nixos/syncoid: fix permissions without --no-sync-snap

After 733acfa140, syncoid would fail to run if commonArgs did not include [ "--no-sync-snap" ], since it would not have permissions to create or destroy snapshots.
2020-11-20 13:33:16 -08:00 · 2020-11-20 13:33:16 -08:00 · d87903ac6b
commit d87903ac6b
parent 01083f116d
2 changed files with 8 additions and 9 deletions
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@ -197,14 +197,14 @@ in {
               ])) (attrValues cfg.commands);
        after = [ "zfs.target" ];
        serviceConfig = {
-          ExecStartPre = (map (pool: lib.escapeShellArgs [
-            "+/run/booted-system/sw/bin/zfs" "allow"
-            cfg.user "hold,send" pool
-          ]) (getPools "source")) ++
-          (map (pool: lib.escapeShellArgs [
-            "+/run/booted-system/sw/bin/zfs" "allow"
-            cfg.user "create,mount,receive,rollback" pool
-          ]) (getPools "target"));
+          ExecStartPre = let
+            allowCmd = permissions: pool: lib.escapeShellArgs [
+              "+/run/booted-system/sw/bin/zfs" "allow"
+              cfg.user (concatStringsSep "," permissions) pool
+            ];
+          in
+            (map (allowCmd [ "hold" "send" "snapshot" "destroy" ]) (getPools "source")) ++
+            (map (allowCmd [ "create" "mount" "receive" "rollback" ]) (getPools "target"));
          User = cfg.user;
          Group = cfg.group;
        };
--- a/nixos/tests/sanoid.nix
+++ b/nixos/tests/sanoid.nix
@ -39,7 +39,6 @@ in {
      services.syncoid = {
        enable = true;
        sshKey = "/var/lib/syncoid/id_ecdsa";
-        commonArgs = [ "--no-sync-snap" ];
        commands."pool/test".target = "root@target:pool/test";
      };
    };