1 { config, lib, pkgs, ... }:
6 cfg = config.services.syncoid;
7 inherit (config.networking) nftables;
9 # Extract local dasaset names (so no datasets containing "@")
10 localDatasetName = d: optionals (d != null) (
11 let m = builtins.match "([^/@]+[^@]*)" d; in
12 optionals (m != null) m
15 # Escape as required by: https://www.freedesktop.org/software/systemd/man/systemd.unit.html
16 escapeUnitName = name:
17 lib.concatMapStrings (s: if lib.isList s then "-" else s)
18 (builtins.split "[^a-zA-Z0-9_.\\-]+" name);
20 # Function to build "zfs allow" commands for the filesystems we've
21 # delegated permissions to. It also checks if the target dataset
22 # exists before delegating permissions, if it doesn't exist we
23 # delegate it to the parent dataset. This should solve the case of
24 # provisoning new datasets.
25 buildAllowCommand = permissions: dataset: (
26 "-+${pkgs.writeShellScript "zfs-allow-${dataset}" ''
28 # Run a ZFS list on the dataset to check if it exists
29 if zfs list ${lib.escapeShellArg dataset} >/dev/null 2>/dev/null; then
30 zfs allow "$USER" ${lib.escapeShellArgs [
31 (concatStringsSep "," permissions)
35 zfs allow "$USER" ${lib.escapeShellArgs [
36 (concatStringsSep "," permissions)
37 # Remove the last part of the path
38 (builtins.dirOf dataset)
44 # Function to build "zfs unallow" commands for the filesystems we've
45 # delegated permissions to. Here we unallow both the target and
46 # the parent dataset because at this stage we have no way of
47 # knowing if the allow command did execute on the parent dataset or
48 # not in the pre-hook. We can't run the same if-then-else in the post hook
49 # since the dataset should have been created at this point.
50 buildUnallowCommand = dataset: (
51 "-+${pkgs.writeShellScript "zfs-unallow-${dataset}" ''
53 zfs unallow "$USER" ${lib.escapeShellArg dataset}
54 zfs unallow "$USER" ${lib.escapeShellArg (builtins.dirOf dataset)}
62 options.services.syncoid = {
63 enable = mkEnableOption "Syncoid ZFS synchronization service";
68 example = "*-*-* *:15:00";
70 Run syncoid at this interval. The default is to run hourly.
72 The format is described in
73 <citerefentry><refentrytitle>systemd.time</refentrytitle>
74 <manvolnum>7</manvolnum></citerefentry>.
79 type = types.nullOr types.path;
80 # Prevent key from being copied to store
81 apply = mapNullable toString;
84 SSH private key file to use to login to the remote system. Can be
85 overridden in individual commands.
86 For more SSH tuning, you may use syncoid's <literal>--sshoption</literal>
87 in <link linkend="opt-services.syncoid.commonArgs">commonArgs</link>
88 and/or in the <literal>extraArgs<literal> of a specific command.
92 localSourceAllow = mkOption {
93 type = types.listOf types.str;
94 # Permissions snapshot and destroy are in case --no-sync-snap is not used
95 default = [ "bookmark" "hold" "send" "snapshot" "destroy" ];
97 Permissions granted for the syncoid user for local source datasets.
98 See <link xlink:href="https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html"/>
99 for available permissions.
103 localTargetAllow = mkOption {
104 type = types.listOf types.str;
105 # destroy is needed :
106 # syncoid[3282027]: Resuming interrupted zfs send/receive from rpool/var/mail to losurdo/backup/mermet/var/mail (~ UNKNOWN remaining):
107 # syncoid[3282885]: cannot resume send: 'rpool/var/mail@autosnap_2021-10-17_15:00:19_hourly' used in the initial send no longer exists
108 # syncoid[3282897]: cannot receive: failed to read from stream
109 # syncoid[3282027]: WARN: resetting partially receive state because the snapshot source no longer exists
110 # syncoid[3283326]: cannot destroy 'losurdo/backup/mermet/var/mail/%recv': permission denied
111 default = [ "change-key" "compression" "create" "destroy" "mount" "mountpoint" "receive" "rollback" ];
112 example = [ "create" "mount" "receive" "rollback" ];
114 Permissions granted for the syncoid user for local target datasets.
115 See <link xlink:href="https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html"/>
116 for available permissions.
117 Make sure to include the <literal>change-key</literal> permission if you send raw encrypted datasets,
118 the <literal>compression</literal> permission if you send raw compressed datasets, and so on.
119 For remote target datasets you'll have to set your remote user permissions by yourself.
123 commonArgs = mkOption {
124 type = types.listOf types.str;
126 example = [ "--no-sync-snap" ];
128 Arguments to add to every syncoid command, unless disabled for that
130 <link xlink:href="https://github.com/jimsalterjrs/sanoid/#syncoid-command-line-options"/>
131 for available options.
139 Systemd configuration common to all syncoid services.
143 commands = mkOption {
144 type = types.attrsOf (types.submodule ({ name, ... }: {
148 example = "pool/dataset";
150 Source ZFS dataset. Can be either local or remote. Defaults to
157 example = "user@server:pool/dataset";
159 Target ZFS dataset. Can be either local
160 (<replaceable>pool/dataset</replaceable>) or remote
161 (<replaceable>user@server:pool/dataset</replaceable>).
165 recursive = mkEnableOption ''the transfer of child datasets'';
168 type = types.nullOr types.path;
169 # Prevent key from being copied to store
170 apply = mapNullable toString;
172 SSH private key file to use to login to the remote system.
173 Defaults to <option>services.syncoid.sshKey</option> option.
177 localSourceAllow = mkOption {
178 type = types.listOf types.str;
180 Permissions granted for the <option>services.syncoid.user</option> user
181 for local source datasets. See
182 <link xlink:href="https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html"/>
183 for available permissions.
184 Defaults to <option>services.syncoid.localSourceAllow</option> option.
188 localTargetAllow = mkOption {
189 type = types.listOf types.str;
191 Permissions granted for the <option>services.syncoid.user</option> user
192 for local target datasets. See
193 <link xlink:href="https://openzfs.github.io/openzfs-docs/man/8/zfs-allow.8.html"/>
194 for available permissions.
195 Make sure to include the <literal>change-key</literal> permission if you send raw encrypted datasets,
196 the <literal>compression</literal> permission if you send raw compressed datasets, and so on.
197 For remote target datasets you'll have to set your remote user permissions by yourself.
201 sendOptions = mkOption {
202 type = types.separatedString " ";
206 Advanced options to pass to zfs send. Options are specified
207 without their leading dashes and separated by spaces.
211 recvOptions = mkOption {
212 type = types.separatedString " ";
214 example = "ux recordsize o compression=lz4";
216 Advanced options to pass to zfs recv. Options are specified
217 without their leading dashes and separated by spaces.
221 useCommonArgs = mkEnableOption ''
222 configured common arguments to this command
223 '' // { default = true; };
229 Systemd configuration specific to this syncoid service.
233 extraArgs = mkOption {
234 type = types.listOf types.str;
236 example = [ "--sshport 2222" ];
237 description = "Extra syncoid arguments for this command.";
241 source = mkDefault name;
242 sshKey = mkDefault cfg.sshKey;
243 localSourceAllow = mkDefault cfg.localSourceAllow;
244 localTargetAllow = mkDefault cfg.localTargetAllow;
248 example = literalExample ''
250 "pool/test".target = "root@target:pool/test";
253 description = "Syncoid commands to run.";
259 config = mkIf cfg.enable {
260 systemd.services = mapAttrs'
262 nameValuePair "syncoid-${escapeUnitName name}" (mkMerge [
264 description = "Syncoid ZFS synchronization from ${c.source} to ${c.target}";
265 after = [ "zfs.target" ];
266 startAt = cfg.interval;
267 # Here we explicitly use the booted system to guarantee the stable API needed by ZFS.
268 # Moreover syncoid may need zpool to get feature@extensible_dataset.
269 path = [ "/run/booted-system/sw" ];
272 (map (buildAllowCommand c.localSourceAllow) (localDatasetName c.source)) ++
273 (map (buildAllowCommand c.localTargetAllow) (localDatasetName c.target)) ++
274 optional nftables.enable "+${pkgs.nftables}/bin/nft add element inet filter nixos-syncoid-uids { $USER }";
276 (map buildUnallowCommand (localDatasetName c.source)) ++
277 (map buildUnallowCommand (localDatasetName c.target)) ++
278 optional nftables.enable "+${pkgs.nftables}/bin/nft delete element inet filter nixos-syncoid-uids { $USER }";
279 ExecStart = lib.escapeShellArgs ([ "${pkgs.sanoid}/bin/syncoid" ]
280 ++ optionals c.useCommonArgs cfg.commonArgs
281 ++ optional c.recursive "--recursive"
282 ++ optionals (c.sshKey != null) [ "--sshkey" "\${CREDENTIALS_DIRECTORY}/ssh-key" ]
289 "--no-privilege-elevation"
294 LoadCredential = [ "ssh-key:${c.sshKey}" ];
295 # Prevent SSH control sockets of different syncoid services from interfering
297 # Permissive access to /proc because syncoid
298 # calls ps(1) to detect ongoing `zfs receive`.
300 ProtectProc = "default";
302 # The following options are only for optimizing:
303 # systemd-analyze security | grep syncoid-'*'
304 AmbientCapabilities = "";
305 CapabilityBoundingSet = "";
306 DeviceAllow = [ "/dev/zfs" ];
307 LockPersonality = true;
308 MemoryDenyWriteExecute = true;
309 NoNewPrivileges = true;
310 PrivateDevices = true;
311 PrivateMounts = true;
312 PrivateNetwork = mkDefault false;
315 ProtectControlGroups = true;
317 ProtectHostname = true;
318 ProtectKernelLogs = true;
319 ProtectKernelModules = true;
320 ProtectKernelTunables = true;
321 ProtectSystem = "strict";
323 RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
324 RestrictNamespaces = true;
325 RestrictRealtime = true;
326 RestrictSUIDSGID = true;
327 RootDirectory = "/run/syncoid/${escapeUnitName name}";
328 RootDirectoryStartOnly = true;
329 BindPaths = [ "/dev/zfs" ];
330 BindReadOnlyPaths = [ builtins.storeDir "/etc" "/run" "/bin/sh"
331 # A custom LD_LIBRARY_PATH is needed to access in `getent passwd`
332 # the systemd's entry about the DynamicUser=,
333 # so that ssh won't fail with: "No user exists for uid $UID".
334 # Unfortunately, Bash is incompatible with libnss_systemd.so:
335 # https://www.mail-archive.com/bug-bash@gnu.org/msg24306.html
336 # Hence the wrapping of ssh is done here as a mounted path,
337 # because Nixpkgs' wrapping of syncoid enforces the use
338 # of the ${pkgs.openssh}/bin/ssh path.
339 # This problem does not arise on NixOS systems where stdenv.hostPlatform.libc == "musl",
340 # because then Bash is built with --without-bash-malloc
341 ("${pkgs.writeShellScript "ssh-with-support-for-DynamicUser" ''
342 export LD_LIBRARY_PATH="${config.system.nssModules.path}"
343 exec -a ${pkgs.openssh}/bin/ssh /bin/ssh "$@"
344 ''}:${pkgs.openssh}/bin/ssh")
345 "${pkgs.openssh}/bin/ssh:/bin/ssh"
347 # Avoid useless mounting of RootDirectory= in the own RootDirectory= of ExecStart='s mount namespace.
348 InaccessiblePaths = [ "-+/run/syncoid/${escapeUnitName name}" ];
350 # Create RootDirectory= in the host's mount namespace.
351 RuntimeDirectory = [ "syncoid/${escapeUnitName name}" ];
352 RuntimeDirectoryMode = "700";
355 # Groups in @system-service which do not contain a syscall listed by:
356 # perf stat -x, 2>perf.log -e 'syscalls:sys_enter_*' syncoid …
357 # awk >perf.syscalls -F "," '$1 > 0 {sub("syscalls:sys_enter_","",$3); print $3}' perf.log
358 # systemd-analyze syscall-filter | grep -v -e '#' | sed -e ':loop; /^[^ ]/N; s/\n //; t loop' | grep $(printf ' -e \\<%s\\>' $(cat perf.syscalls)) | cut -f 1 -d ' '
368 SystemCallArchitectures = "native";
369 # This is for BindPaths= and BindReadOnlyPaths=
370 # to allow traversal of directories they create in RootDirectory=.
378 networking.nftables.ruleset = ''
379 # A set containing the dynamic UIDs of the syncoid services currently active
380 add set inet filter nixos-syncoid-uids { type uid; }
381 # Example of use (assuming fw2net is being called by the output chain):
382 #add rule inet filter fw2net meta skuid @nixos-syncoid-uids meta l4proto tcp accept
386 meta.maintainers = with maintainers; [ julm lopsided98 ];