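---
# NSS configuration, mounted into the smbd container as /etc/nsswitch.conf.
# passwd and group consult local files first and then winbind, which is what
# lets `getent group 'UNDERCLOUD\...'` resolve domain groups in that container.
apiVersion: v1
kind: ConfigMap
metadata:
  name: samba-files-nsswitch
  namespace: samba-files
data:
  nsswitch.conf: |
    passwd: files winbind
    group: files winbind
    shadow: files
    hosts: files dns
    networks: files
    protocols: files
    services: files
    ethers: files
    rpc: files
---
# Kerberos client configuration for the UNDERCLOUD.LOCAL realm. Each container
# copies it from /krb5/krb5.conf to /etc/krb5.conf at start. KDCs and realm
# mappings are discovered through DNS (dns_lookup_kdc / dns_lookup_realm), so
# the pod's resolver must be able to reach the domain's DNS records.
apiVersion: v1
kind: ConfigMap
metadata:
  name: samba-files-krb5
  namespace: samba-files
data:
  krb5.conf: |
    [libdefaults]
    default_realm = UNDERCLOUD.LOCAL
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    forwardable = true
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}

    [domain_realm]
    .undercloud.local = UNDERCLOUD.LOCAL
    undercloud.local = UNDERCLOUD.LOCAL
---
# Samba file server joined to the UNDERCLOUD.LOCAL domain as a member server.
# Start order: wait-for-ad (DC reachable) -> join-domain (machine account) ->
# winbindd and smbd side by side.
#
# Objects referenced here but not defined in this file: ConfigMap
# samba-files-config (smb.conf) and Secret samba-files-join (join credentials).
#
# NOTE(review): every container uses the mutable tag
# quay.io/samba.org/samba-server:v0.8 with imagePullPolicy IfNotPresent; pin
# the image by digest once a verified digest is available.
# NOTE(review): no securityContext or resource limits are set. The scripts run
# chgrp/chmod on mounted volumes and smbd binds ports 139/445, so tightening
# privileges needs testing against this image before it is applied.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: samba-files
  namespace: samba-files
  labels:
    app: samba-files
spec:
  replicas: 1
  selector:
    matchLabels:
      app: samba-files
  template:
    metadata:
      labels:
        app: samba-files
    spec:
      hostname: filesrv1
      subdomain: samba-files
      # One PID namespace for the whole pod: processes, including their
      # command lines, are visible across containers.
      shareProcessNamespace: true
      terminationGracePeriodSeconds: 30
      initContainers:
        - name: wait-for-ad
          image: quay.io/samba.org/samba-server:v0.8
          imagePullPolicy: IfNotPresent
          command: ["/bin/bash", "-ec"]
          # Blocks until the domain controller resolves in DNS and accepts
          # TCP connections for LDAP and LDAPS.
          # NOTE(review): the two port probes were garbled in the source
          # (`until bash -c "/dev/null; do`, unbalanced quote). They are
          # reconstructed here as bash /dev/tcp connect tests on the standard
          # LDAP (389) and LDAPS (636) ports, matching the echo messages.
          # Confirm against the original manifest.
          args:
            - |
              set -euxo pipefail
              until getent hosts dc1.undercloud.local >/dev/null; do
                echo "waiting for dc1.undercloud.local dns"
                sleep 5
              done
              until bash -c "</dev/tcp/dc1.undercloud.local/389" 2>/dev/null; do
                echo "waiting for dc1.undercloud.local ldap"
                sleep 5
              done
              until bash -c "</dev/tcp/dc1.undercloud.local/636" 2>/dev/null; do
                echo "waiting for dc1.undercloud.local ldaps"
                sleep 5
              done
        - name: join-domain
          image: quay.io/samba.org/samba-server:v0.8
          imagePullPolicy: IfNotPresent
          # Join credentials come from the samba-files-join Secret and are
          # only present in this init container's environment.
          env:
            - name: JOIN_USER
              valueFrom:
                secretKeyRef:
                  name: samba-files-join
                  key: username
            - name: JOIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: samba-files-join
                  key: password
          command: ["/bin/bash", "-ec"]
          # Prepares state directories, then joins the domain unless
          # `net ads testjoin` already succeeds (state lives on the
          # samba-files-state PVC, so a restart normally skips the join).
          #
          # xtrace (-x) is deliberately NOT enabled in this script: with it,
          # bash would print the expanded `-U "user%password"` argument to the
          # container log, exposing the join password to anyone who can read
          # pod logs.
          # NOTE(review): the password is still passed on net's argv, where it
          # is readable through /proc while the join runs. Consider a
          # non-argv mechanism if the Samba build in this image supports one,
          # and use a join account delegated only the rights needed to create
          # this machine account.
          args:
            - |
              set -euo pipefail
              mkdir -p /run/samba
              mkdir -p /var/cache/samba
              mkdir -p /var/lib/samba
              mkdir -p /var/lib/samba/private
              mkdir -p /var/lib/samba/private/msg.sock
              mkdir -p /data
              chmod 0755 /var/lib/samba
              chmod 0755 /var/cache/samba
              chmod 0700 /var/lib/samba/private/msg.sock
              chmod 2770 /data
              cp /krb5/krb5.conf /etc/krb5.conf
              if net ads testjoin >/dev/null 2>&1; then
                echo "already joined"
                exit 0
              fi
              net ads join \
                -S dc1.undercloud.local \
                -U "${JOIN_USER}%${JOIN_PASSWORD}"
              net ads testjoin
          volumeMounts:
            - name: samba-config
              mountPath: /etc/samba/smb.conf
              subPath: smb.conf
            - name: krb5-config
              mountPath: /krb5/krb5.conf
              subPath: krb5.conf
            - name: samba-state
              mountPath: /var/lib/samba
            - name: samba-cache
              mountPath: /var/cache/samba
            - name: samba-run
              mountPath: /run/samba
            - name: share-data
              mountPath: /data
      containers:
        - name: winbindd
          image: quay.io/samba.org/samba-server:v0.8
          imagePullPolicy: IfNotPresent
          command: ["/bin/bash", "-ec"]
          # Runs winbindd in the foreground against the shared state, cache
          # and run directories.
          args:
            - |
              set -euxo pipefail
              mkdir -p \
                /run/samba \
                /var/cache/samba \
                /var/lib/samba \
                /var/lib/samba/private \
                /var/lib/samba/private/msg.sock
              cp /krb5/krb5.conf /etc/krb5.conf
              exec winbindd --foreground --no-process-group
          volumeMounts:
            - name: samba-config
              mountPath: /etc/samba/smb.conf
              subPath: smb.conf
            - name: krb5-config
              mountPath: /krb5/krb5.conf
              subPath: krb5.conf
            - name: samba-state
              mountPath: /var/lib/samba
            - name: samba-cache
              mountPath: /var/cache/samba
            - name: samba-run
              mountPath: /run/samba
          # Startup: winbindd answers a ping (wbinfo -p); allows up to
          # 24 * 5s = 120s.
          startupProbe:
            exec:
              command: ["/bin/bash", "-ec", "wbinfo -p"]
            periodSeconds: 5
            timeoutSeconds: 5
            failureThreshold: 24
          # Readiness additionally requires wbinfo -P to succeed.
          readinessProbe:
            exec:
              command: ["/bin/bash", "-ec", "wbinfo -p && wbinfo -P"]
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 20
            failureThreshold: 6
        - name: smbd
          image: quay.io/samba.org/samba-server:v0.8
          imagePullPolicy: IfNotPresent
          ports:
            - name: smb
              containerPort: 445
              protocol: TCP
            - name: netbios-ssn
              containerPort: 139
              protocol: TCP
          command: ["/bin/bash", "-ec"]
          # Waits for winbind and for the access group to resolve, creates the
          # share directories, restricts them to the group (setgid, mode 2770)
          # and starts smbd in the foreground at debug level 3.
          # NOTE(review): if the group name cannot be used, /data falls back
          # to the hard-coded GID 21105, and a chgrp failure on the
          # sub-directories is ignored (`|| true`). Either case can leave the
          # share owned by a group other than the intended one; confirm the
          # GID matches the winbind idmap for fileserver-access.
          args:
            - |
              set -euxo pipefail
              mkdir -p \
                /run/samba \
                /var/cache/samba \
                /var/lib/samba \
                /var/lib/samba/private \
                /var/lib/samba/private/msg.sock
              cp /krb5/krb5.conf /etc/krb5.conf
              until wbinfo -p && wbinfo -P; do
                echo "waiting for winbind/dc"
                sleep 5
              done
              until getent group 'UNDERCLOUD\fileserver-access' >/dev/null; do
                echo "waiting for group resolution"
                sleep 2
              done
              mkdir -p \
                /data/data \
                /data/music \
                /data/movies \
                /data/tvshows
              chgrp 'UNDERCLOUD\fileserver-access' /data || chgrp 21105 /data
              chgrp 'UNDERCLOUD\fileserver-access' /data/data /data/music /data/movies /data/tvshows || true
              chmod 2770 /data
              chmod 2770 /data/data /data/music /data/movies /data/tvshows
              exec smbd --foreground --no-process-group --debug-stdout -d 3
          volumeMounts:
            - name: samba-config
              mountPath: /etc/samba/smb.conf
              subPath: smb.conf
            - name: nsswitch-config
              mountPath: /etc/nsswitch.conf
              subPath: nsswitch.conf
            - name: krb5-config
              mountPath: /krb5/krb5.conf
              subPath: krb5.conf
            - name: samba-state
              mountPath: /var/lib/samba
            - name: samba-cache
              mountPath: /var/cache/samba
            - name: samba-run
              mountPath: /run/samba
            - name: share-data
              mountPath: /data
          # Startup: port 445 accepts connections; allows up to
          # 18 * 10s = 180s.
          startupProbe:
            tcpSocket:
              port: 445
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 18
          readinessProbe:
            tcpSocket:
              port: 445
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
      volumes:
        - name: samba-config
          configMap:
            name: samba-files-config
        - name: krb5-config
          configMap:
            name: samba-files-krb5
        - name: samba-cache
          emptyDir: {}
        - name: samba-run
          emptyDir: {}
        # Holds /var/lib/samba, including the private/ directory.
        # Persisting it keeps the domain join across pod restarts.
        - name: samba-state
          persistentVolumeClaim:
            claimName: samba-files-state
        - name: share-data
          persistentVolumeClaim:
            claimName: samba-files-data
        - name: nsswitch-config
          configMap:
            name: samba-files-nsswitch
---
# Persistent Samba state (/var/lib/samba).
# NOTE(review): the claim is ReadWriteMany; anything else able to mount it can
# read the contents of /var/lib/samba/private. Restrict who can reference this
# claim.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: samba-files-state
  namespace: samba-files
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  storageClassName: cephfs-hyper
---
# Share data, mounted at /data in the join-domain and smbd containers.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: samba-files-data
  namespace: samba-files
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 200Gi
  storageClassName: cephfs-hyper-slow
---
# Dual-stack ClusterIP Service with fixed addresses for SMB (445) and NetBIOS
# session (139). The addresses are quoted so they are always read as strings.
# NOTE(review): no NetworkPolicy appears in this file; if one is not defined
# elsewhere, any workload that can reach these addresses can reach the SMB
# ports.
apiVersion: v1
kind: Service
metadata:
  name: samba-files
  namespace: samba-files
  labels:
    app: samba-files
spec:
  internalTrafficPolicy: Cluster
  clusterIP: "2001:470:7116:f:1::30"
  clusterIPs:
    - "2001:470:7116:f:1::30"
    - "10.0.91.30"
  ipFamilies:
    - IPv6
    - IPv4
  ipFamilyPolicy: PreferDualStack
  type: ClusterIP
  selector:
    app: samba-files
  ports:
    - name: smb
      port: 445
      protocol: TCP
      targetPort: 445
    - name: netbios-ssn
      port: 139
      protocol: TCP
      targetPort: 139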