jellyfin: enforce ldap auth provider on start

2025-12-24 17:25:07 -03:00 · 2025-12-24 17:25:07 -03:00 · cd7ba1e8a8
commit cd7ba1e8a8
parent cecde3e197
1 changed files with 22 additions and 0 deletions
--- a/services/jellyfin/deployment.yaml
+++ b/services/jellyfin/deployment.yaml
@ -46,6 +46,28 @@ spec:
              mountPath: /web-root
            - name: config
              mountPath: /config
+        # Force all users to authenticate via the LDAP plugin provider by updating the DB on start.
+        # This keeps Flux enforcement for auth provider drift (e.g., after UI edits).
+        - name: set-ldap-auth-provider
+          image: docker.io/library/alpine:3.20
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -euxo pipefail
+              apk add --no-cache sqlite
+              db="/config/data/jellyfin.db"
+              if [ -f "$db" ]; then
+                sqlite3 "$db" "UPDATE Users SET AuthenticationProviderId='958aad66-3784-4d2a-b89a-a7b6fab6e25c', Password=NULL, EnableLocalPassword=0 WHERE AuthenticationProviderId!='958aad66-3784-4d2a-b89a-a7b6fab6e25c';"
+              else
+                echo "db not found at $db, skipping"
+              fi
+          volumeMounts:
+            - name: config
+              mountPath: /config
      nodeSelector:
        jellyfin: "true"
      securityContext: