Erich Blume
625af2a1ec
Wire up OIDC authentication via jellyfin-plugin-sso so all Authentik users can access Jellyfin, with admins group mapped to Jellyfin admin. - Authentik blueprint: OAuth2 provider + application (no policy binding) - ExternalSecret + worker env var for client secret - Ansible: fetch client secret, install SSO-Auth plugin, deploy config - Local login left enabled (no branding override) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
55 lines
1.5 KiB
YAML
55 lines
1.5 KiB
YAML
---
|
|
apiVersion: external-secrets.io/v1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: authentik-config
|
|
namespace: authentik
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
kind: ClusterSecretStore
|
|
name: onepassword-blumeops
|
|
target:
|
|
name: authentik-config
|
|
creationPolicy: Owner
|
|
data:
|
|
- secretKey: secret-key
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: secret-key
|
|
- secretKey: postgresql-host
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-host
|
|
- secretKey: postgresql-port
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-port
|
|
- secretKey: postgresql-name
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-name
|
|
- secretKey: postgresql-user
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-user
|
|
- secretKey: postgresql-password
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-password
|
|
- secretKey: grafana-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: grafana-client-secret
|
|
- secretKey: forgejo-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: forgejo-client-secret
|
|
- secretKey: zot-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: zot-client-secret
|
|
- secretKey: jellyfin-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: jellyfin-client-secret
|