Been beating around the bush on permissions for NFS for way too long. Permissions are hard.
The delay in getting NFS set up was due to permissions. I couldn't decide how I wanted NFS permissions to work and who to grant them to. I didn't know whether I should get granular with group IDs and user IDs, or manage it at the subnet level.
Long story short, I ended up allowing read/write from the internal subnets in my network.
I also pretty much opened read/write to everyone on that network. I did disable OpenVPN read/write from the VLAN subnet, though. This means only internal servers have access.
/etc/exports looks something like:
# no_root_squash: root on any host in these two /24s acts as root on the export
/srv/nfspoint 10.0.0.0/255.255.255.0(rw,no_root_squash,sync)
/srv/nfspoint 10.0.1.0/255.255.255.0(rw,no_root_squash,sync)
Ansible
I need this automated so I can run it across devices.
---
- hosts: all
  tasks:
    - name: Install NFS Tools
      apt:
        name: nfs-common
        state: present
        update_cache: yes
      become: true
      become_method: sudo
    - name: Make Directory
      file:
        path: /media/nfspoint
        state: directory
      become: true
      become_method: sudo
    - name: Add NFS Block to /etc/fstab
      blockinfile:
        dest: /etc/fstab
        marker: "## {mark} added by ansible"
        # blockinfile writes the BEGIN/END marker lines itself; repeating them
        # inside the block would duplicate them in /etc/fstab.
        block: |
          # NFS Mount
          10.0.0.253:/nfs/point /media/nfspoint nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0
      become: yes
      become_method: sudo
    - name: Mount an NFS volume
      # state: mounted writes its own /etc/fstab line, so together with the
      # blockinfile task above /media/nfspoint ends up with two fstab entries
      # carrying different options; one of the two tasks is enough.
      ansible.posix.mount:
        src: 10.0.0.253:/nfs/point
        path: /media/nfspoint
        opts: rw,sync,hard,intr
        state: mounted
        fstype: nfs
      become: true
      become_method: sudo
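As an added example (not code from the original post), here is a small Python audit script that parses /etc/exports entries like the two above and NFS lines like the one in the Ansible fstab block, and flags the settings a reviewer would question: no_root_squash on a read/write export, exports open to every host, the classic space-before-parenthesis mistake in exports(5), the insecure option, and client-side options that are deprecated (intr) or weaken locking (nolock). The sample exports text and fstab line are constructed here; the third export line is an added, deliberately loose entry, and the severity labels are my own.

```python
"""Audit /etc/exports entries and NFS fstab lines for risky settings.

Added example, not part of the original post.  The sample data below is
constructed: the first two export lines mirror the post, the third is an
added, deliberately loose entry so the audit has something else to flag.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_EXPORTS = """\
# constructed sample /etc/exports
/srv/nfspoint 10.0.0.0/255.255.255.0(rw,no_root_squash,sync)
/srv/nfspoint 10.0.1.0/255.255.255.0(rw,no_root_squash,sync)
/srv/backups  *(rw,insecure)
"""

# constructed fstab line using the same options as the post's Ansible block
SAMPLE_FSTAB_LINE = (
    "10.0.0.253:/nfs/point /media/nfspoint nfs "
    "auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0"
)

# CLIENT(opts); a bare "(opts)" token (client part empty) is the space pitfall
SPEC_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text: str) -> List[Dict]:
    """Split each export line into one record per client spec.

    exports(5) syntax is PATH CLIENT(opts) CLIENT(opts) ...  A bare CLIENT
    gets the defaults (ro, root_squash).  A space between the client and the
    parenthesis turns "(opts)" into its own token, which applies to every host.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.fullmatch(spec)
            if m is None:
                raise ValueError(f"malformed client spec: {spec!r}")
            client, opts = m.group(1), m.group(2)
            records.append({
                "path": path,
                "client": client or "*",
                "opts": [o for o in (opts or "").split(",") if o],
                "space_before_parens": client == "" and opts is not None,
            })
    return records


def client_scope(client: str) -> int:
    """Rough count of hosts a client spec can match; 0 when it cannot be sized."""
    if client == "*":
        return 2 ** 32
    try:
        if "/" in client:  # accepts both prefix length and dotted netmask
            return ipaddress.ip_network(client, strict=False).num_addresses
        ipaddress.ip_address(client)
        return 1
    except ValueError:
        return 0  # hostname, wildcard pattern or @netgroup


def audit_exports(text: str) -> List[Dict]:
    """Return findings (severity, path, client, message) for an exports file."""
    findings = []

    def flag(rec, severity, msg):
        findings.append({"severity": severity, "path": rec["path"],
                         "client": rec["client"], "msg": msg})

    for rec in parse_exports(text):
        opts = set(rec["opts"])
        rw = "rw" in opts
        kerberos = any(o.startswith("sec=krb") for o in opts)
        if rec["space_before_parens"]:
            flag(rec, "HIGH", "options separated from the client by a space apply to every host")
        elif rec["client"] == "*":
            flag(rec, "HIGH", "exported to every host that can reach the server")
        elif rw and client_scope(rec["client"]) > 1 and not kerberos:
            flag(rec, "MEDIUM", "read/write to a whole address range with AUTH_SYS: "
                                "the server trusts whatever uid/gid each client sends")
        if rw and "no_root_squash" in opts:
            flag(rec, "HIGH", "no_root_squash on a rw export: root on any matching "
                              "client is root on the export")
        if "insecure" in opts:
            flag(rec, "MEDIUM", "insecure: requests from unprivileged source ports are "
                                "accepted, so any local user on a client can talk NFS")
    return findings


def audit_fstab_nfs(line: str) -> List[str]:
    """Notes on the mount options of a single NFS fstab line."""
    fields = line.split()
    if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
        return []
    opts = fields[3].split(",")
    notes = []
    if "nolock" in opts:
        notes.append("nolock: NLM locking disabled; programs relying on locks across clients can corrupt data")
    if "intr" in opts:
        notes.append("intr: ignored by kernels since 2.6.25, so it changes nothing")
    if not any(o.startswith("sec=") for o in opts):
        notes.append("no sec=: AUTH_SYS, identity is the client-supplied uid/gid")
    if "nosuid" not in opts:
        notes.append("nosuid missing: setuid binaries on the share are honoured on this client")
    return notes


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f['severity']:6} {f['path']} {f['client']}: {f['msg']}")
    for note in audit_fstab_nfs(SAMPLE_FSTAB_LINE):
        print("fstab ", note)
```

Run it against a real server by replacing SAMPLE_EXPORTS with the contents of /etc/exports; exportfs -v on the server shows the effective options after defaults are applied, which is what the audit should ultimately be compared against.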