this post was submitted on 09 Feb 2025
80 points (97.6% liked)

Selfhosted

42057 readers
462 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
80
Homelab upgrade - "Modern" alternatives to NFS, SSHFS? (self.selfhosted)
submitted 2 days ago* (last edited 2 days ago) by MajorSauce to c/[email protected]
64 comments fedilink hide all child comments
 

Hi all!

I will soon acquire a pretty beefy unit compared to my current setup (3 node server with each 16C, 512G RAM and 32T Storage).

Currently I run TrueNAS and Proxmox on bare metal and most of my storage is made available to apps via SSHFS or NFS.

I recently started looking for "modern" distributed filesystems and found some interesting S3-like/compatible projects.

To name a few:

  • MinIO
  • SeaweedFS
  • Garage
  • GlusterFS

I like the idea of abstracting the filesystem to allow me to move data around, play with redundancy and balancing, etc.

My most important services are:

  • Plex (Media management/sharing)
  • Stash (Like Plex πŸ™ƒ)
  • Nextcloud
  • Caddy with Adguard Home and Unbound DNS
  • Most of the Arr suite
  • Git, Wiki, File/Link sharing services

As you can see, a lot of download/streaming/torrenting of files accross services. Smaller services are on a Docker VM on Proxmox.

Currently the setup is messy due to the organic evolution of my setup, but since I will upgrade on brand new metal, I was looking for suggestions on the pillars.

So far, I am considering installing a Proxmox cluster with the 3 nodes and host VMs for the heavy stuff and a Docker VM.

How do you see the file storage portion? Should I try a full/partial plunge info S3-compatible object storage? What architecture/tech would be interesting to experiment with?

Or should I stick with tried-and-true, boring solutions like NFS Shares?

Thank you for your suggestions!

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 15 points 1 day ago (4 children)

What's wrong with NFS? It is performant and simple.

[–] [email protected] 10 points 1 day ago (1 children)

NFS is fine if you can lock it down at the network level, but otherwise it's Not For Security.

[–] [email protected] 4 points 1 day ago* (last edited 1 day ago) (1 children)

NFS + Kerberos?

But everything I read about NFS and so on: You deploy it on a dedicated storage LAN and not in your usual networking LAN.

[–] [email protected] 2 points 1 day ago

I tried it once. NFSv4 isn't simple like NFSv3 is. Fewer systems support it too.

[–] [email protected] 16 points 1 day ago (1 children)

By default, unencrypted, and unauthenticated, and permissions rely on IDs the client can fake.

May or may not be a problem in practice, one should think about their personal threat model.

Mine are read only and unauthenticated because they're just media files, but I did add unneeded encryption via ktls because it wasn't too hard to add (I already had a valid certificate to reuse)

[–] [email protected] 7 points 1 day ago (1 children)

NFS is good for hypervisor level storage. If someone compromises the host system you are in trouble.

[–] [email protected] 4 points 1 day ago (1 children)

If someone compromises the host system you are in trouble.

Not only the host. You have to trust every client to behave, as @forbiddenlake already mentioned, NFS relies on IDs that clients can easily fake to pretend they are someone else. Without rolling out all the Kerberos stuff, there really is no security when it comes to NFS.

[–] [email protected] 1 points 1 day ago (1 children)

You misunderstand. The hypervisor is the client. Stuff higher in the stack only sees raw storage. (By hypervisors I also mean docker and kubernetes) From a security perspective you just set an IP allow list

[–] [email protected] 1 points 1 day ago

Sure, if you have exactly one client that can access the server and you can ensure physical security of the actual network, I suppose it is fine. Still, those are some severe limitations and show how limited the ancient NFS protocol is, even in version 4.

[–] [email protected] 1 points 1 day ago

It is a pain to figure out how to give everyone the same user id. I only have a couple computers at home. I've never figured out how to make LDAP work (including laptops which might not have network access when I'm on the road). Worse some systems start with userid 1000, some 1001. NFS is a real mess - but I use it because I haven't found anything better for unix.

[–] [email protected] 3 points 1 day ago

Gotta agree. Even better if backed by zfs.