Volumes & Storage

niso volumes provide persistent storage with access control, snapshots, encryption, and secure cleanup.

Volume types#

niso supports three types of storage:

manifest.toml

[volumes]# Named volume — managed by niso, persists across restartsdata = { mount = "/data", mode = "rw" }# Tmpfs — ephemeral, RAM-backed, fastcache = { mount = "/cache", tmpfs = true, size = "256M" }# Bind mount — map a host directory into the serviceconfig = { mount = "/config", host = "/etc/my-api", mode = "ro" }

Managing volumes#

bash

# Create a named volume$ niso volume create app-data# Create with options$ niso volume create app-data --shared --size-limit 10G --encrypted# List volumes$ niso volume list  NAME        SIZE    SERVICES    ENCRYPTED  app-data    245 MB  api (rw)    no  pg-data     1.2 GB  postgres    no# Inspect a volume$ niso volume inspect app-data# Show disk usage breakdown$ niso volume usage# Remove a volume$ niso volume remove app-data# Cleanup unused volumes$ niso volume prune --dry-run$ niso volume prune

Access control#

Volumes have explicit access grants. A service can only mount a volume if it has been granted access. This prevents accidental data sharing.

bash

# Grant read-write access$ niso volume grant app-data --service api --mode rw# Grant read-only access$ niso volume grant app-data --service cdn --mode ro# View access list$ niso volume access app-data  SERVICE    MODE  api        rw  cdn        ro# Revoke access$ niso volume revoke app-data --service cdn

Exclusive mode

Volumes declared with exclusive = true in a stack can only be mounted by one service at a time. This prevents concurrent writes to databases.

Snapshots and backups#

bash

# Create a snapshot (tar.zst archive)$ niso volume snapshot app-data  Created snapshot: app-data-2026-04-12T10:00:00.tar.zst# Restore from snapshot$ niso volume restore app-data --from app-data-2026-04-12T10:00:00.tar.zst# Export for migration$ niso volume export app-data --output /tmp/app-data-export.tar.zst# Import on another machine$ niso volume import app-data --from /tmp/app-data-export.tar.zst

Audit log#

Track who accessed what:

bash

$ niso volume audit --since 24h  2026-04-12T08:00  api      mount   app-data  rw  2026-04-12T06:00  backup   export  app-data  2026-04-11T22:00  api      mount   app-data  rw

Security#

All volume mounts include security hardening:

nosuid — prevent setuid binaries
nodev — no device nodes
nosymfollow — prevent symlink escapes
Optional LUKS2 encryption at rest
Size limits via filesystem quotas
Secure wipe on volume deletion

Encryption#

Enable per-volume encryption with LUKS2. Keys are stored in /var/lib/niso/keys/.

bash

$ niso volume create secrets --encrypted  Created encrypted volume: secrets  Key stored at: /var/lib/niso/keys/secrets.key

Volumes & Storage

niso volumes provide persistent storage with access control, snapshots, encryption, and secure cleanup.

Volume types#

niso supports three types of storage:

manifest.toml

[volumes]# Named volume — managed by niso, persists across restartsdata = { mount = "/data", mode = "rw" }# Tmpfs — ephemeral, RAM-backed, fastcache = { mount = "/cache", tmpfs = true, size = "256M" }# Bind mount — map a host directory into the serviceconfig = { mount = "/config", host = "/etc/my-api", mode = "ro" }

Managing volumes#

bash

# Create a named volume$ niso volume create app-data# Create with options$ niso volume create app-data --shared --size-limit 10G --encrypted# List volumes$ niso volume list  NAME        SIZE    SERVICES    ENCRYPTED  app-data    245 MB  api (rw)    no  pg-data     1.2 GB  postgres    no# Inspect a volume$ niso volume inspect app-data# Show disk usage breakdown$ niso volume usage# Remove a volume$ niso volume remove app-data# Cleanup unused volumes$ niso volume prune --dry-run$ niso volume prune

Access control#

Volumes have explicit access grants. A service can only mount a volume if it has been granted access. This prevents accidental data sharing.

bash

# Grant read-write access$ niso volume grant app-data --service api --mode rw# Grant read-only access$ niso volume grant app-data --service cdn --mode ro# View access list$ niso volume access app-data  SERVICE    MODE  api        rw  cdn        ro# Revoke access$ niso volume revoke app-data --service cdn

Exclusive mode

Volumes declared with exclusive = true in a stack can only be mounted by one service at a time. This prevents concurrent writes to databases.

Snapshots and backups#

bash

# Create a snapshot (tar.zst archive)$ niso volume snapshot app-data  Created snapshot: app-data-2026-04-12T10:00:00.tar.zst# Restore from snapshot$ niso volume restore app-data --from app-data-2026-04-12T10:00:00.tar.zst# Export for migration$ niso volume export app-data --output /tmp/app-data-export.tar.zst# Import on another machine$ niso volume import app-data --from /tmp/app-data-export.tar.zst

Audit log#

Track who accessed what:

bash

$ niso volume audit --since 24h  2026-04-12T08:00  api      mount   app-data  rw  2026-04-12T06:00  backup   export  app-data  2026-04-11T22:00  api      mount   app-data  rw

Security#

All volume mounts include security hardening:

nosuid — prevent setuid binaries
nodev — no device nodes
nosymfollow — prevent symlink escapes
Optional LUKS2 encryption at rest
Size limits via filesystem quotas
Secure wipe on volume deletion

Encryption#

Enable per-volume encryption with LUKS2. Keys are stored in /var/lib/niso/keys/.

bash

$ niso volume create secrets --encrypted  Created encrypted volume: secrets  Key stored at: /var/lib/niso/keys/secrets.key