user collaboration for NAS and FBX "cloud" apps on central user-data (& simpler backup/external disk mapping)
List of things to allow freedombox users to easily work and collaborate (in all sub-groups, and one-to-one) on their user-data files with/from all available apps (the best app for each particular task), i.e. on a shared /home filesystem that contains auto-created group directories (that work without any of the usual permission hassles and copy/move problems).
Basic trick: "when each user is in their own (private) group, the given group permissions on created files (umask) are moot until you write into a set-group-id directory"
Benefits
first collaborative NAS solution
- Beyond just bulk network storage space.
- Individual user- and group-directories work out-of-the-box without requiring any custom administration or permission handling.
"Cloud apps" features
- Online access to user-data through a web-based filemanager.
- All Freedombox apps storing their user-data in /home/ or /home/group/, and the files accessible to the users directly and with other apps where useful (e.g. syncthing).
Advanced features
- Possibly using the freedombox as an LDAP login server and allowing clients to boot from a PXE netboot server app.
- Remotely mounting the central freedombox user dirs under /home on local network clients.
The desirable practice is to just have to go into a directory like /home/<user>/<app>, /home/group/<groupname>, or (if an app really only supports a fixed directory location) /home/group/<appname>.
How to administer the NAS / "cloud" features?
Not needed: all users and groups created get their sharing folders automatically below /home/ and /home/group/ (group directories).
How to use the NAS / "cloud" features?
Simply browse the /home filesystem or the (single, central) network share, when prompted (remote samba user) enter your freedombox user credentials, and work with the files in the accessible user and group folders (according to unix file permissions).
Note: Apps themselves continue to need and use (invisible) ACLs to access their specific subdirectories within the user and group dirs (whenever apps run under their own UID instead of the user's). For the users, however, the access permissions to the files simply depend on their locations within the /home directory tree (UPG scheme).
Tasklist
(For testing, a script is available to create the group directories: $518)
- Make debian's UPG scheme work for collaboration dirs (#1889)
- Improve home directory skeletons (in debian's upstream?), to automatically create collaboration directories for every newly created user and group (with incoming/ and private/ sub-dirs https://wiki.debian.org/UserPrivateGroups#Using_User_Private_Groups).
- Automatically fix falsely set (client-enforced) permissions (from SFTP uploads or moved files), with inotifywatches on the /home/group dirs. #1796 (comment 177325)
- Ship with a default /home network share that requires user credentials. Or a public "/" share that only lists non-system, world-readable dirs to allow browsing, and will request user credentials to enter and browse /home (belonging to "users" group?)?
- Adjust the current network sharing UI that maps disks to individually configured shares, to map (bind mount) disks to (possibly multiple) location(s) below /home and in this way define the granted access permission(s): Instead of having to pick the disk drives and being able to select only from three (user-only, single-group, and public) sharing modes, the UI can allow picking the disk drive and ticking off users and groups from their familiar /home directory tree (listing) (technically, additional (bind) mounts will map the mounted disk to the individual user and group dirs, providing them with filesystem access permissions). And a single toggle could switch between sharing the whole disk or just a specially created directory on it.
- (ideally) find and include a compatible web-based file manager app to access /home (filestash? from the apps to include list)
- (optionally) list the user and group directories in the /home share (access-UI #1869 (comment 179788))
- (optionally) make further use of the /home directory listing in the access-UI and allow admins to add/remove users and groups right there on the same page by "adding new user directories" (i.e. user management seamlessly integrated in a single, central "access" UI). Then users won't have to "descend into the system configuration to manage user accounts", but can instead add a new directory on the NAS for the user right there in the "access" app.
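A repair pass for the permission-fixing task in the list above, as an added example (not the script from $518 and not FreedomBox code): it walks one group directory, reports entries whose group or group/setgid bits break the scheme from the "basic trick", and optionally repairs them. The function names and the constructed sample tree are assumptions for illustration; a Linux filesystem is assumed.

```python
import os
import stat
import tempfile

GROUP_RW = stat.S_IRGRP | stat.S_IWGRP
GROUP_DIR = GROUP_RW | stat.S_IXGRP | stat.S_ISGID  # setgid: new entries inherit the group

def audit_group_dir(root, fix=False):
    """Return [(relative path, problems)] for entries breaking the scheme; repair if fix."""
    group_gid = os.stat(root).st_gid  # the group directory's own group is the reference
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinks
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)
        is_dir = stat.S_ISDIR(st.st_mode)
        # Skip symlinks, special files and multiply-linked files: a privileged repair
        # pass must never change the group or mode of something outside this tree.
        if not (is_dir or stat.S_ISREG(st.st_mode)) or (not is_dir and st.st_nlink > 1):
            continue
        need = GROUP_DIR if is_dir else GROUP_RW
        problems = []
        if st.st_gid != group_gid:
            problems.append("wrong group")
        if st.st_mode & need != need:
            problems.append("missing group bits")
        if not problems:
            continue
        findings.append((os.path.relpath(path, root), problems))
        if fix:
            if st.st_gid != group_gid:  # chown before chmod: chown may strip setgid
                os.chown(path, -1, group_gid, follow_symlinks=False)
            os.chmod(path, stat.S_IMODE(st.st_mode) | need)
    return findings

def make_sample_tree():
    """Constructed sample: a group dir holding an upload that kept owner-only modes."""
    root = tempfile.mkdtemp(prefix="groupdir-")
    os.chmod(root, 0o2770)  # what a group directory looks like under the scheme
    upload = os.path.join(root, "sftp-upload")
    os.mkdir(upload)
    os.chmod(upload, 0o700)  # client-enforced mode, setgid lost
    for path, mode in ((os.path.join(root, "notes.txt"), 0o660),
                       (os.path.join(upload, "report.txt"), 0o600)):
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)
    return root
```

An inotify-based watcher would run the same check on the path named in each create or move event instead of walking the whole tree.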
Related discussions of many aspects:
- https://discuss.freedombox.org/t/default-user-home-shares-and-out-of-the-box-collaboration/973/10
- https://discuss.freedombox.org/t/request-for-comments-agenda-items-for-2020-summit/1227/13
- #1796 (closed)
- #1869
This issue also implements an important part of having a central /home location for all local data (#1885).