mDMS/infra/samba-canon/entrypoint.sh
m 2aa532e717 chore: initial commit — spinout from m/otto
Spun out mDMS strategy + tooling from m/otto into its own repo on 2026-05-15.

Migrated:
- docs/strategy.md (was: m/otto:docs/mdms-strategy.md)
- infra/paperless/ (config + audit + migrate scripts)
- infra/samba-canon/ (Canon MB5100 SMB1 bridge container)

History in m/otto: issues #429–#438. Going forward, all mDMS issues
file here. Sibling m/paperless (separate repo) remains the bare
Docker Compose for Paperless-ngx itself.
2026-05-15 17:31:20 +02:00


#!/bin/sh
set -eu

# Map the in-container "canon" user to the same UID/GID as `m` on the host
# (UID 1000 / GID 1000). force user = canon in smb.conf then guarantees that
# every file written through SMB lands as m:m on the NFS-mounted /mnt/mdms/inbox.
TARGET_UID="${PUID:-1000}"
TARGET_GID="${PGID:-1000}"

if ! getent group canon >/dev/null 2>&1; then
    addgroup -g "${TARGET_GID}" canon
fi

if ! getent passwd canon >/dev/null 2>&1; then
    adduser -D -H -u "${TARGET_UID}" -G canon -s /sbin/nologin canon
fi

if [ -z "${CANON_PASSWORD:-}" ]; then
    echo "FATAL: CANON_PASSWORD env var is required" >&2
    exit 1
fi

# (Re)apply the Samba password every boot so rotating it = restart the container.
printf '%s\n%s\n' "${CANON_PASSWORD}" "${CANON_PASSWORD}" | smbpasswd -s -a canon >/dev/null
smbpasswd -e canon >/dev/null

# Verify the bind-mounted /inbox exists and is writable from the container.
# smbd will drop privilege per session to the canon user (uid 1000), which
# matches m on the host — files therefore land as m:m on the NFS mount.
if ! test -d /inbox; then
    echo "FATAL: /inbox missing — bind mount /mnt/mdms/inbox not set." >&2
    exit 1
fi

if ! test -w /inbox; then
    echo "FATAL: /inbox not writable. Check NFS mount + permissions on /mnt/mdms/inbox (must be writable by uid ${TARGET_UID})." >&2
    exit 1
fi

echo "samba-canon ready: smbd $(smbd --version | head -1), user=canon uid=${TARGET_UID} gid=${TARGET_GID}"

exec smbd --foreground --no-process-group --log-stdout
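
Added example, not part of this repository: the entrypoint creates `canon` only when the account is missing, so a restart with a changed PUID/PGID keeps the old ids, and PUID=0 would make `force user` write as root. The hypothetical helpers `is_safe_id` and `check_canon_identity` below validate the requested ids and compare them with an existing passwd record; the sample record is constructed.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from entrypoint.sh).

# Constructed passwd(5) record, standing in for `getent passwd canon`.
SAMPLE_PASSWD_LINE='canon:x:1000:1000::/home/canon:/sbin/nologin'

# is_safe_id VALUE -> 0 only for a decimal, non-zero uid/gid.
is_safe_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$1" -gt 0 ]                 # refuse 0: SMB writes would run as root
}

# check_canon_identity PASSWD_LINE WANT_UID WANT_GID
# Prints "ok" and returns 0 when the record matches the requested ids,
# otherwise prints the reason and returns 1.
check_canon_identity() {
    line=$1 want_uid=$2 want_gid=$3
    if ! is_safe_id "$want_uid" || ! is_safe_id "$want_gid"; then
        echo "PUID/PGID must be numeric and non-zero"
        return 1
    fi
    # passwd(5) fields: name:password:uid:gid:gecos:home:shell
    have_uid=$(printf '%s\n' "$line" | cut -d: -f3)
    have_gid=$(printf '%s\n' "$line" | cut -d: -f4)
    if [ "$have_uid" != "$want_uid" ] || [ "$have_gid" != "$want_gid" ]; then
        echo "canon is ${have_uid}:${have_gid}, expected ${want_uid}:${want_gid}"
        return 1
    fi
    echo "ok"
}

# In the entrypoint this would run after the adduser step, for example:
#   check_canon_identity "$(getent passwd canon)" "$TARGET_UID" "$TARGET_GID" >&2 || exit 1
check_canon_identity "$SAMPLE_PASSWD_LINE" 1000 1000
```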