This is a total rewrite, since FreeBSD and ZFS can export NFS directly. You can always skip the sharenfs property in ZFS (i.e., sharenfs=off) and export the standard way. Having ZFS manage NFS is not as pretty as the old way, but it is very efficient for maintenance.
The following assumes you have a zpool named storage, and that you will create a tree of NFS-exportable directories under it.
For our needs, we want some exports that will go to our Linux Xen machines, which will have common data between them. For example, our Xen configuration files should be available across all of our DOM0s. That allows us to migrate from one DOM0 to another. Additionally, we need some space to store installer images (ISOs), and another area where we just put some stuff that is handy to have on DOM0s.
We also want to export to a couple of running virtuals to store large amounts of data. Since they have public interfaces, we need to limit access to our NFS server, both through the NFS export options and with firewalls.
zfs create -o atime=off -o dedup=off -o mountpoint=/media/nfs_root storage/nfs_root
zfs create -o sharenfs='alldirs,network 10.19.209.0/24' -o quota=100G storage/nfs_root/dom0
mkdir /media/nfs_root/dom0/xen-configs
mkdir /media/nfs_root/dom0/xen-store
mkdir /media/nfs_root/dom0/xen-images
chmod 777 /media/nfs_root/dom0/xen*
zfs create -o sharenfs='network 10.19.209.144/32' storage/nfs_root/simon
zfs create -o sharenfs='network 10.19.209.155/32' storage/nfs_root/strax
Note that we created storage/nfs_root so we could set some options that will be inherited by subdirectories, in this case, the mount point, atime=off and dedup=off (that is the default anyway).
We then created storage/nfs_root/dom0 under it, and gave it a quota of 100G. The dom0 stuff should be fairly secure since their firewalls limit access, so we just added the alldirs option to allow the dom0s to mount subdirectories wherever they want.
Finally, we create two stores for some servers to put their stuff in, and we limit access to them to only the server itself.
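To check that the limits described above actually took effect, here is an added example (not part of the original page): a small sh/awk audit that reads an exports(5)-format file, such as the /etc/zfs/exports file where FreeBSD records sharenfs entries, and reports how widely each export is offered. The sample input is constructed from the datasets above, and the scratch dataset is a hypothetical one shared with a bare sharenfs=on to show the unrestricted case.

```sh
#!/bin/sh
# Added example: classify each export in an exports(5)-format file by scope.
# On FreeBSD, point it at /etc/zfs/exports to audit the sharenfs settings.

audit_exports() {
    # $1 = exports file; prints "<path> <scope> alldirs=<yes|no>" per entry.
    # Assumes paths without spaces and one exported directory per line.
    awk '
    function classify(n) { return (n ~ /\/32$/ ? "HOST:" : "NET:") n }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        scope = "WORLD"; alldirs = "no"    # no restriction seen yet
        for (i = 2; i <= NF; i++) {
            c = substr($i, 1, 1)
            if ($i == "-alldirs") alldirs = "yes"
            else if ($i == "-network") { i++; scope = classify($i) }
            else if ($i ~ /^-network=/) scope = classify(substr($i, 10))
            else if ($i == "-mask") i++    # skip the mask value
            else if (c != "-" && c != "/" && scope == "WORLD") scope = "HOSTLIST"
        }
        print $1, scope, "alldirs=" alldirs
    }' "$1"
}

# Constructed sample: the three shares from this page, plus a hypothetical
# "scratch" dataset shared with a bare sharenfs=on (no network restriction).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, exports(5) format
/media/nfs_root/dom0 -alldirs -network 10.19.209.0/24
/media/nfs_root/simon -network 10.19.209.144/32
/media/nfs_root/strax -network 10.19.209.155/32
/media/nfs_root/scratch
EOF

audit_exports "$sample"
```

A WORLD line means the export carries no network or host restriction of its own, so the firewall is the only control left for that path.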