fix(nextcloud): auto-sync DB password from Vault rotation into config.php

Nextcloud persists dbpassword in config.php on its PVC and ignores MYSQL_PASSWORD env var after initial install. When Vault rotates the MySQL password, config.php goes stale causing HTTP 500 crash loops. Adds a before-starting hook that patches config.php with the current MYSQL_PASSWORD on every pod start. Combined with Stakater Reloader annotation, the full rotation chain is now automated: Vault rotates → ESO syncs Secret → Reloader restarts pod → hook patches config.php → Nextcloud connects with new password. Also fixes stale existingClaim (nextcloud-data-iscsi → nextcloud-data-proxmox).
2026-04-10 22:23:41 +01:00 · 2026-04-10 22:23:41 +01:00 · a0392a9617
commit a0392a9617
parent 92e0c18e81
3 changed files with 1294 additions and 1206 deletions
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@ -235,6 +235,50 @@ module "ingress" {
 }


+# Hook script: sync DB password from env var into config.php on every pod start.
+# Closes the Vault rotation gap: Vault rotates MySQL password → ESO syncs to K8s Secret →
+# Reloader restarts pod → this hook patches config.php with the current MYSQL_PASSWORD.
+resource "kubernetes_config_map" "db_password_sync_hook" {
+  metadata {
+    name      = "nextcloud-db-password-sync"
+    namespace = kubernetes_namespace.nextcloud.metadata[0].name
+  }
+
+  data = {
+    "sync-db-password.sh" = <<-EOF
+      #!/bin/bash
+      set -e
+      CONFIG="/var/www/html/config/config.php"
+      if [ -z "$MYSQL_PASSWORD" ]; then
+        echo "MYSQL_PASSWORD not set, skipping config.php sync"
+        exit 0
+      fi
+      if [ ! -f "$CONFIG" ]; then
+        echo "config.php not found, skipping (first install)"
+        exit 0
+      fi
+      CURRENT_PW=$(php -r "include '$CONFIG'; echo \$CONFIG['dbpassword'] ?? '';")
+      if [ "$CURRENT_PW" = "$MYSQL_PASSWORD" ]; then
+        echo "DB password in config.php already matches MYSQL_PASSWORD"
+        exit 0
+      fi
+      echo "Updating DB password in config.php to match MYSQL_PASSWORD..."
+      php /docker-entrypoint-hooks.d/before-starting/patch-db-pw.php "$CONFIG" "$MYSQL_PASSWORD"
+      echo "DB password updated successfully"
+    EOF
+
+    "patch-db-pw.php" = <<-EOF
+      <?php
+      $file = $argv[1];
+      $newPw = $argv[2];
+      $content = file_get_contents($file);
+      $escaped = str_replace(["'", "\\"], ["\\'", "\\\\"], $newPw);
+      $content = preg_replace("/'dbpassword'\\s*=>\\s*'[^']*'/", "'dbpassword' => '" . $escaped . "'", $content);
+      file_put_contents($file, $content);
+    EOF
+  }
+}
+
 resource "kubernetes_config_map" "backup-script" {
  metadata {
    name      = "nextcloud-backup-script"