zfs conditionals and delegated perms

ansible/roles/zfs-install/defaults/main.yml

@@ -6,6 +6,7 @@ zfs_prereq_packages:
 zfs_packages:
   - zfs-utils
   - zfs-dkms
+  - mbuffer
 zfs_arc_min: '1073741824' 
 zfs_arc_max: '4294967296'
 zfs_zpool_ashift: '12'

ansible/roles/zfs-install/files/zfs-recv_authorized_keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+6ruP8XcCD3nWS9z0hp+Hnf6pxoL1nF4I0L9g9/3Sr zfs-recv@lab.balsillie.net

ansible/roles/zfs-install/tasks/main.yml

@@ -1,77 +1,99 @@
 ---
-- name: install zfs prerequisites
+- name: register kernel version
-  become: true
-  community.general.pacman:
-    name: "{{ zfs_prereq_packages }}"
-    state: latest
-    update_cache: true
-  when:
-    - ansible_os_family == 'Arch'
-
-- name: add gpg parameters file from template
-  become: true
-  ansible.builtin.template:
-    src: key-params.j2
-    dest: /root/key-params
-    owner: root
-    group: root
-    mode: 0660
-
-- name: generate gpg key for root
-  become: true
   ansible.builtin.shell: 
-    cmd: gpg --batch --gen-key /root/key-params
+    cmd: uname -r
+  check_mode: no
+  register: kernel_version
 
-- name: import zfs signing key
+- name: check if zfs kernel module exists
-  become: true
+  ansible.builtin.stat:
-  ansible.builtin.shell:
+    path: /lib/modules/{{ kernel_version.stdout }}/updates/dkms/zfs.ko.zst
-    cmd: gpg --receive-keys {{ aur_zfs_key_fingerprint|quote }}
+  register: zfs_module
 
-- name: trust zfs signing key
+- block:
-  become: true
+  - name: install zfs prerequisites
-  ansible.builtin.shell:
+    become: true
-    cmd: gpg --quick-lsign-key {{ aur_zfs_key_fingerprint|quote }}
+    community.general.pacman:
+      name: "{{ zfs_prereq_packages }}"
+      state: latest
+      update_cache: true
+    when:
+      - ansible_os_family == 'Arch'
 
-- name: install zfs module
+  - name: add gpg parameters file from template
-  become: true
+    become: true
-  community.general.pacman:
+    ansible.builtin.template:
-    executable: /usr/bin/pikaur
+      src: key-params.j2
-    name: "{{ zfs_packages }}"
+      dest: /root/key-params
-    state: latest
+      owner: root
-    update_cache: true
+      group: root
-  when:
+      mode: 0660
-    - ansible_os_family == 'Arch'
 
-- name: set zfs module parameters
+  - name: generate gpg key for root
-  become: true
+    become: true
-  ansible.builtin.template:
+    ansible.builtin.shell:
-    src: zfs.conf.j2
+      cmd: gpg --batch --gen-key /root/key-params
-    dest: /etc/modprobe.d/zfs.conf
-    owner: root
-    group: root
-    mode: 0664
 
-- name: load zfs module
+  - name: import zfs signing key
-  become: true
+    become: true
-  community.general.modprobe:
+    ansible.builtin.shell:
-    name: zfs
+      cmd: gpg --receive-keys {{ aur_zfs_key_fingerprint|quote }}
-    state: present
+
+  - name: trust zfs signing key
+    become: true
+    ansible.builtin.shell:
+      cmd: gpg --quick-lsign-key {{ aur_zfs_key_fingerprint|quote }}
+
+  - name: install zfs module
+    become: true
+    community.general.pacman:
+      executable: /usr/bin/pikaur
+      name: "{{ zfs_packages }}"
+      state: latest
+      update_cache: true
+    when:
+      - ansible_os_family == 'Arch'
+
+  - name: set zfs module parameters
+    become: true
+    ansible.builtin.template:
+      src: zfs.conf.j2
+      dest: /etc/modprobe.d/zfs.conf
+      owner: root
+      group: root
+      mode: 0664
+
+  - name: load zfs module
+    become: true
+    community.general.modprobe:
+      name: zfs
+      state: present
+
+  - name: enable zfs services
+    become: true
+    ansible.builtin.service:
+      name: "{{ item }}"
+      state: started
+      enabled: yes
+    loop:
+      - zfs-import-cache.service
+      - zfs-mount.service
+      - zfs.target
+  when: not zfs_module.stat.exists 
+
+- name: check if zpool exists
+  community.general.zpool_facts: 
+    name: "{{ zfs_zpool_name }}"
 
 - name: create zpool
   become: true
   ansible.builtin.shell:
     cmd: zpool create -o ashift={{ zfs_zpool_ashift|quote }} -o autotrim=on -o cachefile=/etc/zfs/zpool.cache -O acltype=posixacl -O atime=off -O xattr=sa -O mountpoint=none -O canmount=off -O devices=off -O compression={{ zfs_zpool_compression|quote }} {{ zfs_zpool_name|quote }} {{ zfs_zpool_type|quote }} {{ zfs_zpool_disk_a|quote }} {{ zfs_zpool_disk_b|quote }} 
+  when: ansible_zfs_pools[0].name != zfs_zpool_name
 
-- name: enable zfs services
+- name: check if zfs dataset exists
-  become: true
+  community.general.zfs_facts:
-  ansible.builtin.service:
+    name: "{{ zfs_backup_dataset }}"
-    name: "{{ item }}"
-    state: started
-    enabled: yes
-  loop:
-    - zfs-import-cache.service
-    - zfs-mount.service
-    - zfs.target
 
 - name: create backup zfs dataset
   community.general.zfs:
@@ -89,3 +111,48 @@
       volmode: dev
       devices: off
       atime: off
+  when: ansible_zfs_datasets[0].name != zfs_backup_dataset
+
+- name: create zfs receive user
+  become: true
+  ansible.builtin.user:
+    name: zfs-recv
+    shell: /bin/bash
+    state: present
+    create_home: yes
+
+- name: add ssh directory for zfs receive user
+  become: true
+  ansible.builtin.file:
+    path: /home/zfs-recv/.ssh
+    state: directory
+    owner: zfs-recv
+    group: zfs-recv
+    mode: 0755
+
+- name: add authorized key for zfs receive user
+  become: true
+  ansible.builtin.copy:
+    src: zfs-recv_authorized_keys
+    dest: /home/zfs-recv/.ssh/authorized_keys
+    owner: zfs-recv
+    group: zfs-recv
+    mode: 0644
+
+- name: add zfs delegated permission for zfs-recv user
+  become: true
+  community.general.zfs_delegate_admin:
+    name: "{{ zfs_backup_dataset }}"
+    local: yes
+    descendents: yes
+    state: present
+    users:
+      - zfs-recv
+    permissions:
+      - compression
+      - mountpoint
+      - create
+      - mount
+      - receive
+      - rollback
+      - recordsize