Configuration

Goals:

  • End goal: mount an NFS share over the LAN either automatically at boot or on-demand when files are accessed
  • Current goal: mount an NFS share with the correct damn permissions

Devices:

  • TrueNAS server accessible via LAN 10.0.0.7
  • Debian mini PC running virtualized in Proxmox accessible via LAN 10.0.0.4

Current (semi-working) configuration

TrueNAS

  • Dedicated user created with username nfs, uid 3001, gid 3001, nologin shell
  • TrueNAS pool tank created at /mnt/tank
  • TrueNAS dataset media created on pool at /mnt/tank/media
    • Dataset preset: Generic
    • User: nfs, uid=3001
    • Group: nfs, gid=3001
    • Permissions: 775
  • NFS service
    • Enabled protocols: NFSv3, NFSv4
    • Remainder at defaults
  • NFS share created with media dataset
    • Mapall user: nfs
    • Mapall group: nfs
    • Remainder at defaults

Debian mini PC

  • Created user nfs with uid=3001 and gid=3001 (useradd -g needs the gid 3001 group to exist already):
      sudo useradd nfs -u3001 -g3001 -s /usr/sbin/nologin
  • Added primary user to nfs group
  • Created directory /nfs/media and set ownership:
      sudo chown -R nfs:nfs /nfs
  • Edited /etc/fstab:
      # /etc/fstab
      10.0.0.7:/mnt/tank/media /nfs/media nfs rw,noexec,noauto 0 0
  • Mount command:
      sudo mount 10.0.0.7:/mnt/tank/media /nfs/media

Results

Can mount with no errors and correct permissions.

  • Initial permissions upon mounting:
      drwxrwxr-x nfs nfs /nfs/media
  • Permissions upon creating a file and directory (with primary user):
      -rw-r--r-- nfs nfs file
      drwxr-xr-x nfs nfs dir
  • Can delete file and directory.

Note

On the client system (the laptop I am using to SSH into all other machines) running WSL, I can also mount the fileshare. (Had to enable the “insecure” option by ticking the box for “Allow non-root mount” in NFS service config.) Notably, since the nfs user did not exist on this client, the user and group showed up as just their numeric id (3001), but everything still worked the same way: I was able to mount the share and create/edit/delete files and directories.

Final thoughts (for now)

Seems to work.

Primary consideration:

  • Security. Someone has to be connected to the LAN, but this would give anyone able to mount an NFS share the ability to write and delete my files, as all clients connected to it are treated as the nfs user.

Some possible mitigations:

  • Look into NFSv4 (maybe - it doesn’t seem too promising, and this was a massive pain to set up)
  • Structure of different datasets:
    • media for Jellyfin / Navidrome, restrict to 10.0.0.4 IP
      • This is the only one that needs to be an NFS share, I think?
    • syncthing for syncing files directly to client machines
    • nextcloud for hosted files / personal services (need to do some digging on this one)
    • backups for backups
    • filebrowser to serve files on the server to the LAN without opening it up via NFS
  • Need to do some more digging on encryption with TrueNAS

Next steps:

  • Figure out auto-mount at boot (or, more likely, mount on-demand)
  • Figure out permissions with Jellyfin - might be a non-issue
  • Restrict IP to just Debian mini PC (10.0.0.4)
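Added example, not part of these notes: a small Python audit for the client side of the setup. It parses fstab-format entries like the one in the Debian section above, flags NFS mounts that lack the usual hardening options (noexec/nosuid/nodev) or that rely on sec=sys (AUTH_SYS, where the server never authenticates the client, which is what the security consideration above boils down to), and builds the on-demand systemd-automount variant of that entry for the first "Next steps" item. The sample fstab text is constructed; the first NFS line is the entry from the notes, and the sec=krb5 line assumes a Kerberos-backed NFSv4 setup that does not exist yet. The server-side IP restriction is configured in the TrueNAS share settings and is not covered here.

```python
"""Audit NFS client mount entries (fstab format) for missing hardening options.

Added example, not from the original notes. Assumes the standard six-field
/etc/fstab layout; x-systemd.automount and x-systemd.idle-timeout are real
systemd mount options.
"""

# Standard companions to the noexec the notes already use.
HARDENING = ("noexec", "nosuid", "nodev")
NFS_TYPES = ("nfs", "nfs4")

# Constructed sample; the /nfs/media line is the entry from the notes,
# the /nfs/backups line is a hypothetical Kerberos-protected NFSv4 mount.
SAMPLE_FSTAB = """\
# /etc/fstab
UUID=1234-ABCD / ext4 errors=remount-ro 0 1
10.0.0.7:/mnt/tank/media /nfs/media nfs rw,noexec,noauto 0 0
10.0.0.7:/mnt/tank/backups /nfs/backups nfs4 rw,nosuid,nodev,noexec,sec=krb5,x-systemd.automount 0 0
"""


def parse_fstab(text):
    """Return one dict per non-comment, non-empty fstab line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        src, mountpoint, fstype = fields[:3]
        entries.append({
            "source": src,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "options": set(fields[3].split(",")),
        })
    return entries


def audit_nfs_entry(entry):
    """Return a list of findings for one NFS entry (empty list = nothing flagged)."""
    findings = []
    if entry["fstype"] not in NFS_TYPES:
        return findings
    opts = entry["options"]
    for opt in HARDENING:
        if opt not in opts:
            findings.append(f"missing {opt}")
    # No sec= means sec=sys (AUTH_SYS): the server sees only the client's IP and
    # the uid/gid the client asserts, so nothing authenticates the client itself.
    sec = next((o.split("=", 1)[1] for o in opts if o.startswith("sec=")), "sys")
    if sec == "sys":
        findings.append("sec=sys (AUTH_SYS): clients are not authenticated")
    return findings


def audit_fstab(text):
    """Map each NFS mountpoint in an fstab text to its findings."""
    return {
        e["mountpoint"]: audit_nfs_entry(e)
        for e in parse_fstab(text)
        if e["fstype"] in NFS_TYPES
    }


def hardened_entry(server, export, mountpoint, idle_timeout="60"):
    """Build an on-demand NFS fstab entry: systemd creates an automount unit and
    mounts the share on first access, unmounting after idle_timeout seconds."""
    opts = ["rw", "noexec", "nosuid", "nodev", "noauto",
            "x-systemd.automount", f"x-systemd.idle-timeout={idle_timeout}"]
    return f"{server}:{export} {mountpoint} nfs {','.join(opts)} 0 0"


if __name__ == "__main__":
    for mountpoint, findings in audit_fstab(SAMPLE_FSTAB).items():
        print(mountpoint, "->", findings or "ok")
    print(hardened_entry("10.0.0.7", "/mnt/tank/media", "/nfs/media"))
```

After replacing the fstab line with the hardened on-demand variant, `systemctl daemon-reload` picks up the new automount unit; the sec=sys finding only goes away with a Kerberos-backed export, which is the NFSv4 work listed under mitigations.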

EOF