## Summary - Add Authentik OIDC provider + application for Jellyfin via blueprint (all authenticated users allowed, no policy binding) - Wire `jellyfin-client-secret` through ExternalSecret and Authentik worker deployment - Install [jellyfin-plugin-sso](https://github.com/9p4/jellyfin-plugin-sso) v4.0.0.3 via Ansible, with OIDC config template - Authentik `admins` group maps to Jellyfin administrator role - Local login left enabled; SSO is additive ## Deployment and Testing - [ ] Sync ArgoCD `authentik` app on branch — verify provider + application appear in Authentik admin - [ ] `mise run provision-indri -- --tags jellyfin --check --diff` (dry run) - [ ] `mise run provision-indri -- --tags jellyfin` (deploy plugin + config) - [ ] Test SSO flow: `https://jellyfin.ops.eblu.me/sso/OID/start/authentik` - [ ] Verify `eblume` account auto-links via `preferred_username` match - [ ] Verify admins group → Jellyfin admin - [ ] Reset ArgoCD app revision to main after merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/239
---
|
|
- name: Install Jellyfin via Homebrew cask
|
|
community.general.homebrew_cask:
|
|
name: jellyfin
|
|
state: present
|
|
|
|
- name: Ensure Jellyfin data directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ jellyfin_data_dir }}"
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: Deploy Jellyfin LaunchAgent plist
|
|
ansible.builtin.template:
|
|
src: mcquack.jellyfin.plist.j2
|
|
dest: ~/Library/LaunchAgents/mcquack.jellyfin.plist
|
|
mode: '0644'
|
|
notify: Reload jellyfin
|
|
|
|
- name: Check if Jellyfin LaunchAgent is loaded
|
|
ansible.builtin.command: launchctl list mcquack.jellyfin
|
|
register: jellyfin_launchctl_check
|
|
changed_when: false
|
|
failed_when: false
|
|
|
|
- name: Load Jellyfin LaunchAgent if not loaded
|
|
ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.jellyfin.plist
|
|
when: jellyfin_launchctl_check.rc != 0
|
|
changed_when: true
|
|
failed_when: false
|
|
|
|
# SSO plugin installation
|
|
- name: Ensure SSO-Auth plugin directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ jellyfin_plugins_dir }}/SSO-Auth_{{ jellyfin_sso_plugin_version }}"
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: Download SSO-Auth plugin archive
|
|
ansible.builtin.get_url:
|
|
url: "https://github.com/9p4/jellyfin-plugin-sso/releases/download/v{{ jellyfin_sso_plugin_version }}/sso-authentication_{{ jellyfin_sso_plugin_version }}.zip"
|
|
dest: "/tmp/sso-authentication_{{ jellyfin_sso_plugin_version }}.zip"
|
|
mode: '0644'
|
|
|
|
- name: Extract SSO-Auth plugin
|
|
ansible.builtin.unarchive:
|
|
src: "/tmp/sso-authentication_{{ jellyfin_sso_plugin_version }}.zip"
|
|
dest: "{{ jellyfin_plugins_dir }}/SSO-Auth_{{ jellyfin_sso_plugin_version }}"
|
|
remote_src: true
|
|
notify: Reload jellyfin
|
|
|
|
- name: Ensure plugin configurations directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ jellyfin_plugins_dir }}/configurations"
|
|
state: directory
|
|
mode: '0755'
|
|
|
|
- name: Deploy SSO-Auth plugin configuration
|
|
ansible.builtin.template:
|
|
src: sso-auth.xml.j2
|
|
dest: "{{ jellyfin_plugins_dir }}/configurations/SSO-Auth.xml"
|
|
mode: '0644'
|
|
notify: Reload jellyfin
|
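Review bot: The `get_url` task under `Download SSO-Auth plugin archive` fetches the plugin zip with no `checksum:`, so whatever is served at that release URL is unpacked into `{{ jellyfin_plugins_dir }}` and loaded by Jellyfin with no integrity pin; add `checksum: "sha256:<PLACEHOLDER: sha256 of the v{{ jellyfin_sso_plugin_version }} release zip>"` so a substituted asset fails the play instead of installing. The fixed `/tmp/sso-authentication_{{ jellyfin_sso_plugin_version }}.zip` destination is also a predictable path in a shared directory; staging the download under the Jellyfin data dir or a `ansible.builtin.tempfile`-created path avoids that. Separately, `Deploy SSO-Auth plugin configuration` writes `SSO-Auth.xml` with `mode: '0644'`; if `sso-auth.xml.j2` renders the OIDC client secret that the PR description wires through, that file is world-readable on the host, and `mode: '0600'` is the safer default for it. This is a rendered file view, so I cannot tell which of these lines the PR itself introduced.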