From d9e07543ba67fa2f1362301371bd84e8b5050ea9 Mon Sep 17 00:00:00 2001
From: soraefir
Date: Thu, 14 May 2026 20:19:25 +0200
Subject: [PATCH] fix ldap authentik
---
 modules/server/containers/apps/jellyfin.nix | 2 +-
 .../containers/data/authentik/gitea.yaml | 2 --
 .../containers/data/authentik/jellyfin.yaml | 2 --
 .../containers/data/authentik/ldap.yaml | 13 ++++---
 .../containers/data/authentik/nextcloud.yaml | 30 -------
 5 files changed, 8 insertions(+), 41 deletions(-)
diff --git a/modules/server/containers/apps/jellyfin.nix b/modules/server/containers/apps/jellyfin.nix
index abda0e0..d9d04f6 100644
--- a/modules/server/containers/apps/jellyfin.nix
+++ b/modules/server/containers/apps/jellyfin.nix
@@ -143,7 +143,7 @@ in {
 echo "ERROR: Server failed to accept restart command."
 exit 1
 fi
- sleep 5
+ sleep 1-
 until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
 sleep 5
 done
diff --git a/modules/server/containers/data/authentik/gitea.yaml b/modules/server/containers/data/authentik/gitea.yaml
index 570d83a..61688ad 100644
--- a/modules/server/containers/data/authentik/gitea.yaml
+++ b/modules/server/containers/data/authentik/gitea.yaml
@@ -8,6 +8,4 @@ entries:
 slug: gitea
 attrs:
 name: Gitea
- provider:
- !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
 launch_url: "@GITEA_DOMAIN@"
diff --git a/modules/server/containers/data/authentik/jellyfin.yaml b/modules/server/containers/data/authentik/jellyfin.yaml
index d5c3b84..9c8689e 100644
--- a/modules/server/containers/data/authentik/jellyfin.yaml
+++ b/modules/server/containers/data/authentik/jellyfin.yaml
@@ -8,6 +8,4 @@ entries:
 slug: jellyfin
 attrs:
 name: Jellyfin
- provider:
- !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
 launch_url: "@JELLYFIN_DOMAIN@"
diff --git a/modules/server/containers/data/authentik/ldap.yaml b/modules/server/containers/data/authentik/ldap.yaml
index d90931f..7534949 100644
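Review bot: `sleep 1-` on the added line of the jellyfin.nix hunk is not a valid interval; GNU sleep rejects it with an "invalid time interval" error and exits non-zero, so the restart script either aborts here (if it runs with errexit, which is not visible in the hunk) or drops straight into the health-check loop without the intended pause. Presumably a longer wait such as `sleep 10` was meant; either way the line should read `sleep 10` or be restored to the original `sleep 5`. The enclosing restart script starts and ends outside the hunk.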
--- a/modules/server/containers/data/authentik/ldap.yaml +++ b/modules/server/containers/data/authentik/ldap.yaml @@ -44,18 +44,19 @@ entries: attributes: ak_recovery_immutable: true - - model: authentik_core.group + - model: authentik_core.role state: present identifiers: - name: "LDAP Bind Service Account Group" + name: "LDAP Search Role" attrs: users: - !Find [authentik_core.user, [username, ldap-service]] - - model: authentik_policies.policybinding + - model: authentik_core.objectpermission state: present identifiers: - target: + permission: !KeyOf authentik_core.permission:codename=search_full_directory,content_type__app_label=authentik_providers_ldap + role: !Find [authentik_core.role, [name, LDAP Search Role]] + attrs: + object_pk: !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]] - permission: "authentik_providers_ldap.search_full_directory" - user: !Find [authentik_core.user, [username, ldap-service]] diff --git a/modules/server/containers/data/authentik/nextcloud.yaml b/modules/server/containers/data/authentik/nextcloud.yaml index 8ca927b..82f5eeb 100644 --- a/modules/server/containers/data/authentik/nextcloud.yaml +++ b/modules/server/containers/data/authentik/nextcloud.yaml @@ -2,7 +2,6 @@ version: 1 metadata: name: nextcloud-saml-setup entries: - # 1. Create the SAML Provider - model: authentik_providers_saml.samlprovider identifiers: name: Nextcloud SAML @@ -15,12 +14,10 @@ entries: invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]] - # Adjust these URLs to match your Nextcloud domain acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata issuer: https://@AUTHENTIK_DOMAIN@ sp_binding: post - # Map the attributes for Name, Email, and Groups property_mappings: - !Find [ authentik_core.propertymapping, 
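Review bot: The new `authentik_core.role` entry attaches the bind account through `users:`, but as far as I know a role in authentik is granted to a group and a user receives it through group membership, so a `users` attribute on the role may be silently ignored by the importer — leaving ldap-service without the `search_full_directory` grant that this same hunk removes from the old user-level binding. The `permission: !KeyOf authentik_core.permission:codename=...` value is also suspect: `!KeyOf` resolves the `id` of another entry in the same blueprint rather than performing a lookup, and no entry with that id is visible here; the lookup form would be `!Find [authentik_core.permission, [codename, search_full_directory], [content_type__app_label, authentik_providers_ldap]]`, so verify which one the importer accepts. Scoping the grant to `object_pk` of ldap-provider is tighter than the previous model-wide permission and worth keeping. Until the role assignment is confirmed, add a post-apply check to the deploy (a bind plus a directory search as ldap-service) so a dropped grant fails loudly instead of surfacing later as empty LDAP results in the apps.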
@@ -43,32 +40,6 @@ entries: [name, "authentik default SAML Mapping: User ID"], ] - # - !Find [ - # authentik_providers_saml.samlpropertymapping, - # [managed, "goauthentik.io/providers/saml/ms-name"], - # ] - # - !Find [ - # authentik_providers_saml.samlpropertymapping, - # [managed, "goauthentik.io/providers/saml/ms-email"], - # ] - # - !Find [ - # authentik_providers_saml.samlpropertymapping, - # [managed, "goauthentik.io/providers/saml/ms-groups"], - # ] - - # - !Find [ - # authentik_core.propertymapping, - # [managed, goauthentik.io/providers/saml/ms-name], - # ] - # - !Find [ - # authentik_core.propertymapping, - # [managed, goauthentik.io/providers/saml/ms-email], - # ] - # - !Find [ - # authentik_core.propertymapping, - # [managed, goauthentik.io/providers/saml/ms-groups], - # ] - # Select your signing certificate (default is usually self-signed) signing_kp: !Find [ authentik_crypto.certificatekeypair, @@ -77,7 +48,6 @@ entries: sign_assertion: true sign_response: false - # 2. Create the Application - model: authentik_core.application identifiers: slug: nextcloud