diff --git a/nixos/modules/services/backup/syncoid.nix b/nixos/modules/services/backup/syncoid.nix
index 73b01d4b53fa..3ad8d279a36d 100644
--- a/nixos/modules/services/backup/syncoid.nix
+++ b/nixos/modules/services/backup/syncoid.nix
@@ -79,6 +79,33 @@ in
'';
};
+ localSourceAllow = mkOption {
+ type = types.listOf types.str;
+ # Permissions snapshot and destroy are in case --no-sync-snap is not used
+ default = [ "bookmark" "hold" "send" "snapshot" "destroy" ];
+ description = ''
+ Permissions granted for the user
+ for local source datasets. See
+
+ for available permissions.
+ '';
+ };
+
+ localTargetAllow = mkOption {
+ type = types.listOf types.str;
+ default = [ "change-key" "compression" "create" "mount" "mountpoint" "receive" "rollback" ];
+ example = [ "create" "mount" "receive" "rollback" ];
+ description = ''
+ Permissions granted for the user
+ for local target datasets. See
+
+ for available permissions.
+ Make sure to include the change-key permission if you send raw encrypted datasets,
+ the compression permission if you send raw compressed datasets, and so on.
+ For remote target datasets you'll have to set your remote user permissions by yourself.
+ '';
+ };
+
commonArgs = mkOption {
type = types.listOf types.str;
default = [ ];
@@ -133,6 +160,30 @@ in
'';
};
+ localSourceAllow = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ Permissions granted for the user
+ for local source datasets. See
+
+ for available permissions.
+ Defaults to option.
+ '';
+ };
+
+ localTargetAllow = mkOption {
+ type = types.listOf types.str;
+ description = ''
+ Permissions granted for the user
+ for local target datasets. See
+
+ for available permissions.
+ Make sure to include the change-key permission if you send raw encrypted datasets,
+ the compression permission if you send raw compressed datasets, and so on.
+ For remote target datasets you'll have to set your remote user permissions by yourself.
+ '';
+ };
+
sendOptions = mkOption {
type = types.separatedString " ";
default = "";
@@ -179,6 +230,8 @@ in
config = {
source = mkDefault name;
sshKey = mkDefault cfg.sshKey;
+ localSourceAllow = mkDefault cfg.localSourceAllow;
+ localTargetAllow = mkDefault cfg.localTargetAllow;
};
}));
default = { };
@@ -221,13 +274,11 @@ in
path = [ "/run/booted-system/sw/bin/" ];
serviceConfig = {
ExecStartPre =
- # Permissions snapshot and destroy are in case --no-sync-snap is not used
- (map (buildAllowCommand "allow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++
- (map (buildAllowCommand "allow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target));
+ (map (buildAllowCommand "allow" c.localSourceAllow) (localDatasetName c.source)) ++
+ (map (buildAllowCommand "allow" c.localTargetAllow) (localDatasetName c.target));
ExecStopPost =
- # Permissions snapshot and destroy are in case --no-sync-snap is not used
- (map (buildAllowCommand "unallow" [ "bookmark" "hold" "send" "snapshot" "destroy" ]) (localDatasetName c.source)) ++
- (map (buildAllowCommand "unallow" [ "create" "mount" "receive" "rollback" ]) (localDatasetName c.target));
+ (map (buildAllowCommand "unallow" c.localSourceAllow) (localDatasetName c.source)) ++
+ (map (buildAllowCommand "unallow" c.localTargetAllow) (localDatasetName c.target));
ExecStart = lib.escapeShellArgs ([ "${pkgs.sanoid}/bin/syncoid" ]
++ optionals c.useCommonArgs cfg.commonArgs
++ optional c.recursive "-r"