dotfiles/modules/nixos/services/syncoid/default.nix

92 lines
2.5 KiB
Nix
Raw Normal View History

{
options,
config,
pkgs,
lib,
...
}: let
inherit (lib) mkIf;
cfg = config.aa.services.syncoid;
in {
options.aa.services.syncoid = with lib; {
enable = mkEnableOption "syncoid (ZFS snap replication)";
commands = mkOption {
type = types.attrs;
default = {};
description = "Commands to pass directly to syncoid, see `services.syncoid.commands`";
};
remoteTargetUser = mkOption {
type = types.str;
default = "";
description = "The user to use on the target machine.";
};
remoteTargetDatasets = mkOption {
type = types.listOf types.str;
default = [];
description = "Datasets to be used as a remote target (e.g. a NAS's backups dataset)";
};
remoteTargetPublicKeys = mkOption {
type = types.listOf types.str;
default = [];
description = "SSH public keys that the syncoid service's user should trust";
};
};
config = mkIf cfg.enable {
services.syncoid = {
enable = true;
2023-08-25 00:28:10 +00:00
localSourceAllow =
options.services.syncoid.localSourceAllow.default
++ [
"mount"
];
localTargetAllow =
options.services.syncoid.localTargetAllow.default
++ [
"destroy"
];
commands = lib.mkAliasDefinitions options.aa.services.syncoid.commands;
};
2023-08-25 00:28:10 +00:00
environment.systemPackages = mkIf (cfg.remoteTargetUser != "") (with pkgs; [
lzop
mbuffer
]);
users = mkIf (cfg.remoteTargetUser != "") {
users."${cfg.remoteTargetUser}" = {
shell = pkgs.bashInteractive;
group = cfg.remoteTargetUser;
isSystemUser = true;
home = "/var/lib/${cfg.remoteTargetUser}";
createHome = true;
openssh.authorizedKeys.keys = cfg.remoteTargetPublicKeys;
};
groups."${cfg.remoteTargetUser}" = {};
};
systemd.services.setup-syncoid-remote = {
description = "Permission setup for syncoid remote targets";
documentation = ["https://github.com/jimsalterjrs/sanoid/wiki/Syncoid#running-without-root"];
wantedBy = ["multi-user.target"];
path = [pkgs.zfs];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";
};
script = ''
DATASETS=(${toString cfg.remoteTargetDatasets})
for dataset in "''${DATASETS[@]}"; do
zfs allow \
-u ${cfg.remoteTargetUser} \
compression,mountpoint,create,mount,receive,rollback,destroy \
"$dataset"
done
'';
};
};
}