An Ansible role to install and configure automated ZFS snapshots and replication using Sanoid/Syncoid
Requirements
Sanoid package available in distribution
systemd
For Syncoid to replicate to a remote host, SSH access via public key authentication must be correctly set up for the relevant users.
All settings supported by Sanoid in templates are supported - see sanoid.conf and sanoid.defaults.conf for details
Similarly, most Syncoid flags are configurable via syncoid_syncs.
sanoid_datasets[]
| Variable | Default | Comments |
| --- | --- | --- |
| name | Required | ZFS dataset to snapshot |
| templates | Required | Sanoid template(s) to use for policy |
| recursive | "no" | Include child datasets with this dataset |
| process_children_only | "no" | Do not include this dataset |
| overrides | [] | List of template settings to override |
syncoid_syncs[]
| Variable | Default | Comments |
| --- | --- | --- |
| src | Required | Source ZFS dataset |
| src_host | "" | Source host |
| src_user | "root" | Source user. Ignored if src_host empty |
| dest | Required | Destination ZFS dataset |
| dest_host | "" | Destination host |
| dest_user | "root" | Destination user. Ignored if dest_host empty |
| recursive | "no" | Copy child datasets |
| force_delete | "no" | Remove destination datasets recursively |
Syncoid systemd Settings
| Variable | Default | Comments |
| --- | --- | --- |
| syncoid_service_name | "syncoid" | systemd service name for Syncoid |
| syncoid_timer_frequency | "daily" | systemd service frequency for Syncoid |
| syncoid_use_ssh_key | yes | Use an SSH key to login to remote hosts |
| syncoid_generate_ssh_key | yes | Generate an SSH key for Syncoid to use |
| syncoid_generated_ssh_key | id_syncoid | Name of generated SSH key |
| syncoid_ssh_key | /root/.ssh/{syncoid_generated_ssh_key\|id_rsa} | Path to SSH key for Syncoid to use |
| syncoid_ssh_key_install_remote | yes | Install specified SSH key on remote hosts. Requires remote hosts to be defined in inventory |
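
The variables from the three tables above combined into one set of host variables, as an added example that is not taken from the role's own documentation. The dataset names, the host `backup.example.org`, the `syncoid` account and the template name `production` are constructed values, and the scalar form of `templates` is an assumption.

```yaml
# Added example: variables for the host that runs Sanoid and Syncoid.
# All dataset names, hosts and users below are constructed sample values.

sanoid_datasets:
  # Snapshot tank/home and every child dataset under it.
  - name: tank/home
    templates: production   # assumption: a Sanoid template with this name exists
    recursive: "yes"
  # Snapshot only the children of tank/vm, not tank/vm itself.
  - name: tank/vm
    templates: production
    recursive: "yes"
    process_children_only: "yes"

syncoid_syncs:
  # Push replication: src_host is left at its default (""), so the source is
  # local and src_user is ignored. Only the destination is remote.
  - src: tank/home
    dest: backup/home
    dest_host: backup.example.org
    # The table's default is "root". A dedicated account is used here instead.
    # Assumption: the account exists on the destination and has been given the
    # ZFS permissions it needs to receive into backup/home.
    dest_user: syncoid
    recursive: "yes"
    # Keep the default so destination datasets are not removed recursively.
    force_delete: "no"

# Run the Syncoid service once a day under its default unit name.
syncoid_service_name: "syncoid"
syncoid_timer_frequency: "daily"

# Let the role generate a dedicated key rather than reuse a general-purpose one.
syncoid_use_ssh_key: yes
syncoid_generate_ssh_key: yes
syncoid_generated_ssh_key: id_syncoid

# Assumption: the public key is added to the syncoid account's authorized_keys
# on backup.example.org by other means, so remote installation is turned off.
syncoid_ssh_key_install_remote: no
```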
jimsalterjrs/sanoid#513 implements an insecure mode for syncoid which doesn't use SSH for transfers. This is useful when replicating to devices like a Raspberry Pi which doesn't support hardware AES and therefore transfer speed is CPU limited.
Additional software (socat and busybox) is required on both ends for the transfer to work, along with firewall rules to allow traffic.
When I run the role against a computer that already has configured the /etc/sanoid/sanoid.conf file, the role overwrites this file with the default template.
I guess this task should be changed in main.yaml from:
Currently this role generates RSA keys for Syncoid to pull the contents.
OpenSSH 9.5 uses the Ed25519 curve by default. It is considered more secure than RSA keys, while being more convenient and easier to handle, due to their shorter length.
It is suggested to add (optional) ed25519 key generation in a first step and to make it the default later, when proven stable.
In some situations it can be useful to have syncoid configured, but not enabled. This is currently not possible - if configurations exist, the timer will be enabled.