From 565fad4522e2f5a0227d9c5a51862d6397d3e58c Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Sat, 3 Jan 2026 12:22:41 -0300
Subject: [PATCH] nextcloud-mail-sync: portal RBAC

---
 .../nextcloud-mail-sync/kustomization.yaml    |  1 +
 services/nextcloud-mail-sync/portal-rbac.yaml | 29 +++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 services/nextcloud-mail-sync/portal-rbac.yaml

diff --git a/services/nextcloud-mail-sync/kustomization.yaml b/services/nextcloud-mail-sync/kustomization.yaml
index c349f1e..fb18550 100644
--- a/services/nextcloud-mail-sync/kustomization.yaml
+++ b/services/nextcloud-mail-sync/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 namespace: nextcloud
 resources:
   - cronjob.yaml
+  - portal-rbac.yaml
 configMapGenerator:
   - name: nextcloud-mail-sync-script
     files:
diff --git a/services/nextcloud-mail-sync/portal-rbac.yaml b/services/nextcloud-mail-sync/portal-rbac.yaml
new file mode 100644
index 0000000..dc9a4e4
--- /dev/null
+++ b/services/nextcloud-mail-sync/portal-rbac.yaml
@@ -0,0 +1,29 @@
+# services/nextcloud-mail-sync/portal-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: bstein-dev-home-nextcloud-mail-sync
+rules:
+  - apiGroups: ["batch"]
+    resources: ["cronjobs"]
+    verbs: ["get"]
+    resourceNames: ["nextcloud-mail-sync"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create", "get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: bstein-dev-home-nextcloud-mail-sync
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: bstein-dev-home-nextcloud-mail-sync
+subjects:
+  - kind: ServiceAccount
+    name: bstein-dev-home
+    namespace: bstein-dev-home