fix(nextcloud): auto-sync DB password from Vault rotation into config.php

Nextcloud persists dbpassword in config.php on its PVC and ignores
MYSQL_PASSWORD env var after initial install. When Vault rotates the
MySQL password, config.php goes stale causing HTTP 500 crash loops.

Adds a before-starting hook that patches config.php with the current
MYSQL_PASSWORD on every pod start. Combined with Stakater Reloader
annotation, the full rotation chain is now automated:
Vault rotates → ESO syncs Secret → Reloader restarts pod → hook
patches config.php → Nextcloud connects with new password.

Also fixes stale existingClaim (nextcloud-data-iscsi → nextcloud-data-proxmox).

stacks/nextcloud/chart_values.yaml

@@ -83,10 +83,16 @@ nextcloud:
     - name: apache-tuning
       configMap:
         name: nextcloud-apache-tuning
+    - name: db-password-sync
+      configMap:
+        name: nextcloud-db-password-sync
+        defaultMode: 0755
   extraVolumeMounts:
     - name: apache-tuning
       mountPath: /etc/apache2/mods-available/mpm_prefork.conf
       subPath: mpm_prefork.conf
+    - name: db-password-sync
+      mountPath: /docker-entrypoint-hooks.d/before-starting
 
 internalDatabase:
   enabled: false
@@ -107,7 +113,7 @@ externalDatabase:
 
 persistence:
   enabled: true
-  existingClaim: nextcloud-data-iscsi
+  existingClaim: nextcloud-data-proxmox
 
   accessMode: ReadWriteOnce
   size: 20Gi
@@ -140,6 +146,7 @@ podAnnotations:
   diun.enable: "true"
   diun.include_tags: "^[0-9]+(?:.[0-9]+)?(?:.[0-9]+)?.*"
   dependency.kyverno.io/wait-for: "mysql.dbaas:3306,redis.redis:6379"
+  secret.reloader.stakater.com/reload: "nextcloud-db-creds"
 
 collabora:
   enabled: false # Using onlyoffice instead

stacks/nextcloud/main.tf

@@ -235,6 +235,50 @@ module "ingress" {
 }
 
 
+# Hook script: sync DB password from env var into config.php on every pod start.
+# Closes the Vault rotation gap: Vault rotates MySQL password → ESO syncs to K8s Secret →
+# Reloader restarts pod → this hook patches config.php with the current MYSQL_PASSWORD.
+resource "kubernetes_config_map" "db_password_sync_hook" {
+  metadata {
+    name      = "nextcloud-db-password-sync"
+    namespace = kubernetes_namespace.nextcloud.metadata[0].name
+  }
+
+  data = {
+    "sync-db-password.sh" = <<-EOF
+      #!/bin/bash
+      set -e
+      CONFIG="/var/www/html/config/config.php"
+      if [ -z "$MYSQL_PASSWORD" ]; then
+        echo "MYSQL_PASSWORD not set, skipping config.php sync"
+        exit 0
+      fi
+      if [ ! -f "$CONFIG" ]; then
+        echo "config.php not found, skipping (first install)"
+        exit 0
+      fi
+      CURRENT_PW=$(php -r "include '$CONFIG'; echo \$CONFIG['dbpassword'] ?? '';")
+      if [ "$CURRENT_PW" = "$MYSQL_PASSWORD" ]; then
+        echo "DB password in config.php already matches MYSQL_PASSWORD"
+        exit 0
+      fi
+      echo "Updating DB password in config.php to match MYSQL_PASSWORD..."
+      php /docker-entrypoint-hooks.d/before-starting/patch-db-pw.php "$CONFIG" "$MYSQL_PASSWORD"
+      echo "DB password updated successfully"
+    EOF
+
+    "patch-db-pw.php" = <<-EOF
+      <?php
+      $file = $argv[1];
+      $newPw = $argv[2];
+      $content = file_get_contents($file);
+      $escaped = str_replace(["'", "\\"], ["\\'", "\\\\"], $newPw);
+      $content = preg_replace("/'dbpassword'\\s*=>\\s*'[^']*'/", "'dbpassword' => '" . $escaped . "'", $content);
+      file_put_contents($file, $content);
+    EOF
+  }
+}
+
 resource "kubernetes_config_map" "backup-script" {
   metadata {
     name      = "nextcloud-backup-script"