diff --git a/knowledge base/acl.md b/knowledge base/acl.md new file mode 100644 index 0000000..eda7495 --- /dev/null +++ b/knowledge base/acl.md 
@@ -0,0 +1,98 @@ +# Access Control Lists assignment + +## Table of contents + +1. [TL;DR](#tldr) +1. [Set default permissions for files and directories](#set-default-permissions-for-files-and-directories) +1. [Further readings](#further-readings) + +## TL;DR + +List of [permission tags][syntax descriptions for setting acls] and [inheritance options][acl inheritance]. + +```sh +# Install the tool. +apt install 'acl' +dnf install 'acl' + +# Show ACLs. +getfacl 'test/declarations.h' + +# Set permissions for users. +setfacl -m 'u:username:rwx' 'test/declarations.h' + +# Add permissions for users. +# Position number starts from 0. +setfacl -a '1' 'u:username:rwx' 'test/declarations.h' +setfacl -a '5' 'owner@:rw-p-daARWcCos:f------:allow' 'path/to/file' +setfacl -a '6' 'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir' + +# Set permissions for groups. +setfacl -m "g:groupname:r-x" 'test/declarations.h' + +# Add permissions for groups. +# Position number starts from 0. +setfacl -a '2' 'g:groupname:r-x' 'test/declarations.h' +setfacl -a '7' 'group@:r--p--aAR-c--s:f------:allow' 'path/to/file' +setfacl -a '8' 'group@:r-xp--aAR-c--s:-d-----:allow' 'path/to/dir' + +# Add permissions for everyone else (others). +# Position number starts from 0. +setfacl -a '3' 'o::r-x' 'test/declarations.h' +setfacl -a '9' 'everyone@:r-----a-R-c---:f------:allow' 'path/to/file' +setfacl -a '10' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir' + +# Make children files and directories inherit acls. +# A.K.A. sets default ACLs. +setfacl -d -m 'u:dummy:rw' 'test' + +# Remove specific acls. +setfacl -x 'u:dummy:rw' 'test' + +# Remove all ACL entries except for the ones synthesized from the file mode. +# If a 'mask' entry was in them, the resulting ACLs will be set accordingly. 
+setfacl -b 'test/declarations.h' +``` + +## Set default permissions for files and directories + +Suppose you want a folder to set the default permissions of newly created files and directories to `0664` (`-rw-rw-r--`) and `0775` (`drwxrwxr-x`) respectively. + +The best way to achieve this would be to set up it's ACLs accordingly: + +| Who | ACL Type | Permissions | Flags | Translated `getfacl` Tags | Resulting Unix Permissions | +| --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ---------------------------------------- | -------------------------- | +| owner@ | Allow | Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Read Attributes, Write Attributes
Delete
Read ACL, Write ACL
Write Owner
Synchronize | File Inherit | ` owner@:rw-p-daARWcCos:f------:allow` | `-rw-------` | +| owner@ | Allow | Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Execute
Read Attributes, Write Attributes
Delete, Delete Child
Read ACL, Write ACL
Write Owner
Synchronize | Directory Inherit | ` owner@:rwxpDdaARWcCos:-d-----:allow` | `drwx------` | +| group@ | Allow | Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Read Attributes, Write Attributes
Delete
Read ACL, Write ACL
Write Owner
Synchronize | File Inherit | ` group@:rw-p-daARWcCos:f------:allow` | `----rw----` | +| group@ | Allow | Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Execute
Read Attributes, Write Attributes
Delete, Delete Child
Read ACL, Write ACL
Write Owner
Synchronize | Directory Inherit | ` group@:rwxpDdaARWcCos:-d-----:allow` | `d---rwx---` | +| everyone@ | Allow | Read Data
Read Named Attributes
Read Attributes
Read ACL | File Inherit | `everyone@:r-----a-R-c---:f------:allow` | `-------r--` | +| everyone@ | Allow | Read Data
Read Named Attributes
Execute
Read Attributes
Read ACL | Directory Inherit | `everyone@:r-x---a-R-c---:-d-----:allow` | `d------r-x` | + +```sh +# Set default permissions of '0664' for files and '0775' for directories. +# Includes ACL-type permissions accordingly. +setfacl -m 'owner@:rw-p-daARWcCos:f------:allow' 'path/to/dir' +setfacl -a '1' 'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir' +setfacl -m 'group@:r--p--aAR-c--s:f------:allow' 'path/to/dir' +setfacl -a '3' 'group@:r-xp--aAR-c--s:-d-----:allow' 'path/to/dir' +setfacl -m 'everyone@:r-----a-R-c---:f------:allow' 'path/to/dir' +setfacl -a '5' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir' +``` + +## Further readings + +- [Access Control Lists (ACL) in Linux] +- [`setfacl` FreeBSD manual page][setfacl freebsd manual page] +- [Syntax descriptions for setting ACLs] +- [ACL inheritance] + + + + +[access control lists (acl) in linux]: https://www.geeksforgeeks.org/access-control-listsacl-linux/ +[acl inheritance]: https://docs.oracle.com/cd/E19253-01/819-5461/gbaax/index.html +[setfacl freebsd manual page]: https://man.freebsd.org/cgi/man.cgi?setfacl +[syntax descriptions for setting acls]: https://docs.oracle.com/cd/E19253-01/819-5461/gbaay/index.html diff --git a/knowledge base/diy nas/v1.md b/knowledge base/diy nas/v1.md index e77a10d..fac9801 100644 --- a/knowledge base/diy nas/v1.md +++ b/knowledge base/diy nas/v1.md @@ -4,7 +4,11 @@ 1. [Hardware](#hardware) 1. [Software](#software) -1. [Operational issues](#operational-issues) +1. [Operational burdens](#operational-burdens) + 1. [Reserved managed port for Proxmox](#reserved-managed-port-for-proxmox) + 1. [Disk passthrough](#disk-passthrough) + 1. [Default permissions on files and directories](#default-permissions-on-files-and-directories) + 1. [Default permissions in SMB shares](#default-permissions-in-smb-shares) 1. [Further readings](#further-readings) 1. [Sources](#sources) 
@@ -24,11 +28,15 @@ [Proxmox] on bare metal, running [TrueNAS Core] as VM. -## Operational issues +## Operational burdens + +### Reserved managed port for Proxmox One NIC is used by Proxmox as _management port_.
This one is given a fixed IP address and bridged from inside the system. +### Disk passthrough + To allow for disk suspension and SMART checks from the VM, Proxmox needs to **directly** attach the disks to it: ```sh @@ -45,7 +53,32 @@ $ qm set 100 -sata2 /dev/disk/by-id/ata-ST4000VN008-2DR166_ZGY9WL4Z $ qm set 100 -sata3 /dev/disk/by-id/ata-ST4000VN008-2DR166_ZGY9W66G ``` -Wanting to aggregate +### Default permissions on files and directories + +Suppose you want a shared dataset to set the default permissions of newly created files and directories to `0664` and `0775` respectively. + +The best way to achieve this would be to set up the dataset's ACLs accordingly: + +| Who | ACL Type | Permissions Type | Permissions | Flags Type | Flags | Translated `getfacl` Tags | Resulting Unix Permissions | +| --------- | -------- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ----------------- | ---------------------------------------- | -------------------------- | +| owner@ | Allow | Advanced | Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Read Attributes, Write Attributes
Delete
Read ACL, Write ACL
Write Owner
Synchronize | Advanced | File Inherit | ` owner@:rw-p-daARWcCos:f------:allow` | `-rw-------` | +| owner@ | Allow | Basic | Full Control | Advanced | Directory Inherit | ` owner@:rwxpDdaARWcCos:-d-----:allow` | `drwx------` | +| group@ | Allow | Advanced | Read Data, Write Data, Append Data
Read Named Attributes, Write Named Attributes
Read Attributes, Write Attributes
Delete
Read ACL, Write ACL
Write Owner
Synchronize | Advanced | File Inherit | ` group@:rw-p-daARWcCos:f------:allow` | `----rw----` | +| group@ | Allow | Basic | Full Control | Advanced | Directory Inherit | ` group@:rwxpDdaARWcCos:-d-----:allow` | `d---rwx---` | +| everyone@ | Allow | Advanced | Read Data
Read Named Attributes
Read Attributes
Read ACL | Advanced | File Inherit | `everyone@:r-----a-R-c---:f------:allow` | `-------r--` | +| everyone@ | Allow | Advanced | Read Data
Read Named Attributes
Execute
Read Attributes
Read ACL | Advanced | Directory Inherit | `everyone@:r-x---a-R-c---:-d-----:allow` | `d------r-x` | + +#### Default permissions in SMB shares + +A simpler but arguably worse way to achieve a similar result **only for SMB shares** is by using the _mask_ `smb.conf` additional parameters in the share definition: + +```txt +create mask = 664 +directory mask = 775 +``` + +If a dataset has no ACLs set and you create a SMB share for it, you are asked to create them for its filesystem.
+You can cancel at this point and go for the additional parameters instead. ## Further readings @@ -56,6 +89,7 @@ Wanting to aggregate All the references in the [further readings] section, plus the following: - [The Perfect Home Server 2023] +- [How to run TrueNAS on Proxmox?] - -1. [TL;DR](#tldr) -1. [Further readings](#further-readings) - -## TL;DR - -```sh -# Install the tool. -apt install 'acl' -dnf install 'acl' - -# Show acls of files. -getfacl 'test/declarations.h' - -# Set permissions for users. -setfacl -m 'u:username:rwx' 'test/declarations.h' - -# Set permissions for groups. -setfacl -m "g:groupname:r-x" 'test/declarations.h' - -# Make children files and directories inherit acls. -# A.K.A. sets default acls. -setfacl -d -m 'u:dummy:rw' 'test' - -# Remove specific acls. -setfacl -x 'u:dummy:rw' 'test' - -# Remove all acls. -setfacl -b 'test/declarations.h' -``` - -## Further readings - -- [Access Control Lists (ACL) in Linux] - - - - -[access control lists (acl) in linux]: https://www.geeksforgeeks.org/access-control-listsacl-linux/ diff --git a/knowledge base/mount samba shares from a unix client.md b/knowledge base/mount samba shares from a unix client.md index dbd67c3..5ce5593 100644 --- a/knowledge base/mount samba shares from a unix client.md +++ b/knowledge base/mount samba shares from a unix client.md 
@@ -8,12 +8,17 @@ ## TL;DR ```sh -sudo mount -t cifs -o user=my-user //nas.local/shared_folder local_folder +# Mount samba shares as user 'myself'. +# Such user and a group of the same name exist on the server. +# Show permissions on directories as octal 775 and on files as octal 664. +sudo mount '//nas.lan/shared/folder' 'local/folder' -t 'cifs' \ + -o 'user=myself,uid=myself,gid=myself,dir_mode=0775,file_mode=0664' ``` ## Further readings - [Mounting samba shares from a unix client] +- [`mount.cifs` man page][mount.cifs man page] [mounting samba shares from a unix client]: https://wiki.samba.org/index.php/Mounting_samba_shares_from_a_unix_client + + +[mount.cifs man page]: https://manpages.debian.org/testing/cifs-utils/mount.cifs.8.en.html
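Review bot: in the new `knowledge base/acl.md`, the final block under "Set default permissions for files and directories" does not deliver the `0664`/`0775` the section promises: `setfacl -m 'group@:r--p--aAR-c--s:f------:allow'` and `setfacl -a '3' 'group@:r-xp--aAR-c--s:-d-----:allow'` grant the group read (and execute) only, which yields `0644`/`0755`, while the table two paragraphs above shows `group@:rw-p-daARWcCos` / `group@:rwxpDdaARWcCos` (`----rw----`, `d---rwx---`). One of the two needs to change so the commands and the table agree. Also worth stating in the TL;DR which dialect each line belongs to: `apt install 'acl'`, `u:username:rwx`, `-d -m` and `-b` are the Linux POSIX-ACL `setfacl`, whereas `setfacl -a '1' ...` with `owner@:rw-p-daARWcCos:f------:allow` entries is the FreeBSD/TrueNAS NFSv4 `setfacl` form (the Linux tool has no `-a` option and does not accept `owner@` entries), and the hard-coded positions passed to `-a` only line up if the preceding `-m` calls placed their entries where the author expects. Minor: "set up it's ACLs" should read "its ACLs".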
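Review bot: in the `@@ -4,7 +4,11 @@` hunk of `knowledge base/diy nas/v1.md`, the table of contents lists "Default permissions in SMB shares" at the same depth as the three `###` subsections, but the body (later hunk) adds it as a `####` heading nested under "Default permissions on files and directories". Either indent the TOC entry one level further or promote the heading to `###` so the two match.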
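Review bot: in the `@@ -24,11 +28,15 @@` hunk, the new heading `### Reserved managed port for Proxmox` disagrees with the body text right under it, which calls the NIC the _management port_. Suggest `### Reserved management port for Proxmox` (and the matching TOC entry and anchor), since "managed port" reads like a switch-side concept rather than the Proxmox management interface being described.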
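Review bot: in the `@@ -45,7 +53,32 @@` hunk, the file-inherit entries for `group@` (` group@:rw-p-daARWcCos:f------:allow`) carry Write ACL (`C`) and Write Owner (`o`), so every member of the group can re-permission or re-own any file created in the dataset; that is considerably broader than the `0664` the section says it is aiming for, because the "Resulting Unix Permissions" column only reflects the rwx bits, not the ACL-management rights. Unless that is intended, drop `C` and `o` from the group@ file entry (`group@:rw-p-daARWc--s`) and reconsider the "Full Control" directory entry for the same reason. On the SMB alternative in the same hunk: `create mask = 664` / `directory mask = 775` only clear bits the client did not request, they never add bits, so a client creating a file with `0600` still gets `0600`; if the goal is to guarantee `0664`/`0775`, pair them with `force create mode = 664` and `force directory mode = 775`.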
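Review bot: in the `@@ -56,6 +89,7 @@` hunk, the added item `- [How to run TrueNAS on Proxmox?]` is a reference-style link, but no `[how to run truenas on proxmox?]: <url>` definition appears in this hunk. Please confirm one exists elsewhere in the file (or add it with the source URL), otherwise the item renders as literal bracketed text instead of a link.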
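Review bot: the deletion hunk beginning with `-1. [TL;DR](#tldr)` removes the old ACL cheat sheet that the new `knowledge base/acl.md` supersedes, but its `diff --git` header did not survive extraction, so the removed path cannot be checked from here. Before merging, grep the knowledge base for links to the old file name so nothing is left pointing at a page that no longer exists.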
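Review bot: in the `mount samba shares from a unix client.md` hunk, the comment "Such user and a group of the same name exist on the server" is misleading for `uid=myself,gid=myself`: `user=` is the account authenticated against the server, whereas `uid=`/`gid=` are resolved by `mount.cifs` on the client and set the local owner shown for files when the server does not supply ownership information, so `myself` must exist in the client's passwd/group database. Likewise `dir_mode=0775,file_mode=0664` only apply when the server does not provide Unix mode information, so "Show permissions ... as" would be more accurate as "Show permissions ... as (when the server reports none)". One more thing worth a line in the comment: if this command is later moved into a script or `/etc/fstab`, use `credentials=/path/to/file` (mode `0600`) rather than `password=` on the option string, so the secret is not left in shell history or visible in `ps` while the mount runs.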