Enable web updater and automate Hub updates

Co-Authored-By: Oz <oz-agent@warp.dev>

README.md

@@ -1,8 +1,10 @@
 # Nextcloud on Ubuntu via Docker for nxt.bhatfamily.in
 This repository deploys Nextcloud behind Nginx using Docker Compose.
+
 Exposed ports:
 - HTTP: `8082`
 - HTTPS: `8446`
+
 Target hostname:
 - `nxt.bhatfamily.in`
 
@@ -14,10 +16,12 @@ The stack now includes:
 - Production TLS provisioning using Let's Encrypt DNS-01 with Cloudflare
 - Automated TLS renewal job support (cron)
 - Nextcloud app startup fixes for Apache `ServerName` and writable Fontconfig cache
+- Persistent web-updater enablement (`upgrade-disable-web.config.php` forced to `false` on app startup)
 - Reverse-proxy trust configuration in Nextcloud (`trusted_proxies`, `forwarded_for_headers`)
 - Nginx hardening (`server_tokens off`, stronger HSTS, hide `X-Powered-By`, TLS session hardening)
 - Brute-force protection explicitly enabled and maintenance window configured
-- New scripted Nextcloud Hub upgrade workflow: `scripts/update-nextcloud-hub.sh`
+- Scripted Nextcloud Hub upgrade workflow: `scripts/update-nextcloud-hub.sh`
+- Automated Hub update scheduler: `scripts/setup-hub-update-cron.sh`
 
 ## Prerequisites
 - Ubuntu host with Docker + Docker Compose plugin (or `docker-compose`)
@@ -40,6 +44,24 @@ cp .env.example .env
 ./scripts/test.sh
 ```
 
+## Enable web updater (one-time verification)
+Web updater is now enabled by design for this deployment.
+
+Check values:
+```bash
+docker exec --user www-data nextcloud-app php occ config:list system | grep -E "upgrade.disable-web|updater.release.channel"
+```
+
+Expected:
+- `upgrade.disable-web: false`
+- `updater.release.channel: stable`
+
+If you need to enforce immediately without restart, run:
+```bash
+./scripts/update-nextcloud-hub.sh
+```
+This script also rewrites `config/upgrade-disable-web.config.php` inside the app container volume.
+
 ## Update Nextcloud Hub (scripted)
 Use the upgrade helper script to pull new images, apply the upgrade, run post-upgrade repairs, and validate endpoints.
 
@@ -61,14 +83,37 @@ STRICT_TLS=1 ./scripts/update-nextcloud-hub.sh
 What the script does:
 - pulls latest `db`, `app`, and `web` images
 - recreates services via Compose
-- enables maintenance mode and runs `occ upgrade`
+- ensures web updater is enabled and release channel is configured
+- ensures maintenance mode is off before `occ upgrade` (fixes prior deadlock)
+- runs `occ upgrade`
 - runs `occ app:update --all` (unless disabled)
 - runs schema and repair commands (`db:add-missing-*`, `maintenance:repair`)
-- disables maintenance mode
 - runs `occ status`, `occ setupchecks`, and `scripts/test.sh`
 
 > Recommendation: take a filesystem/database backup before major Hub upgrades.
 
+## Automate Hub updates (cron)
+Install/update a weekly cron job (default: Sunday 02:30):
+```bash
+./scripts/setup-hub-update-cron.sh
+```
+
+Optional custom schedule:
+```bash
+HUB_UPDATE_CRON_SCHEDULE="15 2 * * 6" ./scripts/setup-hub-update-cron.sh
+```
+
+This setup script will:
+- create/update `.hub-update.env` (local only, not committed)
+- install/refresh cron entry for `scripts/update-nextcloud-hub.sh`
+- write logs to `logs/hub-update.log`
+
+Defaults are tracked in `.hub-update.env.example`:
+- `RUN_APP_UPDATES=1`
+- `STRICT_TLS=0`
+- `ENABLE_WEB_UPDATER=1`
+- `UPDATER_RELEASE_CHANNEL=stable`
+
 ## Move Nextcloud data directory to external storage
 Use the migration helper to move existing data to a host path and switch the app to a bind mount.
 
@@ -136,22 +181,27 @@ List existing users:
 ```bash
 docker exec --user www-data nextcloud-app php occ user:list
 ```
+
 Reset password using helper script (interactive prompt):
 ```bash
 ./scripts/reset-admin-password.sh admin
 ```
+
 Reset password non-interactively (for automation):
 ```bash
 NEW_NEXTCLOUD_PASSWORD={{NEW_NEXTCLOUD_PASSWORD}} ./scripts/reset-admin-password.sh admin
 ```
+
 You can target a different username by passing it as the first argument.
 
 ## Operational/security changes applied (Apr 2026)
 Applied and validated in this deployment:
+
 - `docker-compose.yml` (`app` service):
-  - startup command now ensures writable `/var/cache/fontconfig`
+  - startup command ensures writable `/var/cache/fontconfig`
   - sets Apache `ServerName nxt.bhatfamily.in`
   - sets `XDG_CACHE_HOME=/tmp/.cache`
+  - forces `config/upgrade-disable-web.config.php` to `upgrade.disable-web=false`
 - `nginx/nginx.conf`:
   - `server_tokens off`
   - HSTS set to `max-age=63072000; includeSubDomains; preload`
@@ -162,6 +212,7 @@ Applied and validated in this deployment:
   - `forwarded_for_headers` set to `HTTP_X_FORWARDED_FOR`
   - `auth.bruteforce.protection.enabled=true`
   - `maintenance_window_start=1`
+  - `updater.release.channel=stable`
   - `weather_status` app disabled to remove repeated PHP warning noise
 - Host security hygiene:
   - `.env` permission reduced to `600`
@@ -185,6 +236,6 @@ Stop and remove containers/volumes:
 ```
 
 ## Security notes
-- `.env`, `.tls-renewal.env`, and runtime cert material under `nginx/ssl` are intentionally ignored by Git.
+- `.env`, `.tls-renewal.env`, `.hub-update.env`, and runtime cert material under `nginx/ssl` are intentionally ignored by Git.
 - Keep `.env` mode restricted (`chmod 600 .env`).
 - If secrets were ever committed earlier, rotate them.