NFS Mount Automation¶
This guide covers the automated NFS mount setup using 1Password for credential management.
Overview¶
The NFS mount automation system integrates with 1Password to securely store and retrieve mount credentials, automatically configuring NFS shares on macOS.
Features¶
- 🔐 Secure Credential Storage - Credentials stored in 1Password
- 🤖 Automated Setup - Mounts configured automatically
- 📝 fstab Integration - Optional persistent mounts
- ✅ Validation - Tests mounts before committing
- 🔄 Idempotent - Safe to run multiple times
Prerequisites¶
- 1Password Account - With CLI access
- 1Password CLI - Installed and configured
- NFS Server - Accessible from your network
- Admin Access - Required for fstab modifications
1Password Setup¶
Install 1Password CLI¶
The CLI is automatically installed via Homebrew in your dotfiles:
Authenticate¶
Sign in to 1Password:
Or use biometric authentication:
Creating Mount Entries¶
Item Structure¶
Create items in 1Password with:
- Tag: nfs-mount
- Fields:
  - server - NFS server hostname/IP
  - share - NFS export path
  - mount_point - Local mount location
  - options (optional) - Mount options
  - add_to_fstab (optional) - "true" or "false"
Example Entry¶
Item Name: Home Media Server
Fields:
server: nas.home.lan
share: /volume1/media
mount_point: /Users/username/mnt/media
options: rw,noowners,nolockd,noresvport,hard,bg,intr,rw,tcp,nfc
add_to_fstab: true
Using 1Password GUI¶
- Open 1Password
- Create new item (type: Secure Note or Server)
- Add tag: nfs-mount
- Add fields as shown above
- Save
Using 1Password CLI¶
# Create template
op item create \
  --category="Secure Note" \
  --title="NFS Mount Name" \
  --tags="nfs-mount" \
  server="nas.local" \
  share="/export/path" \
  mount_point="/Users/$USER/mnt/name"
Mount Options¶
Common NFS mount options:
Basic Options¶
- rw - Read-write access
- ro - Read-only access
- noowners - Ignore ownership (for compatibility)
- nolockd - Disable lock daemon
Network Options¶
- noresvport - Use non-privileged ports
- tcp - Use TCP protocol (recommended)
- udp - Use UDP protocol
- vers=3 - Use NFSv3
- vers=4 - Use NFSv4
Reliability Options¶
- hard - Hard mount (recommended for important data)
- soft - Soft mount (timeout and return error)
- intr - Allow interruption of mount operations
- bg - Retry mount in background if it fails
Performance Options¶
- rsize=8192 - Read buffer size
- wsize=8192 - Write buffer size
- timeo=900 - Timeout (in tenths of seconds)
- retrans=5 - Number of retransmissions
macOS Specific¶
- nfc - Use NFS version 4 with Kerberos
- noquota - Disable quota checking
Recommended Configuration¶
This provides:
- Read-write access
- Ignores Unix ownership (macOS compatibility)
- No file locking
- Non-reserved ports
- Hard mount with background retry
- Interruptible operations
- TCP protocol
- NFS version 4
Automation Script¶
The run_once_setup-nfs-mounts.sh.tmpl script handles all mount operations.
Script Features¶
- Discovery - Finds all nfs-mount tagged items in 1Password
- Validation - Verifies server accessibility
- Mount Point Creation - Creates directories if needed
- Mounting - Mounts NFS shares with specified options
- fstab Management - Optionally adds persistent mounts
- Error Handling - Provides clear error messages
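As an added example (not the project's run_once_setup-nfs-mounts.sh.tmpl script): the fields of an nfs-mount item end up on a `sudo mount` command line and in /etc/fstab, so this checks them against an allow-list before use and adds the fstab entry idempotently. The function names, MOUNT_ROOT and the allow-list (the options this page documents) are assumptions, and the demo writes to a scratch file rather than /etc/fstab.

```sh
#!/bin/sh
# Added example (not the project's script). Field names come from the page;
# function names, MOUNT_ROOT and the option allow-list are assumptions.
MOUNT_ROOT=${MOUNT_ROOT:-$HOME/mnt}   # mount points must live under here

valid_options() (   # subshell body keeps the IFS change local
    IFS=,; set -f
    for opt in $1; do
        case "$opt" in
            rw|ro|noowners|nolockd|noresvport|tcp|udp|hard|soft|intr|bg|nfc|noquota|vers=3|vers=4) ;;
            rsize=*|wsize=*|timeo=*|retrans=*)
                case "${opt#*=}" in ''|*[!0-9]*) exit 1 ;; esac ;;
            *) exit 1 ;;   # unknown option, embedded space or newline
        esac
    done
)

valid_fields() {   # args: server share mount_point options
    case "$1" in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac    # hostname or IPv4 only
    case "$2" in /*) ;; *) return 1 ;; esac                  # absolute export path
    case "$3" in "$MOUNT_ROOT"/?*) ;; *) return 1 ;; esac    # confined to MOUNT_ROOT
    case "$2$3" in *[!A-Za-z0-9._/-]*|*..*) return 1 ;; esac # no whitespace or traversal
    valid_options "$4"
}

fstab_line() {   # same args; prints one entry in the page's fstab format
    printf '%s:%s %s nfs %s 0 0\n' "$1" "$2" "$3" "${4:-rw}"   # "rw" default is assumed
}

ensure_fstab_entry() {   # args: fstab_file server share mount_point options
    f=$1; shift
    if ! valid_fields "$@"; then printf 'rejected item for %s\n' "$3" >&2; return 2; fi
    line=$(fstab_line "$@")
    if grep -qxF -- "$line" "$f" 2>/dev/null; then return 0; fi   # idempotent re-run
    tmp=$(mktemp) || return 1
    if [ -f "$f" ]; then awk -v mp="$3" '$2 != mp' "$f" > "$tmp"; fi   # drop stale entry
    printf '%s\n' "$line" >> "$tmp"
    cat "$tmp" > "$f"; rm -f "$tmp"
}

# Constructed demo on a scratch file, never the live /etc/fstab.
demo=$(mktemp); MOUNT_ROOT=/Users/username/mnt
ensure_fstab_entry "$demo" nas.local /export/media /Users/username/mnt/media rw,hard,bg,tcp
ensure_fstab_entry "$demo" nas.local /export/media /Users/username/mnt/media rw,hard,bg,tcp
cat "$demo"; rm -f "$demo"
```

Running the demo prints a single fstab line even though the entry is requested twice; an item with an unlisted option or a mount point outside MOUNT_ROOT returns status 2 and leaves the file untouched.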
Execution¶
The script runs automatically when you apply your dotfiles:
Manual execution:
Force re-run:
Persistent Mounts (fstab)¶
Adding to fstab¶
Set add_to_fstab: true in the 1Password item to persist mounts across reboots.
fstab entry format:
Manual fstab Management¶
Edit fstab:
Add entry:
nas.local:/export/media /Users/username/mnt/media nfs rw,noowners,nolockd,noresvport,hard,bg,intr,tcp 0 0
Mount all fstab entries:
Removing from fstab¶
- Set add_to_fstab: false in 1Password
- Re-run the script
- Or manually edit with sudo vifs
Manual Mount Operations¶
Mount NFS Share¶
# Create mount point
mkdir -p ~/mnt/media
# Mount
sudo mount -t nfs -o rw,noowners,nolockd nas.local:/export/media ~/mnt/media
Unmount¶
Force unmount:
Check Mounts¶
List all mounts:
Show mount details:
Troubleshooting¶
Mount Fails¶
Check server accessibility:
Test mount manually:
Permission Denied¶
Verify NFS export permissions on server:
Ensure client IP is allowed in server's export configuration.
Stale File Handle¶
Unmount and remount:
Mount Point Busy¶
Find processes using mount:
Kill processes or wait, then unmount.
1Password Authentication¶
Re-authenticate:
Check CLI access:
Network Issues¶
Check network connectivity:
Test NFS protocol:
Best Practices¶
- Use Hard Mounts - For important data
- Enable Background Retry - Use bg option
- Use TCP - More reliable than UDP
- Set Timeouts - Prevent hanging on network issues
- Test Before fstab - Verify mounts work before persisting
- Document Shares - Use descriptive 1Password item names
- Regular Testing - Verify mounts after network changes
- Backup Credentials - 1Password emergency kit
Security Considerations¶
- Network Security
  - Use VPN for remote access
  - Restrict NFS exports to trusted IPs
  - Consider NFSv4 with Kerberos
- Credential Management
  - Keep 1Password vault secure
  - Use strong master password
  - Enable 2FA on 1Password
- Server Configuration
  - Use root_squash on server
  - Limit export access by IP/subnet
  - Regular security updates
- Local Security
  - Protect mount points with appropriate permissions
  - Don't store sensitive data on NFS without encryption
  - Monitor access logs
Advanced Configuration¶
Multiple Servers¶
Create separate 1Password items for each mount:
Item 1: Media Server (nas1.local:/media)
Item 2: Backup Server (nas2.local:/backups)
Item 3: Work Server (work.local:/projects)
Conditional Mounts¶
Use network detection to mount only when on specific networks:
if [[ "$(networksetup -getairportnetwork en0 | awk '{print $4}')" == "HomeNetwork" ]]; then
  sudo mount ~/mnt/media
fi
Auto-mount on Network Connect¶
Use macOS Launch Agents to trigger mounts when network connects.
Automount¶
Enable automount service:
Configure auto_master: