From edf85740911cabde9fa259825d996f3e4d0eace7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20D=C3=A9siles?= <1536672+cdesiles@users.noreply.github.com>
Date: Fri, 14 Nov 2025 00:05:58 +0100
Subject: [PATCH] fix: zfs chown recursion high bug

---
 roles/zfs/tasks/dataset-ownership.yml | 18 +++++++++++++-----
 roles/zfs/tasks/datasets.yml | 10 ----------
 roles/zfs/tasks/install.yml | 4 ++--
 3 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/roles/zfs/tasks/dataset-ownership.yml b/roles/zfs/tasks/dataset-ownership.yml
index f6f9ac4..6c94b53 100644
--- a/roles/zfs/tasks/dataset-ownership.yml
+++ b/roles/zfs/tasks/dataset-ownership.yml
@@ -1,5 +1,5 @@
 ---
-# due to Ansible limitations, we cannot loop over a block, so we loop over a distinct tasks file...
+# due to Ansible limitations, we cannot loop over a block, so we loop over distinct task files
 # @see https://stackoverflow.com/a/58911694
 - name: Set ownership on dataset mountpoint
 block:
@@ -7,10 +7,18 @@
 ansible.builtin.command: "zfs get -H -o value mountpoint {{ dataset.name }}"
 register: mountpoint
 changed_when: false
- - name: Set owner of mountpoints
+
+ - name: Fail if mountpoint is system directory
+ ansible.builtin.fail:
+ msg: "Mountpoint resolved to a system directory ({{ mountpoint.stdout }}), aborting to avoid changing ownership."
+ when:
+ - mountpoint.stdout | trim == ''
+ - mountpoint.stdout | trim is not match('^/$|^(/usr|/bin|/sbin|/etc|/var|/lib|/lib64)$')
+
+ - name: Set mountpoint ownership
 ansible.builtin.file:
 path: "{{ mountpoint.stdout }}"
- owner: "{{ dataset.user | default(main_user) }}"
- group: "{{ dataset.group | default(main_user) }}"
+ owner: "{{ dataset.user | default(ansible_user) }}"
+ group: "{{ dataset.group | default(ansible_user) }}"
 state: directory
- recurse: true
+ recurse: false
diff --git a/roles/zfs/tasks/datasets.yml b/roles/zfs/tasks/datasets.yml
index d6eeaa1..383593c 100644
--- a/roles/zfs/tasks/datasets.yml
+++ b/roles/zfs/tasks/datasets.yml
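Review bot: The guard in the new `Fail if mountpoint is system directory` task can never fire for an actual system directory, because a `when:` list is ANDed: `mountpoint.stdout | trim == ''` and `mountpoint.stdout | trim is not match(...)` cannot both hold for `/` or `/etc`, so the only input that aborts is an empty mountpoint and a dataset that resolves to a system path goes straight to the ownership task below. The intended condition is an OR with a positive match: `when: mountpoint.stdout | trim == '' or mountpoint.stdout | trim is match('^/$|^(/usr|/bin|/sbin|/etc|/var|/lib|/lib64)$')`. `zfs get -H -o value mountpoint` can also print the literal values `none` or `legacy` instead of a path, which the pattern does not cover and which `ansible.builtin.file` would presumably treat as a relative path, so they belong in the same check. Separately, `default(ansible_user)` is only defined when the connection user is set explicitly in inventory or configuration; if the role relied on the removed `whoami` fact to cover that case, `ansible_user_id` from gathered facts or an explicit role variable with a documented default would be safer. The enclosing block starts before this hunk.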
@@ -8,16 +8,6 @@
 origin: "{{ item.origin | default(omit) }}"
 with_items: "{{ zfs_datasets }}"
 
-- ansible.builtin.command:
- cmd: whoami
- no_log: true
- become: false
- register: main_user
-
-- ansible.builtin.set_fact:
- main_user: "{{ main_user.stdout }}"
- no_log: true
-
 - name: Set dataset ownership
 ansible.builtin.include_tasks: "./dataset-ownership.yml"
 loop: "{{ zfs_datasets }}"
diff --git a/roles/zfs/tasks/install.yml b/roles/zfs/tasks/install.yml
index febb2ae..d357306 100644
--- a/roles/zfs/tasks/install.yml
+++ b/roles/zfs/tasks/install.yml
@@ -6,7 +6,7 @@
 failed_when: false
 
 - name: Install zfs
- when: zfs_dkms_installed.stderr
+ when: zfs_dkms_installed.stderr | length > 0
 block:
 - name: Disable SUDOERS password prompt for makepkg
 no_log: true
@@ -50,7 +50,7 @@
 failed_when: false
 
 - name: Install zrepl
- when: zrepl_installed.stderr
+ when: zrepl_installed.stderr | length > 0
 block:
 - name: Disable SUDOERS password prompt for makepkg
 no_log: true
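Review bot: `when: zfs_dkms_installed.stderr | length > 0` (and the identical `zrepl_installed` condition in the second install.yml hunk) still decides whether to run the whole install block from stderr being non-empty, so any warning the probe command writes to stderr re-runs the build while a failing probe that prints nothing on stderr skips it. If the registered variable comes from a command run with `failed_when: false`, as the preceding context line suggests, the return code is the reliable signal: `when: zfs_dkms_installed.rc != 0`. Each block also begins by disabling the sudoers password prompt for makepkg; the block body and any `always:` section that restores that setting lie outside the hunk, so confirm the prompt is re-enabled on every path, including when a later task fails.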