remove gss from nc-upgrade script

applications/base/nextcloud-cert-issuer.yml

@@ -1,15 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: letsencrypt
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: drive@sunet.se
-    privateKeySecretRef:
-      name: letsencrypt
-    solvers:
-      - http01:
-          ingress:
-            class: nginx
-

applications/richir-test/richir-test.yaml

@@ -1,45 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: richir-test
-  namespace: argocd
-  labels:
-    name: richir-test
-spec:
-  project: default
-  sources:
-    - repoURL: 'https://nextcloud.github.io/helm/'
-      chart: nextcloud
-      targetRevision: 6.5.1
-      helm:
-        valueFiles:
-          - $values/applications/richir-test/values.yaml
-    - repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
-      targetRevision: richir-nextcloud-helm
-      path: applications/base/
-      ref: values
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: richir
-  info:
-    - name: 'Example:'
-      value: 'https://example.com'
-  syncPolicy:
-    automated:
-      prune: false
-      selfHeal: true
-      allowEmpty: false
-    syncOptions: # maybe needs FIXME
-      - Validate=true # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
-      - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
-      - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
-      - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
-      - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration
-      - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application
-    retry:
-      limit: 5
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m
-  revisionHistoryLimit: 10

applications/richir-test/values.yaml

@@ -1,413 +0,0 @@
-# image:
-#   repository: 'docker.sunet.se/drive/nextcloud-custom'
-#   tag: '29.0.10.3-1'
-#   pullPolicy: 'Always'
-image:
-  repository: nextcloud
-  flavor: apache
-  # default is generated by flavor and appVersion
-  tag:
-  pullPolicy: IfNotPresent
-
-nameOverride: ""
-fullnameOverride: ""
-podAnnotations: {}
-deploymentAnnotations: {}
-deploymentLabels: {}
-
-replicaCount: 1
-
-ingress:
-  enabled: true
-  className: 'nginx'
-  annotations:
-    acme.cert-manager.io/http01-edit-in-place: 'true'
-    cert-manager.io/issuer: 'letsencrypt'
-  tls:
-    - secretName: 'tls-secret'
-      hosts:
-        - 'richir.drive.test.sunet.se'
-  labels:
-    app.kubernetes.io/instance: 'richir'
-  path: '/'
-  pathType: 'Prefix'
-
-lifecycle: {}
-  # postStartCommand: []
-  # preStopCommand: []
-
-phpClientHttpsFix:
-  enabled: false
-  protocol: 'https'
-
-nextcloud:
-  host: 'richir.drive.test.sunet.se'
-  existingSecret:
-    enabled: true
-    secretName: 'nc-secret'
-    passwordKey: 'nc_admin_password'
-    usernameKey: 'nc_admin_user'
-    smtpHostKey: 'smtp_host'
-    smtpPasswordKey: 'smtp_password'
-    smtpUsernameKey: 'smtp_user'
-  update: 0
-  containerPort: 80
-  datadir: '/var/www/html/data'
-  persistence:
-    subPath:
-  trustedDomains:
-    - 'customer.drive.test.sunet.se'
-  mail:
-    enabled: true
-    fromAddress: 'noreply@drive.test.sunet.se'
-    domain: 'drive.test.sunet.se'
-    smtp:
-      secure: 'tls'
-      port: 587
-      authtype: 'LOGIN'
-  objectStore:
-    s3:
-      enabled: true
-      legacyAuth: false
-      ssl: true
-      port: 443
-      region: 'us-east-1'
-      prefix: 'urn:oid:'
-      usePathStyle: true
-      autoCreate: true
-      storageClass: 'STANDARD'
-      existingSecret: 's3-secret'
-      secretKeys:
-        bucket: 's3_bucket'
-        accessKey: 's3_key'
-        host: 's3_host'
-        secretKey: 's3_secret'
-
-  ## PHP Configuration files
-  # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
-  phpConfigs: {} #FIXME?
-  ## Default config files that utilize environment variables:
-  # see: https://github.com/nextcloud/docker/tree/master#auto-configuration-via-environment-variables
-  # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
-  # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/.config
-  defaultConfigs:
-    # To protect /var/www/html/config
-    .htaccess: true
-    # Apache configuration for rewrite urls
-    apache-pretty-urls.config.php: false
-    # Define APCu as local cache
-    apcu.config.php: false
-    # Apps directory configs
-    apps.config.php: false
-    # Used for auto configure database
-    autoconfig.php: false
-    # Redis default configuration
-    redis.config.php: true
-    # Reverse proxy default configuration
-    reverse-proxy.config.php: false
-    # S3 Object Storage as primary storage
-    s3.config.php: true
-    # SMTP default configuration via environment variables
-    smtp.config.php: true
-    # Swift Object Storage as primary storage
-    swift.config.php: false
-    # disables the web based updater as the default nextcloud docker image does not support it
-    upgrade-disable-web.config.php: true
-
-  # Extra config files created in /var/www/html/config/
-  # ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
-  configs: {} #FIXME?
-  # For example, to enable image and text file previews:
-  #  previews.config.php: |-
-  #    <?php
-  #    $CONFIG = array (
-  #      'enable_previews' => true,
-  #      'enabledPreviewProviders' => array (
-  #        'OC\Preview\Movie',
-  #        'OC\Preview\PNG',
-  #        'OC\Preview\JPEG',
-  #        'OC\Preview\GIF',
-  #        'OC\Preview\BMP',
-  #        'OC\Preview\XBitmap',
-  #        'OC\Preview\MP3',
-  #        'OC\Preview\MP4',
-  #        'OC\Preview\TXT',
-  #        'OC\Preview\MarkDown',
-  #        'OC\Preview\PDF'
-  #      ),
-  #    );
-
-  # Hooks for auto configuration
-  # Here you could write small scripts which are placed in `/docker-entrypoint-hooks.d/<hook-name>/helm.sh`
-  # ref: https://github.com/nextcloud/docker?tab=readme-ov-file#auto-configuration-via-hook-folders
-  hooks:
-    pre-installation:
-    post-installation:
-    pre-upgrade:
-    post-upgrade:
-    before-starting:
-
-  ## Strategy used to replace old pods
-  ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
-  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
-  strategy:
-    type: Recreate
-    # type: RollingUpdate
-    # rollingUpdate:
-    #   maxSurge: 1
-    #   maxUnavailable: 0
-
-  ##
-  ## Extra environment variables
-  extraEnv:
-  #  - name: SOME_SECRET_ENV
-  #    valueFrom:
-  #      secretKeyRef:
-  #        name: nextcloud
-  #        key: secret_key
-
-  # Extra init containers that runs before pods start.
-  extraInitContainers: []
-  #  - name: do-something
-  #    image: busybox
-  #    command: ['do', 'something']
-
-  # Extra sidecar containers.
-  extraSidecarContainers: []
-  #  - name: nextcloud-logger
-  #    image: busybox
-  #    command: [/bin/sh, -c, 'while ! test -f "/run/nextcloud/data/nextcloud.log"; do sleep 1; done; tail -n+1 -f /run/nextcloud/data/nextcloud.log']
-  #    volumeMounts:
-  #    - name: nextcloud-data
-  #      mountPath: /run/nextcloud/data
-
-  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
-  # to NextCloud pods in Kubernetes. This can then be configured in External Storage
-  extraVolumes:
-  #  - name: nfs
-  #    nfs:
-  #      server: "10.0.0.1"
-  #      path: "/nextcloud_data"
-  #      readOnly: false
-  extraVolumeMounts:
-  #  - name: nfs
-  #    mountPath: "/legacy_data"
-
-  # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
-  # For example, you may need to define runAsNonRoot directive
-  securityContext: {}
-  #   runAsUser: 33
-  #   runAsGroup: 33
-  #   runAsNonRoot: true
-  #   readOnlyRootFilesystem: false
-
-  # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
-  podSecurityContext: {}
-  #   runAsUser: 33
-  #   runAsGroup: 33
-  #   runAsNonRoot: true
-  #   readOnlyRootFilesystem: false
-
-  # Settings for the MariaDB init container
-  mariaDbInitContainer:
-    resources: {}
-    # Set mariadb initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
-    securityContext: {}
-
-  # Settings for the PostgreSQL init container
-  postgreSqlInitContainer:
-    resources: {}
-    # Set postgresql initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
-    securityContext: {}
-
-internalDatabase:
-  enabled: false
-
-externalDatabase:
-  enabled: true
-  type: 'mysql'
-  host: 'proxysqlcluster.proxysql:6033'
-  database: 'nextcloud_richir'
-  existingSecret:
-    enabled: true
-    secretName: 'db-secret'
-    passwordKey: 'db_password'
-    usernameKey: 'db_username'
-
-redis:
-  enabled: true
-  auth:
-    enabled: false
-  global:
-    storageClass: ""
-  master:
-    persistence:
-      enabled: true
-  replica:
-    persistence:
-      enabled: true
-
-## Cronjob to execute Nextcloud background tasks
-## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
-##
-cronjob:
-  enabled: false
-
-  ## Cronjob sidecar resource requests and limits
-  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-  ##
-  resources: {}
-
-  # Allow configuration of lifecycle hooks
-  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
-  lifecycle:
-    postStartCommand: ["/bin/bash", "-c", "/usr/local/bin/nc-upgrade"]
-    # preStopCommand: []
-  # Set securityContext parameters. For example, you may need to define runAsNonRoot directive
-  securityContext: {}
-  #   runAsUser: 33
-  #   runAsGroup: 33
-  #   runAsNonRoot: true
-  #   readOnlyRootFilesystem: true
-
-service:
-  type: 'ClusterIP'
-  port: 8080
-  loadBalancerIP: ""
-  nodePort:
-  # -- use additional annotation on service for nextcloud
-  annotations: {}
-
-persistence:
-  enabled: true
-  storageClass: 'csi-sc-cinderplugin'
-  accessMode: 'ReadWriteOnce'
-  size: '1Gi'
-  nextcloudData:
-    enabled: false
-
-resources:
-  limits:
-    cpu: '2'
-    memory: '2Gi'
-  requests:
-    cpu: '1'
-    memory: '512Mi'
-
-readinessProbe:
-  tcpSocket:
-    port: 80
-  initialDelaySeconds: 10
-  periodSeconds: 60
-livenessProbe:
-  tcpSocket:
-    port: 80
-  initialDelaySeconds: 20
-  periodSeconds: 180
-
-## Prometheus Exporter / Metrics
-##
-metrics:
-  enabled: false
-
-  replicaCount: 1
-  # Optional: becomes NEXTCLOUD_SERVER env var in the nextcloud-exporter container.
-  # Without it, we will use the full name of the nextcloud service
-  server: ""
-  # The metrics exporter needs to know how you serve Nextcloud either http or https
-  https: false
-  # Use API token if set, otherwise fall back to password authentication
-  # https://github.com/xperimental/nextcloud-exporter#token-authentication
-  # Currently you still need to set the token manually in your nextcloud install
-  token: ""
-  timeout: 5s
-  # if set to true, exporter skips certificate verification of Nextcloud server.
-  tlsSkipVerify: false
-  info:
-    # Optional: becomes NEXTCLOUD_INFO_APPS env var in the nextcloud-exporter container.
-    # Enables gathering of apps-related metrics. Defaults to false
-    apps: false
-
-  image:
-    repository: xperimental/nextcloud-exporter
-    tag: 0.6.2
-    pullPolicy: IfNotPresent
-    # pullSecrets:
-    #   - myRegistrKeySecretName
-
-  ## Metrics exporter resource requests and limits
-  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
-  ##
-  resources: {}
-
-  # -- Metrics exporter pod Annotation
-  podAnnotations: {}
-
-  # -- Metrics exporter pod Labels
-  podLabels: {}
-
-  # -- Metrics exporter pod nodeSelector
-  nodeSelector: {}
-
-  # -- Metrics exporter pod tolerations
-  tolerations: []
-
-  # -- Metrics exporter pod affinity
-  affinity: {}
-
-  service:
-    type: ClusterIP
-    # Use serviceLoadBalancerIP to request a specific static IP,
-    # otherwise leave blank
-    loadBalancerIP:
-    annotations:
-      prometheus.io/scrape: "true"
-      prometheus.io/port: "9205"
-    labels: {}
-
-  # -- security context for the metrics CONTAINER in the pod
-  securityContext:
-    runAsUser: 1000
-    runAsNonRoot: true
-    # allowPrivilegeEscalation: false
-    # capabilities:
-    #   drop:
-    #     - ALL
-
-  # -- security context for the metrics POD
-  podSecurityContext: {}
-  # runAsNonRoot: true
-  # seccompProfile:
-  #   type: RuntimeDefault
-
-  ## Prometheus Operator ServiceMonitor configuration
-  ##
-  serviceMonitor:
-    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
-    ##
-    enabled: false
-
-    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
-    ##
-    namespace: ""
-
-    ## @param metrics.serviceMonitor.namespaceSelector The selector of the namespace where the target service is located (defaults to the release namespace)
-    namespaceSelector:
-
-    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
-    ##
-    jobLabel: ""
-
-    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
-    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
-    ##
-    interval: 30s
-
-    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
-    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
-    ##
-    scrapeTimeout: ""
-
-    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
-    ##
-    labels: {}

backups/base/backup-cronjob.yaml

@@ -0,0 +1,60 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup
+spec:
+  schedule: "0 0 * * *"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          volumes:
+            - name: backup-storage
+              emptyDir: {}
+            - name: ipc-storage
+              emptyDir: {}
+          restartPolicy: Never
+          containers:
+            - name: backup-container
+              image: docker.sunet.se/drive/duplicity:bookworm-slim-1
+              command: ["bash"]
+              args: [ "-c", "duplicity /backup_storage rclone://destination:$(BUCKET) --no-encryption --full-if-older-than 1M; touch /backup_ipc/stop" ]
+              env:
+                - name: RCLONE_CONFIG_DESTINATION_ACL
+                  value: private
+                - name: RCLONE_CONFIG_DESTINATION_TYPE
+                  value: s3
+                - name: RCLONE_CONFIG_DESTINATION_ENDPOINT
+                  value: s3.sto3.safedc.net
+                - name: RCLONE_CONFIG_DESTINATION_PROVIDER
+                  value: Ceph
+              volumeMounts:
+                - name: backup-storage
+                  mountPath: /backup_storage
+                  mountPropagation: HostToContainer
+                - name: ipc-storage
+                  mountPath: /backup_ipc
+            - name: mount-container
+              image: rclone/rclone:1.69.0
+              args: ["mount", "--allow-non-empty", "source:$(BUCKET)", "/backup_storage"]
+              securityContext:
+                privileged: true
+              env:
+                - name: RCLONE_CONFIG_SOURCE_ACL
+                  value: private
+                - name: RCLONE_CONFIG_SOURCE_TYPE
+                  value: s3
+                - name: RCLONE_CONFIG_SOURCE_ENDPOINT
+                  value: s3.sto4.safedc.net
+                - name: RCLONE_CONFIG_SOURCE_PROVIDER
+                  value: Ceph
+              volumeMounts:
+                - name: backup-storage
+                  mountPath: /backup_storage
+                  mountPropagation: Bidirectional
+                - name: ipc-storage
+                  mountPath: /backup_ipc
+              livenessProbe:
+                exec:
+                  command: ["sh", "-c", "if test -f /backup_ipc/stop; then umount /backup_storage; exit 1; fi;"]

backups/base/kustomization.yaml

@@ -0,0 +1,4 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+resources: ['backup-cronjob.yaml']

backups/overlays/test/xrootd/backup-cronjob.yaml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup
+spec:
+  schedule: "15 02 * * *"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          hostname: xrootd-test-mirror
+          containers:
+            - name: backup-container
+              env:
+                - name: BUCKET
+                  value: "xrootd-test-mirror"
+                - name: RCLONE_CONFIG_DESTINATION_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: xrootd-secret
+                      key: "destination-access-key-id"
+                - name: RCLONE_CONFIG_DESTINATION_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: xrootd-secret
+                      key: "destination-secret-access-key"
+            - name: mount-container
+              env:
+                - name: BUCKET
+                  value: "xrootd-test"
+                - name: RCLONE_CONFIG_SOURCE_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: xrootd-secret
+                      key: "source-access-key-id"
+                - name: RCLONE_CONFIG_SOURCE_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: xrootd-secret
+                      key: "source-secret-access-key"

backups/overlays/test/xrootd/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+kind: Kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+resources: [../../../base]
+patches: 
+  - path: backup-cronjob.yaml
+

customers/base/nextcloud-deployment.yml

@@ -30,7 +30,7 @@ spec:
       restartPolicy: Always
       containers:
         - name: customer
-          image: docker.sunet.se/drive/nextcloud-custom:29.0.10.3-1
+          image: docker.sunet.se/drive/nextcloud-custom:30.0.5.2-2
           volumeMounts:
             - name: nextcloud-data
               mountPath: /var/www/html/config/
@@ -127,7 +127,7 @@ spec:
             - name: NEXTCLOUD_ADMIN_USER
               value: admin
             - name: NEXTCLOUD_VERSION_STRING
-              value: "28.0.3.3"
+              value: "30.0.5.2"
             - name: NEXTCLOUD_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:

customers/base/script-configmap.yml

@@ -7,9 +7,7 @@ data:
     #!/bin/bash
     sed "s/config_is_read_only\(.\) => true,/config_is_read_only\1 => false,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
     mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ app:disable globalsiteselector
     php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ upgrade
-    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ app:enable globalsiteselector
     php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:repair
     php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:mode --off
     php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-primary-keys
@@ -17,3 +15,4 @@ data:
     php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-indices
     sed "s/config_is_read_only\(.\) => false,/config_is_read_only\1 => true,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
     mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
+    chown www-data:www-data /var/www/html/config/config.php

jupyter/overlays/test/sunet/values/values.yaml

@@ -19,10 +19,12 @@ hub:
       from oauthenticator.generic import GenericOAuthenticator
       token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
       debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
+      os.environ['OAUTH2_TOKEN_URL'] = token_url 
+      os.environ['OAUTH2_AUTHORIZE_URL'] = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
 
       def get_nextcloud_access_token(refresh_token):
-        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+        client_id = os.environ['OAUTH2_CLIENT_ID']
-        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+        client_secret = os.environ['OAUTH2_CLIENT_SECRET']
 
         code = refresh_token
         data = {
@@ -97,12 +99,12 @@ hub:
           return True
 
       c.JupyterHub.authenticator_class = NextcloudOAuthenticator
-      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+      c.NextcloudOAuthenticator.client_id = os.environ['OAUTH2_CLIENT_ID']
-      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
+      c.NextcloudOAuthenticator.client_secret = os.environ['OAUTH2_CLIENT_SECRET']
       c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
-      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
+      c.NextcloudOAuthenticator.username_claim = 'kano@sunet.se' # lambda r: r.get('ocs', {}).get('data', {}).get('id')
       c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
-      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
+      c.NextcloudOAuthenticator.authorize_url = os.environ['OAUTH2_AUTHORIZE_URL']
       c.NextcloudOAuthenticator.token_url = token_url
       c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
       c.NextcloudOAuthenticator.allow_all = True
@@ -276,7 +278,7 @@ hub:
         targetPort: 8082
         name: refresh-token
   extraEnv:
-    NEXTCLOUD_DEBUG_OAUTH: "no"
+    NEXTCLOUD_DEBUG_OAUTH: "yes"
     NEXTCLOUD_HOST: sunet.drive.test.sunet.se
     JUPYTER_HOST: sunet-jupyter.drive.test.sunet.se
     JUPYTERHUB_API_KEY:
@@ -289,12 +291,12 @@ hub:
         secretKeyRef:
           name: jupyterhub-secrets
           key: crypt-key
-    NEXTCLOUD_CLIENT_ID:
+    OAUTH2_CLIENT_ID:
       valueFrom:
         secretKeyRef:
           name: nextcloud-oauth-secrets
           key: client-id
-    NEXTCLOUD_CLIENT_SECRET:
+    OAUTH2_CLIENT_SECRET:
       valueFrom:
         secretKeyRef:
           name: nextcloud-oauth-secrets
@@ -315,7 +317,7 @@ proxy:
 singleuser:
   image:
     name: docker.sunet.se/drive/jupyter-custom
-    tag: lab-4.0.10-sunet5
+    tag: lab-4.0.10-sunet4
   storage:
     dynamic:
       storageClass: csi-sc-cinderplugin