fix(freeipa): harden container SMB setup and fetch-alerts script

ansipa-smb.service: WantedBy=multi-user.target (was smb.service) so the
  setup service always runs at boot, not only when smb.service pulls it in

docker-compose.yml: add NetBIOS UDP ports 137/138 to match Dockerfile EXPOSE
  and nmb.service being enabled

ansipa-smb-setup.sh:
  - use printf '%q' when writing SMB_SCAN_PASSWORD to ansipa-smb.env so
    passwords with spaces or shell-special chars are correctly quoted
  - always write /etc/cron.d/ansipa-check-scans (remove the [[ ! -f ]] guard)
    since /etc/cron.d is on the ephemeral container layer and is lost on
    container recreation; the service runs on every start anyway

Dockerfile: add -e SMB_SCAN_PASSWORD and -p 445:445 to the quick-test comment

ansipa-fetch-alerts.sh: replace $NEW && log with [[ "$NEW" == true ]] && log
  to avoid set -e ambiguity with the 'false' builtin

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Amir Alexander Abdelbaki 2026-05-20 13:13:53 +02:00
parent 11e66dbddd
commit c56c86d57b
5 changed files with 15 additions and 9 deletions


@ -122,7 +122,7 @@ for ALERT_NAME in "${SERVER_ALERTS[@]}"; do
echo "$ALERT_NAME" >> "$FETCHED_STATE"
fi
$NEW && log "New alert delivered: $ALERT_NAME"
[[ "$NEW" == true ]] && log "New alert delivered: $ALERT_NAME"
done
log "Done. ${#SERVER_ALERTS[@]} server alert(s) for $HOSTNAME."
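Review bot: The new `[[ "$NEW" == true ]]` test only matches the literal string `true`, and NEW is assigned outside this hunk, so if that assignment ever yields `1`, `yes` or an empty string the "New alert delivered" line silently stops logging (and an unset NEW aborts the loop if the script runs with `set -u`). The change itself is harmless but the stated motivation is weaker than the message suggests: as a non-final element of an `&&` list, neither `$NEW && log` nor the new form was ever subject to `set -e`, so the gain is readability rather than exit-status safety. Pin the contract at the read site with a comment such as `# NEW is the literal "true"/"false" set when the alert was first fetched; compare as a string, never execute it`. The enclosing `for ALERT_NAME` loop begins outside the hunk.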


@ -12,7 +12,8 @@
# -e IPA_DOMAIN=example.com \
# -e IPA_ADMIN_PASSWORD=Secret123 \
# -e IPA_DM_PASSWORD=Secret456 \
# -p 443:443 -p 389:389 -p 636:636 -p 88:88 \
# -e SMB_SCAN_PASSWORD=Secret789 \
# -p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 445:445 \
# freeipa-server
#
# For production use docker-compose.yml instead.
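Review bot: The quick-test line `-p 443:443 -p 389:389 -p 636:636 -p 88:88 -p 445:445` publishes every port, including the newly added SMB port, on all host interfaces, while the same command hands the share password over as `-e SMB_SCAN_PASSWORD=Secret789`, which ends up in shell history and is readable by anyone who can run `docker inspect`. Since this is a copy-paste smoke test, showing the loopback-bound form avoids exposing a share with a documented password to the network: `# -p 127.0.0.1:445:445 \`. A one-line caveat next to the existing "For production use docker-compose.yml" note, e.g. `# The -e passwords above are visible in shell history and 'docker inspect'; never reuse these values.`, would make the limitation explicit.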


@ -31,8 +31,9 @@ fi
[[ -z "$SMB_PASS" ]] && die "SMB_SCAN_PASSWORD not set and $ENV_FILE not present. Set it in .env."
# ── Persist for subsequent restarts ──────────────────────────────────────────
# %q shell-quotes the value so passwords with spaces or special chars are safe.
mkdir -p "$(dirname "$ENV_FILE")"
printf 'SMB_SCAN_PASSWORD=%s\n' "$SMB_PASS" > "$ENV_FILE"
printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS" > "$ENV_FILE"
chmod 600 "$ENV_FILE"
# ── Directory structure (idempotent) ──────────────────────────────────────────
@ -81,13 +82,13 @@ printf '%s\n%s\n' "$SMB_PASS" "$SMB_PASS" | smbpasswd -s "$SMB_USER" 2>/dev/n
log "WARN: smbpasswd returned non-zero (user may already exist with correct password)"
# ── Server-side scan checker cron (hourly, analysed on the IPA server itself) ─
if [[ ! -f /etc/cron.d/ansipa-check-scans ]]; then
# Always (re-)write: /etc/cron.d is on the ephemeral container layer and is
# lost on container recreation, so we must restore it on every start.
cat > /etc/cron.d/ansipa-check-scans <<'CRON'
# ansipa: analyze client scan logs and write alerts — managed, do not edit.
0 * * * * root /usr/local/sbin/ansipa-check-scans.sh 2>&1 | logger -t ansipa-check-scans
CRON
chmod 644 /etc/cron.d/ansipa-check-scans
log "Installed hourly scan-checker cron"
fi
log "Samba setup complete. Share: //localhost/ansipa-scans user: $SMB_USER"
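Review bot: `printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS" > "$ENV_FILE"` creates the file under the process umask (typically 022, i.e. 0644) and only the following `chmod 600` tightens it, so there is a window in which the password is world-readable inside the container; create it restricted from the start with `( umask 077; printf 'SMB_SCAN_PASSWORD=%q\n' "$SMB_PASS" > "$ENV_FILE" )` and keep the `chmod 600` for the pre-existing-file case. The `%q` encoding is only correct if `$ENV_FILE` is read back with `source`/`.`; the reader is above this hunk, so if the file is ever consumed as a systemd `EnvironmentFile=` or a compose `env_file` the backslash or `$'…'` escapes would be taken literally — a comment at the write site stating that the file is shell-sourced would pin that assumption. In the second hunk the cron file is now rewritten on every start, which is fine, but `log "Installed hourly scan-checker cron"` now fires unconditionally; `log "(Re)installed hourly scan-checker cron"` matches the new behaviour.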


@ -15,4 +15,6 @@ StandardOutput=journal
StandardError=journal
[Install]
WantedBy=smb.service
# multi-user.target ensures this runs on every container start.
# Before=smb.service guarantees smb.conf and the Samba user exist before smbd starts.
WantedBy=multi-user.target
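Review bot: Dropping `WantedBy=smb.service` removes the only pull-in from smbd's side, so `systemctl start smb` or a stand-alone restart of smb.service no longer runs this setup unit; the `Before=smb.service` the new comment relies on is not visible in this hunk (confirm it is present under [Unit]) and in any case only orders units that are already queued, it does not pull them in. A unit may list several install targets, so keeping both `WantedBy=multi-user.target` and `WantedBy=smb.service` gives the boot-time run the commit wants while preserving the ordering guarantee for a manual start. Whether a re-pull re-executes the setup script depends on `Type=` and `RemainAfterExit=`, which are outside the hunk.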


@ -59,6 +59,8 @@ services:
- "443:443"
- "445:445"
- "139:139"
- "137:137/udp"
- "138:138/udp"
networks:
ipa-net:
ipv4_address: 172.30.0.10
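Review bot: The two new mappings `"137:137/udp"` and `"138:138/udp"` use the short form without a host address, so Docker publishes the NetBIOS name and datagram services on every host interface (IPv4 and IPv6) and inserts its own iptables rules ahead of the host firewall; NetBIOS-NS is a spoofable, amplifiable UDP service and is rarely needed by clients that reach the share by IP or DNS name on 445. If legacy name resolution is genuinely required, bind the ports to the LAN interface explicitly, e.g. `- "<lan-ip>:137:137/udp"` and `- "<lan-ip>:138:138/udp"`, and add a comment saying why NetBIOS must be reachable from outside the container; otherwise leave them unpublished even though the Dockerfile EXPOSEs them. The existing 445/139 lines use the same unbound form, so this is an established pattern rather than a regression, but the UDP ports are the ones most worth restricting.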