From 4adaf100a2e30a0863f3dfc65c7c2ae23646cf3a Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Fri, 8 May 2026 22:33:22 -0400
Subject: [PATCH] Add LDAP authentication configuration to Tube Archivist service
---
 komodo/media-server/tubearchivist/.env.sample | 31 +++++++++++++++++++
 .../media-server/tubearchivist/compose.yaml | 14 +++++++++
 2 files changed, 45 insertions(+)
diff --git a/komodo/media-server/tubearchivist/.env.sample b/komodo/media-server/tubearchivist/.env.sample
index 85af106..11f8b2a 100644
--- a/komodo/media-server/tubearchivist/.env.sample
+++ b/komodo/media-server/tubearchivist/.env.sample
@@ -23,3 +23,34 @@ TA_YOUTUBE_PATH=/mnt/media/youtube
 # Elasticsearch heap sizing; Tube Archivist recommends 1g for the default stack
 ES_JAVA_OPTS=-Xms1g -Xmx1g
+
+# LDAP authentication
+# Modes: single | local | ldap | forwardauth | ldap_local
+# ldap_local lets LDAP users sign in but keeps the local TA_USERNAME admin so
+# you can promote LDAP users to staff/superuser. Switch to `ldap` once ready.
+TA_LOGIN_AUTH_MODE=ldap_local
+
+# Authentik LDAP outpost (komodo/auth/Authentik). Replace host with the
+# Authentik LDAP outpost address reachable from the tubearchivist container
+# (e.g. the Docker host's LAN IP or hostname). Use ldaps://...:6636 for TLS.
+TA_LDAP_SERVER_URI=ldap://authentik-ldap.lan:3389
+# Set to any non-empty value to skip certificate verification on LDAPS
+TA_LDAP_DISABLE_CERT_CHECK=
+
+# Service account configured in Authentik for the LDAP outpost search bind
+TA_LDAP_BIND_DN=cn=ldap-bind,ou=users,dc=ldap,dc=goauthentik,dc=io
+TA_LDAP_BIND_PASSWORD=your_secure_ldap_bind_password
+
+# Search base and filter for users in the directory
+TA_LDAP_USER_BASE=ou=users,dc=ldap,dc=goauthentik,dc=io
+TA_LDAP_USER_FILTER=(objectClass=user)
+
+# LDAP attribute mapping (Authentik LDAP outpost defaults to cn for username)
+TA_LDAP_USER_ATTR_MAP_USERNAME=cn
+TA_LDAP_USER_ATTR_MAP_PERSONALNAME=givenName
+TA_LDAP_USER_ATTR_MAP_SURNAME=sn
+TA_LDAP_USER_ATTR_MAP_EMAIL=mail
+
+# Comma-separated lists of LDAP usernames auto-promoted on first login
+TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER=
+TA_LDAP_PROMOTE_USERNAMES_TO_STAFF=
diff --git a/komodo/media-server/tubearchivist/compose.yaml b/komodo/media-server/tubearchivist/compose.yaml
index 89dd925..5677bca 100644
--- a/komodo/media-server/tubearchivist/compose.yaml
+++ b/komodo/media-server/tubearchivist/compose.yaml
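Review bot: The sample ships TA_LDAP_SERVER_URI as plain `ldap://authentik-ldap.lan:3389`, so unless an operator edits the scheme, the search-bind password in TA_LDAP_BIND_PASSWORD and every user's login password are presumably sent to the outpost without transport encryption (a simple bind over ldap:// is cleartext unless STARTTLS is negotiated, and nothing in this file configures that); the TLS form is only mentioned as an aside in the comment. Consider making the encrypted endpoint the default and the plaintext one the opt-in, e.g. `TA_LDAP_SERVER_URI=ldaps://authentik-ldap.lan:6636`, with the comment noting that `ldap://...:3389` is only for a network where the outpost is reachable over a trusted link. Since any non-empty TA_LDAP_DISABLE_CERT_CHECK turns off certificate verification (as the file's own comment says), it would also help to state next to it that it should stay empty outside a lab, because leaving it set silently removes the protection that the ldaps:// default is meant to provide.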
@@ -17,6 +17,20 @@ services:
 - TA_PASSWORD=${TA_PASSWORD}
 - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
 - TZ=${TZ:-UTC}
+ # LDAP authentication (Authentik LDAP outpost by default)
+ - TA_LOGIN_AUTH_MODE=${TA_LOGIN_AUTH_MODE:-ldap_local}
+ - TA_LDAP_SERVER_URI=${TA_LDAP_SERVER_URI}
+ - TA_LDAP_DISABLE_CERT_CHECK=${TA_LDAP_DISABLE_CERT_CHECK}
+ - TA_LDAP_BIND_DN=${TA_LDAP_BIND_DN}
+ - TA_LDAP_BIND_PASSWORD=${TA_LDAP_BIND_PASSWORD}
+ - TA_LDAP_USER_BASE=${TA_LDAP_USER_BASE}
+ - TA_LDAP_USER_FILTER=${TA_LDAP_USER_FILTER:-(objectClass=user)}
+ - TA_LDAP_USER_ATTR_MAP_USERNAME=${TA_LDAP_USER_ATTR_MAP_USERNAME:-cn}
+ - TA_LDAP_USER_ATTR_MAP_PERSONALNAME=${TA_LDAP_USER_ATTR_MAP_PERSONALNAME:-givenName}
+ - TA_LDAP_USER_ATTR_MAP_SURNAME=${TA_LDAP_USER_ATTR_MAP_SURNAME:-sn}
+ - TA_LDAP_USER_ATTR_MAP_EMAIL=${TA_LDAP_USER_ATTR_MAP_EMAIL:-mail}
+ - TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER=${TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER}
+ - TA_LDAP_PROMOTE_USERNAMES_TO_STAFF=${TA_LDAP_PROMOTE_USERNAMES_TO_STAFF}
 restart: unless-stopped
 healthcheck:
 test: ["CMD", "curl", "-f", "http://localhost:8000/api/health/"]
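Review bot: TA_LDAP_SERVER_URI, TA_LDAP_BIND_DN and TA_LDAP_BIND_PASSWORD are passed through as bare `${VAR}`, so an existing .env that predates this change (or a misspelled variable name) expands them to empty strings while TA_LOGIN_AUTH_MODE still defaults to ldap_local, and the container comes up in LDAP mode with an empty server URI and an empty bind password instead of refusing to start; the first sign of the misconfiguration would be failed logins. Compose's required-variable form makes `up` fail early with a clear message: `- TA_LDAP_SERVER_URI=${TA_LDAP_SERVER_URI:?set TA_LDAP_SERVER_URI in .env}`, and the same `:?` guard for TA_LDAP_BIND_DN and TA_LDAP_BIND_PASSWORD. Alternatively, the mode default could be kept conservative (no LDAP unless the LDAP variables are present), but the fail-fast guard is the smaller change. The environment list and the service definition begin above the hunk.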