nixos/syncoid: Reformat file with nixpkgs-fmt

Elis Hirwing 2021-07-25 18:31:19 +02:00
parent b9f98165ab
commit fa58d89b24
No known key found for this signature in database
GPG Key ID: D57EFA625C9A925F


@ -8,7 +8,8 @@ let
# Extract local dasaset names (so no datasets containing "@")
localDatasetName = d: optionals (d != null) (
let m = builtins.match "([^/@]+[^@]*)" d; in
optionals (m != null) m);
optionals (m != null) m
);
# Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
escapeUnitName = name:
@ -19,10 +20,14 @@ let
# filesystems we've delegated permissions to.
buildAllowCommand = zfsAction: permissions: dataset: lib.escapeShellArgs [
# Here we explicitly use the booted system to guarantee the stable API needed by ZFS
"-+/run/booted-system/sw/bin/zfs" zfsAction
cfg.user (concatStringsSep "," permissions) dataset
"-+/run/booted-system/sw/bin/zfs"
zfsAction
cfg.user
(concatStringsSep "," permissions)
dataset
];
in {
in
{
# Interface
@ -76,7 +81,7 @@ in {
commonArgs = mkOption {
type = types.listOf types.str;
default = [];
default = [ ];
example = [ "--no-sync-snap" ];
description = ''
Arguments to add to every syncoid command, unless disabled for that
@ -88,7 +93,7 @@ in {
service = mkOption {
type = types.attrs;
default = {};
default = { };
description = ''
Systemd configuration common to all syncoid services.
'';
@ -158,7 +163,7 @@ in {
service = mkOption {
type = types.attrs;
default = {};
default = { };
description = ''
Systemd configuration specific to this syncoid service.
'';
@ -166,7 +171,7 @@ in {
extraArgs = mkOption {
type = types.listOf types.str;
default = [];
default = [ ];
example = [ "--sshport 2222" ];
description = "Extra syncoid arguments for this command.";
};
@ -176,7 +181,7 @@ in {
sshKey = mkDefault cfg.sshKey;
};
}));
default = {};
default = { };
example = literalExample ''
{
"pool/test".target = "root@target:pool/test";
@ -201,13 +206,15 @@ in {
};
};
groups = mkIf (cfg.group == "syncoid") {
syncoid = {};
syncoid = { };
};
};
systemd.services = mapAttrs' (name: c:
systemd.services = mapAttrs'
(name: c:
nameValuePair "syncoid-${escapeUnitName name}" (mkMerge [
{ description = "Syncoid ZFS synchronization from ${c.source} to ${c.target}";
{
description = "Syncoid ZFS synchronization from ${c.source} to ${c.target}";
after = [ "zfs.target" ];
startAt = cfg.interval;
# syncoid may need zpool to get feature@extensible_dataset
@ -226,10 +233,14 @@ in {
++ optional c.recursive "-r"
++ optionals (c.sshKey != null) [ "--sshkey" c.sshKey ]
++ c.extraArgs
++ [ "--sendoptions" c.sendOptions
"--recvoptions" c.recvOptions
++ [
"--sendoptions"
c.sendOptions
"--recvoptions"
c.recvOptions
"--no-privilege-elevation"
c.source c.target
c.source
c.target
]);
User = cfg.user;
Group = cfg.group;
@ -246,7 +257,7 @@ in {
# systemd-analyze security | grep syncoid-'*'
AmbientCapabilities = "";
CapabilityBoundingSet = "";
DeviceAllow = ["/dev/zfs"];
DeviceAllow = [ "/dev/zfs" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
NoNewPrivileges = true;
@ -272,7 +283,7 @@ in {
BindPaths = [ "/dev/zfs" ];
BindReadOnlyPaths = [ builtins.storeDir "/etc" "/run" "/bin/sh" ];
# Avoid useless mounting of RootDirectory= in the own RootDirectory= of ExecStart='s mount namespace.
InaccessiblePaths = ["-+/run/syncoid/${escapeUnitName name}"];
InaccessiblePaths = [ "-+/run/syncoid/${escapeUnitName name}" ];
MountAPIVFS = true;
# Create RootDirectory= in the host's mount namespace.
RuntimeDirectory = [ "syncoid/${escapeUnitName name}" ];
@ -283,8 +294,15 @@ in {
# perf stat -x, 2>perf.log -e 'syscalls:sys_enter_*' syncoid …
# awk >perf.syscalls -F "," '$1 > 0 {sub("syscalls:sys_enter_","",$3); print $3}' perf.log
# systemd-analyze syscall-filter | grep -v -e '#' | sed -e ':loop; /^[^ ]/N; s/\n //; t loop' | grep $(printf ' -e \\<%s\\>' $(cat perf.syscalls)) | cut -f 1 -d ' '
"~@aio" "~@chown" "~@keyring" "~@memlock" "~@privileged"
"~@resources" "~@setuid" "~@sync" "~@timer"
"~@aio"
"~@chown"
"~@keyring"
"~@memlock"
"~@privileged"
"~@resources"
"~@setuid"
"~@sync"
"~@timer"
];
SystemCallArchitectures = "native";
# This is for BindPaths= and BindReadOnlyPaths=
@ -294,8 +312,9 @@ in {
}
cfg.service
c.service
])) cfg.commands;
]))
cfg.commands;
};
meta.maintainers = with maintainers; [ julm lopsided98 ];
}
}