Samba: Update Samba add-on to allow selectively enabling folders

samba/DOCS.md

@@ -85,6 +85,59 @@ when you absolutely need it and understand the possible consequences.
 
 Defaults to `false`.
 
+### Option: `enable_addons`
+
+Setting this option to `true` will allow Samba to expose the 'addons' folder,
+which is used for installing custom local plugins.
+
+Defaults to `false`.
+
+### Option: `enable_addon_configs`
+
+Setting this option to `true` will allow Samba to expose the 'addon_configs' folder,
+which is used for setting configuration of plugins.
+
+defaults to `false`.
+
+### Option: `enable_backups`
+
+Setting this option to `true` will allow Samba to expose the 'backup' folder,
+which is where HomeAssistant places its backups.  These backups can contain any information
+stored in your configurations for Homeassistant or any add-on, including secrets.
+
+Defaults to `false`.
+
+### Option: `enable_configs`
+
+Setting this option to `true` will allow Samba to expose the 'config' folder,
+which is where HomeAssistant stores it core configuration files and databases.  This
+includes secrets.
+
+Defaults to `false`.
+
+### Option: `enable_media`
+
+This option will allow Samba to expose the 'media' folder, which is where HomeAssistant
+expects you to store any local media files.  This is generally safe to expose.
+
+Defaults to `true`.  If you want to not allow this access, change to `false`.
+
+### Option: `enable_share`
+
+This option will allow Samba to expose the 'share' folder, which is where HomeAssistant
+stores information it expects to be shared between different plugins and HomeAssistant.
+
+Defaults to `true`.  If you want to not allow this access, change to `false`.
+
+### Option: `enable_ssl`
+
+Setting this option to `true` will allow Samba to expose the 'ssl' folder,
+which is where HomeAssistant stores its public and private SSL keys.  These are considered
+sensitive, because anyone who gets ahold of both parts can impersonante your HomeAssistant server,
+including using that to collect credentials.
+
+Defaults to `false`.
+
 ## Support
 
 Got questions?

samba/config.yaml

@@ -41,6 +41,13 @@ options:
     - 169.254.0.0/16
     - fe80::/10
     - fc00::/7
+  enable_addons: false
+  enable_addon_configs: false
+  enable_backup: false
+  enable_config: false
+  enable_media: true
+  enable_share: true
+  enable_ssl: false
 schema:
   username: str
   password: password
@@ -50,4 +57,11 @@ schema:
     - str
   allow_hosts:
     - str
+  enable_addons: bool
+  enable_addon_configs: bool
+  enable_backup: bool
+  enable_config: bool
+  enable_media: bool
+  enable_share: bool
+  enable_ssl: bool
 startup: services

samba/rootfs/etc/s6-overlay/s6-rc.d/init-smbd/run

@@ -12,6 +12,12 @@ if ! bashio::config.has_value 'username' || ! bashio::config.has_value 'password
     bashio::exit.nok "Setting a username and password is required!"
 fi
 
+if bashio::config.false 'enable_addons' && bashio::config.false 'enable_addon_configs' && bashio::config.false 'enable_backup' && \
+ bashio::config.false 'enable_config' && bashio::config.false 'enable_media' && bashio::config.false 'enable_share' && \
+ bashio::config.false 'enable_ssl'; then
+    bashio::exit.nok "No shares enabled for Samba to present!"
+fi
+
 # Read hostname from API or setting default "hassio"
 HOSTNAME=$(bashio::info.hostname)
 if bashio::var.is_empty "${HOSTNAME}"; then

samba/rootfs/usr/share/tempio/smb.gtpl

@@ -24,6 +24,7 @@
    dos charset = CP850
    unix charset = UTF-8
 
+{{ if .enable_config }}
 [config]
    browseable = yes
    writeable = yes
@@ -34,7 +35,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if .enable_addons }}
 [addons]
    browseable = yes
    writeable = yes
@@ -45,7 +48,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if .enable_addon_configs }}
 [addon_configs]
    browseable = yes
    writeable = yes
@@ -56,7 +61,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if .enable_ssl }}
 [ssl]
    browseable = yes
    writeable = yes
@@ -67,7 +74,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if .enable_share }}
 [share]
    browseable = yes
    writeable = yes
@@ -78,7 +87,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if .enable_backup }}
 [backup]
    browseable = yes
    writeable = yes
@@ -89,7 +100,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if .enable_media }}
 [media]
    browseable = yes
    writeable = yes
@@ -100,3 +113,4 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}

samba/translations/en.yaml

@@ -21,3 +21,24 @@ configuration:
   allow_hosts:
     name: Allowed Hosts
     description: List of hosts/networks allowed to access the shared folders.
+  enable_addons:
+    name: Enable Add-Ons folder
+    description: Enable SMB access to the Add-ons folder.  This is disabled by default.
+  enable_addon_configs:
+    name: Enable Add-On Configs folder
+    description: Enable SMB access to the Add-on Configuraitons folder. This is disabled by default.
+  enable_backup:
+    name: Enable Backups folder
+    description: Enable SMB access to the folder where HomeAssistant keeps its backups. This is disabled by default.
+  enable_config:
+    name: Enable Configs folder
+    description: Enable SMB access to the HomeAssistant Core configuration folder.  This is disabled by default.
+  enable_media:
+    name: Enable Media folder
+    description: Enable SMB access to the Media folder
+  enable_share:
+    name: Enable Share folders
+    description: Enable SMB access to the Share folder (which is shared with all HomeAssistant Add-ons).
+  enable_ssl:
+    name: Enable SSL folder
+    description: Enable SMB access to the ssl folder, where HomeAssistant keeps its SSL Keys.  This is disabled by default.