nixos/syncoid: Reformat file with nixpkgs-fmt
This commit is contained in:
parent
b9f98165ab
commit
fa58d89b24
@ -8,7 +8,8 @@ let
|
||||
# Extract local dasaset names (so no datasets containing "@")
|
||||
localDatasetName = d: optionals (d != null) (
|
||||
let m = builtins.match "([^/@]+[^@]*)" d; in
|
||||
optionals (m != null) m);
|
||||
optionals (m != null) m
|
||||
);
|
||||
|
||||
# Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
|
||||
escapeUnitName = name:
|
||||
@ -19,10 +20,14 @@ let
|
||||
# filesystems we've delegated permissions to.
|
||||
buildAllowCommand = zfsAction: permissions: dataset: lib.escapeShellArgs [
|
||||
# Here we explicitly use the booted system to guarantee the stable API needed by ZFS
|
||||
"-+/run/booted-system/sw/bin/zfs" zfsAction
|
||||
cfg.user (concatStringsSep "," permissions) dataset
|
||||
"-+/run/booted-system/sw/bin/zfs"
|
||||
zfsAction
|
||||
cfg.user
|
||||
(concatStringsSep "," permissions)
|
||||
dataset
|
||||
];
|
||||
in {
|
||||
in
|
||||
{
|
||||
|
||||
# Interface
|
||||
|
||||
@ -76,7 +81,7 @@ in {
|
||||
|
||||
commonArgs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
example = [ "--no-sync-snap" ];
|
||||
description = ''
|
||||
Arguments to add to every syncoid command, unless disabled for that
|
||||
@ -88,7 +93,7 @@ in {
|
||||
|
||||
service = mkOption {
|
||||
type = types.attrs;
|
||||
default = {};
|
||||
default = { };
|
||||
description = ''
|
||||
Systemd configuration common to all syncoid services.
|
||||
'';
|
||||
@ -158,7 +163,7 @@ in {
|
||||
|
||||
service = mkOption {
|
||||
type = types.attrs;
|
||||
default = {};
|
||||
default = { };
|
||||
description = ''
|
||||
Systemd configuration specific to this syncoid service.
|
||||
'';
|
||||
@ -166,7 +171,7 @@ in {
|
||||
|
||||
extraArgs = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
default = [ ];
|
||||
example = [ "--sshport 2222" ];
|
||||
description = "Extra syncoid arguments for this command.";
|
||||
};
|
||||
@ -176,7 +181,7 @@ in {
|
||||
sshKey = mkDefault cfg.sshKey;
|
||||
};
|
||||
}));
|
||||
default = {};
|
||||
default = { };
|
||||
example = literalExample ''
|
||||
{
|
||||
"pool/test".target = "root@target:pool/test";
|
||||
@ -201,13 +206,15 @@ in {
|
||||
};
|
||||
};
|
||||
groups = mkIf (cfg.group == "syncoid") {
|
||||
syncoid = {};
|
||||
syncoid = { };
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services = mapAttrs' (name: c:
|
||||
systemd.services = mapAttrs'
|
||||
(name: c:
|
||||
nameValuePair "syncoid-${escapeUnitName name}" (mkMerge [
|
||||
{ description = "Syncoid ZFS synchronization from ${c.source} to ${c.target}";
|
||||
{
|
||||
description = "Syncoid ZFS synchronization from ${c.source} to ${c.target}";
|
||||
after = [ "zfs.target" ];
|
||||
startAt = cfg.interval;
|
||||
# syncoid may need zpool to get feature@extensible_dataset
|
||||
@ -226,10 +233,14 @@ in {
|
||||
++ optional c.recursive "-r"
|
||||
++ optionals (c.sshKey != null) [ "--sshkey" c.sshKey ]
|
||||
++ c.extraArgs
|
||||
++ [ "--sendoptions" c.sendOptions
|
||||
"--recvoptions" c.recvOptions
|
||||
++ [
|
||||
"--sendoptions"
|
||||
c.sendOptions
|
||||
"--recvoptions"
|
||||
c.recvOptions
|
||||
"--no-privilege-elevation"
|
||||
c.source c.target
|
||||
c.source
|
||||
c.target
|
||||
]);
|
||||
User = cfg.user;
|
||||
Group = cfg.group;
|
||||
@ -246,7 +257,7 @@ in {
|
||||
# systemd-analyze security | grep syncoid-'*'
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
DeviceAllow = ["/dev/zfs"];
|
||||
DeviceAllow = [ "/dev/zfs" ];
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
NoNewPrivileges = true;
|
||||
@ -272,7 +283,7 @@ in {
|
||||
BindPaths = [ "/dev/zfs" ];
|
||||
BindReadOnlyPaths = [ builtins.storeDir "/etc" "/run" "/bin/sh" ];
|
||||
# Avoid useless mounting of RootDirectory= in the own RootDirectory= of ExecStart='s mount namespace.
|
||||
InaccessiblePaths = ["-+/run/syncoid/${escapeUnitName name}"];
|
||||
InaccessiblePaths = [ "-+/run/syncoid/${escapeUnitName name}" ];
|
||||
MountAPIVFS = true;
|
||||
# Create RootDirectory= in the host's mount namespace.
|
||||
RuntimeDirectory = [ "syncoid/${escapeUnitName name}" ];
|
||||
@ -283,8 +294,15 @@ in {
|
||||
# perf stat -x, 2>perf.log -e 'syscalls:sys_enter_*' syncoid …
|
||||
# awk >perf.syscalls -F "," '$1 > 0 {sub("syscalls:sys_enter_","",$3); print $3}' perf.log
|
||||
# systemd-analyze syscall-filter | grep -v -e '#' | sed -e ':loop; /^[^ ]/N; s/\n //; t loop' | grep $(printf ' -e \\<%s\\>' $(cat perf.syscalls)) | cut -f 1 -d ' '
|
||||
"~@aio" "~@chown" "~@keyring" "~@memlock" "~@privileged"
|
||||
"~@resources" "~@setuid" "~@sync" "~@timer"
|
||||
"~@aio"
|
||||
"~@chown"
|
||||
"~@keyring"
|
||||
"~@memlock"
|
||||
"~@privileged"
|
||||
"~@resources"
|
||||
"~@setuid"
|
||||
"~@sync"
|
||||
"~@timer"
|
||||
];
|
||||
SystemCallArchitectures = "native";
|
||||
# This is for BindPaths= and BindReadOnlyPaths=
|
||||
@ -294,8 +312,9 @@ in {
|
||||
}
|
||||
cfg.service
|
||||
c.service
|
||||
])) cfg.commands;
|
||||
]))
|
||||
cfg.commands;
|
||||
};
|
||||
|
||||
meta.maintainers = with maintainers; [ julm lopsided98 ];
|
||||
}
|
||||
}
|
||||
|