nextcloud(external_storage): add per-mount enableSharing option

Lets admin natively share folders from inside an external mount with
internal users/groups or via public link. The two PVE pool browsers
(visible to admin only) get enableSharing=true so they can act as a
"share-from picker" over /srv/nfs and /srv/nfs-ssd; /anca-elements
stays false so anca manages re-sharing inside her own view.

- Manifest schema gains enableSharing on rootMounts + archiveMounts.
- Bootstrap Job adds sync_option() and reconciles enable_sharing via
  occ files_external:option (idempotent — occ no-ops same-value set).

stacks/nextcloud/.terraform.lock.hcl

@@ -29,6 +29,21 @@ provider "registry.terraform.io/gavinbunney/kubectl" {
   constraints = "~> 1.14"
   hashes = [
     "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=",
+    "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71",
+    "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7",
+    "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c",
+    "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e",
+    "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba",
+    "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e",
+    "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7",
+    "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2",
+    "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f",
+    "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71",
+    "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e",
+    "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310",
+    "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82",
   ]
 }
 
@@ -37,6 +52,20 @@ provider "registry.terraform.io/goauthentik/authentik" {
   constraints = "~> 2024.10"
   hashes = [
     "h1:roBMd+gi+TGgikH/bMzEI8JfvJiMAQWt+8FmokCrQIs=",
+    "zh:090260dc7889ea822ec1d899344e1ee23eba5290461989c0796149c9511f2316",
+    "zh:13c2655ff824b0dc4b9bb832b5ca6d41dba97cb280330258c5fef4115e236209",
+    "zh:166a73c3a810c9c895d68a8ff968158f339f8a2c1c03e20ec9fc5ed99cc64e20",
+    "zh:203777eae1cdc711233315499643180604cff2324411b186b7cf07fdbe16f655",
+    "zh:3b2f18c9a8d28dac74dc6bbf168c946855ab9c68f053578d4630c50d5eaf30a0",
+    "zh:4822275985f6b74b6196c47112316a4252db22cf4ceaef7c9ab4c66d488abf2f",
+    "zh:53ea97562666c8a5a2f6d63d418a302a7f8ee4b7bb7da35dedaa89aa5708b7f0",
+    "zh:56b8a230901e3550c92a1d3f58ee9dafe9853f30fe4315af3ab28ae63262e15d",
+    "zh:6293ab7b1fd8206a0c853591f50186aca4a1eff117b2a773e10760a23a2c83e9",
+    "zh:9433970f79fb92d8aae3ee436db5630ab312c78b6dc9df9c1db3273a18f8aaa1",
+    "zh:95df406214f79b3b98222d7c7fe8fc319a3d90b7a9d53e1d5abbda5dfb8b9436",
+    "zh:a85880da0552a42c8f449390fbd7d8b03541d1a13e04bba9f1404fa658754260",
+    "zh:a95f6e9bd62c67e70eba1b1a14728856b9a6a28cd1e5e3be54a7718882c87e7f",
+    "zh:dd599b51c5beb34a4c6feece244fde07d2558d69929449ab1fd39a5ebe738781",
   ]
 }
 
@@ -64,6 +93,18 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
   version = "3.1.0"
   hashes = [
     "h1:oodIAuFMikXNmEtil5MQgP4dfSctUBYQiGJfjbsF3NY=",
+    "zh:0215c5c60be62028c09a2f22458e89cda3ef5830a632299f1d401eb3538874b0",
+    "zh:09ebb9f442431e278a310a9423f32caf467cb4b3cad3fe59573ca71fa7b14e20",
+    "zh:0c4e5912f83bb35846ae0a9ae54fc320706ee61894cd21cc6b4181b1c5a2fa5c",
+    "zh:1678c982853ad461e65ccb5e79d585e13ed109dd47dab2a66d3a7a304faeef65",
+    "zh:1c050a5c15e330457a9c18caacf61a923c59d663e13f2962e4b32f04fef523a0",
+    "zh:2c55bcec83be58ec132c7cb0a1ac644758b800d794fdc636d53a0eada0358a3a",
+    "zh:a062bb0aa316c08d8460c66a5d68da71da40de5d3bc3b31abcf3a1a9a19650f1",
+    "zh:a26fdea0afaa9b247c73c0b42843ca51ba7db0ac2571f9d3d50dcabd20ca1b98",
+    "zh:c872c9385a78d502bf5823d61cd3bb0f9a0585030e025eb12585c83451beeaa1",
+    "zh:f180879af931182beee4c8c0d9dab62b81d86f17ddcbe3786ef4c7cec9163a4e",
+    "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+    "zh:f70f5789264069e0eef06f9b5d5fde955ef7206f7d446d1ce51a4c37a3f3e02f",
   ]
 }
 

stacks/nextcloud/backend.tf

@@ -1,7 +1,7 @@
 # Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa
 terraform {
   backend "pg" {
-    conn_str    = "postgres://terraform_state:tOvxJ-7fxdWq0p3jKeYB@10.0.20.200:5432/terraform_state?sslmode=disable"
+    conn_str    = "postgres://terraform_state:LicuZK1nVl4ILE5HF-A9@10.0.20.200:5432/terraform_state?sslmode=disable"
     schema_name = "nextcloud"
   }
 }

stacks/nextcloud/external_storage.tf

@@ -33,16 +33,23 @@ resource "kubernetes_config_map_v1" "nextcloud_external_storage_manifest" {
 
   data = {
     "manifest.json" = jsonencode({
+      # enableSharing: lets users right-click a folder inside the mount and
+      # share it with another NC user/group/public link. NC defaults to false
+      # for local-backend mounts; we opt-in per-mount. Currently true on the
+      # admin pool browsers (admin uses them as a "share-from picker"); false
+      # on /anca-elements (anca manages her own re-sharing inside her view).
       rootMounts = [
         {
           mountPoint      = "/PVE NFS Pool"
           dataDir         = "/mnt/pve-nfs"
           applicableGroup = "admin"
+          enableSharing   = true
         },
         {
           mountPoint      = "/PVE NFS-SSD Pool"
           dataDir         = "/mnt/pve-nfs-ssd"
           applicableGroup = "admin"
+          enableSharing   = true
         },
       ]
       archiveMounts = [
@@ -52,6 +59,7 @@ resource "kubernetes_config_map_v1" "nextcloud_external_storage_manifest" {
           # NC usernames (not display names): admin is Viktor, anca is Anca.
           applicableUsers  = ["anca", "admin"]
           applicableGroups = []
+          enableSharing    = false
         },
       ]
     })
@@ -243,14 +251,23 @@ resource "kubernetes_job_v1" "nextcloud_external_storage_bootstrap" {
                 '($c - $d)[]')
             }
 
+            # sync_option <mountId> <key> <value>
+            # Reconciles a single mount option. occ files_external:option is
+            # idempotent (no error on setting same value), so we always write.
+            sync_option() {
+              nc_occ files_external:option "$1" "$2" "$3" >/dev/null
+            }
+
             # ── 6. Process root mounts (admin group only) ───────────────────
             ROOT_COUNT=$(jq '.rootMounts | length' "$MANIFEST")
             for i in $(seq 0 $((ROOT_COUNT - 1))); do
               MP=$(jq -r ".rootMounts[$i].mountPoint" "$MANIFEST")
               DIR=$(jq -r ".rootMounts[$i].dataDir" "$MANIFEST")
               GROUP=$(jq -r ".rootMounts[$i].applicableGroup" "$MANIFEST")
+              ENABLE_SHARING=$(jq -r ".rootMounts[$i].enableSharing // false" "$MANIFEST")
               MID=$(ensure_mount "$MP" "$DIR")
               sync_applicable "$MID" '[]' "[\"$GROUP\"]"
+              sync_option "$MID" enable_sharing "$ENABLE_SHARING"
             done
 
             # ── 7. Process archive mounts (per-user / per-group) ───────────
@@ -260,8 +277,10 @@ resource "kubernetes_job_v1" "nextcloud_external_storage_bootstrap" {
               DIR=$(jq -r ".archiveMounts[$i].dataDir" "$MANIFEST")
               USERS_JSON=$(jq -c ".archiveMounts[$i].applicableUsers // []" "$MANIFEST")
               GROUPS_JSON=$(jq -c ".archiveMounts[$i].applicableGroups // []" "$MANIFEST")
+              ENABLE_SHARING=$(jq -r ".archiveMounts[$i].enableSharing // false" "$MANIFEST")
               MID=$(ensure_mount "$MP" "$DIR")
               sync_applicable "$MID" "$USERS_JSON" "$GROUPS_JSON"
+              sync_option "$MID" enable_sharing "$ENABLE_SHARING"
             done
 
             echo "[bootstrap] Bootstrap complete."