jellyfin: bootstrap oidc plugin
This commit is contained in:
parent
303e7e770f
commit
b9144ebb5e
@ -28,6 +28,94 @@ spec:
|
||||
fsGroup: 65532
|
||||
fsGroupChangePolicy: OnRootMismatch
|
||||
runAsGroup: 65532
|
||||
initContainers:
|
||||
- name: install-oidc-plugin
|
||||
image: alpine:3.20
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
env:
|
||||
- name: OIDC_PLUGIN_VERSION
|
||||
value: "1.0.2.0"
|
||||
- name: OIDC_PLUGIN_URL
|
||||
value: "https://raw.githubusercontent.com/lolerskatez/JellyfinOIDCPlugin/master/OIDC_Authentication_1.0.2.0.zip"
|
||||
- name: OIDC_ISSUER
|
||||
value: "https://sso.bstein.dev/realms/atlas"
|
||||
- name: OIDC_REDIRECT_URI
|
||||
value: "https://stream.bstein.dev/oauth2/callback"
|
||||
- name: OIDC_LOGOUT_URI
|
||||
value: "https://sso.bstein.dev/realms/atlas/protocol/openid-connect/logout?redirect_uri=https://stream.bstein.dev/"
|
||||
- name: OIDC_SCOPES
|
||||
value: "openid,profile,email,groups"
|
||||
- name: OIDC_ROLE_CLAIM
|
||||
value: "groups"
|
||||
- name: OIDC_CLIENT_ID
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: jellyfin-oidc
|
||||
key: client-id
|
||||
- name: OIDC_CLIENT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: jellyfin-oidc
|
||||
key: client-secret
|
||||
command: ["/bin/sh", "-c"]
|
||||
args:
|
||||
- |
|
||||
set -euo pipefail
|
||||
if [ -z "${OIDC_CLIENT_ID:-}" ] || [ -z "${OIDC_CLIENT_SECRET:-}" ]; then
|
||||
echo "OIDC_CLIENT_ID or OIDC_CLIENT_SECRET missing; create secret jellyfin-oidc" >&2
|
||||
exit 1
|
||||
fi
|
||||
apk add --no-cache wget unzip
|
||||
plugin_dir="/config/plugins/OIDC Authentication_${OIDC_PLUGIN_VERSION}"
|
||||
config_dir="/config/plugins/configurations"
|
||||
tmp_zip="$(mktemp)"
|
||||
echo "Downloading OIDC plugin ${OIDC_PLUGIN_VERSION} from ${OIDC_PLUGIN_URL}"
|
||||
wget -O "${tmp_zip}" "${OIDC_PLUGIN_URL}"
|
||||
rm -rf "${plugin_dir}"
|
||||
mkdir -p "${plugin_dir}" "${config_dir}"
|
||||
unzip -o "${tmp_zip}" -d "${plugin_dir}"
|
||||
rm -f "${tmp_zip}"
|
||||
cat >"${plugin_dir}/meta.json" <<'EOF'
|
||||
{
|
||||
"category": "Authentication",
|
||||
"changelog": "OIDC SSO authentication plugin; auto user creation and role mapping",
|
||||
"description": "OpenID Connect (OIDC) authentication provider for Jellyfin with SSO support.",
|
||||
"guid": "a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6",
|
||||
"name": "OIDC Authentication",
|
||||
"overview": "Enable Single Sign-On (SSO) for Jellyfin using an OpenID Connect provider.",
|
||||
"owner": "lolerskatez",
|
||||
"targetAbi": "10.10.7.0",
|
||||
"timestamp": "2025-12-17T04:00:00Z",
|
||||
"version": "1.0.2.0",
|
||||
"status": "Active",
|
||||
"autoUpdate": false,
|
||||
"imagePath": "",
|
||||
"assemblies": []
|
||||
}
|
||||
EOF
|
||||
IFS=',' read -ra scopes <<< "${OIDC_SCOPES}"
|
||||
{
|
||||
echo '<?xml version="1.0" encoding="utf-8"?>'
|
||||
echo '<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
|
||||
echo " <OidEndpoint>${OIDC_ISSUER}</OidEndpoint>"
|
||||
echo " <OidClientId>${OIDC_CLIENT_ID}</OidClientId>"
|
||||
echo " <OidSecret>${OIDC_CLIENT_SECRET}</OidSecret>"
|
||||
echo ' <OidScopes>'
|
||||
for s in "${scopes[@]}"; do
|
||||
trimmed="$(echo "${s}" | xargs)"
|
||||
[ -z "${trimmed}" ] && continue
|
||||
echo " <string>${trimmed}</string>"
|
||||
done
|
||||
echo ' </OidScopes>'
|
||||
echo " <RoleClaim>${OIDC_ROLE_CLAIM}</RoleClaim>"
|
||||
echo " <RedirectUri>${OIDC_REDIRECT_URI}</RedirectUri>"
|
||||
echo " <LogoutUri>${OIDC_LOGOUT_URI}</LogoutUri>"
|
||||
echo ' <CertificatePath />'
|
||||
echo ' <AutoCreateUser>true</AutoCreateUser>'
|
||||
echo ' <AllowRememberMe>false</AllowRememberMe>'
|
||||
echo '</PluginConfiguration>'
|
||||
} >"${config_dir}/OIDC Authentication.xml"
|
||||
runtimeClassName: nvidia
|
||||
containers:
|
||||
- name: jellyfin
|
||||
|
||||
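Review bot: The init container's script depends on bash-only constructs — `IFS=',' read -ra scopes <<< "${OIDC_SCOPES}"` and `"${scopes[@]}"` — but it is run by `/bin/sh` of `alpine:3.20` (busybox ash), which has no arrays, so the `{ ... } >"${config_dir}/OIDC Authentication.xml"` block fails at parse time and the pod never reaches the jellyfin container; the scope loop needs a POSIX-sh form, as below. Separately, `OIDC_PLUGIN_URL` fetches a zip from the `master` branch of a third-party repository with no integrity check, so code that is unpacked by a root init container can change upstream at any time; pin to a tagged release artifact and verify it with `echo "<PLUGIN_SHA256>  ${tmp_zip}" | sha256sum -c -` (placeholder digest to be recorded when the release is pinned). The generated XML also writes `OIDC_CLIENT_SECRET` unescaped into a file created as root with the default umask on the shared `/config` volume, leaving it world-readable and root-owned; adding `umask 077` before the redirect and a `chown` of `plugin_dir`/`config_dir` to the runtime uid (presumably 65532, matching the visible `fsGroup`) would keep it readable only by the jellyfin user. The enclosing `spec` block starts outside this hunk.
```yaml
echo ' <OidScopes>'
printf '%s\n' "${OIDC_SCOPES}" | tr ',' '\n' | while IFS= read -r s; do
  trimmed="$(printf '%s' "${s}" | xargs)"
  [ -z "${trimmed}" ] && continue
  echo " <string>${trimmed}</string>"
done
echo ' </OidScopes>'
# … unchanged: remaining PluginConfiguration elements and closing redirect …
```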