From 30a114462c05dc76dce8dc665dd3009fb4c58e76 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Mon, 16 Mar 2026 21:19:26 -0700 Subject: [PATCH] Allow all Authentik users to access Mealie Remove admins-only policy binding from Mealie app. Any authenticated Authentik user can log in (account auto-created). Mealie's OIDC_ADMIN_GROUP=admins handles admin privilege mapping internally. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../authentik/configmap-blueprint.yaml | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/argocd/manifests/authentik/configmap-blueprint.yaml b/argocd/manifests/authentik/configmap-blueprint.yaml index 8bb467c..285bb82 100644 --- a/argocd/manifests/authentik/configmap-blueprint.yaml +++ b/argocd/manifests/authentik/configmap-blueprint.yaml @@ -377,7 +377,7 @@ data: sub_mode: hashed_user_id include_claims_in_id_token: true - # Mealie application — restricted to admins group + # Mealie application — all authenticated users allowed (admin mapped via OIDC_ADMIN_GROUP) - model: authentik_core.application id: mealie-app identifiers: @@ -387,18 +387,4 @@ data: slug: mealie provider: !KeyOf mealie-provider meta_launch_url: https://meals.ops.eblu.me - policy_engine_mode: any - - # Policy binding — restrict Mealie to admins group - - model: authentik_policies.policybinding - identifiers: - order: 0 - target: !KeyOf mealie-app - group: !Find [authentik_core.group, [name, admins]] - attrs: - target: !KeyOf mealie-app - group: !Find [authentik_core.group, [name, admins]] - order: 0 - enabled: true - negate: false - timeout: 30 + policy_engine_mode: all
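Review bot: Deleting the `authentik_policies.policybinding` entry in the second hunk may not remove the binding from an instance where the blueprint was already applied; as far as I know, authentik blueprints create and update the objects they list and do not prune entries that disappear from the file. If that holds here, the admins-only restriction stays in force after sync and the change has no visible effect, so keep the entry for one rollout with `state: absent` added to it, or delete the binding by hand and note that in the commit message. The switch of `policy_engine_mode` from `any` to `all` is not explained anywhere; a comment above it such as `# no bindings on purpose: any authenticated user passes; bindings added later must all pass` would record the intent. Access to Mealie now depends only on holding an Authentik account, so it is worth confirming that enrollment and invitation flows on this instance are limited to the intended audience and that the `admins` group claim Mealie reads for `OIDC_ADMIN_GROUP` cannot be set by users themselves; neither is visible in this diff.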