feat(storage): make one samba ss for kantai3 node

Since a samba server uses a host port, there can only be one per node.
This patch reworks storage to have a single samba server on kantai3 (nee
kaidame), and adds the homeassistant-backup share to it, in addition to
the existing and initial media1 share.

kubernetes/apps/storage/zfs-media1/smb/configs/config.yaml → kubernetes/apps/storage/kantai3-samba/app/configs/config.yaml

@@ -1,9 +1,10 @@
 samba-container-config: v0
 configs:
-  media:
+  default:
     globals:
       - default
     shares:
+      - homeassistant-backup
       - media
 globals:
   default:
@@ -38,6 +39,23 @@ globals:
       winbind request timeout: "2"
       workgroup: "WORKGROUP"
 shares:
+  homeassistant-backup:
+    options:
+      access based share enum: "false"
+      available: "true"
+      browseable: "true"
+      comment: ""
+      create mask: "0660"
+      directory mask: "0770"
+      guest ok: "false"
+      kernel oplocks: "false"
+      mangled names: "false"
+      path: /homeassistant-backup
+      posix locking: "false"
+      read only: "false"
+      smbd max xattr size: "2097152"
+      # NOTE: acl_xattr is not loaded because it uses security.NTACL which requires SYS_ADMIN.
+      vfs objects: streams_xattr
   media:
     options:
       access based share enum: "false"

kubernetes/apps/storage/kantai3-samba/app/externalsecret.yaml

@@ -0,0 +1,37 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: kantai3-samba
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: kantai3-samba
+    template:
+      data:
+        users.json: |-
+          {
+            "samba-container-config": "v0",
+            "users": {
+              {{- $users := list }}
+              {{- $users = append $users (dict "name" .a_username "password" .a_password "uid" (.a_uid | atoi) "gid" (.a_gid | atoi)) }}
+              {{- $users = append $users (dict "name" .b_username "password" .b_password "uid" (.b_uid | atoi) "gid" (.b_gid | atoi)) }}
+              "all_entries": {{ $users | toJson }}
+            }
+          }
+  dataFrom:
+    - extract:
+        key: smb:media-owner
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "a_$1"
+    - extract:
+        key: smb:homeassistant
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "b_$1"

kubernetes/apps/storage/zfs-media1/smb/helmrelease.yaml → kubernetes/apps/storage/kantai3-samba/app/helmrelease.yaml

@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: zfs-media1-smb
+  name: kantai3-samba
 spec:
   interval: 30m
   chart:
@@ -30,7 +30,7 @@ spec:
           operator: Exists
           effect: NoSchedule
     controllers:
-      zfs-media1-smb:
+      kantai3-samba:
         type: statefulset
         annotations:
           reloader.stakater.com/auto: "true"
@@ -42,7 +42,7 @@ spec:
               tag: fedora-latest
             env:
               SAMBACC_CONFIG: /config/config.yaml:/config/users.json
-              SAMBA_CONTAINER_ID: media
+              SAMBA_CONTAINER_ID: default
             ports:
               - containerPort: 445
                 hostPort: 445
@@ -68,13 +68,10 @@ spec:
               # https://github.com/containerd/containerd/pull/9320
               seccompProfile: { type: Unconfined }
     service:
-      zfs-media1-smb:
-        controller: zfs-media1-smb
+      kantai3-samba:
+        controller: kantai3-samba
         clusterIP: None
         ipFamilyPolicy: PreferDualStack
-        annotations:
-          external-dns.alpha.kubernetes.io/endpoints-type: HostIP
-          external-dns.alpha.kubernetes.io/hostname: smb.media1.internal.
         ports:
           smb:
             port: 445
@@ -86,18 +83,21 @@ spec:
           projected:
             sources:
               - configMap:
-                  name: zfs-media1-smb
+                  name: kantai3-samba
                   items:
                     - key: config.yaml
                       path: config.yaml
               - secret:
-                  name: zfs-media1-smb
+                  name: kantai3-samba
                   items:
                     - key: users.json
                       path: users.json
         globalMounts:
           - path: /config
             readOnly: true
+      homeassistant-backup:
+        type: persistentVolumeClaim
+        existingClaim: homeassistant-backup
       media:
         type: persistentVolumeClaim
         existingClaim: zfs-media1

kubernetes/apps/storage/zfs-media1/smb/kustomization.yaml → kubernetes/apps/storage/kantai3-samba/app/kustomization.yaml

@@ -4,10 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./externalsecret.yaml
-  - ./networkpolicy.yaml
   - ./helmrelease.yaml
+  - ./networkpolicy.yaml
+  - ./pvc.yaml
 configMapGenerator:
-  - name: zfs-media1-smb
+  - name: kantai3-samba
     files:
       - ./configs/config.yaml
 generatorOptions:

kubernetes/apps/storage/zfs-media1/smb/networkpolicy.yaml → kubernetes/apps/storage/kantai3-samba/app/networkpolicy.yaml

@@ -2,11 +2,11 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: zfs-media1-smb
+  name: kantai3-samba
 spec:
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/name: zfs-media1-smb
+      app.kubernetes.io/name: kantai3-samba
   egress:
     - toCIDR:
         - 192.168.1.0/24

kubernetes/apps/storage/kantai3-samba/app/pvc.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: zfs-media1
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Ti
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: storage-zfs-media1
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: homeassistant-backup
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 108Gi
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: homeassistant-backup

kubernetes/apps/storage/kantai3-samba/ks.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app kantai3-samba
+  namespace: flux-system
+spec:
+  targetNamespace: storage
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-secrets-stores
+    - name: openebs-zfs-volumes
+  path: ./kubernetes/apps/storage/kantai3-samba/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m

kubernetes/apps/storage/kustomization.yaml

@@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./namespace.yaml
+  - ./kantai3-samba/ks.yaml
   - ./maintenance/ks.yaml
   - ./media-kantai1/ks.yaml
-  - ./zfs-media1/ks.yaml