From b9144ebb5e0a9de1361d854599b43f7cc35ac199 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Fri, 19 Dec 2025 21:13:31 -0300
Subject: [PATCH] jellyfin: bootstrap oidc plugin
---
 services/jellyfin/deployment.yaml | 88 +++++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)
diff --git a/services/jellyfin/deployment.yaml b/services/jellyfin/deployment.yaml
index fec0c78..53f79bc 100644
--- a/services/jellyfin/deployment.yaml
+++ b/services/jellyfin/deployment.yaml
@@ -28,6 +28,94 @@ spec:
 fsGroup: 65532
 fsGroupChangePolicy: OnRootMismatch
 runAsGroup: 65532
+ initContainers:
+ - name: install-oidc-plugin
+ image: alpine:3.20
+ securityContext:
+ runAsUser: 0
+ env:
+ - name: OIDC_PLUGIN_VERSION
+ value: "1.0.2.0"
+ - name: OIDC_PLUGIN_URL
+ value: "https://raw.githubusercontent.com/lolerskatez/JellyfinOIDCPlugin/master/OIDC_Authentication_1.0.2.0.zip"
+ - name: OIDC_ISSUER
+ value: "https://sso.bstein.dev/realms/atlas"
+ - name: OIDC_REDIRECT_URI
+ value: "https://stream.bstein.dev/oauth2/callback"
+ - name: OIDC_LOGOUT_URI
+ value: "https://sso.bstein.dev/realms/atlas/protocol/openid-connect/logout?redirect_uri=https://stream.bstein.dev/"
+ - name: OIDC_SCOPES
+ value: "openid,profile,email,groups"
+ - name: OIDC_ROLE_CLAIM
+ value: "groups"
+ - name: OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: jellyfin-oidc
+ key: client-id
+ - name: OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: jellyfin-oidc
+ key: client-secret
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -euo pipefail
+ if [ -z "${OIDC_CLIENT_ID:-}" ] || [ -z "${OIDC_CLIENT_SECRET:-}" ]; then
+ echo "OIDC_CLIENT_ID or OIDC_CLIENT_SECRET missing; create secret jellyfin-oidc" >&2
+ exit 1
+ fi
+ apk add --no-cache wget unzip
+ plugin_dir="/config/plugins/OIDC Authentication_${OIDC_PLUGIN_VERSION}"
+ config_dir="/config/plugins/configurations"
+ tmp_zip="$(mktemp)"
+ echo "Downloading OIDC plugin ${OIDC_PLUGIN_VERSION} from ${OIDC_PLUGIN_URL}"
+ wget -O "${tmp_zip}" "${OIDC_PLUGIN_URL}"
+ rm -rf "${plugin_dir}"
+ mkdir -p "${plugin_dir}" "${config_dir}"
+ unzip -o "${tmp_zip}" -d "${plugin_dir}"
+ rm -f "${tmp_zip}"
+ cat >"${plugin_dir}/meta.json" <<'EOF'
+ {
+ "category": "Authentication",
+ "changelog": "OIDC SSO authentication plugin; auto user creation and role mapping",
+ "description": "OpenID Connect (OIDC) authentication provider for Jellyfin with SSO support.",
+ "guid": "a1b2c3d4-e5f6-47a8-b9c0-d1e2f3a4b5c6",
+ "name": "OIDC Authentication",
+ "overview": "Enable Single Sign-On (SSO) for Jellyfin using an OpenID Connect provider.",
+ "owner": "lolerskatez",
+ "targetAbi": "10.10.7.0",
+ "timestamp": "2025-12-17T04:00:00Z",
+ "version": "1.0.2.0",
+ "status": "Active",
+ "autoUpdate": false,
+ "imagePath": "",
+ "assemblies": []
+ }
+ EOF
+ IFS=',' read -ra scopes <<< "${OIDC_SCOPES}"
+ {
+ echo ''
+ echo ''
+ echo " ${OIDC_ISSUER}"
+ echo " ${OIDC_CLIENT_ID}"
+ echo " ${OIDC_CLIENT_SECRET}"
+ echo ' '
+ for s in "${scopes[@]}"; do
+ trimmed="$(echo "${s}" | xargs)"
+ [ -z "${trimmed}" ] && continue
+ echo " ${trimmed}"
+ done
+ echo ' '
+ echo " ${OIDC_ROLE_CLAIM}"
+ echo " ${OIDC_REDIRECT_URI}"
+ echo " ${OIDC_LOGOUT_URI}"
+ echo ' '
+ echo ' true'
+ echo ' false'
+ echo ''
+ } >"${config_dir}/OIDC Authentication.xml"
 runtimeClassName: nvidia
 containers:
 - name: jellyfin
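Review bot: The plugin zip is fetched at every pod start from an unpinned `master` raw-GitHub URL (`OIDC_PLUGIN_URL`) with no integrity check and is unpacked by a root init container (`runAsUser: 0`) straight into `/config/plugins`, so whatever that URL serves at start time is what Jellyfin loads as its authentication provider. Point `OIDC_PLUGIN_URL` at a tagged release asset, add an env entry holding the expected digest (say `OIDC_PLUGIN_SHA256`, value to be filled from the release), and verify before `unzip`: `echo "${OIDC_PLUGIN_SHA256}  ${tmp_zip}" | sha256sum -c -`. Separately, the script runs under `/bin/sh` on `alpine:3.20`, which is BusyBox ash and has no array support, so `IFS=',' read -ra scopes <<< ...` and `"${scopes[@]}"` will fail and the init container will never complete; iterate with `echo "${OIDC_SCOPES}" | tr ',' '\n' | while read -r trimmed; do` instead (the `read -r` already trims surrounding whitespace, making the `xargs` step unnecessary). The generated `OIDC Authentication.xml` embeds `OIDC_CLIENT_SECRET` in plaintext and is created as root with the default umask, so set `umask 077` before the redirect and `chown` the file to the uid/gid the jellyfin container runs as (`runAsGroup: 65532` is in the context lines; the uid is not visible in this hunk).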