From eb3a6824e6697fd8e9cdcc4eeee427b9bad139b7 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Thu, 1 Jan 2026 17:47:07 -0300
Subject: [PATCH] nextcloud: flux-manage mail sync

---
 .../flux-system/applications/kustomization.yaml |  1 +
 .../nextcloud-mail-sync/kustomization.yaml      | 17 +++++++++++++++++
 scripts/nextcloud-mail-sync.sh                  |  4 ++--
 services/nextcloud-mail-sync/kustomization.yaml | 10 ++++++++++
 4 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 clusters/atlas/flux-system/applications/nextcloud-mail-sync/kustomization.yaml
 create mode 100644 services/nextcloud-mail-sync/kustomization.yaml

diff --git a/clusters/atlas/flux-system/applications/kustomization.yaml b/clusters/atlas/flux-system/applications/kustomization.yaml
index 37d7699..a503520 100644
--- a/clusters/atlas/flux-system/applications/kustomization.yaml
+++ b/clusters/atlas/flux-system/applications/kustomization.yaml
@@ -25,3 +25,4 @@ resources:
   - ci-demo/kustomization.yaml
   - ci-demo/image-automation.yaml
   - ai-llm/kustomization.yaml
+  - nextcloud-mail-sync/kustomization.yaml
diff --git a/clusters/atlas/flux-system/applications/nextcloud-mail-sync/kustomization.yaml b/clusters/atlas/flux-system/applications/nextcloud-mail-sync/kustomization.yaml
new file mode 100644
index 0000000..1eef5c4
--- /dev/null
+++ b/clusters/atlas/flux-system/applications/nextcloud-mail-sync/kustomization.yaml
@@ -0,0 +1,17 @@
+# clusters/atlas/flux-system/applications/nextcloud-mail-sync/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: nextcloud-mail-sync
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./services/nextcloud-mail-sync
+  targetNamespace: nextcloud
+  timeout: 2m
+  dependsOn:
+    - name: keycloak
diff --git a/scripts/nextcloud-mail-sync.sh b/scripts/nextcloud-mail-sync.sh
index b4d171f..8cfbf64 100755
--- a/scripts/nextcloud-mail-sync.sh
+++ b/scripts/nextcloud-mail-sync.sh
@@ -15,7 +15,7 @@ account_exists() {
   local email="${2}"
 
   # Nextcloud Mail does not provide a list command; export is safe (does not print passwords).
-  php occ mail:account:export "${user_id}" 2>/dev/null | grep -Fq -- "- E-Mail: ${email}"
+  /usr/sbin/runuser -u www-data -- php occ mail:account:export "${user_id}" 2>/dev/null | grep -Fq -- "- E-Mail: ${email}"
 }
 
 token=$(
@@ -46,7 +46,7 @@ echo "${users}" | jq -c '.[]' | while read -r user; do
     continue
   fi
   echo "Syncing ${email}"
-  php occ mail:account:create \
+  /usr/sbin/runuser -u www-data -- php occ mail:account:create \
     "${username}" "${username}" "${email}" \
     mail.bstein.dev 993 ssl "${email}" "${app_pw}" \
     mail.bstein.dev 587 tls "${email}" "${app_pw}" || true
diff --git a/services/nextcloud-mail-sync/kustomization.yaml b/services/nextcloud-mail-sync/kustomization.yaml
new file mode 100644
index 0000000..cc1fa68
--- /dev/null
+++ b/services/nextcloud-mail-sync/kustomization.yaml
@@ -0,0 +1,10 @@
+# services/nextcloud-mail-sync/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: nextcloud
+configMapGenerator:
+  - name: nextcloud-mail-sync-script
+    files:
+      - sync.sh=../../scripts/nextcloud-mail-sync.sh
+    options:
+      disableNameSuffixHash: true