fix ldap authentik

modules/server/containers/apps/jellyfin.nix

@@ -143,7 +143,7 @@ in {
           echo "ERROR: Server failed to accept restart command."
           exit 1
         fi
-        sleep 5
+        sleep 1-
         until [ "$(${pkgs.curl}/bin/curl -sf "$JELLYFIN_URL/health")" = "Healthy" ]; do
           sleep 5
         done

modules/server/containers/data/authentik/gitea.yaml

@@ -8,6 +8,4 @@ entries:
       slug: gitea
     attrs:
       name: Gitea
-      provider:
-        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
       launch_url: "@GITEA_DOMAIN@"

modules/server/containers/data/authentik/jellyfin.yaml

@@ -8,6 +8,4 @@ entries:
       slug: jellyfin
     attrs:
       name: Jellyfin
-      provider:
-        !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
       launch_url: "@JELLYFIN_DOMAIN@"

modules/server/containers/data/authentik/ldap.yaml

@@ -44,18 +44,19 @@ entries:
       attributes:
         ak_recovery_immutable: true
 
-  - model: authentik_core.group
+  - model: authentik_core.role
     state: present
     identifiers:
-      name: "LDAP Bind Service Account Group"
+      name: "LDAP Search Role"
     attrs:
       users:
         - !Find [authentik_core.user, [username, ldap-service]]
 
-  - model: authentik_policies.policybinding
+  - model: authentik_core.objectpermission
     state: present
     identifiers:
-      target:
+      permission: !KeyOf authentik_core.permission:codename=search_full_directory,content_type__app_label=authentik_providers_ldap
+      role: !Find [authentik_core.role, [name, LDAP Search Role]]
+    attrs:
+      object_pk:
         !Find [authentik_providers_ldap.ldapprovider, [name, ldap-provider]]
-      permission: "authentik_providers_ldap.search_full_directory"
-      user: !Find [authentik_core.user, [username, ldap-service]]

modules/server/containers/data/authentik/nextcloud.yaml

@@ -2,7 +2,6 @@ version: 1
 metadata:
   name: nextcloud-saml-setup
 entries:
-  # 1. Create the SAML Provider
   - model: authentik_providers_saml.samlprovider
     identifiers:
       name: Nextcloud SAML
@@ -15,12 +14,10 @@ entries:
       invalidation_flow:
         !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
 
-      # Adjust these URLs to match your Nextcloud domain
       acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
       audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
       issuer: https://@AUTHENTIK_DOMAIN@
       sp_binding: post
-      # Map the attributes for Name, Email, and Groups
       property_mappings:
         - !Find [
             authentik_core.propertymapping,
@@ -43,32 +40,6 @@ entries:
             [name, "authentik default SAML Mapping: User ID"],
           ]
 
-        # - !Find [
-        #     authentik_providers_saml.samlpropertymapping,
-        #     [managed, "goauthentik.io/providers/saml/ms-name"],
-        #   ]
-        # - !Find [
-        #     authentik_providers_saml.samlpropertymapping,
-        #     [managed, "goauthentik.io/providers/saml/ms-email"],
-        #   ]
-        # - !Find [
-        #     authentik_providers_saml.samlpropertymapping,
-        #     [managed, "goauthentik.io/providers/saml/ms-groups"],
-        #   ]
-
-        # - !Find [
-        #     authentik_core.propertymapping,
-        #     [managed, goauthentik.io/providers/saml/ms-name],
-        #   ]
-        # - !Find [
-        #     authentik_core.propertymapping,
-        #     [managed, goauthentik.io/providers/saml/ms-email],
-        #   ]
-        # - !Find [
-        #     authentik_core.propertymapping,
-        #     [managed, goauthentik.io/providers/saml/ms-groups],
-        #   ]
-      # Select your signing certificate (default is usually self-signed)
       signing_kp:
         !Find [
           authentik_crypto.certificatekeypair,
@@ -77,7 +48,6 @@ entries:
       sign_assertion: true
       sign_response: false
 
-  # 2. Create the Application
   - model: authentik_core.application
     identifiers:
       slug: nextcloud