From ff164ef19cb620f1227accb6b8ee677857da9704 Mon Sep 17 00:00:00 2001
From: Michael Weinrich <661595+micxer@users.noreply.github.com>
Date: Sun, 18 Aug 2024 02:14:39 +0200
Subject: [PATCH] Update cron.sh to fix permission errors in cron jobs (#5)
---
 files/nextcloud/cron.sh | 36 ++++++++++++++++++++++++++++++++----
 tasks/main.yml | 1 +
 tasks/nextcloud.yml | 1 +
 3 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/files/nextcloud/cron.sh b/files/nextcloud/cron.sh
index 0ecfee1..da2478d 100644
--- a/files/nextcloud/cron.sh
+++ b/files/nextcloud/cron.sh
@@ -1,6 +1,34 @@
 #!/bin/sh
-set -eu # https://github.com/nextcloud/docker/issues/1740#issuecomment-1308141561
-adduser --disabled-password --gecos "" --no-create-home --uid "$UID" cron
-mv /var/spool/cron/crontabs/www-data /var/spool/cron/crontabs/cron
-exec busybox crond -f -L /dev/stdout
\ No newline at end of file
+set -eu
+
+# FIXME: cron jobs are hardcoded for `www-data` user,
+# but apache doesn't run under `www-data` in non-root containers,
+# which leads to permission errors in cron jobs.
+#
+# We create a user with the UID under which apache is running,
+# and then move the cron job from `www-data` to that user.
+
+UID_USER="$(getent passwd $UID | cut -d: -f1)"
+
+if [ -z "$UID_USER" ]; then
+ UID_USER=user
+ adduser --disabled-password \
+ --gecos "" \
+ --uid "$UID" \
+ $UID_USER
+fi
+
+if ! [ -f "/crontabs/$UID_USER" ]; then
+ mkdir /crontabs || true
+ cp /var/spool/cron/crontabs/www-data \
+ /crontabs/$UID_USER
+ # NOTE: crontab must be "own"ed by root,
+ # but we make it g+w to allow a non-root host user to edit it.
+ chown "root:$GID" /crontabs/$UID_USER
+ chmod g+w /crontabs/$UID_USER
+fi
+
+exec busybox crond -f -l 0 \
+ -L /dev/stdout \
+ -c /crontabs
diff --git a/tasks/main.yml b/tasks/main.yml
index c023b11..0e587e7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
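Review bot: In files/nextcloud/cron.sh, the `chown "root:$GID"` / `chmod g+w` pair in the second `if` block makes the crontab writable by every member of group `$GID`, and crond runs a crontab's entries as the user the file is named after. Nothing in the hunk stops `$UID` from resolving to an existing privileged account such as root, in which case those group members can change what runs as that account inside the container. Consider rejecting that case before the copy, e.g. `[ "$UID" != 0 ] || { echo "refusing to create a group-writable root crontab" >&2; exit 1; }`, and stating in the NOTE comment which group `$GID` is expected to be. Separately, `$UID` and `$UID_USER` are expanded unquoted in `getent passwd $UID`, `adduser`, `cp`, `chown` and `chmod`; quote them (`"/crontabs/$UID_USER"`) and use `mkdir -p /crontabs` instead of `mkdir /crontabs || true` so a real mkdir failure is not swallowed.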
@@ -14,6 +14,7 @@
 owner: "{{ docker_compose_generator_uid }}"
 group: "{{ docker_compose_generator_gid }}"
 mode: "0600"
+ backup: true
 - name: Include nextcloud tasks
 ansible.builtin.include_tasks: nextcloud.yml
diff --git a/tasks/nextcloud.yml b/tasks/nextcloud.yml
index 48c1e14..a8f351e 100644
--- a/tasks/nextcloud.yml
+++ b/tasks/nextcloud.yml
@@ -32,3 +32,4 @@
 owner: "{{ docker_compose_generator_uid }}"
 group: "{{ docker_compose_generator_gid }}"
 mode: "0600"
+ backup: true