titan-iac/scripts/nextcloud-mail-sync.sh

#!/bin/bash
set -euo pipefail

KC_BASE="${KC_BASE:?}"
KC_REALM="${KC_REALM:?}"
KC_ADMIN_USER="${KC_ADMIN_USER:?}"
KC_ADMIN_PASS="${KC_ADMIN_PASS:?}"
MAILU_DOMAIN="${MAILU_DOMAIN:?}"

if ! command -v jq >/dev/null 2>&1; then
  apt-get update && apt-get install -y jq curl >/dev/null
fi

list_mail_accounts() {
  local user_id="${1}"
  local export_out

  # Nextcloud Mail does not provide a list command; export is safe (does not print passwords).
  # Some occ commands emit to stderr; capture both streams so we don't mis-detect "no accounts".
  if ! export_out=$(/usr/sbin/runuser -u www-data -- php occ mail:account:export "${user_id}" 2>&1); then
    echo "WARN: unable to export mail accounts for ${user_id}; skipping sync for safety" >&2
    return 1
  fi

  # The export output is human-readable and includes blocks like:
  #   Account 10:
  #   - E-Mail: user@example.com
  # Extract "account-id <tab> email" pairs.
  awk '
    /^Account[[:space:]]+[0-9]+:/ {
      id=$2;
      sub(/:$/, "", id);
      next;
    }
    id != "" && /@/ {
      # Keep the regex simple (mawk does not support interval expressions like {2,}).
      if (match($0, /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/)) {
        printf("%s\t%s\n", id, substr($0, RSTART, RLENGTH));
        id="";
      }
    }
  ' <<<"${export_out}" | sort -u
}

token=$(
  curl -s -d "grant_type=password" \
    -d "client_id=admin-cli" \
    -d "username=${KC_ADMIN_USER}" \
    -d "password=${KC_ADMIN_PASS}" \
    "${KC_BASE}/realms/master/protocol/openid-connect/token" | jq -r '.access_token'
)

if [[ -z "${token}" || "${token}" == "null" ]]; then
  echo "Failed to obtain admin token"
  exit 1
fi

cd /var/www/html

users=$(curl -s -H "Authorization: Bearer ${token}" \
  "${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000")

echo "${users}" | jq -c '.[]' | while read -r user; do
  username=$(echo "${user}" | jq -r '.username')
  keycloak_email=$(echo "${user}" | jq -r '.email // empty')
  mailu_email=$(echo "${user}" | jq -r '(.attributes.mailu_email[0] // .attributes.mailu_email // empty)')
  app_pw=$(echo "${user}" | jq -r '(.attributes.mailu_app_password[0] // .attributes.mailu_app_password // empty)')

  if [[ -z "${mailu_email}" ]]; then
    if [[ -n "${keycloak_email}" && "${keycloak_email,,}" == *"@${MAILU_DOMAIN,,}" ]]; then
      mailu_email="${keycloak_email}"
    else
      mailu_email="${username}@${MAILU_DOMAIN}"
    fi
  fi

  [[ -z "${mailu_email}" || -z "${app_pw}" ]] && continue

  if ! accounts=$(list_mail_accounts "${username}"); then
    continue
  fi

  # Manage only internal Mailu-domain accounts; leave any external accounts untouched.
  mailu_accounts=$(awk -v d="${MAILU_DOMAIN,,}" 'tolower($2) ~ ("@" d "$") {print}' <<<"${accounts}" || true)

  desired_email="${mailu_email}"
  primary_id=""
  primary_email=""

  if [[ -n "${mailu_accounts}" ]]; then
    while IFS=$'\t' read -r account_id account_email; do
      if [[ -z "${primary_id}" ]]; then
        primary_id="${account_id}"
        primary_email="${account_email}"
      fi
      if [[ "${account_email,,}" == "${desired_email,,}" ]]; then
        primary_id="${account_id}"
        primary_email="${account_email}"
        break
      fi
    done <<<"${mailu_accounts}"

    echo "Updating ${username} mail account ${primary_id} (${primary_email})"
    /usr/sbin/runuser -u www-data -- php occ mail:account:update -q "${primary_id}" \
      --name "${username}" \
      --email "${desired_email}" \
      --imap-host mail.bstein.dev \
      --imap-port 993 \
      --imap-ssl-mode ssl \
      --imap-user "${desired_email}" \
      --imap-password "${app_pw}" \
      --smtp-host mail.bstein.dev \
      --smtp-port 587 \
      --smtp-ssl-mode tls \
      --smtp-user "${desired_email}" \
      --smtp-password "${app_pw}" \
      --auth-method password >/dev/null 2>&1 || true

    # Remove any extra Mailu-domain accounts for this user to prevent duplicates.
    while IFS=$'\t' read -r account_id account_email; do
      if [[ "${account_id}" == "${primary_id}" ]]; then
        continue
      fi
      echo "Deleting extra mail account ${account_id} (${account_email})"
      /usr/sbin/runuser -u www-data -- php occ mail:account:delete -q "${account_id}" >/dev/null 2>&1 || true
    done <<<"${mailu_accounts}"
  else
    echo "Creating mail account for ${username} (${desired_email})"
    /usr/sbin/runuser -u www-data -- php occ mail:account:create -q \
      "${username}" "${username}" "${desired_email}" \
      mail.bstein.dev 993 ssl "${desired_email}" "${app_pw}" \
      mail.bstein.dev 587 tls "${desired_email}" "${app_pw}" password >/dev/null 2>&1 || true
  fi
done
Keep nextcloud scripts single-sourced under scripts/ 2025-12-14 14:05:01 -03:00			`#!/bin/bash`
			`set -euo pipefail`

			`KC_BASE="${KC_BASE:?}"`
			`KC_REALM="${KC_REALM:?}"`
			`KC_ADMIN_USER="${KC_ADMIN_USER:?}"`
			`KC_ADMIN_PASS="${KC_ADMIN_PASS:?}"`
mailu: sync via mailu_email attribute 2026-01-03 02:35:47 -03:00			`MAILU_DOMAIN="${MAILU_DOMAIN:?}"`
Keep nextcloud scripts single-sourced under scripts/ 2025-12-14 14:05:01 -03:00
			`if ! command -v jq >/dev/null 2>&1; then`
			`apt-get update && apt-get install -y jq curl >/dev/null`
			`fi`

fix(nextcloud): dedupe + update mail accounts 2026-01-03 06:52:53 -03:00			`list_mail_accounts() {`
nextcloud: fix mail sync idempotency 2026-01-01 17:36:23 -03:00			`local user_id="${1}"`
fix(nextcloud): dedupe + update mail accounts 2026-01-03 06:52:53 -03:00			`local export_out`
nextcloud: fix mail sync idempotency 2026-01-01 17:36:23 -03:00
			`# Nextcloud Mail does not provide a list command; export is safe (does not print passwords).`
fix(nextcloud-mail-sync): capture occ export output reliably 2026-01-03 07:13:58 -03:00			`# Some occ commands emit to stderr; capture both streams so we don't mis-detect "no accounts".`
			`if ! export_out=$(/usr/sbin/runuser -u www-data -- php occ mail:account:export "${user_id}" 2>&1); then`
nextcloud: make mail sync idempotent 2026-01-01 23:24:11 -03:00			`echo "WARN: unable to export mail accounts for ${user_id}; skipping sync for safety" >&2`
fix(nextcloud): dedupe + update mail accounts 2026-01-03 06:52:53 -03:00			`return 1`
nextcloud: make mail sync idempotent 2026-01-01 23:24:11 -03:00			`fi`

fix(nextcloud): dedupe + update mail accounts 2026-01-03 06:52:53 -03:00			`# The export output is human-readable and includes blocks like:`
			`# Account 10:`
			`# - E-Mail: user@example.com`
			`# Extract "account-id <tab> email" pairs.`
			`awk '`
			`/^Account[[:space:]]+[0-9]+:/ {`
			`id=$2;`
			`sub(/:$/, "", id);`
			`next;`
			`}`
			`id != "" && /@/ {`
fix(nextcloud-mail-sync): fix bash syntax 2026-01-03 07:39:45 -03:00			`# Keep the regex simple (mawk does not support interval expressions like {2,}).`
fix(nextcloud-mail-sync): mawk-compatible email regex 2026-01-03 07:18:50 -03:00			`if (match($0, /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/)) {`
fix(nextcloud-mail-sync): portable email parsing 2026-01-03 07:06:30 -03:00			`printf("%s\t%s\n", id, substr($0, RSTART, RLENGTH));`
fix(nextcloud): dedupe + update mail accounts 2026-01-03 06:52:53 -03:00			`id="";`
			`}`
			`}`
			`' <<<"${export_out}" \| sort -u`
Add tests and dedupe nextcloud mail sync 2025-12-14 14:15:19 -03:00			`}`

Keep nextcloud scripts single-sourced under scripts/ 2025-12-14 14:05:01 -03:00			`token=$(`
			`curl -s -d "grant_type=password" \`
			`-d "client_id=admin-cli" \`
			`-d "username=${KC_ADMIN_USER}" \`
			`-d "password=${KC_ADMIN_PASS}" \`
			`"${KC_BASE}/realms/master/protocol/openid-connect/token" \| jq -r '.access_token'`
			`)`

			`if [[ -z "${token}" \|\| "${token}" == "null" ]]; then`
			`echo "Failed to obtain admin token"`
			`exit 1`
			`fi`

nextcloud: fix mail sync idempotency 2026-01-01 17:36:23 -03:00			`cd /var/www/html`

Keep nextcloud scripts single-sourced under scripts/ 2025-12-14 14:05:01 -03:00			`users=$(curl -s -H "Authorization: Bearer ${token}" \`
			`"${KC_BASE}/admin/realms/${KC_REALM}/users?max=2000")`

			`echo "${users}" \| jq -c '.[]' \| while read -r user; do`
			`username=$(echo "${user}" \| jq -r '.username')`
mailu: sync via mailu_email attribute 2026-01-03 02:35:47 -03:00			`keycloak_email=$(echo "${user}" \| jq -r '.email // empty')`
			`mailu_email=$(echo "${user}" \| jq -r '(.attributes.mailu_email[0] // .attributes.mailu_email // empty)')`
mailu: store app password as list 2026-01-02 03:09:26 -03:00			`app_pw=$(echo "${user}" \| jq -r '(.attributes.mailu_app_password[0] // .attributes.mailu_app_password // empty)')`
mailu: sync via mailu_email attribute 2026-01-03 02:35:47 -03:00
			`if [[ -z "${mailu_email}" ]]; then`
			`if [[ -n "${keycloak_email}" && "${keycloak_email,,}" == *"@${MAILU_DOMAIN,,}" ]]; then`
			`mailu_email="${keycloak_email}"`
			`else`
			`mailu_email="${username}@${MAILU_DOMAIN}"`
			`fi`
			`fi`

			`[[ -z "${mailu_email}" \|\| -z "${app_pw}" ]] && continue`
fix(nextcloud): dedupe + update mail accounts 2026-01-03 06:52:53 -03:00
			`if ! accounts=$(list_mail_accounts "${username}"); then`
Add tests and dedupe nextcloud mail sync 2025-12-14 14:15:19 -03:00			`continue`
			`fi`
fix(nextcloud): dedupe + update mail accounts 2026-01-03 06:52:53 -03:00
			`# Manage only internal Mailu-domain accounts; leave any external accounts untouched.`
			`mailu_accounts=$(awk -v d="${MAILU_DOMAIN,,}" 'tolower($2) ~ ("@" d "$") {print}' <<<"${accounts}" \|\| true)`

			`desired_email="${mailu_email}"`
			`primary_id=""`
			`primary_email=""`

			`if [[ -n "${mailu_accounts}" ]]; then`
			`while IFS=$'\t' read -r account_id account_email; do`
			`if [[ -z "${primary_id}" ]]; then`
			`primary_id="${account_id}"`
			`primary_email="${account_email}"`
			`fi`
			`if [[ "${account_email,,}" == "${desired_email,,}" ]]; then`
			`primary_id="${account_id}"`
			`primary_email="${account_email}"`
			`break`
			`fi`
			`done <<<"${mailu_accounts}"`

			`echo "Updating ${username} mail account ${primary_id} (${primary_email})"`
			`/usr/sbin/runuser -u www-data -- php occ mail:account:update -q "${primary_id}" \`
			`--name "${username}" \`
			`--email "${desired_email}" \`
			`--imap-host mail.bstein.dev \`
			`--imap-port 993 \`
			`--imap-ssl-mode ssl \`
			`--imap-user "${desired_email}" \`
			`--imap-password "${app_pw}" \`
			`--smtp-host mail.bstein.dev \`
			`--smtp-port 587 \`
			`--smtp-ssl-mode tls \`
			`--smtp-user "${desired_email}" \`
			`--smtp-password "${app_pw}" \`
			`--auth-method password >/dev/null 2>&1 \|\| true`

			`# Remove any extra Mailu-domain accounts for this user to prevent duplicates.`
			`while IFS=$'\t' read -r account_id account_email; do`
			`if [[ "${account_id}" == "${primary_id}" ]]; then`
			`continue`
			`fi`
			`echo "Deleting extra mail account ${account_id} (${account_email})"`
			`/usr/sbin/runuser -u www-data -- php occ mail:account:delete -q "${account_id}" >/dev/null 2>&1 \|\| true`
			`done <<<"${mailu_accounts}"`
			`else`
			`echo "Creating mail account for ${username} (${desired_email})"`
			`/usr/sbin/runuser -u www-data -- php occ mail:account:create -q \`
			`"${username}" "${username}" "${desired_email}" \`
			`mail.bstein.dev 993 ssl "${desired_email}" "${app_pw}" \`
			`mail.bstein.dev 587 tls "${desired_email}" "${app_pw}" password >/dev/null 2>&1 \|\| true`
			`fi`
Keep nextcloud scripts single-sourced under scripts/ 2025-12-14 14:05:01 -03:00			`done`