Erich Blume
07fb48626d
## Summary - Add Authentik OIDC provider + application for Jellyfin via blueprint (all authenticated users allowed, no policy binding) - Wire `jellyfin-client-secret` through ExternalSecret and Authentik worker deployment - Install [jellyfin-plugin-sso](https://github.com/9p4/jellyfin-plugin-sso) v4.0.0.3 via Ansible, with OIDC config template - Authentik `admins` group maps to Jellyfin administrator role - Local login left enabled; SSO is additive ## Deployment and Testing - [ ] Sync ArgoCD `authentik` app on branch — verify provider + application appear in Authentik admin - [ ] `mise run provision-indri -- --tags jellyfin --check --diff` (dry run) - [ ] `mise run provision-indri -- --tags jellyfin` (deploy plugin + config) - [ ] Test SSO flow: `https://jellyfin.ops.eblu.me/sso/OID/start/authentik` - [ ] Verify `eblume` account auto-links via `preferred_username` match - [ ] Verify admins group → Jellyfin admin - [ ] Reset ArgoCD app revision to main after merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/239
55 lines
1.5 KiB
YAML
55 lines
1.5 KiB
YAML
---
|
|
apiVersion: external-secrets.io/v1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: authentik-config
|
|
namespace: authentik
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
kind: ClusterSecretStore
|
|
name: onepassword-blumeops
|
|
target:
|
|
name: authentik-config
|
|
creationPolicy: Owner
|
|
data:
|
|
- secretKey: secret-key
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: secret-key
|
|
- secretKey: postgresql-host
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-host
|
|
- secretKey: postgresql-port
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-port
|
|
- secretKey: postgresql-name
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-name
|
|
- secretKey: postgresql-user
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-user
|
|
- secretKey: postgresql-password
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-password
|
|
- secretKey: grafana-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: grafana-client-secret
|
|
- secretKey: forgejo-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: forgejo-client-secret
|
|
- secretKey: zot-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: zot-client-secret
|
|
- secretKey: jellyfin-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: jellyfin-client-secret
|