Switch from SMB CSI to hostPath for torrents volume

SMB CSI driver doesn't work with minikube podman driver due to
kernel-level mount restrictions. Use hostPath instead since the
SMB share is already mounted on indri at /Volumes/torrents.

- Remove SMB PV and secret template
- Add hostPath PVs for torrent and kiwix namespaces
- Both PVs point to same /Volumes/torrents directory

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

argocd/manifests/kiwix/kustomization.yaml

@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kiwix
 resources:
+  - pv.yaml
   - pvc.yaml
   - configmap-zim-torrents.yaml
   - configmap-sync-script.yaml

argocd/manifests/kiwix/pv.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: torrents-pv-kiwix
+spec:
+  capacity:
+    storage: 1Ti
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  hostPath:
+    path: /Volumes/torrents
+    type: Directory

argocd/manifests/kiwix/pvc.yaml

@@ -8,7 +8,7 @@ spec:
   accessModes:
     - ReadWriteMany  # Need write for the sync sidecar to work
   storageClassName: ""
-  volumeName: torrents-smb-pv
+  volumeName: torrents-pv-kiwix
   resources:
     requests:
       storage: 1Ti

argocd/manifests/torrent/kustomization.yaml

@@ -3,9 +3,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: torrent
 resources:
-  - pv-smb.yaml
+  - pv.yaml
   - pvc.yaml
   - deployment.yaml
   - service.yaml
   - ingress-tailscale.yaml
-# Note: secret-smb.yaml.tpl must be applied manually with credentials from 1Password

argocd/manifests/torrent/pv-smb.yaml

@@ -1,29 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: torrents-smb-pv
-spec:
-  capacity:
-    storage: 1Ti
-  accessModes:
-    - ReadWriteMany
-  persistentVolumeReclaimPolicy: Retain
-  storageClassName: ""
-  mountOptions:
-    - dir_mode=0777
-    - file_mode=0777
-    - uid=1000
-    - gid=1000
-    - noperm
-    - mfsymlinks
-    - cache=strict
-    - noserverino  # Required to prevent data corruption
-  csi:
-    driver: smb.csi.k8s.io
-    volumeHandle: torrents-smb-pv
-    volumeAttributes:
-      source: //sifaka/torrents
-    nodeStageSecretRef:
-      name: smbcreds
-      namespace: torrent

argocd/manifests/torrent/pv.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: torrents-pv
+spec:
+  capacity:
+    storage: 1Ti
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  hostPath:
+    path: /Volumes/torrents
+    type: Directory

argocd/manifests/torrent/pvc.yaml

@@ -8,7 +8,7 @@ spec:
   accessModes:
     - ReadWriteMany
   storageClassName: ""
-  volumeName: torrents-smb-pv
+  volumeName: torrents-pv
   resources:
     requests:
       storage: 1Ti

argocd/manifests/torrent/secret-smb.yaml.tpl

@@ -1,14 +0,0 @@
-# Template - apply manually with credentials from 1Password
-# kubectl --context=minikube-indri create secret generic smbcreds \
-#   --namespace torrent \
-#   --from-literal=username=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/username") \
-#   --from-literal=password=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/password")
-apiVersion: v1
-kind: Secret
-metadata:
-  name: smbcreds
-  namespace: torrent
-type: Opaque
-stringData:
-  username: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/username }}"
-  password: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/password }}"