make jellyfin LDAP config declarative
This commit is contained in:
parent
b803d55766
commit
ee1ea1c838
2 changed files with 85 additions and 2 deletions
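--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -31,11 +31,11 @@ services. Also, the design will be extendable to allow users to add services not
 - [X] Backup support.
 - [X] Home Assistant.
 - [ ] Export metrics to Prometheus.
-- [X] LDAP auth through homeassistant_user LDAP group.
+- [X] LDAP auth through `homeassistant_user` LDAP group.
 - [ ] SSO auth.
 - [X] Backup support.
 - [X] Jellyfin
 - [ ] Export metrics to Prometheus.
-- [X] LDAP auth, unfortunately we need to configure this manually.
+- [X] LDAP auth through `jellyfin_user` and `jellyfin_admin` LDAP groups.
 - [ ] SSO auth.
 - [X] Backup support.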
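--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -4,6 +4,18 @@ let
 cfg = config.shb.jellyfin;
 
 fqdn = "${cfg.subdomain}.${cfg.domain}";
+
+template = file: newPath: replacements:
+let
+templatePath = newPath + ".template";
+
+sedPatterns = lib.strings.concatStringsSep " " (lib.attrsets.mapAttrsToList (from: to: "\"s|${from}|${to}|\"") replacements);
+in
+''
+ln -fs ${file} ${templatePath}
+rm ${newPath} || :
+sed ${sedPatterns} ${templatePath} > ${newPath}
+'';
 in
 {
 options.shb.jellyfin = {
@@ -20,6 +32,30 @@ in
 type = lib.types.str;
 example = "domain.com";
 };
+
+ldapHost = lib.mkOption {
+type = lib.types.str;
+description = "host serving the LDAP server";
+example = "127.0.0.1";
+};
+
+ldapPort = lib.mkOption {
+type = lib.types.int;
+description = "port where the LDAP server is listening";
+example = 389;
+};
+
+dcdomain = lib.mkOption {
+type = lib.types.str;
+description = "dc domain for ldap.";
+example = "dc=mydomain,dc=com";
+};
+
+sopsFile = lib.mkOption {
+type = lib.types.path;
+description = "Sops file location";
+example = "secrets/jellyfin.yaml";
+};
 };
 
 config = lib.mkIf cfg.enable {
@@ -147,6 +183,14 @@ in
 '';
 };
 
+sops.secrets."jellyfin/ldap_password" = {
+inherit (cfg) sopsFile;
+mode = "0440";
+owner = "jellyfin";
+group = "jellyfin";
+restartUnits = [ "jellyfin.service" ];
+};
+
 shb.backup.instances.jellyfin = {
 sourceDirectories = [
 "/var/lib/jellyfin"
@@ -162,6 +206,45 @@ in
 ];
 }];
 
+# LDAP config but you need to install the plugin by hand
+
+systemd.services.jellyfin.preStart =
+let
+ldapConfig = pkgs.writeText "LDAP-Auth.xml" ''
+<?xml version="1.0" encoding="utf-8"?>
+<PluginConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+<LdapServer>${cfg.ldapHost}</LdapServer>
+<LdapPort>${builtins.toString cfg.ldapPort}</LdapPort>
+<UseSsl>false</UseSsl>
+<UseStartTls>false</UseStartTls>
+<SkipSslVerify>false</SkipSslVerify>
+<LdapBindUser>uid=admin,ou=people,${cfg.dcdomain}</LdapBindUser>
+<LdapBindPassword>%LDAP_PASSWORD%</LdapBindPassword>
+<LdapBaseDn>ou=people,${cfg.dcdomain}</LdapBaseDn>
+<LdapSearchFilter>(memberof=cn=jellyfin_user,ou=groups,${cfg.dcdomain})</LdapSearchFilter>
+<LdapAdminBaseDn>ou=people,${cfg.dcdomain}</LdapAdminBaseDn>
+<LdapAdminFilter>(memberof=cn=jellyfin_admin,ou=groups,${cfg.dcdomain})</LdapAdminFilter>
+<EnableLdapAdminFilterMemberUid>false</EnableLdapAdminFilterMemberUid>
+<LdapSearchAttributes>uid, cn, mail, displayName</LdapSearchAttributes>
+<LdapClientCertPath />
+<LdapClientKeyPath />
+<LdapRootCaPath />
+<CreateUsersFromLdap>true</CreateUsersFromLdap>
+<AllowPassChange>false</AllowPassChange>
+<LdapUsernameAttribute>uid</LdapUsernameAttribute>
+<LdapPasswordAttribute>userPassword</LdapPasswordAttribute>
+<EnableAllFolders>true</EnableAllFolders>
+<EnabledFolders />
+<PasswordResetUrl />
+</PluginConfiguration>
+'';
+in
+template ldapConfig "/var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml" {
+"%LDAP_PASSWORD%" = "$(cat /run/secrets/jellyfin/ldap_password)";
+};
+
+# For backup
+
 systemd.services.jellyfin.serviceConfig = {
 # Setup permissions needed for backups, as the backup user is member of the jellyfin group.
 UMask = lib.mkForce "0027";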
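Review bot: The bind password read by `"%LDAP_PASSWORD%" = "$(cat /run/secrets/jellyfin/ldap_password)";` in the last hunk is spliced unescaped into the sed `s|…|…|` expression built by `template` (first hunk), so any `|`, `&`, `\` or `"` in the secret corrupts or silently alters the substitution, the value is not XML-escaped before landing in `LdapBindPassword`, and the cleartext secret is passed as a `sed` argument, which is typically readable by other local users in the process list while the pre-start runs. The rendered `LDAP-Auth.xml` is also written under `/var/lib/jellyfin`, which this module already lists in `shb.backup.instances.jellyfin.sourceDirectories`, so the plaintext bind password will be copied into every backup. The pre-start script should read the secret into a variable and perform the replacement with something that treats the replacement as data rather than as part of the expression (with XML escaping), instead of expanding it inside the sed pattern. Separately, `<UseSsl>false</UseSsl>` and `<UseStartTls>false</UseStartTls>` are hard-coded while `ldapHost` accepts any address, so the admin bind and every user login travel in cleartext whenever the server is not on loopback; either expose these as options or document the loopback assumption in `ldapHost`'s description. Binding as `uid=admin,ou=people,${cfg.dcdomain}` for user lookups is also more privilege than the search needs; a dedicated read-only bind DN option would be safer.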