diff --git a/kubernetes/apps/storage/zfs-media1/smb/configs/config.yaml b/kubernetes/apps/storage/kantai3-samba/app/configs/config.yaml
similarity index 72%
rename from kubernetes/apps/storage/zfs-media1/smb/configs/config.yaml
rename to kubernetes/apps/storage/kantai3-samba/app/configs/config.yaml
index 4a80e13ed..d6c977fc7 100644
--- a/kubernetes/apps/storage/zfs-media1/smb/configs/config.yaml
+++ b/kubernetes/apps/storage/kantai3-samba/app/configs/config.yaml
@@ -1,9 +1,10 @@
 samba-container-config: v0
 configs:
-  media:
+  default:
     globals:
       - default
     shares:
+      - homeassistant-backup
       - media
 globals:
   default:
@@ -38,6 +39,23 @@ globals:
       winbind request timeout: "2"
       workgroup: "WORKGROUP"
 shares:
+  homeassistant-backup:
+    options:
+      access based share enum: "false"
+      available: "true"
+      browseable: "true"
+      comment: ""
+      create mask: "0660"
+      directory mask: "0770"
+      guest ok: "false"
+      kernel oplocks: "false"
+      mangled names: "false"
+      path: /homeassistant-backup
+      posix locking: "false"
+      read only: "false"
+      smbd max xattr size: "2097152"
+      # NOTE: acl_xattr is not loaded because it uses security.NTACL which requires SYS_ADMIN.
+      vfs objects: streams_xattr
   media:
     options:
       access based share enum: "false"
diff --git a/kubernetes/apps/storage/kantai3-samba/app/externalsecret.yaml b/kubernetes/apps/storage/kantai3-samba/app/externalsecret.yaml
new file mode 100644
index 000000000..d515f0ae8
--- /dev/null
+++ b/kubernetes/apps/storage/kantai3-samba/app/externalsecret.yaml
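Review bot: The new `homeassistant-backup` share sets `guest ok: "false"` but does not restrict which authenticated accounts may connect, so with the two users that externalsecret.yaml provisions in this commit (the media-owner and homeassistant items) either account can open this share and, as far as this hunk shows, the `media` share as well. Adding `valid users: "<HOMEASSISTANT_USER>"` (placeholder; the real account name lives in the 1Password item) to the options, with a matching `valid users` entry on `media`, keeps the backup target unreachable with the media credentials and vice versa. The `media` share definition continues past the end of the hunk.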
@@ -0,0 +1,37 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: kantai3-samba
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  target:
+    name: kantai3-samba
+    template:
+      data:
+        users.json: |-
+          {
+            "samba-container-config": "v0",
+            "users": {
+              {{- $users := list }}
+              {{- $users = append $users (dict "name" .a_username "password" .a_password "uid" (.a_uid | atoi) "gid" (.a_gid | atoi)) }}
+              {{- $users = append $users (dict "name" .b_username "password" .b_password "uid" (.b_uid | atoi) "gid" (.b_gid | atoi)) }}
+              "all_entries": {{ $users | toJson }}
+            }
+          }
+  dataFrom:
+    - extract:
+        key: smb:media-owner
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "a_$1"
+    - extract:
+        key: smb:homeassistant
+      rewrite:
+        - regexp:
+            source: "(.*)"
+            target: "b_$1"
diff --git a/kubernetes/apps/storage/zfs-media1/smb/helmrelease.yaml b/kubernetes/apps/storage/kantai3-samba/app/helmrelease.yaml
similarity index 88%
rename from kubernetes/apps/storage/zfs-media1/smb/helmrelease.yaml
rename to kubernetes/apps/storage/kantai3-samba/app/helmrelease.yaml
index de354a8b3..9b11508c7 100644
--- a/kubernetes/apps/storage/zfs-media1/smb/helmrelease.yaml
+++ b/kubernetes/apps/storage/kantai3-samba/app/helmrelease.yaml
@@ -3,7 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: zfs-media1-smb
+  name: kantai3-samba
 spec:
   interval: 30m
   chart:
@@ -30,7 +30,7 @@ spec:
           operator: Exists
           effect: NoSchedule
     controllers:
-      zfs-media1-smb:
+      kantai3-samba:
         type: statefulset
         annotations:
           reloader.stakater.com/auto: "true"
@@ -42,7 +42,7 @@ spec:
               tag: fedora-latest
             env:
               SAMBACC_CONFIG: /config/config.yaml:/config/users.json
-              SAMBA_CONTAINER_ID: media
+              SAMBA_CONTAINER_ID: default
             ports:
               - containerPort: 445
                 hostPort: 445
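Review bot: `(.a_uid | atoi)` and its gid and `b_` counterparts in the `users.json` template turn a blank or non-numeric 1Password field into 0, because Sprig's `atoi` discards the conversion error, so a mistyped field would provision that account as uid/gid 0 instead of failing the render; whether an entirely missing key errors out or renders empty depends on how ESO configures the template's missingkey option, so that should not be relied on either. Guarding each lookup, e.g. `"uid" (required "a_uid missing" .a_uid | atoi)`, makes the ExternalSecret report a sync error rather than produce a root-mapped Samba user.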
@@ -68,13 +68,10 @@ spec:
               # https://github.com/containerd/containerd/pull/9320
               seccompProfile: { type: Unconfined }
     service:
-      zfs-media1-smb:
-        controller: zfs-media1-smb
+      kantai3-samba:
+        controller: kantai3-samba
         clusterIP: None
         ipFamilyPolicy: PreferDualStack
-        annotations:
-          external-dns.alpha.kubernetes.io/endpoints-type: HostIP
-          external-dns.alpha.kubernetes.io/hostname: smb.media1.internal.
         ports:
           smb:
             port: 445
@@ -86,18 +83,21 @@ spec:
         projected:
           sources:
             - configMap:
-                name: zfs-media1-smb
+                name: kantai3-samba
                 items:
                   - key: config.yaml
                     path: config.yaml
             - secret:
-                name: zfs-media1-smb
+                name: kantai3-samba
                 items:
                   - key: users.json
                     path: users.json
         globalMounts:
           - path: /config
             readOnly: true
+      homeassistant-backup:
+        type: persistentVolumeClaim
+        existingClaim: homeassistant-backup
       media:
         type: persistentVolumeClaim
         existingClaim: zfs-media1
diff --git a/kubernetes/apps/storage/zfs-media1/smb/kustomization.yaml b/kubernetes/apps/storage/kantai3-samba/app/kustomization.yaml
similarity index 89%
rename from kubernetes/apps/storage/zfs-media1/smb/kustomization.yaml
rename to kubernetes/apps/storage/kantai3-samba/app/kustomization.yaml
index 67a1c858d..a7fe2b8c1 100644
--- a/kubernetes/apps/storage/zfs-media1/smb/kustomization.yaml
+++ b/kubernetes/apps/storage/kantai3-samba/app/kustomization.yaml
@@ -4,10 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./externalsecret.yaml
-  - ./networkpolicy.yaml
   - ./helmrelease.yaml
+  - ./networkpolicy.yaml
+  - ./pvc.yaml
 configMapGenerator:
-  - name: zfs-media1-smb
+  - name: kantai3-samba
     files:
       - ./configs/config.yaml
 generatorOptions:
diff --git a/kubernetes/apps/storage/zfs-media1/smb/networkpolicy.yaml b/kubernetes/apps/storage/kantai3-samba/app/networkpolicy.yaml
similarity index 90%
rename from kubernetes/apps/storage/zfs-media1/smb/networkpolicy.yaml
rename to kubernetes/apps/storage/kantai3-samba/app/networkpolicy.yaml
index 00493c15c..d2658f7ec 100644
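Review bot: Dropping the `external-dns.alpha.kubernetes.io/hostname: smb.media1.internal.` annotation from the service leaves that name unmanaged, and no replacement hostname appears anywhere in this commit, so clients that mount by `smb.media1.internal` will break once the record is removed (immediately if external-dns runs with `--policy=sync`, otherwise when the stale record is cleaned up). If reaching the share by node IP only is the intent, a one-line comment on the `kantai3-samba` service block saying so would spare the next reader a search; otherwise re-add the annotation with the new name. The service block continues past the end of the hunk, and the hunk shows only part of the HelmRelease values.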
--- a/kubernetes/apps/storage/zfs-media1/smb/networkpolicy.yaml
+++ b/kubernetes/apps/storage/kantai3-samba/app/networkpolicy.yaml
@@ -2,11 +2,11 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
-  name: zfs-media1-smb
+  name: kantai3-samba
 spec:
   endpointSelector:
     matchLabels:
-      app.kubernetes.io/name: zfs-media1-smb
+      app.kubernetes.io/name: kantai3-samba
   egress:
     - toCIDR:
         - 192.168.1.0/24
diff --git a/kubernetes/apps/storage/kantai3-samba/app/pvc.yaml b/kubernetes/apps/storage/kantai3-samba/app/pvc.yaml
new file mode 100644
index 000000000..8806a765f
--- /dev/null
+++ b/kubernetes/apps/storage/kantai3-samba/app/pvc.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: zfs-media1
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Ti
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: storage-zfs-media1
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: homeassistant-backup
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 108Gi
+  storageClassName: ""
+  volumeMode: Filesystem
+  volumeName: homeassistant-backup
diff --git a/kubernetes/apps/storage/kantai3-samba/ks.yaml b/kubernetes/apps/storage/kantai3-samba/ks.yaml
new file mode 100644
index 000000000..8322ea12f
--- /dev/null
+++ b/kubernetes/apps/storage/kantai3-samba/ks.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app kantai3-samba
+  namespace: flux-system
+spec:
+  targetNamespace: storage
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-secrets-stores
+    - name: openebs-zfs-volumes
+  path: ./kubernetes/apps/storage/kantai3-samba/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
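Review bot: pvc.yaml now places the 50Ti `zfs-media1` claim under the new `kantai3-samba` Kustomization, which the ks.yaml hunk later on this line creates with `prune: true`, whereas the deleted `storage-zfs-media1-volume` Kustomization had `prune: false # don't prune media volume for safety`; removing `./pvc.yaml` from the kustomization or deleting the Flux Kustomization would now garbage-collect both PVCs, and whether the data survives that depends on the PVs' reclaim policy, which this diff does not show. Adding `kustomize.toolkit.fluxcd.io/prune: disabled` under `metadata.annotations` of each PVC restores the earlier safety margin while keeping `prune: true` for the rest of the app. The `homeassistant-backup` claim binds to `volumeName: homeassistant-backup`, a PV this commit does not create, so it stays Pending unless that PV already exists. Together with the snapshot CronJob deleted further down, this commit removes both protections the media dataset previously had unless they are re-created elsewhere.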
diff --git a/kubernetes/apps/storage/kustomization.yaml b/kubernetes/apps/storage/kustomization.yaml
index d559c287e..fdfc5e269 100644
--- a/kubernetes/apps/storage/kustomization.yaml
+++ b/kubernetes/apps/storage/kustomization.yaml
@@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./namespace.yaml
+  - ./kantai3-samba/ks.yaml
   - ./maintenance/ks.yaml
   - ./media-kantai1/ks.yaml
-  - ./zfs-media1/ks.yaml
diff --git a/kubernetes/apps/storage/zfs-media1/ks.yaml b/kubernetes/apps/storage/zfs-media1/ks.yaml
deleted file mode 100644
index 130d6181b..000000000
--- a/kubernetes/apps/storage/zfs-media1/ks.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: storage-zfs-media1-volume
-  namespace: flux-system
-spec:
-  targetNamespace: storage
-  dependsOn:
-    - name: openebs-zfs-volumes
-  path: ./kubernetes/apps/storage/zfs-media1/volume
-  prune: false # don't prune media volume for safety
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app storage-zfs-media1-smb
-  namespace: flux-system
-spec:
-  targetNamespace: storage
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: external-secrets-stores
-    - name: storage-zfs-media1-volume
-  path: ./kubernetes/apps/storage/zfs-media1/smb
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: storage-zfs-media1-snapshot
-  namespace: flux-system
-spec:
-  targetNamespace: storage
-  dependsOn:
-    - name: storage-zfs-media1-volume
-  path: ./kubernetes/apps/storage/zfs-media1/snapshot
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
diff --git a/kubernetes/apps/storage/zfs-media1/smb/externalsecret.yaml b/kubernetes/apps/storage/zfs-media1/smb/externalsecret.yaml
deleted file mode 100644
index 75c71a5b0..000000000
--- a/kubernetes/apps/storage/zfs-media1/smb/externalsecret.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: zfs-media1-smb
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: onepassword
-  target:
-    name: zfs-media1-smb
-    template:
-      data:
-        users.json: |-
-          {
-            "samba-container-config": "v0",
-            "users": {
-              {{- $users := list }}
-              {{- $users = append $users (dict "name" .username "password" .password "uid" (.uid | atoi) "gid" (.gid | atoi)) }}
-              "all_entries": {{ $users | toJson }}
-            }
-          }
-  dataFrom:
-    - extract:
-        key: media-owner
diff --git a/kubernetes/apps/storage/zfs-media1/snapshot/cronjob.yaml b/kubernetes/apps/storage/zfs-media1/snapshot/cronjob.yaml
deleted file mode 100644
index 49f130ec5..000000000
--- a/kubernetes/apps/storage/zfs-media1/snapshot/cronjob.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: zfs-media1-snapshot
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled
-spec:
-  schedule: "0 8 * * MON" # weekly on Monday at 8:00
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          containers:
-            - name: snapshot
-              image: alpine:3.20.3
-              imagePullPolicy: IfNotPresent
-              command:
-                - /bin/sh
-                - -c
-                - TS=$(date +%FT%T%Z) && chroot /host /usr/local/sbin/zfs snapshot citerne/media1@${TS}
-              securityContext:
-                privileged: true
-                runAsUser: 0
-              volumeMounts:
-                - mountPath: /host
-                  name: host
-          nodeSelector:
-            kubernetes.io/hostname: kantai3
-          restartPolicy: OnFailure
-          volumes:
-            - hostPath:
-                path: /
-                type: Directory
-              name: host
diff --git a/kubernetes/apps/storage/zfs-media1/snapshot/kustomization.yaml b/kubernetes/apps/storage/zfs-media1/snapshot/kustomization.yaml
deleted file mode 100644
index 28d703898..000000000
--- a/kubernetes/apps/storage/zfs-media1/snapshot/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./cronjob.yaml
diff --git a/kubernetes/apps/storage/zfs-media1/volume/kustomization.yaml b/kubernetes/apps/storage/zfs-media1/volume/kustomization.yaml
deleted file mode 100644
index 7a275d3c4..000000000
--- a/kubernetes/apps/storage/zfs-media1/volume/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# yaml-language-server: $schema=https://json.schemastore.org/kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./pvc.yaml
diff --git a/kubernetes/apps/storage/zfs-media1/volume/pvc.yaml b/kubernetes/apps/storage/zfs-media1/volume/pvc.yaml
deleted file mode 100644
index b168c71d3..000000000
--- a/kubernetes/apps/storage/zfs-media1/volume/pvc.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: zfs-media1
-spec:
-  accessModes:
-    - ReadWriteMany
-  resources:
-    requests:
-      storage: 50Ti
-  storageClassName: ""
-  volumeMode: Filesystem
-  volumeName: storage-zfs-media1