From 143ea35dc1347e80147357ad775ae89c9f6b1419 Mon Sep 17 00:00:00 2001
From: soraefir
Date: Thu, 14 May 2026 17:18:39 +0200
Subject: [PATCH] Ldap setup jellyfin
---
 modules/server/containers/apps/gitea.nix | 7 ++--
 modules/server/containers/apps/jellyfin.nix | 35 ++++++++++++++-----
 .../containers/data/jellyfin/LDAP-Auth.xml | 29 ---------------
 3 files changed, 31 insertions(+), 40 deletions(-)
 delete mode 100644 modules/server/containers/data/jellyfin/LDAP-Auth.xml
diff --git a/modules/server/containers/apps/gitea.nix b/modules/server/containers/apps/gitea.nix
index de616b5..2f66845 100644
--- a/modules/server/containers/apps/gitea.nix
+++ b/modules/server/containers/apps/gitea.nix
@@ -129,10 +129,11 @@ in {
 ${lib.optionalString (serverCfg.containers ? authentik) ''
- $GT admin auth delete --id 1
- $GT admin auth add-ldap --name Authentik --host ${builder.host} --port 636 --security-protocol ldaps \
+ $GT admin auth add-ldap --name Authentik --host authentik-ldap --port 6636 --security-protocol ldaps --skip-tls-verify \
 --bind-dn "cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}" --bind-password $DEFAULT_LDAP_PASSWORD \
- --user-search-base "ou=users,${LDAP_DC_DOMAIN}" --user-filter "(|(username=%s)(email=%s))" \
+ --user-search-base "ou=users,${LDAP_DC_DOMAIN}" \
+ --user-filter "(&(objectClass=user)(|(uid=%[1]s)(mail=%[1]s)))" \
+ --admin-filter "(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})" \
 --username-attribute "username" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" \
 --synchronize-users
 ''}
diff --git a/modules/server/containers/apps/jellyfin.nix b/modules/server/containers/apps/jellyfin.nix
index 32b8ee4..927b6e7 100644
--- a/modules/server/containers/apps/jellyfin.nix
+++ b/modules/server/containers/apps/jellyfin.nix
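Review bot: `--skip-tls-verify` on the new `add-ldap` line makes the LDAPS bind accept any certificate, so the `ldap-service` bind password and every user password Gitea forwards at login are exposed to anything that can answer for `authentik-ldap:6636` on the container network. The cleaner fix is to issue the outpost a certificate with SAN `authentik-ldap` from a CA the Gitea container trusts and drop the flag; if this is a deliberate internal-network trade-off for now, say so next to it: `# NOTE: outpost cert is self-signed; TLS verification disabled on purpose — TODO pin the CA`. Dropping `auth delete --id 1` also means a re-run of this setup will try to add a second source named Authentik, and whether Gitea rejects or duplicates it I cannot tell from here, so an idempotency guard may be needed. The user filter now matches on `uid`/`mail` while `--username-attribute "username"` is unchanged; please confirm Authentik's LDAP outpost actually exposes an attribute named `username`, otherwise synced accounts get empty names. The enclosing shell script starts before this hunk.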
@@ -1,6 +1,7 @@
 { config, containerCfg, pkgs, lib, builder, name, ... }:
 let
 serverCfg = config.syscfg.server;
+ LDAP_DC_DOMAIN = "dc=ldap," + (lib.concatMapStringsSep "," (x: "dc=${x}") (lib.splitString "." serverCfg.hostDomain));
 nss = pkgs.dockerTools.fakeNss.override {
 extraPasswdLines = [
 "jellyfin:x:1000:1000:Jellyfin Daemon:/config/data:/bin/false"
@@ -23,14 +24,6 @@ let
 ];
 };
 };
-
- #LDAP_DC_DOMAIN = "dc=ldap,dc=helcel,dc=net"
- #HOST=...
- #LDAP_BIND_USER=ldap-sa
- #LDAP_BIND_PASSWORD=...
- #LDAP_GROUP=flix
- #LDAP_ADMIN=admin
-
 in {
 paths = [
 {
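Review bot: `LDAP_DC_DOMAIN` is now derived in this file from `serverCfg.hostDomain`, and the same name is referenced from gitea.nix in this commit, which suggests the expression is duplicated per container module; hoisting it into one shared place (e.g. an attribute on `serverCfg`) would keep the base DN from drifting between Gitea and Jellyfin. A short comment on the new line would also help a reader check the hard-coded prefix: `# "dc=ldap,dc=<label>,..." from hostDomain — must match the Authentik LDAP outpost base DN`.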
@@ -153,6 +146,32 @@ in {
 echo "ERROR: Server failed to accept restart command."
 exit 1
 fi
+ sleep 5
+ until ${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health" > /dev/null 2>&1; do
+ sleep 5
+ done
+ echo "Jellyfin is up. Sleeping for 20 seconds..."
+ sleep 20
+
+ SETUP_LDAP_PAYLOAD=$(${pkgs.jq}/bin/jq -n \
+ --arg ldap_pass "$DEFAULT_LDAP_PASSWORD" \
+ '{"LdapUsers":[],"LdapServer":"authentik-ldap","LdapPort":6636,"UseSsl":true,"UseStartTls":false,"SkipSslVerify":true, "LdapBindUser":"cn=ldap-service,ou=users,${LDAP_DC_DOMAIN}","LdapBindPassword":$ldap_pass, "LdapBaseDn":"${LDAP_DC_DOMAIN}","LdapSearchFilter":"(memberOf=cn=flix,ou=groups,${LDAP_DC_DOMAIN})", "LdapSearchAttributes":"uid, cn, mail, displayName", "LdapAdminBaseDn":"","LdapAdminFilter":"(memberOf=cn=admin,ou=groups,${LDAP_DC_DOMAIN})", "EnableLdapAdminFilterMemberUid":false,"LdapUidAttribute":"uid","LdapUsernameAttribute":"cn","LdapPasswordAttribute":"userPassword", "EnableLdapProfileImageSync":false,"RemoveImagesNotInLdap":false,"LdapProfileImageAttribute":"jpegphoto","LdapProfileImageFormat":"Default", "LdapClientCertPath":"","LdapClientKeyPath":"","LdapRootCaPath":"","CreateUsersFromLdap":true,"AllowPassChange":false, "EnableAllFolders":true,"EnabledFolders":[],"PasswordResetUrl":""}')
+
+ if ! ${pkgs.curl}/bin/curl -sSf -X POST "$JELLYFIN_URL/Plugins/958aad66-3784-4d2a-b89a-a7b6fab6e25c/Configuration" \
+ -H "Authorization: MediaBrowser Token=\"$JELLYFIN_TOKEN\"" \
+ -H "Content-Type: application/json" -H 'accept: */*' \
+ -d "$SETUP_USER_PAYLOAD"; then
+ echo "ERROR: LDAP Plugin Setup Failed."
+ exit 1
+ fi
 echo "Completed Setup"
diff --git a/modules/server/containers/data/jellyfin/LDAP-Auth.xml b/modules/server/containers/data/jellyfin/LDAP-Auth.xml
deleted file mode 100644
index 17146ce..0000000
--- a/modules/server/containers/data/jellyfin/LDAP-Auth.xml
+++ /dev/null
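Review bot: The `curl` POST sends `-d "$SETUP_USER_PAYLOAD"` while the JSON built just above is stored in `SETUP_LDAP_PAYLOAD`, so the LDAP plugin configuration is never applied; whatever `SETUP_USER_PAYLOAD` held earlier in the script (defined outside this hunk, if at all) or an empty body is posted, and `-f` only reports HTTP errors, so this very likely passes silently. Change the line to `-d "$SETUP_LDAP_PAYLOAD"; then`. Beyond that, `"SkipSslVerify":true` together with `"LdapRootCaPath":""` disables certificate validation on the LDAPS bind, exposing the `ldap-service` password and every user login to anything that can impersonate `authentik-ldap` on the container network; the CA field is right there in the payload, so mounting the outpost's CA and setting `LdapRootCaPath` is the proper fix. The `until curl .../health` loop also has no upper bound, so a Jellyfin that never becomes healthy hangs the setup forever; a bounded retry such as `for i in $(seq 1 60); do ... done` with an explicit failure exit would be safer. The enclosing setup script starts before this hunk.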
@@ -1,29 +0,0 @@ - - - - @HOST@ - 389 - false - false - true - cn=@LDAP_BIND_USER@,ou=users,@LDAP_DC_DOMAIN@ - @LDAP_BIND_PASSWORD@ - @LDAP_DC_DOMAIN@ - (memberOf=cn=@LDAP_GROUP@,ou=groups,@LDAP_DC_DOMAIN@) - - (memberOf=cn=@LDAP_ADMIN@,ou=groups,@LDAP_DC_DOMAIN@) - false - uid, cn, mail, displayName - - - - true - false - uid - cn - userPassword - false - jpegphoto - true - - \ No newline at end of file