feat: acl on smb shares in truenas

Michele Cereda
2023-09-10 15:38:43 +02:00
parent 719fb59e32
commit fc78d8e803
5 changed files with 155 additions and 48 deletions


@@ -4,7 +4,11 @@
1. [Hardware](#hardware)
1. [Software](#software)
1. [Operational issues](#operational-issues)
1. [Operational burdens](#operational-burdens)
1. [Reserved managed port for Proxmox](#reserved-managed-port-for-proxmox)
1. [Disk passthrough](#disk-passthrough)
1. [Default permissions on files and directories](#default-permissions-on-files-and-directories)
1. [Default permissions in SMB shares](#default-permissions-in-smb-shares)
1. [Further readings](#further-readings)
1. [Sources](#sources)
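Review bot: the new TOC entry `1. [Default permissions in SMB shares](#default-permissions-in-smb-shares)` is listed at the same level as `Default permissions on files and directories`, yet the body introduces it with a `####` heading, i.e. as a subsection of that `###` section. Either nest the TOC entry under its parent or promote the heading to `###` so the navigation matches the document structure.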
@@ -24,11 +28,15 @@
[Proxmox] on bare metal, running [TrueNAS Core] as VM.
## Operational issues
## Operational burdens
### Reserved managed port for Proxmox
One NIC is used by Proxmox as _management port_.<br/>
This one is given a fixed IP address and bridged from inside the system.
### Disk passthrough
To allow for disk suspension and SMART checks from the VM, Proxmox needs to **directly** attach the disks to it:
```sh
@@ -45,7 +53,32 @@ $ qm set 100 -sata2 /dev/disk/by-id/ata-ST4000VN008-2DR166_ZGY9WL4Z
$ qm set 100 -sata3 /dev/disk/by-id/ata-ST4000VN008-2DR166_ZGY9W66G
```
Wanting to aggregate
### Default permissions on files and directories
Suppose you want a shared dataset to set the default permissions of newly created files and directories to `0664` and `0775` respectively.
The best way to achieve this would be to set up the dataset's ACLs accordingly:
| Who | ACL Type | Permissions Type | Permissions | Flags Type | Flags | Translated `getfacl` Tags | Resulting Unix Permissions |
| --------- | -------- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- | ----------------- | ---------------------------------------- | -------------------------- |
| owner@ | Allow | Advanced | Read Data, Write Data, Append Data<br/>Read Named Attributes, Write Named Attributes<br/>Read Attributes, Write Attributes<br/>Delete<br/>Read ACL, Write ACL<br/>Write Owner<br/>Synchronize | Advanced | File Inherit | ` owner@:rw-p-daARWcCos:f------:allow` | `-rw-------` |
| owner@ | Allow | Basic | Full Control | Advanced | Directory Inherit | ` owner@:rwxpDdaARWcCos:-d-----:allow` | `drwx------` |
| group@ | Allow | Advanced | Read Data, Write Data, Append Data<br/>Read Named Attributes, Write Named Attributes<br/>Read Attributes, Write Attributes<br/>Delete<br/>Read ACL, Write ACL<br/>Write Owner<br/>Synchronize | Advanced | File Inherit | ` group@:rw-p-daARWcCos:f------:allow` | `----rw----` |
| group@ | Allow | Basic | Full Control | Advanced | Directory Inherit | ` group@:rwxpDdaARWcCos:-d-----:allow` | `d---rwx---` |
| everyone@ | Allow | Advanced | Read Data<br/>Read Named Attributes<br/>Read Attributes<br/>Read ACL | Advanced | File Inherit | `everyone@:r-----a-R-c---:f------:allow` | `-------r--` |
| everyone@ | Allow | Advanced | Read Data<br/>Read Named Attributes<br/>Execute<br/>Read Attributes<br/>Read ACL | Advanced | Directory Inherit | `everyone@:r-x---a-R-c---:-d-----:allow` | `d------r-x` |
#### Default permissions in SMB shares
A simpler but arguably worse way to achieve a similar result **only for SMB shares** is by using the _mask_ `smb.conf` additional parameters in the share definition:
```txt
create mask = 664
directory mask = 775
```
If a dataset has no ACLs set and you create a SMB share for it, you are asked to create them for its filesystem.<br/>
You can cancel at this point and go for the additional parameters instead.
## Further readings
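Review bot: `create mask = 664` and `directory mask = 775` only ever clear bits, so they cannot "set the default permissions to 0664/0775" as the paragraph states: Samba derives a mode from the client's request and then ANDs it with the mask, so a file can still come out as `0644`. To actually guarantee those bits, pair the masks with `force create mode = 664` and `force directory mode = 775`, and reword the text to say the masks are an upper bound. Separately, the ACL table's `group@` entries grant Write ACL and Write Owner (the `C` and `o` letters in the `getfacl` column, `group@:rw-p-daARWcCos`), which let any member of the group rewrite the ACL or take ownership of the file; that is far more than `0664`/`0775` conveys and is invisible in the "Resulting Unix Permissions" column, so either drop those two rights from `group@` or state explicitly that they are intended.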
@@ -56,6 +89,7 @@ Wanting to aggregate
All the references in the [further readings] section, plus the following:
- [The Perfect Home Server 2023]
- [How to run TrueNAS on Proxmox?]
<!--
References
@@ -65,6 +99,7 @@ All the references in the [further readings] section, plus the following:
[corsair rm850e]: https://www.corsair.com/ww/en/p/psu/cp-9020249-ww/rme-series-rm850e-fully-modular-low-noise-atx-power-supply-cp-9020249-ww
[crucial ct2k16g4sfra32a]: https://eu.crucial.com/memory/ddr4/ct2k16g4sfra32a
[fractal design node 304]: https://www.fractal-design.com/products/cases/node/node-304/black/
[how to run truenas on proxmox?]: https://www.youtube.com/watch?v=M3pKprTdNqQ
[intel celeron n5105]: https://www.intel.com/content/www/us/en/products/sku/212328/intel-celeron-processor-n5105-4m-cache-up-to-2-90-ghz/specifications.html
[seagate ironwolf st4000vn008 4tb]: https://www.seagate.com/products/nas-drives/ironwolf-hard-drive/
[the perfect home server 2023]: https://www.youtube.com/watch?v=vjDoQA4C22c