Hey All! I’m in the process of building my first homelab and I want to hear your thoughts on installing Nextcloud on VM/Docker image on a host, and mounting my data (which is sitting on a different host) via NFS share over the network. The reason for this is because I currently have two servers, one of which is my storage server (TrueNAS) and another ESXi host which host all of my infra.
I have plenty of VMs with this setup, but I am still hesitant to do this with Nextcloud, mostly because NFS has no authentication/ACL and uses a single IP for providing “security” for my data. I plan to put some pretty personal stuff in Nextcloud (this is a home network and nothing inside will ever be exposed to the Internet) and I want to be sure that my setup is done right.
My plan is to:
- Install Nextcloud VM/Docker image on my ESXi host > let’s say that the VM will have IP of: 192.168.3.5
- Share my data over NFS from TrueNAS and tell it that only a single IP will have access to it: 192.168.3.5
- Mount the NFS share over my VM (most likely Ubuntu) > point Nextcloud to that mount
Here is my concern: This whole VM or Docker image (still haven’t decided which one I should use) will have access to this data, since all the services inside it will share a single IP. I’m not sure if this is really a reliable way to do this.
Can you share your opinion - should I proceed with such setup or think of something else if I want to preserve my valuable data?
It is safe to do a mount. Just make sure you do a separate nfs share for Nextcloud data and mount that.
I plan to keep all the Nextcloud configurations on the VM itself and just clone/snapshot or backup the VM whenever I plan to upgrade or perform major changes.
The only data which I plan to mount via NFS share will be my own - pictures, videos, so on.
Back to the security topic - as I understand (pardon me if I’m wrong) mounting the data via NFS share will mean that all the users, including the non-privileged ones will have access to the information, same way as root and www-data. Doesn’t this bring risk to the setup?
Only if other has access via ssh to the VM. Ifnits only Nextcloud on it and Yiu restricted access to just that VM it won’t be a problem.
Nextcloud will keep the different users on it from each other.
You can secure nfs more by adding Kerberos and ACL. But that will be overkill if you only connect Nextcloud to the share
Correct, only Nextcloud will have access to that NFS share, and I don’t want to bring another complexity with Kerberos anyway.
Thanks for helping me and maintaining this awesome product!
You can also secure NFS by tunneling it over WireGuard and only allowing connections via tunnels.
Pardon me if this sound stupid, as I’m not very familiar with WireGuard - I look at it solely as a VPN protocol. Why would I want to use a VPN on a LAN network?
Yes, it’s a VPN protocol. But you can still use it between any machines even on the same network. This adds a strong encryption to the network traffic. Then if you want, you can also tell your service such as NFS to only listen on the tunnel interface, so a client has to authenticate the VPN before they can even attempt a NFS connection.
It’s not necessary, but if you’re worried about security, it’s an extra layer you can add.