From fabb9a87eefb1b09121f649901b1f51bbd4757bb Mon Sep 17 00:00:00 2001
From: as-kholin <as-kholin@users.noreply.github.com>
Date: Thu, 16 Jan 2025 05:25:40 -0600
Subject: [PATCH] Samba: Update Samba add-on to allow selectively enabling
 folders (#3701)

Co-authored-by: nana-ska <56788012+nana-ska@users.noreply.github.com>
Co-authored-by: Stefan Agner <stefan@agner.ch>
---
 samba/CHANGELOG.md                               |  4 ++++
 samba/DOCS.md                                    | 16 +++++++++++++---
 samba/config.yaml                                | 12 +++++++++++-
 .../rootfs/etc/s6-overlay/s6-rc.d/init-smbd/run  |  5 ++++-
 samba/rootfs/usr/share/tempio/smb.gtpl           | 14 ++++++++++++++
 samba/translations/en.yaml                       |  9 +++++++++
 6 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/samba/CHANGELOG.md b/samba/CHANGELOG.md
index 04880d188a3..4526ed32b16 100644
--- a/samba/CHANGELOG.md
+++ b/samba/CHANGELOG.md
@@ -1,4 +1,8 @@
 # Changelog
+## 12.4.0
+
+- Add the ability to enable and disable specific shares, improving user control over folder access
+
 ## 12.3.3
 
 - Enable Samba configurations to improve interoperability with Apple devices
diff --git a/samba/DOCS.md b/samba/DOCS.md
index 2e6408198e1..49729074c8b 100644
--- a/samba/DOCS.md
+++ b/samba/DOCS.md
@@ -12,9 +12,7 @@ Follow these steps to get the add-on installed on your system:
 
 1. In the configuration section, set a username and password.
    You can specify any username and password; these are not related in any way to the login credentials you use to log in to Home Assistant or to log in to the computer with which you will use Samba share.
-2. Save the configuration.
-3. Start the add-on.
-4. Check the add-on log output to see the result.
+2. Review the enabled shares. Disable any you do not plan to use. Shares can be re-enabled later if needed.
 
 ## Connection
 
@@ -40,6 +38,14 @@ Add-on configuration:
 workgroup: WORKGROUP
 username: homeassistant
 password: YOUR_PASSWORD
+enabled_shares:
+  - addons
+  - addon_configs
+  - backup
+  - config
+  - media
+  - share
+  - ssl
 allow_hosts:
   - 10.0.0.0/8
   - 172.16.0.0/12
@@ -66,6 +72,10 @@ The username you would like to use to authenticate with the Samba server.
 
 The password that goes with the username configured for authentication.
 
+### Option: `enabled_shares` (required)
+
+List of Samba shares that will be accessible. Any shares removed or commented out of the list will not be accessible.
+
 ### Option: `allow_hosts` (required)
 
 List of hosts/networks allowed to access the shared folders.
diff --git a/samba/config.yaml b/samba/config.yaml
index 81a20f167da..99a27a02526 100644
--- a/samba/config.yaml
+++ b/samba/config.yaml
@@ -1,5 +1,5 @@
 ---
-version: 12.3.3
+version: 12.4.0
 slug: samba
 name: Samba share
 description: Expose Home Assistant folders with SMB/CIFS
@@ -27,6 +27,14 @@ options:
   username: homeassistant
   password: null
   workgroup: WORKGROUP
+  enabled_shares:
+    - addons
+    - addon_configs
+    - backup
+    - config
+    - media
+    - share
+    - ssl
   compatibility_mode: false
   veto_files:
     - ._*
@@ -45,6 +53,8 @@ schema:
   username: str
   password: password
   workgroup: str
+  enabled_shares:
+    - "match(^(?i:(addons|addon_configs|backup|config|media|share|ssl))$)"
   compatibility_mode: bool
   veto_files:
     - str
diff --git a/samba/rootfs/etc/s6-overlay/s6-rc.d/init-smbd/run b/samba/rootfs/etc/s6-overlay/s6-rc.d/init-smbd/run
index c6df56ac0f7..422b1b6439d 100755
--- a/samba/rootfs/etc/s6-overlay/s6-rc.d/init-smbd/run
+++ b/samba/rootfs/etc/s6-overlay/s6-rc.d/init-smbd/run
@@ -14,6 +14,8 @@ if ! bashio::config.has_value 'username' || ! bashio::config.has_value 'password
     bashio::exit.nok "Setting a username and password is required!"
 fi
 
+bashio::config.require "enabled_shares" "Samba is a tool for sharing folders. Starting it without sharing any folders defeats the purpose."
+
 # Read hostname from API or setting default "hassio"
 HOSTNAME=$(bashio::info.hostname)
 if bashio::var.is_empty "${HOSTNAME}"; then
@@ -32,7 +34,8 @@ fi
 bashio::log.info "Interfaces: $(printf '%s ' "${interfaces[@]}")"
 
 # Generate Samba configuration.
-jq ".interfaces = $(jq -c -n '$ARGS.positional' --args -- "${interfaces[@]}")" /data/options.json \
+jq ".interfaces = $(jq -c -n '$ARGS.positional' --args -- "${interfaces[@]}") |
+    .enabled_shares.[] |= ascii_downcase" /data/options.json \
     | tempio \
       -template /usr/share/tempio/smb.gtpl \
       -out /etc/samba/smb.conf
diff --git a/samba/rootfs/usr/share/tempio/smb.gtpl b/samba/rootfs/usr/share/tempio/smb.gtpl
index 6a673c85947..ad35a3e6fdf 100644
--- a/samba/rootfs/usr/share/tempio/smb.gtpl
+++ b/samba/rootfs/usr/share/tempio/smb.gtpl
@@ -28,6 +28,7 @@
 
    vfs objects = catia fruit streams_xattr
 
+{{ if (has "config" .enabled_shares) }}
 [config]
    browseable = yes
    writeable = yes
@@ -38,7 +39,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if (has "addons" .enabled_shares) }}
 [addons]
    browseable = yes
    writeable = yes
@@ -49,7 +52,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if (has "addon_configs" .enabled_shares) }}
 [addon_configs]
    browseable = yes
    writeable = yes
@@ -60,7 +65,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if (has "ssl" .enabled_shares) }}
 [ssl]
    browseable = yes
    writeable = yes
@@ -71,7 +78,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if (has "share" .enabled_shares) }}
 [share]
    browseable = yes
    writeable = yes
@@ -82,7 +91,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if (has "backup" .enabled_shares) }}
 [backup]
    browseable = yes
    writeable = yes
@@ -93,7 +104,9 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
 
+{{ if (has "media" .enabled_shares) }}
 [media]
    browseable = yes
    writeable = yes
@@ -104,3 +117,4 @@
    force group = root
    veto files = /{{ .veto_files | join "/" }}/
    delete veto files = {{ eq (len .veto_files) 0 | ternary "no" "yes" }}
+{{ end }}
diff --git a/samba/translations/en.yaml b/samba/translations/en.yaml
index d819acc9fb6..4b4e855af16 100644
--- a/samba/translations/en.yaml
+++ b/samba/translations/en.yaml
@@ -11,6 +11,15 @@ configuration:
   workgroup:
     name: Workgroup
     description: Change WORKGROUP to reflect your network needs.
+  enabled_shares:
+    name: >-
+      Enabled Shares - allowed values are:
+      addons, addon_configs, backup, config, media, share, or ssl.
+    description: >-
+      List of file shares to make available.
+      Adding a share requires typing its name to add it.
+      The listed values are the only allowed values.
+      The configuration cannot be saved if any non-allowed value is in the list.
   compatibility_mode:
     name: Enable Compatibility Mode
     description: >-