NFS Setup

NFS Server

NFS is a volume server, which normally has no security (thoug NFS v4 supports Kerberos). The idea behind NFS is that the client that mounts the volume is responsible for access control.

Host

The NFS server will be hosted by a TrueNAS server running under Proxmox - initially on [Metal1]({{<ref “/architecture/metal1”>}}). The VM can be reached by ssh to 192.168.182.4 (port 22222) - with passwordless authentication.

File Shares

There is (at least) one file share per customer instance. One share will be mounted in NextCloud to provide file access and syncing. Other shares will be added as required.

I am tempted to make the NextCloud share have access to all files, but people changing/ deleting these files may cause issues for the apps using those files, so this needs to be clarified later.

Docker

Docker for the customer must mount NFS volumes. Use NFSv3 (v4 required Kerberos authentication). In portainer, add the volume first as an NFS volume (always use driver local). Do NOT use rootsquash, but instead make sure file owner/groups are correct inside TrueNAS volume.

I think this forces us to use OpenLDAP to share usernames and passwords across all services.

Security

Each Customer has its own IP address range, so the file share(s) for that customer shall be restricted in TrueNAS to only allow connections from that IP address range.

I think this means every customer needs a separate docker network.

It waws problematic to get Nextcloud to run because of file permissions. This was solved (hopefully) by logging in to the TrueNAS Vm and changing the file ownership to www-data:www-data with rootsquash not set so uid/ gid is passed on.