool/syncoid",
 "udevadm settle",
 )
 target.succeed(
+ "mkdir /mnt",
 "parted --script /dev/vdb -- mklabel msdos mkpart primary 1024M -1s",
 "udevadm settle",
- "zpool create pool /dev/vdb1",
+ "zpool create pool -R /mnt /dev/vdb1",
 "udevadm settle",
 )
@@ -76,16 +85,15 @@ in {
 "chown -R syncoid:syncoid /var/lib/syncoid/",
 )
- source.succeed("touch /tmp/mnt/test.txt")
+ # Take snapshot with sanoid
+ source.succeed("touch /mnt/pool/sanoid/test.txt")
 source.systemctl("start --wait sanoid.service")
+ # Sync snapshots
 target.wait_for_open_port(22)
+ source.succeed("touch /mnt/pool/syncoid/test.txt")
 source.systemctl("start --wait syncoid.service")
- target.succeed(
- "mkdir /tmp/mnt",
- "zfs set mountpoint=legacy pool/test",
- "mount -t zfs pool/test /tmp/mnt",
- )
- target.succeed("cat /tmp/mnt/test.txt")
+ target.succeed("cat /mnt/pool/sanoid/test.txt")
+ target.succeed("cat /mnt/pool/syncoid/test.txt")
 '';
 })
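Review bot: The two closing assertions in the last hunk of nixos/tests/sanoid.nix, `target.succeed("cat /mnt/pool/sanoid/test.txt")` and `target.succeed("cat /mnt/pool/syncoid/test.txt")`, only prove that data arrived on the target, so the test would still pass if the module delegated more ZFS permissions than intended or if the `--no-sync-snap` command began creating sync snapshots. Because this commit widens the source delegation to include `snapshot` and `destroy`, I would add a check on the source after `syncoid.service` has run that inspects the output of `zfs allow pool` for the syncoid user, plus a check that `pool/sanoid` on the source carries no syncoid-created snapshot. The exact output format should be confirmed against the ZFS version used by the test before pinning a match pattern. `testScript` opens in the previous hunk, so the setup these assertions rely on is only partly visible here.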