Configuration
Goals:
- End goal: mount an NFS share over the LAN either automatically at boot or on-demand when files are accessed
- Current goal: mount an NFS share with the correct damn permissions
Devices:
- TrueNAS server accessible via LAN at `10.0.0.7`
- Debian mini PC, running virtualized in Proxmox, accessible via LAN at `10.0.0.4`
Current (semi-working) configuration
TrueNAS
- Dedicated user created with username `nfs`, uid `3001`, gid `3001`, `nologin` shell
- TrueNAS pool `tank` created at `/mnt/tank`
- TrueNAS dataset `media` created on pool at `/mnt/tank/media`
  - Dataset preset: Generic
  - User: `nfs`, uid=3001
  - Group: `nfs`, gid=3001
  - Permissions: `775`
- NFS service
  - Enabled protocols: NFSv3, NFSv4
  - Remainder at defaults
- NFS share created with `media` dataset
  - Mapall user: `nfs`
  - Mapall group: `nfs`
  - Remainder at defaults
Debian mini PC
- Created user `nfs` with uid=3001 and gid=3001
- Added primary user to `nfs` group
- Added directory `/nfs/media` with permissions: `sudo chown -R nfs:nfs /nfs`
- Edited `/etc/fstab`:
- Mount command:
Results
Can mount with no errors and correct permissions.
- Initial permissions upon mounting:
- Permissions upon creating a file and directory (with primary user):
- Can delete file and directory.
Note
On client system (laptop I am using to SSH into all other machines) running WSL, I can also mount the fileshare. (Had to enable the "insecure" option by ticking the box for "Allow non-root mount" in NFS service config.) Notably, since the `nfs` user did not exist on this client, the user and group showed up as just their id (`3001`) - but everything still worked the same way; I was able to mount the share and create/edit/delete files and directories.
Final thoughts (for now)
Seems to work.
Primary consideration:
- Security. Someone has to be connected to the LAN, but this would give anyone able to mount an NFS share the ability to write and delete my files, as all clients connected to it are treated as the `nfs` user.
Some possible mitigations:
- Look into NFSv4 (maybe - it doesn't seem too promising, and this was a massive pain to set up)
- Structure of different datasets:
  - `media` for Jellyfin / Navidrome, restrict to `10.0.0.4` IP - this is the only one that needs to be an NFS share, I think?
  - `syncthing` for syncing files directly to client machines
  - `nextcloud` for hosted files / personal services (need to do some digging on this one)
  - `backups` for backups
  - `filebrowser` to serve files on the server to the LAN without opening it up via NFS
- Need to do some more digging on encryption with TrueNAS
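As an added example (not part of these notes), a small audit of an exports(5)-format file for exactly the concern above: an export open to every host, a writable export where every client is squashed to one uid (the Mapall situation), and the "insecure" option. The sample file is constructed; it assumes TrueNAS's Mapall setting corresponds to `all_squash` plus `anonuid`/`anongid` and the "Allow non-root mount" box to `insecure`, and the paths and client fields are made up.

```python
import re

# Constructed sample in Linux exports(5) format (not a real TrueNAS file).
# Line 1: media share exported to every host ("*"), the "anyone on the LAN" case.
# Line 2: same share restricted to the Debian mini PC only.
# Line 3: a writable subnet export that also disables root squashing.
SAMPLE_EXPORTS = """\
# constructed example
/mnt/tank/media *(rw,sync,all_squash,anonuid=3001,anongid=3001,insecure,no_subtree_check)
/mnt/tank/media 10.0.0.4(rw,sync,all_squash,anonuid=3001,anongid=3001,no_subtree_check)
/mnt/tank/backups 10.0.0.0/24(rw,no_root_squash)
"""

EXPORT_RE = re.compile(r'^(?P<path>"[^"]+"|\S+)\s+(?P<clients>.*)$')
CLIENT_RE = re.compile(r'(?P<host>[^\s(]+)(?:\((?P<opts>[^)]*)\))?')


def audit_exports(text):
    """Return (path, client, finding) tuples for export entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = EXPORT_RE.match(line)
        if not m:
            continue
        path = m.group("path").strip('"')
        for c in CLIENT_RE.finditer(m.group("clients")):
            host = c.group("host")
            opts = {o.strip() for o in (c.group("opts") or "").split(",") if o.strip()}
            writable = "rw" in opts  # exports(5) default is ro
            if host == "*" or host.startswith("*."):
                findings.append((path, host, "exported to every host, not a single client address"))
            elif "/" in host and writable:
                findings.append((path, host, "writable export to a whole subnet"))
            if writable and "all_squash" in opts:
                anon = next((o for o in opts if o.startswith("anonuid=")), "anonuid=nobody")
                findings.append((path, host, f"every client writes as {anon}; clients are indistinguishable"))
            if "no_root_squash" in opts:
                findings.append((path, host, "client root is mapped to server root"))
            if "insecure" in opts:
                findings.append((path, host, "requests from unprivileged ports accepted (non-root users can mount)"))
    return findings


if __name__ == "__main__":
    for path, host, msg in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{host}]: {msg}")
```

The same function can be pointed at the server's generated exports file, or at the output of a client-side `showmount -e` once reshaped into the same format, to confirm the share really is limited to `10.0.0.4`.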
Next steps:
- Figure out auto-mount at boot (or, more likely, mount on-demand)
- Figure out permissions with Jellyfin - might be a non-issue
- Restrict IP to just Debian mini PC (`10.0.0.4`)