bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nextcloud-mail-sync: harden auth, bump portal backend

Browse Source
This commit is contained in:
Brad Stein 2026-01-18 12:23:50 -03:00
parent 0eb526c907
commit ae3b0afbff
2 changed files with 14 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
services/bstein-dev-home/kustomization.yaml
View File

@ -22,7 +22,7 @@ images:
- name: registry.bstein.dev/bstein/bstein-dev-home-frontend - name: registry.bstein.dev/bstein/bstein-dev-home-frontend
newTag: 0.1.1-102 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"} newTag: 0.1.1-102 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend"}
- name: registry.bstein.dev/bstein/bstein-dev-home-backend - name: registry.bstein.dev/bstein/bstein-dev-home-backend
newTag: 0.1.1-102 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"} newTag: 0.1.1-103 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend"}
configMapGenerator: configMapGenerator:
- name: chat-ai-gateway - name: chat-ai-gateway
namespace: bstein-dev-home namespace: bstein-dev-home

38
services/nextcloud-mail-sync/scripts/nextcloud-mail-sync.sh
View File

@ -54,38 +54,26 @@ list_mail_accounts() {
local export_out local export_out
# Nextcloud Mail does not provide a list command; export is safe (does not print passwords). # Nextcloud Mail does not provide a list command; export is safe (does not print passwords).
# Some occ commands emit to stderr; capture both streams so we don't mis-detect "no accounts". if ! export_out=$(/usr/sbin/runuser -u www-data -- php occ mail:account:export --output json "${user_id}"); then
if ! export_out=$(/usr/sbin/runuser -u www-data -- php occ mail:account:export "${user_id}" 2>&1); then
echo "WARN: unable to export mail accounts for ${user_id}; skipping sync for safety" >&2 echo "WARN: unable to export mail accounts for ${user_id}; skipping sync for safety" >&2
return 1 return 1
fi fi
# The export output is human-readable and includes blocks like: if ! jq -e 'type == "array"' >/dev/null 2>&1 <<<"${export_out}"; then
# Account 10: echo "WARN: unexpected mail export output for ${user_id}; skipping sync for safety" >&2
# - E-Mail: user@example.com return 1
# Extract "account-id <tab> email" pairs. fi
awk '
/^Account[[:space:]]+[0-9]+:/ { jq -r '.[] | "\(.id)\t\(.email)"' <<<"${export_out}" | sort -u
id=$2;
sub(/:$/, "", id);
next;
}
id != "" && /@/ {
# Keep the regex simple (mawk does not support interval expressions like {2,}).
if (match($0, /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/)) {
printf("%s\t%s\n", id, substr($0, RSTART, RLENGTH));
id="";
}
}
' <<<"${export_out}" | sort -u
} }
token=$( token=$(
curl -fsS -d "grant_type=password" \ curl -fsS \
-d "client_id=admin-cli" \ --data-urlencode "grant_type=password" \
-d "username=${KC_ADMIN_USER}" \ --data-urlencode "client_id=admin-cli" \
-d "password=${KC_ADMIN_PASS}" \ --data-urlencode "username=${KC_ADMIN_USER}" \
"${KC_BASE}/realms/master/protocol/openid-connect/token" | jq -r '.access_token' --data-urlencode "password=${KC_ADMIN_PASS}" \
"${KC_BASE}/realms/master/protocol/openid-connect/token" | jq -r '.access_token // empty'
) )
if [[ -z "${token}" || "${token}" == "null" ]]; then if [[ -z "${token}" || "${token}" == "null" ]]; then