Add smb encrypt option

[7CqKcKvfAf]

Adds option to set "smb encrypt" to off/desired/required. If set to required, all traffic between client and server will be encrypted instead of plain text message traffic.
Encryption requires to use SMB3 and cannot be used in combination with compatibility mode option.

Summary by CodeRabbit

• New Features

  • Added SMB encryption option with three settings — off, desired (default), required — to control encryption of client-server traffic; "required" enforces SMB3 and restricts guest access.

• Documentation

  • Added docs and translation strings for the encryption option and expanded guidance on server signing and compatibility mode behavior.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[home-assistant]

Hi @7CqKcKvfAf

It seems you haven't yet signed a CLA. Please do so here.

Once you do that we will be able to review and accept this pull request.

Thanks!

[home-assistant]

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

Stale

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a new SMB encryption option (off|desired|required), bumps version to 12.5.5, updates schema, docs, translation, and templates to conditionally emit smb encrypt and related SMB3 settings when encryption is required.

Changes

Cohort / File(s)	Summary
Changelog & Docs samba/CHANGELOG.md, samba/DOCS.md, samba/translations/en.yaml	Add 12.5.5 changelog entry; document new encryption option, values, and default; add translation configuration.encryption with name and description.
Config Schema samba/config.yaml	Bump version to 12.5.5; add top-level options.encryption default "desired" and schema allowing off|desired|required.
SMB Template samba/rootfs/usr/share/tempio/smb.gtpl	Replace unconditional server signing with conditional block that emits smb encrypt = {{ .encryption }}; when required, apply SMB3-specific protocol/sign settings and ignore compatibility_mode; otherwise apply server signing and preserve compatibility_mode handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add smb encrypted option' directly matches the main objective: adding a new SMB encryption configuration option with off/desired/required values.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

samba/rootfs/usr/share/tempio/smb.gtpl (1)

22-34: Consider using server signing = mandatory instead of auto when encryption is required.

The logic correctly enforces SMB3 protocols when encryption is required and properly ignores compatibility_mode in this case. However, Samba best practices recommend server signing = mandatory when using SMB3 with encryption enabled. While signing becomes implicit with encryption at the transport level, explicitly setting it to mandatory ensures consistent security enforcement and aligns with documented hardening guidance.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 104349e and 044015c.

📒 Files selected for processing (5)

• samba/CHANGELOG.md
• samba/DOCS.md
• samba/config.yaml
• samba/rootfs/usr/share/tempio/smb.gtpl
• samba/translations/en.yaml

🧰 Additional context used

📓 Path-based instructions (1)

*/**(html|markdown|md)

⚙️ CodeRabbit configuration file

*/**(html|markdown|md): - For instructional content in documentation, use a direct and authoritative tone. Avoid expressions of politeness such as 'may' or 'please', and ensure the goal of the instruction is fronted.

• Apply the Microsoft Style Guide to ensure documentation maintains clarity and conciseness.
• In step-by-step instructions, front the location phrase in the instructional sentence.
• In step-by-step instructions, front the 'goal' in the instructional sentence.
• In step-by-step instructions, if in doubt what to front, front the 'goal' before the location phrase in the instructional sentence.
• do not hyphenate terms like 'top-right' or 'bottom-left' with 'corner'

*/**(html|markdown|md): - Use bold to mark UI strings.

• If "" are used to mark UI strings, replace them by bold.

• Be brief in your replies and don't add fluff like "thank you for..." and "Please let me know if"

• Use sentence-style capitalization also in headings.

do not comment on HTML used for icons

Avoid flagging inline HTML for embedding videos in future reviews for this repository.

Files:

• samba/CHANGELOG.md
• samba/config.yaml
• samba/DOCS.md

🔇 Additional comments (7)

samba/CHANGELOG.md (1)

3-6: LGTM!

The changelog entry follows the established format and accurately describes the new feature.

samba/translations/en.yaml (1)

36-41: LGTM!

The translation entry accurately describes the encryption feature and its interaction with compatibility mode.

samba/DOCS.md (2)

110-116: LGTM!

The documentation is clear, direct, and follows the Microsoft Style Guide. UI values are properly bolded, and the explanation is concise.

---

117-122: LGTM!

The documentation enhancement is clear and follows guidelines. The security explanation is valuable, and values are properly formatted.

samba/config.yaml (3)

2-2: LGTM!

Version bump is consistent with the changelog entry.

---

40-40: LGTM!

The default value "desired" is appropriate and aligns with the documentation.

---

64-64: LGTM!

The schema correctly defines the three allowed encryption values.