NFS Setup Guide
NFS configuration for Frigate recordings (Docker VM → NAS).
Overview
┌─────────────────┐          NFS         ┌─────────────────┐
│    Docker VM    │ ◄──────────────────► │       NAS       │
│ (192.168.0.10)  │                      │ (192.168.0.12)  │
│                 │                      │                 │
│ /mnt/nas/       │                      │ /srv/frigate    │
│ └── frigate/    │                      │ (Purple 2TB)    │
│                 │                      │                 │
│ [Frigate NVR]   │                      │ [NFS Server]    │
└─────────────────┘                      └─────────────────┘
Purpose: Frigate runs on Docker VM (Intel N150 QuickSync) but stores recordings on NAS (WD Purple 2TB dedicated to surveillance).
NAS Configuration (Server)
1. Install NFS Server
2. Create Export Directory
# Create directory on Purple 2TB (already mounted at /mnt/purple)
sudo mkdir -p /mnt/purple/frigate
# Create symlink to it at the export path (/srv/frigate must not already exist)
sudo ln -s /mnt/purple/frigate /srv/frigate
# Set ownership (match Docker VM user)
sudo chown -R 1000:1000 /srv/frigate
sudo chmod 755 /srv/frigate
3. Configure Exports
Add the following lines to /etc/exports:
/srv/frigate 192.168.0.10(rw,sync,no_subtree_check,no_root_squash)
/srv/media 192.168.0.0/24(ro,sync,no_subtree_check)
/srv/downloads 192.168.0.0/24(rw,sync,no_subtree_check)
Options explained
- rw - Read/write access
- sync - Write changes to disk before replying (safer)
- no_subtree_check - Disable subtree checking (better performance)
- no_root_squash - Allow root access from client (needed for Docker); root on the client is not mapped to an anonymous user on the export
4. Apply Configuration
# Export the shares
sudo exportfs -ra
# Verify exports
sudo exportfs -v
# Expected output:
# /srv/frigate 192.168.0.10(rw,wdelay,no_root_squash,no_subtree_check,sec=sys,rw,secure,no_root_squash,no_all_squash)
5. Start NFS Service
sudo systemctl enable nfs-kernel-server
sudo systemctl start nfs-kernel-server
sudo systemctl status nfs-kernel-server
6. Firewall (if enabled)
# Allow NFS from Docker VM
sudo ufw allow from 192.168.0.10 to any port nfs
sudo ufw allow from 192.168.0.10 to any port 111 # portmapper
Docker VM Configuration (Client)
1. Install NFS Client
2. Create Mount Point
3. Test Mount
# Manual mount to test
sudo mount -t nfs 192.168.0.12:/srv/frigate /mnt/nas/frigate
# Verify mount
df -h /mnt/nas/frigate
ls -la /mnt/nas/frigate
# Test write access
touch /mnt/nas/frigate/test.txt
rm /mnt/nas/frigate/test.txt
4. Configure Persistent Mount
Add the following line to /etc/fstab:
Options explained
- defaults - Standard mount options
- _netdev - Wait for network before mounting
- nofail - Don't fail boot if mount fails
5. Apply and Verify
# Unmount if already mounted
sudo umount /mnt/nas/frigate
# Mount using fstab
sudo mount -a
# Verify
mount | grep frigate
df -h /mnt/nas/frigate
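Because `nofail` lets the VM boot without the share, a failed mount leaves /mnt/nas/frigate as an ordinary local directory, and anything bind-mounting it then writes to the VM disk instead of the NAS. The check below is an added example, not part of the original guide: the function name `check_nfs_mount`, its status words and the sample mount lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: confirm the recordings path is really the NAS export.
# check_nfs_mount MOUNTPOINT EXPECTED_SOURCE [MOUNTS_FILE]
# Prints a status word; returns 0 ok, 1 not mounted, 2 not NFS, 3 wrong server/path.
# MOUNTS_FILE defaults to /proc/mounts; "-" reads stdin (used by the demo below).
check_nfs_mount() {
  awk -v mp="$1" -v want="$2" '
    $2 == mp { src = $1; fs = $3; seen = 1 }  # last entry wins for stacked mounts
    END {
      if (!seen)           { print "not-mounted";       exit 1 }
      if (fs !~ /^nfs4?$/) { print "not-nfs:" fs;       exit 2 }
      if (src != want)     { print "wrong-source:" src; exit 3 }
      print "ok"
    }' "${3:-/proc/mounts}"
}

# Constructed sample in /proc/mounts format (not captured from a real host).
sample_mounts() {
  cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
192.168.0.12:/srv/frigate /mnt/nas/frigate nfs4 rw,relatime,vers=4.2,addr=192.168.0.12 0 0
EOF
}

# Constructed failure case: the mount never happened, only the local root fs exists.
sample_mounts_unmounted() {
  printf '%s\n' '/dev/sda1 / ext4 rw,relatime 0 0'
}

sample_mounts | check_nfs_mount /mnt/nas/frigate 192.168.0.12:/srv/frigate -
sample_mounts_unmounted | check_nfs_mount /mnt/nas/frigate 192.168.0.12:/srv/frigate - \
  || echo "refusing to start Frigate (exit $?)"
```

On the Docker VM, call it with only the first two arguments so it reads /proc/mounts, and start the Frigate container only when it returns 0.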
Frigate Configuration
Docker Compose
In docker/fixed/docker-vm/security/docker-compose.yml:
Environment
In .env:
Frigate Config
In frigate.yml:
Recordings will be stored at /media/frigate inside the container, which maps to /mnt/nas/frigate on the host, which is the NFS mount to NAS.
Troubleshooting
Mount Fails on Boot
# Check if NFS services are running
systemctl status nfs-common
# Check network connectivity
ping 192.168.0.12
# Try manual mount with verbose output
sudo mount -v -t nfs 192.168.0.12:/srv/frigate /mnt/nas/frigate
Permission Denied
# On NAS: Check ownership
ls -la /srv/frigate
# Should be owned by UID 1000
sudo chown -R 1000:1000 /srv/frigate
# On NAS: Check exports
sudo exportfs -v
# Ensure no_root_squash is set
Stale File Handle
# Unmount and remount
sudo umount -f /mnt/nas/frigate
sudo mount -a
# Or lazy unmount if busy
sudo umount -l /mnt/nas/frigate
sudo mount -a
NFS Performance
Verification Checklist
NAS (Server)
- [ ] NFS server installed and running
- [ ] /srv/frigate directory exists
- [ ] Ownership set to 1000:1000
- [ ] Export configured in /etc/exports
- [ ] exportfs -v shows the share
Docker VM (Client)
- [ ] NFS client installed
- [ ] /mnt/nas/frigate mount point exists
- [ ] Manual mount works
- [ ] fstab entry added
- [ ] mount -a succeeds
- [ ] Write test passes
Frigate
- [ ] FRIGATE_RECORDINGS set in .env
- [ ] Container starts without errors
- [ ] Recordings appear in /mnt/nas/frigate
Alternative: Via Tailscale
If accessing via the Tailscale mesh instead of the local network:
# /etc/exports on NAS
/srv/frigate 100.68.63.168(rw,sync,no_subtree_check,no_root_squash)
# /etc/fstab on Docker VM
100.82.77.97:/srv/frigate /mnt/nas/frigate nfs defaults,_netdev,nofail 0 0
This allows Frigate to access NAS recordings even when it is not on the local network.
Security Considerations
Network Isolation
NFS is only accessible on the local LAN (192.168.0.0/24):
- Firewall restricts access to specific IPs
- NFS ports not exposed to internet
- OPNsense blocks NFS traffic from IoT/Guest VLANs
Export Options
| Option | Security Impact |
|---|---|
| 192.168.0.10 | Only Docker VM can access (not subnet wildcard) |
| sync | Data integrity - writes confirmed before reply |
| no_root_squash | Needed for Docker; client root acts as root on the export, so the export is limited to a specific IP |
Hardening (Optional)
For additional security, consider:
# Use sec=krb5p for Kerberos encryption (complex setup)
/srv/frigate 192.168.0.10(rw,sync,no_subtree_check,no_root_squash,sec=krb5p)
# Or export as the NFSv4 root (fsid=0); this alone does not change authentication, so combine it with sec=krb5* for stronger authentication
/srv/frigate 192.168.0.10(rw,sync,no_subtree_check,no_root_squash,fsid=0)
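The export options discussed in this section can be checked mechanically. The following is an added example, not part of the original guide: a shell function `audit_exports` that reads exports(5)-format lines and flags `no_root_squash`, multi-host `rw`, `insecure`, and the absence of `sec=krb5*`. The function name, severity labels and messages are assumptions made for illustration; the sample input is the three export lines from this guide.

```sh
#!/bin/sh
# Added example: flag risky client/option pairs in exports(5)-format input.
# Reads the files given as arguments, or stdin when none are given.
# Output: one "LEVEL path client reason" line per finding.
audit_exports() {
  awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^#/) break                   # trailing comment
        client = $i; opts = ""
        p = index($i, "(")
        if (p > 0) {
          client = substr($i, 1, p - 1)
          opts = substr($i, p + 1, length($i) - p - 1)
        }
        if (client == "") client = "*"         # bare "(opts)" means any host
        rw = 0; nrs = 0; krb = 0; insecure = 0
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "rw") rw = 1
          if (o[j] == "no_root_squash") nrs = 1
          if (o[j] == "insecure") insecure = 1
          if (o[j] ~ /^sec=krb5/) krb = 1
        }
        # A wildcard, netmask/CIDR or netgroup client matches more than one host.
        wide = (client ~ /[*?]/ || index(client, "/") > 0 || client ~ /^@/)
        if (nrs && wide) print "HIGH", path, client, "no_root_squash to multiple hosts"
        else if (nrs)    print "WARN", path, client, "no_root_squash: client root is root on the export"
        if (rw && wide)  print "WARN", path, client, "rw to multiple hosts"
        if (insecure)    print "WARN", path, client, "insecure: unprivileged source ports accepted"
        if (!krb)        print "INFO", path, client, "no sec=krb5*: server trusts client IP and UID"
      }
    }' "$@"
}

# Constructed sample: the three export lines from this guide.
sample_exports() {
  cat <<'EOF'
/srv/frigate 192.168.0.10(rw,sync,no_subtree_check,no_root_squash)
/srv/media 192.168.0.0/24(ro,sync,no_subtree_check)
/srv/downloads 192.168.0.0/24(rw,sync,no_subtree_check)
EOF
}

sample_exports | audit_exports
```

On the NAS, run `audit_exports /etc/exports`; the INFO lines mark exports where the single-IP restriction is the only access control.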
Monitoring
Related Documentation
- docs/architecture/hardware.md - NAS drive layout (Purple 2TB for Frigate)
- docs/architecture/fixed-homelab.md - Docker VM and NAS setup
- docs/strategy/security-hardening.md - General security practices
- docker/fixed/docker-vm/security/docker-compose.yml - Frigate config