Fileshares and Security in the Homelab

I’m in the process of building out a homelab in order to self-host a bunch of stuff (mostly to be accessed while home or via VPN, though I’ve got plans for a DMZ for some services that will be accessible on the open web down the line). Household consists of mostly Linux desktops and laptops, plus one Mac.

Everything is hosted off of a Proxmox VM server, with the exception of a dedicated firewall box (OPNSense) and an old Soekris engineering box that I’m hoping to have handle auth (should be powerful enough for a single household, and having it separate will hopefully make maintenance easier).

I’m currently working out how I want to handle file shares and how I want to handle single sign-on, and I’ve realised these are somewhat intertwined (e.g. if I want NFSv4, I probably want an SSO platform that supports Kerberos, but if I can do what I need with NFSv3 and firewall rules then it’s easier to go with something like Authentik, which seems to be about right for my scale but doesn’t really do older stuff like Kerberos).

I’m interested in knowing what file-sharing protocols people use on their homelabs (is there just NFS and SMB out there, or are there others I should look at?).

Also, what precautions do you take to secure them? (Just creds, or network / firewall level security as well?)

Check out Univention Corporate Server. It speaks samba and ldap, so that takes care of Kerberos. It also has keycloak optionally available for SSO. I had already settled on Authentik as my SSO provider at work, so I use UCS ldap as the source for user accounts within authentik.


In my homelab I’m using TrueNAS Scale for all the shares, a mix of SMB and NFS. All NFS shares are exported to static IP Linux VMs, while the SMB shares are used in a more general way on both Windows and Linux with the standard user/pass combo.

Given proper network segmentation with both VLANs and physical separation and firewall control, I didn’t feel the need for any additional security measures specifically for shares.
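One way to check which of the two controls discussed above each NFS export actually relies on (the OP’s NFSv4-with-Kerberos option, or the IP-restricted exports to static-IP VMs described in this reply) is to audit the exports file itself. This is an added example, not code posted by anyone in the thread; the exports content is constructed, and option names follow exports(5).

```python
"""Audit an NFS /etc/exports file for shares that rely on neither of the two
controls discussed in the thread: a specific client list (the NFSv3 plus
firewall approach) or Kerberos flavours (the NFSv4 sec=krb5* approach)."""
import ipaddress
import re

# Constructed sample exports file (not taken from any real host).
SAMPLE_EXPORTS = """\
# media library, NFSv3 style: only the two static-IP VMs may mount it
/srv/media   192.168.10.21(rw,sync,root_squash) 192.168.10.22(ro,sync)
# home dirs, NFSv4 with Kerberos: any client, but must present a ticket
/srv/home    *(rw,sync,sec=krb5p)
# backups: wide open with no Kerberos, this is the one to flag
/srv/backup  *(rw,no_root_squash)
/srv/scratch 192.168.0.0/16(rw,insecure)
"""

# client token, optionally followed by a parenthesised option list
ENTRY_RE = re.compile(r"([^\s(]+)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Yield (path, client, [options]) for each client of each export line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for client, opts in ENTRY_RE.findall(rest):
            yield path, client, [o.strip() for o in opts.split(",") if o.strip()]

def is_specific_client(client):
    """True for a single IP, a CIDR prefix or an explicit hostname; False for wildcards."""
    if client in ("*", ""):
        return False
    try:
        ipaddress.ip_network(client, strict=False)
        return True
    except ValueError:
        return "*" not in client and "?" not in client

def audit_exports(text):
    """Return (path, client, reason) findings for exports lacking either control."""
    findings = []
    for path, client, opts in parse_exports(text):
        kerberos = any(o.startswith("sec=krb5") for o in opts)
        if not kerberos and not is_specific_client(client):
            findings.append((path, client, "mountable by any host without Kerberos"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no_root_squash: remote root is local root"))
        if "insecure" in opts:
            findings.append((path, client, "insecure: accepts non-privileged source ports"))
    return findings

if __name__ == "__main__":
    for path, client, reason in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {reason}")
```

Run against a real `/etc/exports` by replacing the sample string with the file contents; an empty result means every export is either restricted to named hosts or protected by a krb5 security flavour.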

I am kind of with Dr.Heat. I use a mix of SMB and NFS. I don’t do single sign-on because there would be no benefit to me. I am the only person that uses my home lab. My set up is similar to the OP: I have dual WAN connections (Xfinity and T-Mobile) feeding into a stand-alone pfsense box. pfsense feeds into my managed switch and all other hardware feeds off the switch. I have a couple of Proxmox nodes, a Synology NAS, and virtualized instances of OMV and TrueNAS Scale. My WAP is VLAN aware and can handle up to 8 SSIDs (four on 2.4 GHz and four on 5 GHz). I have 6 VLANs: trusted, untrusted, guest, IoT, television and management. Only my wife and I can access the trusted VLAN. Untrusted is for all the things I expose to the internet (WordPress, Discourse, Nextcloud, etc.). The kids are all relegated to the guest network. The others are self-explanatory. I do not open any ports/no DMZ on my firewall. Everything is exposed through Cloudflare tunnels and/or over my Tailscale network. None of my shares are on the IoT, television, guest, or management network. Most of my shares are on the Synology, and the OMV and TrueNAS instances are mostly for backup at this point. I do also use Synology’s Drive client and QuickConnect services at times.

SMB is the way to go for file sharing. I only use NFS for my Linux to TrueNAS & Synology services such as XCP-ng, and that is on a dedicated storage network.


I second Tom’s thoughts on this. I use SMB for everything (other than iSCSI in very specific situations, but that isn’t file sharing) other than Linux to TrueNAS. SMB is great and easy to set up and manage permissions on.


Similar boat here too. I use iSCSI and NFS for virtual host to storage and SMB/FTP/HTTP for client to server connections.