NFS for storage, tailscale / wireguard for access control?
Linux
From Wikipedia, the free encyclopedia
Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).
Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.
Rules
- Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
- No misinformation
- No NSFW content
- No hate speech, bigotry, etc
Related Communities
Community icon by Alpár-Etele Méder, licensed under CC BY 3.0
I haven't played with tailscale, and most of my wireguard shenanigans have involved connecting to others' systems. Wouldn't those mostly control the network-level access but not the account-level access (centralized account/UID/gid and remote permissions) part?
Indeed, and good points. How many users do you have? I assume this isn’t just for you, and setting up multiple nfs shares with tailscale access policies isn’t feasible. SMB might be the best play. I’ll have to refresh my memory on file sharing protocols
Not too many users, but an ever changing variety of devices and services :-)
Late to the thread, but SFTPGo is very nice.
It can be exposed as web server, (S)FTP Server and WebDAV, has built in authentication system, have built in brute force protection.
All in a single executable.
Does this only need to work on LAN? I've not used Kerberos.
I've never had SMB break. It's definitely been my LAN network storage protocol of choice over the years, decent performance and perfect reliability so far.
And while I do have SSHFS set up, and use it sometimes, it's by far the slowest solution in my experience. I basically only use it to pull a file via phone if I need something off my desktop or home server that I didn't put in a location accessible via/synced to nextcloud, and I'm not at home to grab it via my desktop (which mounts my server's fulesystem via SMB).
Some time ago I finally set up off-site backup at my dad's, and while nextcloud has been my solution for convenient file storage, sharing and access from anywhere, it's extreme overkill for such a use-case.
It's better suited for syncing folders (using up space on both client and server), not mounting as a network storage location (though I think it can do that?)
What I ended up doing was setting up unencrypted FTP through the VPN that I use to access my home network. Server at dad's connects to it on startup, from there my server is able to see the off-site machine on my LAN and it can then dump backups into it.
I do actually have a NextCloud instance, which I primarily use for editing Documents (via Collabora) or syncing backups of folders like Pictures etc from the phone.
SMB/Samba by itself for just sharing folders I've had little issue with. Samba as a domain controller with domain-joined clients tied to domain logins is a more complicated beast and - in my experience -prone to breakage in my experience (expired tokens, certificate lifetimes, DNS integration, upgrade issues, etc) BUT it can provide a fairly complete package end-to-end when it works. I just feel that there should be a more Linux-centric/friendly and less bloaty solution that still others decent account-level security.
When you ask "only on LAN" the answer is yes with the caveat that I do also work through VPN, but that's often functionally the same thing save that the VPN login occurs after the user-login
I don't think you can get more "linuxy" than samba. You can go down to something simpler, like FTP, or SHHFS which is basically also FTP, but there's no SMB equivalent that's "more linux".
It's all just different implementations of different protocols that exist, and SMB is used the most for a reason.
Nextcloud uses webDAV, so it definitely can be mounted as a network drive (this is how I primarily use it, and it works well).
I use SSHFS. I have had some trouble getting it to mount automatically, but it will show up in Dolphin so it mounts when you click. If you set up keys (ideally ed25519), disable password authentication, set up fail2ban, and use nonstandard ports for outside lan I would consider it reasonably secure.
Perhaps freeipa wirh automounts?
Update: Based on some other sources, it sounds like giving another shot at freeIPA might be worth investigating. It's still got Samba etc and the last time I tried it things weren't more RedHat exactly friendly to my favored flavor (Debian) but it sounds like it might be better supported now
Update #2
OMFG it's years after I tried and FreeIPA on Debian is even more of a pain. Docker container issues galore, and it basically won't start without adding a bunch of options that reduce the container security to a smoldering ruin