Don’t worry about the NFS ownership unless you are going to use something such as kerberos, instead use a dedicated storage network and IP restrictions.
If you have an older slower CPU, encryption is not an issue. If you are using password based encryption on a data set you are protecting against access of the data in the event the physical theft of the TrueNAS system occurs.
So I understand ownership root:root with permissions 777 on exported NFS share is ok.
Just because I’ve seen that actually files that XO creates are owned by nobody:nogroup (65534:65534).
I was thinking:
I’m not sure under which user is actually XO connecting to the NFS share, but I could make dedicated user:group that only have rw access to Backup NFS share nothing more than that. And then use either Mapall User or Maproot User in NFS Share settings.
…and of course restrict NFS Share only to specific IP of XO instance (or I’ll try to make that non-routable VLAN, just for XO storage access).
In regards to dedicated non-routable VLAN for TrueNAS NFS shares access, I understand that only XO with TrueNAS needs to be on this VLAN, correct? XCP-NG Hosts and VMs don’t need access here for Backups right?