## Summary - Add Authentik OIDC provider + application for Jellyfin via blueprint (all authenticated users allowed, no policy binding) - Wire `jellyfin-client-secret` through ExternalSecret and Authentik worker deployment - Install [jellyfin-plugin-sso](https://github.com/9p4/jellyfin-plugin-sso) v4.0.0.3 via Ansible, with OIDC config template - Authentik `admins` group maps to Jellyfin administrator role - Local login left enabled; SSO is additive ## Deployment and Testing - [ ] Sync ArgoCD `authentik` app on branch — verify provider + application appear in Authentik admin - [ ] `mise run provision-indri -- --tags jellyfin --check --diff` (dry run) - [ ] `mise run provision-indri -- --tags jellyfin` (deploy plugin + config) - [ ] Test SSO flow: `https://jellyfin.ops.eblu.me/sso/OID/start/authentik` - [ ] Verify `eblume` account auto-links via `preferred_username` match - [ ] Verify admins group → Jellyfin admin - [ ] Reset ArgoCD app revision to main after merge 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/239
33 lines
1.2 KiB
Django/Jinja
<?xml version="1.0" encoding="utf-8"?>
|
|
<!-- {{ ansible_managed }} -->
|
|
<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
|
|
<SamlConfigs />
|
|
<OidConfigs>
|
|
<item>
|
|
<key><string>{{ jellyfin_sso_provider_name }}</string></key>
|
|
<value>
|
|
<PluginConfiguration>
|
|
<OidEndpoint>https://authentik.ops.eblu.me/application/o/jellyfin</OidEndpoint>
|
|
<OidClientId>{{ jellyfin_sso_client_id }}</OidClientId>
|
|
<OidSecret>{{ jellyfin_sso_client_secret }}</OidSecret>
|
|
<Enabled>true</Enabled>
|
|
<EnableAuthorization>true</EnableAuthorization>
|
|
<EnableAllFolders>true</EnableAllFolders>
|
|
<EnabledFolders />
|
|
<AdminRoles><string>admins</string></AdminRoles>
|
|
<Roles />
|
|
<EnableFolderRoles>false</EnableFolderRoles>
|
|
<FolderRoleMappings />
|
|
<RoleClaim>groups</RoleClaim>
|
|
<OidScopes>
|
|
<string>openid</string>
|
|
<string>email</string>
|
|
<string>profile</string>
|
|
</OidScopes>
|
|
<SchemeOverride>https</SchemeOverride>
|
|
<CanonicalLinks />
|
|
</PluginConfiguration>
|
|
</value>
|
|
</item>
|
|
</OidConfigs>
|
|
</PluginConfiguration>
|
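Review bot: The client secret is interpolated unescaped into element text at `<OidSecret>{{ jellyfin_sso_client_secret }}</OidSecret>`, so a value containing `&` or `<` would render malformed XML that the plugin cannot load; `{{ jellyfin_sso_client_secret | e }}` (and likewise for `jellyfin_sso_client_id` and `jellyfin_sso_provider_name`) keeps the file well-formed for any value, since Jinja's escape filter emits only the predefined and numeric entities XML accepts. Because the rendered file holds the secret in plaintext, the task that writes this template (outside this file) should set a restrictive mode such as `0600` and `no_log: true`, and the `--check --diff` step in the checklist will print the rendered secret to the terminal. The empty `<Roles />` together with `<EnableAuthorization>true</EnableAuthorization>` and `<EnableAllFolders>true</EnableAllFolders>` means every Authentik user who reaches the application gets a Jellyfin account with all libraries, assuming the plugin treats an empty role list as no restriction as the description implies; that is intentional here but deserves a comment in the template, e.g. `<!-- Roles left empty on purpose: any authenticated Authentik user may log in; admin rights come only from AdminRoles -->`. The admin mapping through `<RoleClaim>groups</RoleClaim>` relies on Authentik emitting `groups` in the `profile` scope (its default mapping does), and the hard-coded `<OidEndpoint>` host could be templated like the other values for consistency.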