Skip to main content

Samba NAS

The CM5 runs a Samba server exposing four shares: Windows network backups, Apple Time Machine, read-only access to Frigate snapshots, and a Gentoo binary package host. Avahi provides mDNS registration so macOS clients discover the Time Machine share automatically without manual configuration.

Package requirements

The following packages are installed by the image script: 
STACK_PACKAGES=(
    samba
    avahi          # mDNS for Time Machine discovery
    nss-mdns
    nginx          # serve Gentoo binhost over HTTP
    rsync          # sync packages to binhost
)

smb.conf

The complete Samba configuration is written to /etc/samba/smb.conf by the image script:
/etc/samba/smb.conf
[global]
    workgroup = WORKGROUP
    server string = CM5-NAS
    server role = standalone server
    log file = /var/log/samba/%m.log
    max log size = 50
    dns proxy = no
    # mDNS / TimeMachine
    multicast dns register = yes

[windows-backups]
    path = /srv/nas/windows-backups
    valid users = @nas-users
    read only = no
    browsable = yes
    create mask = 0664
    directory mask = 0775

[timemachine]
    path = /srv/nas/timemachine
    valid users = @nas-users
    read only = no
    fruit:aapl = yes
    fruit:time machine = yes      # TimeMachine over SMB
    vfs objects = catia fruit streams_xattr

[frigate-snapshots]
    path = /media/frigate/snapshots
    valid users = @nas-users
    read only = yes
    browsable = yes

[gentoo-binhost]
    path = /srv/gentoo-binhost
    public = yes
    read only = yes
    browsable = yes

Share reference

Sets the server role to standalone (no Active Directory domain), registers the server via mDNS with multicast dns register = yes, and limits log files to 50 KB per client. Replace WORKGROUP with your Windows workgroup name if needed.
A read/write share for Windows File History and manual backups. Access is restricted to members of the nas-users group. Files are created with 0664 permissions and directories with 0775 to allow group members to read each other’s files.
Apple Time Machine share using the fruit VFS module stack: catia handles macOS special characters in filenames, fruit provides the AFP-compatibility layer and Time Machine advertisement, and streams_xattr stores extended attributes as filesystem xattrs rather than separate files. fruit:aapl = yes enables Apple extensions protocol negotiation.
Read-only share exposing /media/frigate/snapshots. Members of nas-users can browse and download detection snapshots from any SMB client without SSH access to the CM5.
Public read-only share for Gentoo binary packages. The same directory is also served over HTTP by nginx — see the Gentoo binhost section below.

User and group setup

All share access (except gentoo-binhost) requires membership in the nas-users group: 
# create the group
groupadd nas-users

# add a user to the group
usermod -aG nas-users <username>

# create a Samba password for the user (separate from the system password)
smbpasswd -a <username>
Samba maintains its own password database separate from /etc/shadow. Run smbpasswd -a <username> for every user who needs SMB access — system account passwords do not apply.

Apple Time Machine over SMB

macOS discovers Time Machine destinations advertised over mDNS. The fruit VFS module handles the advertisement when combined with Avahi.

Avahi service advertisement

Create an Avahi service file to advertise the Time Machine share:
/etc/avahi/services/timemachine.service
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h Time Machine</name>
  <service>
    <type>_smb._tcp</type>
    <port>445</port>
  </service>
  <service>
    <type>_adisk._tcp</type>
    <port>9</port>
    <txt-record>sys=waMa=0,adVF=0x100</txt-record>
    <txt-record>dk0=adVN=timemachine,adVF=0x82</txt-record>
  </service>
</service-group>
The _adisk._tcp service record is what macOS looks for when populating the Time Machine destination list. adVN=timemachine must match the Samba share name exactly.

Enabling services

systemctl enable --now smb.service nmb.service
systemctl enable --now avahi-daemon.service
nmb.service provides NetBIOS name resolution for older Windows clients. It is not required for macOS Time Machine but is harmless to enable.

Configuring Time Machine on macOS

1

Open Time Machine preferences

Go to System SettingsGeneralTime Machine.
2

Add backup disk

Click Add Backup Disk. The CM5 should appear as CM5-NAS in the list under Network Locations.
3

Authenticate

Enter the credentials for a user in the nas-users group (the Samba password, not the system password).
4

Select the timemachine share

Choose the timemachine share as the backup destination.
If the CM5 does not appear in the Time Machine picker, run avahi-browse -a on the CM5 to verify it is advertising the _adisk._tcp service, and check that avahi-daemon.service is running.

Gentoo binhost (nginx)

The gentoo-binhost share is also served over HTTP by nginx, which Portage uses to fetch binary packages directly via URL:
/etc/nginx/sites-available/gentoo-binhost
server {
    listen 80;
    server_name gentoo-binhost.local;

    root /srv/gentoo-binhost;
    autoindex on;

    # Gentoo portage fetches packages by path
    # /srv/gentoo-binhost/
    #   └── aarch64-unknown-linux-gnu/
    #       └── packages/
    #           └── *.gpkg.tar  or  *.xpak

    location / {
        try_files $uri $uri/ =404;
    }

    # compress package listings
    gzip on;
    gzip_types text/plain application/octet-stream;
}
Enable the site and start nginx: 
ln -s /etc/nginx/sites-available/gentoo-binhost /etc/nginx/sites-enabled/
systemctl enable --now nginx.service
On a Gentoo client, add the following to make.conf to use the CM5 as a binary host:
/etc/portage/make.conf
BINPKG_FORMAT="gpkg"
PORTAGE_BINHOST="http://gentoo-binhost.local/aarch64-unknown-linux-gnu/packages/"
Then install packages from the binhost: 
emerge --getbinpkg <package>

Syncing packages to the binhost

Use rsync to push built packages from a Gentoo build machine to the CM5: 
rsync -avz /var/cache/binpkgs/ cm5:/srv/gentoo-binhost/aarch64-unknown-linux-gnu/packages/

Storage layout

PathSharePurpose
/srv/nas/windows-backupswindows-backupsWindows File History and manual backups
/srv/nas/timemachinetimemachinemacOS Time Machine backups
/media/frigate/snapshotsfrigate-snapshotsFrigate detection snapshots (read-only)
/srv/gentoo-binhostgentoo-binhostGentoo binary packages (SMB + HTTP)
The image script creates all NAS directories at build time: 
mkdir -p /srv/nas/{windows-backups,timemachine,mosquitto-data,mosquitto-log}
mkdir -p /srv/gentoo-binhost
Consider mounting /srv/nas on a dedicated Btrfs subvolume on the NVMe or SATA drive for performance and snapshot isolation. The @frigate subvolume already has nodatacow set — apply the same flag to any subvolume that holds large, frequently written files.

Build docs developers (and LLMs) love

Get started for freeTalk to us