TrueNAS Goldeye — Cauldron Share Setup
Pool: primary
Dataset: cauldron
Users
Credentials → Local Users → Add (three users):
| User | Primary Group | Password | SMB Auth |
|---|---|---|---|
| alchemy | alchemy | set one | yes |
| jellyfin | jellyfin | none/disabled | no |
| navidrome | navidrome | none/disabled | no |
TrueNAS auto-creates the matching group for each user by default.
ACL on Cauldron
Datasets → cauldron → Edit Permissions
- Owner: alchemy
- Owner Group: alchemy
ACL entries:
| Who | Permission | Type |
|---|---|---|
| owner@ | Full Control | Allow |
| User jellyfin | Modify | Allow |
| User navidrome | Modify | Allow |
| everyone@ | Read / Traverse | Allow |
Check Apply permissions recursively, then hit Save Access Control List.
Do NOT hit "Strip ACL" — that converts NFSv4 ACLs to POSIX and breaks the deny-ACE locking trick.
SMB Share
Shares → SMB → Add:
- Path: /mnt/primary/cauldron
- Name: cauldron
- Preset: Default / Private SMB Datasets and Shares
Enable SMB service if not already running.
Connect from Windows: \\TRUENAS_IP\cauldron, log in as alchemy.
alchemy has full control over everything. The Video and Music folders appear as normal folders inside the share.
NFS Shares
Shares → NFS → Add (two shares):
Video
- Path: /mnt/primary/cauldron/Video
- Mapall User: jellyfin
- Mapall Group: jellyfin
- Authorized Networks: your subnet (e.g. 192.168.1.0/24)
Music
- Path: /mnt/primary/cauldron/Music
- Mapall User: navidrome
- Mapall Group: navidrome
- Authorized Networks: your subnet
Enable NFS service if not already running.
Client-side mounts
mount -t nfs TRUENAS_IP:/mnt/primary/cauldron/Video /mnt/video
mount -t nfs TRUENAS_IP:/mnt/primary/cauldron/Music /mnt/music
Each NFS share is jailed to its exported path — clients cannot traverse up to cauldron.
Locking Files from NFS Write/Delete
SSH into TrueNAS. The lock uses NFSv4 DENY ACEs that target the specific NFS user. alchemy is unaffected because the deny is user-specific.
Flags: w = write data, a = append data, d = delete, D = delete child (for directories).
Lock a file
# Deny jellyfin write + delete on a video file
nfs4_setfacl -A 0 D::jellyfin:wadD /mnt/primary/cauldron/Video/somefile.mkv
# Deny navidrome write + delete on a music file
nfs4_setfacl -A 0 D::navidrome:wadD /mnt/primary/cauldron/Music/somefile.flac
Unlock a file
nfs4_setfacl -x D::jellyfin:wadD /mnt/primary/cauldron/Video/somefile.mkv
nfs4_setfacl -x D::navidrome:wadD /mnt/primary/cauldron/Music/somefile.flac
Check current ACL on a file
nfs4_getfacl /mnt/primary/cauldron/Video/somefile.mkv
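The lock depends on the deny ACE sitting at position 0, ahead of jellyfin's Allow entry. The following added example (not part of the original page) is a small Python model of ordered NFSv4 ACL evaluation over a constructed ACL that mirrors the table above. The permission strings are simplified assumptions, and only the file's own ACL is modelled, so parent-directory effects on delete are out of scope.

```python
# Constructed ACL in the page's type:flags:principal:permissions notation.
# Only r, x and the four letters defined above (w, a, d, D) are used.
BASE_ACL = [
    "A::OWNER@:rwaxdD",     # owner@ Full Control (abbreviated)
    "A::jellyfin:rwaxdD",   # jellyfin Modify
    "A::navidrome:rwaxdD",  # navidrome Modify
    "A::EVERYONE@:rx",      # everyone@ Read / Traverse
]
LOCK_ACE = "D::jellyfin:wadD"
LOCKED_ACL = [LOCK_ACE] + BASE_ACL     # deny inserted at position 0
MISPLACED_ACL = BASE_ACL + [LOCK_ACE]  # same deny, but appended last


def parse_ace(line):
    ace_type, _flags, who, perms = line.strip().split(":")
    return ace_type.upper(), who, set(perms)


def matches(who, user, owner):
    # Group entries are not modelled; the page's ACL has none.
    if who.upper() == "EVERYONE@":
        return True
    if who.upper() == "OWNER@":
        return user == owner
    return who == user


def check_access(acl, user, wanted, owner="alchemy"):
    """True if every permission letter in `wanted` is granted to `user`.

    ACEs are walked top to bottom; the first matching ACE that mentions a
    still-undecided letter settles it, so the ACE's position decides.
    """
    pending = set(wanted)
    for ace_type, who, perms in map(parse_ace, acl):
        if not matches(who, user, owner) or not (perms & pending):
            continue
        if ace_type == "D":
            return False      # an undecided letter met a DENY first
        pending -= perms      # ALLOW settles these letters
        if not pending:
            return True
    return False              # letters nobody allowed are not granted


def locked(acl, user):
    """True when `user` can neither write nor append to the file."""
    return not (check_access(acl, user, "w") or check_access(acl, user, "a"))
```

When reading real `nfs4_getfacl` output, the same rule applies: the `D::jellyfin` line must appear above any `A::` line that grants jellyfin `w` or `a`.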