From 2df709af93e92cc98cd3dedd0f3eac8a2e3025e9 Mon Sep 17 00:00:00 2001
From: Alex Mickelson
Date: Sat, 7 Feb 2026 15:00:00 -0700
Subject: [PATCH] zfs permissions
---
 nix/modules/gitea-runner.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/nix/modules/gitea-runner.nix b/nix/modules/gitea-runner.nix
index 9c5c7d8..06b3be5 100644
--- a/nix/modules/gitea-runner.nix
+++ b/nix/modules/gitea-runner.nix
@@ -50,6 +50,20 @@
 users.groups.gitea-runner = { };
+ system.activationScripts.zfs-delegate-gitea-runner = {
+ text =
+ let
+ poolNames = [ "data-ssd", "backup" ];
+ permissions = "compression,create,destroy,mount,mountpoint,receive,rollback,send,snapshot,hold";
+ in
+ ''
+ ${lib.concatMapStringsSep "\n" (pool:
+ "${pkgs.zfs}/bin/zfs allow -u gitea-runner ${permissions} ${pool} || true"
+ ) poolNames}
+ '';
+ deps = [ ];
+ };
+
 systemd.services.gitea-runner-infrastructure.serviceConfig = {
 WorkingDirectory = lib.mkForce "/var/lib/gitea-runner/infrastructure";
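Review bot: The `zfs allow` line delegates `destroy`, `rollback`, `receive` and `mount` to `gitea-runner` at the root of both `data-ssd` and `backup`, and without `-l` or `-d` the grant also covers every descendant dataset, so any job running as that user gets the right to destroy or roll back data on the backup pool. Delegating on a dedicated child dataset instead (for example `poolNames = [ "data-ssd/<runner-dataset>" ];`, placeholder name) and dropping the permissions the runner does not need would keep a compromised or buggy CI job away from the backups. Separately, `poolNames = [ "data-ssd", "backup" ];` is not valid Nix, because list elements are separated by whitespace; it should read `poolNames = [ "data-ssd" "backup" ];`. The trailing `|| true` also hides a failed delegation, so a warning echoed to the activation log would make a missing pool or a rejected permission visible instead of silently leaving the runner without access.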