Add Samba/SSH/Bupstash deployment.
Change-Id: I4e16583990514b28531c99b2ed3dc21e09debe98
diff --git a/images.nix b/images.nix
index dfa228d..8db4d03 100644
--- a/images.nix
+++ b/images.nix
@@ -147,7 +147,7 @@
install -Dm755 $src/init $out/init
- for svc in avahi dbus nmbd smbd; do
+ for svc in avahi dbus nmbd smbd sshd; do
install -Dm755 $src/service/$svc/run $out/service/$svc/run
done
@@ -161,9 +161,12 @@
contents = with pkgs; [
# Services.
avahi
+ bupstash
dbus
+ openssh
#samba4Full
(samba.override { enableMDNS = true; enableProfiling = false; enableRegedit = false; })
+ scponly
# Control.
execline
@@ -255,12 +258,16 @@
group =
builtins.toFile "group" ''
+ root::0:
+ sshd::996:
dbus::997:
avahi::998:
'';
passwd =
builtins.toFile "passwd" ''
+ root::0:0::/tmp:/nonexistent
+ sshd::996:996::/tmp:/nonexistent
dbus::997:997::/tmp:/nonexistent
avahi::998:998::/tmp:/nonexistent
nobody::999:999::/tmp:/nonexistent
diff --git a/samba/init b/samba/init
new file mode 100755
index 0000000..ba654d9
--- /dev/null
+++ b/samba/init
@@ -0,0 +1,23 @@
+#! /bin/sh
+
+set -eux
+
+SMBCONF=/vol/samba-config/smb.conf
+SMBPASSWD=/vol/samba-smbpasswd/smbpasswd
+SSHDCONF=/vol/sshd-config
+
+# --- sshd ---
+cp -pL "$SSHDCONF"/* /etc/ssh/
+chown -R sshd:sshd /etc/ssh
+mkdir -p /var/empty
+
+# --- Samba ---
+cp -pL "$SMBPASSWD" /var/lib/samba/private/
+cp -pL "$SMBCONF" /var/lib/samba/
+
+cut -d: -f1,2 "$SMBPASSWD" | sed 's/:/ /' | while read name id; do
+ echo "$name::$id:$id::/home/$name:/bin/sh" >>/etc/passwd
+ echo "$name::$id:" >>/etc/group
+done
+
+exec s6-svscan /service
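Review bot: The loop before `exec s6-svscan` appends whatever `cut` extracts from smbpasswd to /etc/passwd and /etc/group with no check that `$name` is a plausible account name, that `$id` (the second smbpasswd field, used here as both uid and gid) is numeric, or that the id is not already taken by the static entries this commit adds in images.nix (sshd 996, dbus 997, avahi 998, nobody 999), so a stray or malformed line becomes an account with an empty password field and a `/bin/sh` login shell. The same commit adds `scponly` to the image, which suggests these accounts are meant to be transfer-only over SSH; if that is the intent, the generated shell should be the restricted one (or sshd_config should force `internal-sftp`), and if interactive shells are intended a comment should say so. A defensive version of the loop that skips malformed names, non-numeric ids and ids or names already present would look like the following (shell choice left as in the original).
```shell
# --- Samba ---
# … unchanged: cp of smbpasswd and smb.conf …

# smbpasswd lines are name:uid:…; mirror them into passwd/group, skipping
# malformed names, non-numeric ids, and names/ids already present.
cut -d: -f1,2 "$SMBPASSWD" | while IFS=: read -r name id; do
    case "$name" in ''|*[!a-zA-Z0-9._-]*) continue ;; esac
    case "$id" in ''|*[!0-9]*) continue ;; esac
    if grep -q -e "^$name:" -e ":$id:" /etc/passwd /etc/group; then continue; fi
    echo "$name::$id:$id::/home/$name:/bin/sh" >>/etc/passwd
    echo "$name::$id:" >>/etc/group
done
```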
diff --git a/samba/samba.yaml b/samba/samba.yaml
new file mode 100644
index 0000000..375078a
--- /dev/null
+++ b/samba/samba.yaml
@@ -0,0 +1,190 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+
+metadata:
+ name: samba
+ namespace: mulk
+ labels:
+ name: samba
+ k8s-app: samba
+
+spec:
+ replicas: 1
+
+ strategy:
+ type: Recreate
+
+ selector:
+ matchLabels:
+ k8s-app: samba
+ name: samba
+
+ template:
+ metadata:
+ labels:
+ name: samba
+ k8s-app: samba
+
+ spec:
+ imagePullSecrets:
+ - name: portus-token
+
+ volumes:
+ - name: homes
+ persistentVolumeClaim:
+ claimName: samba-homes
+ - name: samba-smbpasswd
+ secret:
+ secretName: samba-smbpasswd
+ defaultMode: 0600
+ items:
+ - key: smbpasswd
+ path: smbpasswd
+ mode: 0600
+ - name: samba-config
+ configMap:
+ name: samba-config
+ - name: sshd-config
+ secret:
+ secretName: sshd-config
+ defaultMode: 0600
+
+ hostNetwork: true
+
+ containers:
+ - name: master
+ image: docker.benkard.de/mulk/samba:5fdaazgkjc73m6pjahxgfc9xxymrcd8i
+ imagePullPolicy: Always
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 300Mi
+ requests:
+ cpu: 10m
+ memory: 300Mi
+ volumeMounts:
+ - name: homes
+ mountPath: /home
+ - name: samba-smbpasswd
+ mountPath: /vol/samba-smbpasswd/smbpasswd
+ subPath: smbpasswd
+ readOnly: true
+ - name: samba-config
+ mountPath: /vol/samba-config
+ readOnly: true
+ - name: sshd-config
+ mountPath: /vol/sshd-config
+ readOnly: true
+ ports:
+ - containerPort: 445
+ name: smb
+ protocol: TCP
+ hostPort: 445
+ - containerPort: 22445
+ name: ssh
+ protocol: TCP
+ hostPort: 22445
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+
+metadata:
+ name: samba-homes
+ namespace: mulk
+
+ labels:
+ name: samba-homes
+ k8s-app: samba
+
+ annotations:
+ volume.beta.kubernetes.io/storage-provisioner: rancher.io/local-path
+
+spec:
+ accessModes:
+ - ReadWriteOnce
+
+ resources:
+ requests:
+ storage: 1Ti
+
+ storageClassName: local-path
+
+---
+kind: ConfigMap
+apiVersion: v1
+
+metadata:
+ name: samba-config
+ namespace: mulk
+
+ labels:
+ k8s-app: samba
+
+data:
+ smb.conf: |
+ [global]
+ log file = /dev/stdout
+ load printers = no
+ printcap name = /dev/null
+ unix password sync = no
+ preserve case = yes
+ short preserve case = yes
+ default case = lower
+ workgroup = MSTPLUS
+ passdb backend = smbpasswd:/var/lib/samba/private/smbpasswd
+ disable spoolss = yes
+ unix extensions = yes
+ map to guest = bad user
+ #usershare allow guests = yes
+ multicast dns register = yes
+ mdns name = netbios
+ acl allow execute always = yes
+
+ spotlight = no
+ rpc_server:mdsvc = embedded
+
+ [homes]
+ path = /home/%S
+ read only = no
+ browseable = no
+ valid users = %S
+
+ vfs objects = catia fruit streams_xattr
+
+ durable handles = yes
+ kernel oplocks = no
+ kernel share modes = no
+ posix locking = yes
+
+ #create mask = 0664
+ #force create mode = 0644
+ #directory mask = 2755
+ #force directory mode = 2755
+ #directory security mask = 2755
+ #force directory security mode = 2755
+ inherit acls = yes
+ inherit permissions = yes
+ strict locking = no
+ follow symlinks = yes
+ wide links = no
+ ea support = yes
+ #acl allow execute always = yes
+
+ spotlight backend = noindex
+
+ fruit:aapl = yes
+ fruit:time machine = yes
+ #fruit:model = TimeCapsule
+ fruit:advertise_fullsync = true
+ fruit:copyfile = yes
+ fruit:resource = xattr
+ fruit:metadata = stream
+ fruit:locking = none
+ fruit:encoding = native
+ fruit:wipe_intentionally_left_blank_rfork = yes
+ fruit:delete_empty_adfiles = yes
+ fruit:veto_appledouble = no
+ fruit:time machine max size = 500G
+---
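Review bot: `hostNetwork: true` in the pod spec puts the container in the node's network namespace, so the `hostPort` entries under `ports` are redundant, the SMB (445) and SSH (22445) listeners are bound on every node interface, and in most CNIs NetworkPolicy will not apply to the pod; the manifest gives no reason for this choice. If it is required so that avahi and nmbd (both run by the image) can announce on the LAN, record that next to the setting, e.g. `# hostNetwork: needed for avahi/nmbd mDNS and NetBIOS announcements; SMB and SSH are therefore reachable on all node interfaces.` The container also declares no `securityContext`; smbd and sshd presumably need root, but dropping the capabilities they do not use and setting `allowPrivilegeEscalation` explicitly would document the intended privilege level rather than leaving it implicit.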
diff --git a/samba/service/avahi/run b/samba/service/avahi/run
new file mode 100755
index 0000000..cce3256
--- /dev/null
+++ b/samba/service/avahi/run
@@ -0,0 +1,3 @@
+#! /bin/execlineb
+
+avahi-daemon --no-rlimits
diff --git a/samba/service/dbus/run b/samba/service/dbus/run
new file mode 100755
index 0000000..ce0c267
--- /dev/null
+++ b/samba/service/dbus/run
@@ -0,0 +1,3 @@
+#! /bin/execlineb
+
+dbus-daemon --system --nofork
diff --git a/samba/service/nmbd/run b/samba/service/nmbd/run
new file mode 100755
index 0000000..c58a8ce
--- /dev/null
+++ b/samba/service/nmbd/run
@@ -0,0 +1,3 @@
+#! /bin/execlineb
+
+nmbd --no-process-group --log-stdout --foreground --configfile=/var/lib/samba/smb.conf
diff --git a/samba/service/smbd/run b/samba/service/smbd/run
new file mode 100755
index 0000000..33d2137
--- /dev/null
+++ b/samba/service/smbd/run
@@ -0,0 +1,3 @@
+#! /bin/execlineb
+
+smbd --no-process-group --log-stdout --foreground --configfile=/var/lib/samba/smb.conf
diff --git a/samba/service/sshd/run b/samba/service/sshd/run
new file mode 100755
index 0000000..1b3d0c9
--- /dev/null
+++ b/samba/service/sshd/run
@@ -0,0 +1,3 @@
+#! /bin/execlineb
+
+/sbin/sshd -D -e -p 22445
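Review bot: The sshd command line depends on /etc/ssh/sshd_config and host keys that samba/init copies in from the sshd-config secret, and `-p 22445` overrides any `Port` set in that file; none of this is visible from the run script itself. A comment would spare the next maintainer a search, e.g. `# Config and host keys come from the sshd-config secret (copied into /etc/ssh by /init); -p overrides Port in sshd_config.` Passing `-f /etc/ssh/sshd_config` explicitly would also make the config dependency visible at the call site.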