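# services/nextcloud/maintenance-cronjob.yaml
# Scheduled Nextcloud maintenance job: sources credentials rendered by the
# Vault Agent injector, then execs /maintenance/maintenance.sh (mounted from
# the nextcloud-maintenance-script ConfigMap) with the Nextcloud PVCs attached.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nextcloud-maintenance
  namespace: nextcloud
spec:
  schedule: "30 4 * * *"
  # Forbid: a run that has not finished blocks the next scheduled run.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        metadata:
          annotations:
            vault.hashicorp.com/agent-inject: "true"
            # Render secrets from an init container only. Without this the
            # injected agent sidecar keeps running after the maintenance
            # container exits, so the Job pod never completes and, with
            # concurrencyPolicy Forbid, later runs are skipped.
            vault.hashicorp.com/agent-pre-populate-only: "true"
            vault.hashicorp.com/role: "nextcloud"
            vault.hashicorp.com/agent-inject-secret-nextcloud-env.sh: "kv/data/atlas/nextcloud/nextcloud-db"
            # Template notes:
            # - Hyphenated keys are read with `index`; the dotted form
            #   (.Data.data.db-username) is a Go template parse error.
            # - Only left-trim markers are used. The combination of
            #   `{{- end }}` followed by `{{- with ... -}}` strips every
            #   newline between two blocks and glues the next `export` onto
            #   the previous value.
            # - NOTE(review): values are placed inside double quotes in a file
            #   that is sourced by the shell, so a secret containing `"`, `$`,
            #   a backtick or a backslash is re-interpreted by the shell.
            #   Constrain the stored values or render them in a format that
            #   is read, not sourced.
            # - NOTE(review): the file carries database, Nextcloud admin,
            #   OIDC client, SMTP relay and Keycloak admin credentials.
            #   Confirm maintenance.sh needs each of them and that the
            #   "nextcloud" Vault role is scoped to just these paths.
            vault.hashicorp.com/agent-inject-template-nextcloud-env.sh: |
              {{- with secret "kv/data/atlas/nextcloud/nextcloud-db" }}
              export POSTGRES_DB="{{ .Data.data.database }}"
              export POSTGRES_USER="{{ index .Data.data "db-username" }}"
              export POSTGRES_PASSWORD="{{ index .Data.data "db-password" }}"
              {{- end }}
              {{- with secret "kv/data/atlas/nextcloud/nextcloud-admin" }}
              export NEXTCLOUD_ADMIN_USER="{{ index .Data.data "admin-user" }}"
              export NEXTCLOUD_ADMIN_PASSWORD="{{ index .Data.data "admin-password" }}"
              {{- end }}
              export ADMIN_USER="${NEXTCLOUD_ADMIN_USER}"
              export ADMIN_PASS="${NEXTCLOUD_ADMIN_PASSWORD}"
              {{- with secret "kv/data/atlas/nextcloud/nextcloud-oidc" }}
              export OIDC_CLIENT_ID="{{ index .Data.data "client-id" }}"
              export OIDC_CLIENT_SECRET="{{ index .Data.data "client-secret" }}"
              {{- end }}
              {{- with secret "kv/data/atlas/shared/postmark-relay" }}
              export SMTP_NAME="{{ index .Data.data "relay-username" }}"
              export SMTP_PASSWORD="{{ index .Data.data "relay-password" }}"
              {{- end }}
              {{- with secret "kv/data/atlas/shared/keycloak-admin" }}
              export KC_ADMIN_USER="{{ .Data.data.username }}"
              export KC_ADMIN_PASS="{{ .Data.data.password }}"
              {{- end }}
        spec:
          restartPolicy: OnFailure
          # NOTE(review): the pod runs as root (uid/gid 0) with the user-data
          # and config volumes mounted read-write and every credential above
          # in its environment. If maintenance.sh only needs root to switch
          # to the web-server user, consider running as that user directly.
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          # Service account the injected Vault agent uses; the Vault role
          # above is presumably bound to it (confirm in the Vault auth config).
          serviceAccountName: nextcloud-vault
          containers:
            - name: maintenance
              # NOTE(review): mutable tag combined with IfNotPresent means
              # nodes can run different image builds; pinning by digest makes
              # the job's contents reproducible and auditable.
              image: nextcloud:29-apache
              imagePullPolicy: IfNotPresent
              command: ["/bin/sh", "-c"]
              args:
                # `pipefail` is dropped: it is not a POSIX sh option, and
                # /bin/sh in Debian-based images is presumably dash, which
                # would reject it. This wrapper has no pipelines, so -eu
                # gives the same protection. Everything exported by the
                # sourced file is inherited by maintenance.sh and its
                # children.
                - |
                  set -eu
                  . /vault/secrets/nextcloud-env.sh
                  exec /maintenance/maintenance.sh
              env:
                - name: NC_URL
                  value: "https://cloud.bstein.dev"
              volumeMounts:
                - name: nextcloud-web
                  mountPath: /var/www/html
                - name: nextcloud-config-pvc
                  mountPath: /var/www/html/config
                - name: nextcloud-custom-apps
                  mountPath: /var/www/html/custom_apps
                - name: nextcloud-user-data
                  mountPath: /var/www/html/data
                # Single-file mount of the script from the ConfigMap.
                - name: maintenance-script
                  mountPath: /maintenance/maintenance.sh
                  subPath: maintenance.sh
              resources:
                requests:
                  cpu: 100m
                  memory: 256Mi
                limits:
                  cpu: 500m
                  memory: 512Mi
          volumes:
            - name: nextcloud-config-pvc
              persistentVolumeClaim:
                claimName: nextcloud-config-v2
            - name: nextcloud-custom-apps
              persistentVolumeClaim:
                claimName: nextcloud-custom-apps-v2
            - name: nextcloud-user-data
              persistentVolumeClaim:
                claimName: nextcloud-user-data-v2
            - name: nextcloud-web
              persistentVolumeClaim:
                claimName: nextcloud-web-v2
            - name: maintenance-script
              configMap:
                name: nextcloud-maintenance-script
                # Octal file mode; must stay an unquoted integer because the
                # Kubernetes field is numeric. Anyone who can edit this
                # ConfigMap controls code that runs as root in this pod.
                defaultMode: 0755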