jellyfin: enforce ldap auth provider on start

services/jellyfin/deployment.yaml

@@ -46,6 +46,28 @@ spec:
               mountPath: /web-root
             - name: config
               mountPath: /config
+        # Force all users to authenticate via the LDAP plugin provider by updating the DB on start.
+        # This keeps Flux enforcement for auth provider drift (e.g., after UI edits).
+        - name: set-ldap-auth-provider
+          image: docker.io/library/alpine:3.20
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -euxo pipefail
+              apk add --no-cache sqlite
+              db="/config/data/jellyfin.db"
+              if [ -f "$db" ]; then
+                sqlite3 "$db" "UPDATE Users SET AuthenticationProviderId='958aad66-3784-4d2a-b89a-a7b6fab6e25c', Password=NULL, EnableLocalPassword=0 WHERE AuthenticationProviderId!='958aad66-3784-4d2a-b89a-a7b6fab6e25c';"
+              else
+                echo "db not found at $db, skipping"
+              fi
+          volumeMounts:
+            - name: config
+              mountPath: /config
       nodeSelector:
         jellyfin: "true"
       securityContext: