From cd7ba1e8a8ea287bb324484de8c51b2f817e7d6d Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 24 Dec 2025 17:25:07 -0300
Subject: [PATCH] jellyfin: enforce ldap auth provider on start
---
 services/jellyfin/deployment.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/services/jellyfin/deployment.yaml b/services/jellyfin/deployment.yaml
index 14e9686..faec4f7 100644
--- a/services/jellyfin/deployment.yaml
+++ b/services/jellyfin/deployment.yaml
@@ -46,6 +46,28 @@ spec:
 mountPath: /web-root
 - name: config
 mountPath: /config
+ # Force all users to authenticate via the LDAP plugin provider by updating the DB on start.
+ # This keeps Flux enforcement for auth provider drift (e.g., after UI edits).
+ - name: set-ldap-auth-provider
+ image: docker.io/library/alpine:3.20
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -euxo pipefail
+ apk add --no-cache sqlite
+ db="/config/data/jellyfin.db"
+ if [ -f "$db" ]; then
+ sqlite3 "$db" "UPDATE Users SET AuthenticationProviderId='958aad66-3784-4d2a-b89a-a7b6fab6e25c', Password=NULL, EnableLocalPassword=0 WHERE AuthenticationProviderId!='958aad66-3784-4d2a-b89a-a7b6fab6e25c';"
+ else
+ echo "db not found at $db, skipping"
+ fi
+ volumeMounts:
+ - name: config
+ mountPath: /config
 nodeSelector:
 jellyfin: "true"
 securityContext:
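Review bot: The new `set-ldap-auth-provider` init container runs as root (`runAsUser: 0`) and executes `apk add --no-cache sqlite` on every pod start, so each restart installs an unpinned package over the network into a process with write access to `/config`, and Jellyfin cannot start when the package mirror is unreachable. Consider an image that already ships `sqlite3`, referenced by digest, running under the same UID as the Jellyfin container with privilege escalation disabled and capabilities dropped; the pod-level `securityContext` continues outside the hunk, so the correct UID is not visible here. The `UPDATE` also clears `Password` and `EnableLocalPassword` for every user whose provider differs, which leaves no local break-glass admin if LDAP or the plugin is unavailable; excluding one named recovery account in the `WHERE` clause would keep a way back in. It is also worth confirming how Jellyfin treats a NULL `Password` if a user is ever switched back to the built-in provider.

```yaml
- name: set-ldap-auth-provider
  # placeholder image: one that already contains sqlite3, pinned by digest
  image: <registry>/<sqlite-image>@sha256:<digest>
  securityContext:
    # placeholder UID/GID: match the user the Jellyfin container runs as
    runAsUser: <jellyfin-uid>
    runAsGroup: <jellyfin-gid>
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  # … unchanged: command (without the apk add line) and volumeMounts …
```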