Revamped selective enable

samba/CHANGELOG.md

@@ -1,11 +1,8 @@
 # Changelog
-## 13.0.0
+## 12.4.0
 
-This change enhances security and user control, but may require updating your configuration
-to access shares that contain potentially sensitive information.
-
-- Default shares reduced to 'media' and 'share'
-- Add ability to selectively enable exposed shares.
+- Add the ability to enable and disable specific shares
+- Add optional logging of samba configuration at startup
 
 ## 12.3.2
 

samba/DOCS.md

@@ -12,9 +12,10 @@ Follow these steps to get the add-on installed on your system:
 
 1. In the configuration section, set a username and password.
    You can specify any username and password; these are not related in any way to the login credentials you use to log in to Home Assistant or to log in to the computer with which you will use Samba share.
-2. Save the configuration.
-3. Start the add-on.
-4. Check the add-on log output to see the result.
+2. Review the enabled shares.  Disable any you do not plan to use (they can be re-enabled later)
+3. Save the configuration.
+4. Start the add-on.
+5. Check the add-on log output to see the result.
 
 ## Connection
 
@@ -40,6 +41,14 @@ Add-on configuration:
 workgroup: WORKGROUP
 username: homeassistant
 password: YOUR_PASSWORD
+enabled_shares:
+  - addons
+  - addon_configs
+  - backup
+  - config
+  - media
+  - share
+  - ssl
 allow_hosts:
   - 10.0.0.0/8
   - 172.16.0.0/12
@@ -52,6 +61,7 @@ veto_files:
   - ".DS_Store"
   - Thumbs.db
 compatibility_mode: false
+debug: false
 ```
 
 ### Option: `workgroup` (required)
@@ -66,6 +76,10 @@ The username you would like to use to authenticate with the Samba server.
 
 The password that goes with the username configured for authentication.
 
+### Option: `enabled_shares` (required)
+
+List of Samba shares able to be accessed.
+
 ### Option: `allow_hosts` (required)
 
 List of hosts/networks allowed to access the shared folders.
@@ -85,58 +99,12 @@ when you absolutely need it and understand the possible consequences.
 
 Defaults to `false`.
 
-### Option: `enable_addons`
-
-Setting this option to `true` will allow Samba to expose the 'addons' folder,
-which is used for installing custom local plugins.
-
-Defaults to `false`.
-
-### Option: `enable_addon_configs`
-
-Setting this option to `true` will allow Samba to expose the 'addon_configs' folder,
-which is used for setting configuration of plugins.
-
-defaults to `false`.
-
-### Option: `enable_backups`
-
-Setting this option to `true` will allow Samba to expose the 'backup' folder,
-which is where HomeAssistant places its backups.  These backups can contain any information
-stored in your configurations for Homeassistant or any add-on, including secrets.
-
-Defaults to `false`.
-
-### Option: `enable_configs`
-
-Setting this option to `true` will allow Samba to expose the 'config' folder,
-which is where HomeAssistant stores it core configuration files and databases.  This
-includes secrets.
-
-Defaults to `false`.
-
-### Option: `enable_media`
-
-This option will allow Samba to expose the 'media' folder, which is where HomeAssistant
-expects you to store any local media files.  This is generally safe to expose.
+### Option: `debug` (optional)
 
-Defaults to `true`.  If you want to not allow this access, change to `false`.
+Outputs the resulting Samba config in the log. Generally, unless you
+know what you would be wanting to do with this information, not necessary.
 
-### Option: `enable_share`
-
-This option will allow Samba to expose the 'share' folder, which is where HomeAssistant
-stores information it expects to be shared between different plugins and HomeAssistant.
-
-Defaults to `true`.  If you want to not allow this access, change to `false`.
-
-### Option: `enable_ssl`
-
-Setting this option to `true` will allow Samba to expose the 'ssl' folder,
-which is where HomeAssistant stores its public and private SSL keys.  These are considered
-sensitive because anyone who gets ahold of both parts can impersonante your HomeAssistant server,
-including using that to collect credentials.
-
-Defaults to `false`.
+Optional config.  If not defined, then it will default to `false`.
 
 ## Support
 

samba/config.yaml

@@ -1,5 +1,5 @@
 ---
-version: 13.0.0
+version: 12.4.0
 slug: samba
 name: Samba share
 description: Expose Home Assistant folders with SMB/CIFS
@@ -27,6 +27,14 @@ options:
   username: homeassistant
   password: null
   workgroup: WORKGROUP
+  enabled_shares:
+    - addons
+    - addon_configs
+    - backup
+    - config
+    - media
+    - share
+    - ssl
   compatibility_mode: false
   veto_files:
     - ._*
@@ -41,27 +49,16 @@ options:
     - 169.254.0.0/16
     - fe80::/10
     - fc00::/7
-  allow_addons: false
-  allow_addon_configs: false
-  allow_backup: false
-  allow_config: false
-  allow_media: true
-  allow_share: true
-  allow_ssl: false
 schema:
   username: str
   password: password
   workgroup: str
+  enabled_shares:
+    - "match(^(?i:(addons|addon_configs|backup|config|media|share|ssl))$)"
   compatibility_mode: bool
   veto_files:
     - str
   allow_hosts:
     - str
-  allow_addons: bool
-  allow_addon_configs: bool
-  allow_backup: bool
-  allow_config: bool
-  allow_media: bool
-  allow_share: bool
-  allow_ssl: bool
+  debug: bool?
 startup: services

samba/rootfs/etc/s6-overlay/s6-rc.d/init-smbd/run

@@ -12,11 +12,7 @@ if ! bashio::config.has_value 'username' || ! bashio::config.has_value 'password
     bashio::exit.nok "Setting a username and password is required!"
 fi
 
-if bashio::config.false 'enable_addons' && bashio::config.false 'enable_addon_configs' && bashio::config.false 'enable_backup' && \
- bashio::config.false 'enable_config' && bashio::config.false 'enable_media' && bashio::config.false 'enable_share' && \
- bashio::config.false 'enable_ssl'; then
-    bashio::exit.nok "No shares enabled for Samba to present!"
-fi
+bashio::config.require "enabled_shares" "Samba is a tool for sharing folders.  Starting it without sharing any folders defeats the purpose."
 
 # Read hostname from API or setting default "hassio"
 HOSTNAME=$(bashio::info.hostname)
@@ -36,11 +32,17 @@ fi
 bashio::log.info "Interfaces: $(printf '%s ' "${interfaces[@]}")"
 
 # Generate Samba configuration.
-jq ".interfaces = $(jq -c -n '$ARGS.positional' --args -- "${interfaces[@]}")" /data/options.json \
+jq ".interfaces = $(jq -c -n '$ARGS.positional' --args -- "${interfaces[@]}") |
+    .enabled_shares.[] |= ascii_downcase" /data/options.json \
     | tempio \
       -template /usr/share/tempio/smb.gtpl \
       -out /etc/samba/smb.conf
 
+if bashio::config.true 'debug'; then
+    bashio::log.yellow "Resulting Samba config:"
+    bashio::log.yellow "$(cat /etc/samba/smb.conf)"
+fi
+
 # Init user
 username=$(bashio::config 'username')
 password=$(bashio::config 'password')

samba/rootfs/usr/share/tempio/smb.gtpl

@@ -26,7 +26,7 @@
    dos charset = CP850
    unix charset = UTF-8
 
-{{ if .allow_config }}
+{{ if (has "config" .enabled_shares) }}
 [config]
    browseable = yes
    writeable = yes
@@ -39,7 +39,7 @@
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
 {{ end }}
 
-{{ if .allow_addons }}
+{{ if (has "addons" .enabled_shares) }}
 [addons]
    browseable = yes
    writeable = yes
@@ -52,7 +52,7 @@
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
 {{ end }}
 
-{{ if .allow_addon_configs }}
+{{ if (has "addon_configs" .enabled_shares) }}
 [addon_configs]
    browseable = yes
    writeable = yes
@@ -65,7 +65,7 @@
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
 {{ end }}
 
-{{ if .allow_ssl }}
+{{ if (has "ssl" .enabled_shares) }}
 [ssl]
    browseable = yes
    writeable = yes
@@ -78,7 +78,7 @@
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
 {{ end }}
 
-{{ if .allow_share }}
+{{ if (has "share" .enabled_shares) }}
 [share]
    browseable = yes
    writeable = yes
@@ -91,7 +91,7 @@
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
 {{ end }}
 
-{{ if .allow_backup }}
+{{ if (has "backup" .enabled_shares) }}
 [backup]
    browseable = yes
    writeable = yes
@@ -104,7 +104,7 @@
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
 {{ end }}
 
-{{ if .allow_media }}
+{{ if (has "media" .enabled_shares) }}
 [media]
    browseable = yes
    writeable = yes

samba/translations/en.yaml

@@ -11,6 +11,11 @@ configuration:
   workgroup:
     name: Workgroup
     description: Change WORKGROUP to reflect your network needs.
+  enabled_shares:
+    name: Enabled Shares - allowed values are addons, addon_configs, backup, config, media, share, or ssl
+    description: >-
+      List of file shares to make available.  Any you wish to add must be typed in.
+      The listed values are the only allowed values;  Config cannot be saved if any other value is in the list.
   compatibility_mode:
     name: Enable Compatibility Mode
     description: >-
@@ -21,37 +26,6 @@ configuration:
   allow_hosts:
     name: Allowed Hosts
     description: List of hosts/networks allowed to access the shared folders.
-  allow_addons:
-    name: Allow Add-Ons folder
-    description: >-
-      Allow SMB access to the Add-ons folder.
-      This is disabled by default.
-  allow_addon_configs:
-    name: Allow Add-On Configs folder
-    description: >-
-      Allow SMB access to the Add-on Configurations folder.
-      This is disabled by default.
-  allow_backup:
-    name: Allow Backups folder
-    description: >-
-      Allow SMB access to the folder where HomeAssistant keeps its backups.
-      This is disabled by default.
-  allow_config:
-    name: Allow Configs folder
-    description: >-
-      Allow SMB access to the HomeAssistant Core configuration folder.
-      This is disabled by default.
-  allow_media:
-    name: Allow Media folder
-    description: >-
-      Allow SMB access to the Media folder
-  allow_share:
-    name: Allow Share folders
-    description: >-
-      Allow SMB access to the Share folder (which is shared with all
-      HomeAssistant Add-ons).
-  allow_ssl:
-    name: Allow SSL folder
-    description: >-
-      Allow SMB access to the ssl folder, where HomeAssistant keeps SSL Keys.
-      This is disabled by default.
+  debug:
+    name: Debug Logging
+    description: Log the resulting Samba config in the log