From c0a2b100ac9a59c131618da6633de0a8062d1ff2 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Tue, 20 Jan 2026 17:59:27 -0800
Subject: [PATCH] P6: Update plan for dedicated Synology user and mark torrents volume done

- Mark SMB share creation as DONE (torrents volume already exists)
- Add prerequisite for dedicated k8s-smb Synology user
- Update all 1Password references from synology-smb-torrents to synology-smb-k8s
- Update verification checklist accordingly

Co-Authored-By: Claude Opus 4.5
---
 plans/k8s-migration/P6_kiwix.md | 55 +++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 23 deletions(-)

diff --git a/plans/k8s-migration/P6_kiwix.md b/plans/k8s-migration/P6_kiwix.md
index a948325..d368f8f 100644
--- a/plans/k8s-migration/P6_kiwix.md
+++ b/plans/k8s-migration/P6_kiwix.md
@@ -118,20 +118,28 @@ This allows adding new ZIM archives by: ## Prerequisites (Manual Steps) -### 1. Configure SMB Share on Sifaka (USER ACTION REQUIRED) +### 1. Configure SMB Share on Sifaka -On Synology DSM: -1. Create shared folder: `torrents` - - Location: `/volume1/torrents` - - No compression, no encryption -2. SMB is enabled by default on Synology; verify at Control Panel → File Services → SMB -3. Set permissions on the `torrents` share: - - Give your user (eblume) Read/Write access -4. Create or note credentials for k8s access: - - Can use existing Synology user credentials - - Store in 1Password for later k8s Secret creation +**Status: DONE** - The `torrents` shared folder has been created at `/volume1/torrents`. -### 2. Mirror SMB CSI Driver Helm Chart to Forge (USER ACTION REQUIRED) +### 2. Create Dedicated Synology User for Kubernetes (USER ACTION REQUIRED) + +Create a dedicated Synology user for k8s SMB access (do not use personal account): + +On Synology DSM (Control Panel → User & Group): +1. Create new user: `k8s-smb` (or similar) + - Set a strong password + - No admin privileges needed + - Deny access to all applications (only needs file services) +2. Set permissions on the `torrents` share: + - Give `k8s-smb` user Read/Write access + - Remove or limit other user access as appropriate +3. Store credentials in 1Password: + - Vault: `vg6xf6vvfmoh5hqjjhlhbeoaie` (blumeops vault) + - Item name: `synology-smb-k8s` + - Fields: `username` (k8s-smb), `password` + +### 3. Mirror SMB CSI Driver Helm Chart to Forge (USER ACTION REQUIRED) Mirror the SMB CSI driver chart to forge for GitOps deployment: @@ -146,7 +154,7 @@ git remote add forge ssh://forgejo@indri.tail8d86e.ts.net:2200/eblume/csi-driver git push forge --all --tags ``` -### 3. Copy Existing Downloads to Sifaka +### 4. Copy Existing Downloads to Sifaka Before migration, copy existing downloads to avoid re-downloading ~138GB: 
@@ -161,12 +169,12 @@ rsync -avP ~/transmission/ /Volumes/torrents/ ls -la /Volumes/torrents/*.zim ``` -### 4. Store SMB Credentials in 1Password +### 5. Store SMB Credentials in 1Password -Create a 1Password item for Synology SMB credentials: +**Note:** This is covered in step 2 above. The 1Password item should be: - Vault: `vg6xf6vvfmoh5hqjjhlhbeoaie` (blumeops vault) -- Item name: `synology-smb-torrents` -- Fields: `username`, `password` +- Item name: `synology-smb-k8s` +- Fields: `username` (k8s-smb), `password` --- @@ -256,8 +264,8 @@ spec: # Template - apply manually with credentials from 1Password # kubectl --context=minikube create secret generic smbcreds \ # --namespace torrent \ -# --from-literal=username=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-torrents/username") \ -# --from-literal=password=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-torrents/password") +# --from-literal=username=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/username") \ +# --from-literal=password=$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/password") apiVersion: v1 kind: Secret metadata: @@ -265,8 +273,8 @@ metadata: namespace: torrent type: Opaque stringData: - username: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-torrents/username }}" - password: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-torrents/password }}" + username: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/username }}" + password: "{{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/password }}" ``` --- 
@@ -1102,10 +1110,11 @@ If migration fails: ## Verification Checklist -- [ ] SMB share configured on sifaka (`/volume1/torrents`) +- [x] SMB share configured on sifaka (`/volume1/torrents`) +- [ ] Dedicated Synology user (`k8s-smb`) created for k8s access - [ ] SMB CSI driver deployed to k8s - [ ] Existing downloads copied to sifaka -- [ ] SMB credentials secret created in k8s +- [ ] SMB credentials secret created in k8s (using `k8s-smb` user) - [ ] Transmission pod running in k8s (`torrent` namespace) - [ ] https://torrent.tail8d86e.ts.net accessible (web UI) - [ ] Can add torrents manually via web UI
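Review bot: In the new section 2 added by the first hunk (@@ -118,20 +118,28 @@), "Remove or limit other user access as appropriate" leaves the resulting permissions on the `torrents` share undefined, and the removed text was the only place that said `eblume` has Read/Write access. State the intended end state explicitly (which accounts keep access to the share, and at what level) so the step can be checked afterwards. The same section names the user "`k8s-smb` (or similar)" while the 1Password fields line and the checklist hardcode `k8s-smb`; dropping "(or similar)" would keep the three places consistent.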
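Review bot: In the hunk at @@ -161,12 +169,12 @@, section 5 now says it is covered by step 2 but still repeats the vault, the item name `synology-smb-k8s` and the field list, so the same values live in two places and can drift on the next rename. Consider deleting section 5, or reducing it to a one-line pointer to step 2 without restating the item details.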
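Review bot: In the commented kubectl command in the hunk at @@ -256,8 +264,8 @@, both `$(op read ...)` substitutions are unquoted, so a password containing whitespace or glob characters is word-split or expanded by the shell and the secret ends up with the wrong value or the command fails. Section 2 asks for a strong password, which makes such characters more likely. Wrap each substitution in double quotes, for example `--from-literal=password="$(op read "op://vg6xf6vvfmoh5hqjjhlhbeoaie/synology-smb-k8s/password")"`, and do the same for the `username` line.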
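Review bot: In the checklist hunk (@@ -1102,10 +1110,11 @@), the new item only confirms that the `k8s-smb` user was created, not that it was restricted the way section 2 requires (no admin privileges, application access denied, Read/Write limited to the `torrents` share). A dedicated account that is never checked for those restrictions gives little over the personal account it replaces. Add a checklist item for them, for example "- [ ] `k8s-smb` has no admin rights, no application access, and Read/Write on `torrents` only".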