Add LDAP authentication configuration to Tube Archivist service

2026-05-08 22:33:22 -04:00
parent 8f1738e80a
commit 4adaf100a2
2 changed files with 45 additions and 0 deletions
--- a/komodo/media-server/tubearchivist/.env.sample
+++ b/komodo/media-server/tubearchivist/.env.sample
@@ -23,3 +23,34 @@ TA_YOUTUBE_PATH=/mnt/media/youtube

 # Elasticsearch heap sizing; Tube Archivist recommends 1g for the default stack
 ES_JAVA_OPTS=-Xms1g -Xmx1g
+
+# LDAP authentication
+# Modes: single | local | ldap | forwardauth | ldap_local
+# ldap_local lets LDAP users sign in but keeps the local TA_USERNAME admin so
+# you can promote LDAP users to staff/superuser. Switch to `ldap` once ready.
+TA_LOGIN_AUTH_MODE=ldap_local
+
+# Authentik LDAP outpost (komodo/auth/Authentik). Replace host with the
+# Authentik LDAP outpost address reachable from the tubearchivist container
+# (e.g. the Docker host's LAN IP or hostname). Use ldaps://...:6636 for TLS.
+TA_LDAP_SERVER_URI=ldap://authentik-ldap.lan:3389
+# Set to any non-empty value to skip certificate verification on LDAPS
+TA_LDAP_DISABLE_CERT_CHECK=
+
+# Service account configured in Authentik for the LDAP outpost search bind
+TA_LDAP_BIND_DN=cn=ldap-bind,ou=users,dc=ldap,dc=goauthentik,dc=io
+TA_LDAP_BIND_PASSWORD=your_secure_ldap_bind_password
+
+# Search base and filter for users in the directory
+TA_LDAP_USER_BASE=ou=users,dc=ldap,dc=goauthentik,dc=io
+TA_LDAP_USER_FILTER=(objectClass=user)
+
+# LDAP attribute mapping (Authentik LDAP outpost defaults to cn for username)
+TA_LDAP_USER_ATTR_MAP_USERNAME=cn
+TA_LDAP_USER_ATTR_MAP_PERSONALNAME=givenName
+TA_LDAP_USER_ATTR_MAP_SURNAME=sn
+TA_LDAP_USER_ATTR_MAP_EMAIL=mail
+
+# Comma-separated lists of LDAP usernames auto-promoted on first login
+TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER=
+TA_LDAP_PROMOTE_USERNAMES_TO_STAFF=
--- a/komodo/media-server/tubearchivist/compose.yaml
+++ b/komodo/media-server/tubearchivist/compose.yaml
@@ -17,6 +17,20 @@ services:
      - TA_PASSWORD=${TA_PASSWORD}
      - ELASTIC_PASSWORD=${ELASTIC_PASSWORD}
      - TZ=${TZ:-UTC}
+      # LDAP authentication (Authentik LDAP outpost by default)
+      - TA_LOGIN_AUTH_MODE=${TA_LOGIN_AUTH_MODE:-ldap_local}
+      - TA_LDAP_SERVER_URI=${TA_LDAP_SERVER_URI}
+      - TA_LDAP_DISABLE_CERT_CHECK=${TA_LDAP_DISABLE_CERT_CHECK}
+      - TA_LDAP_BIND_DN=${TA_LDAP_BIND_DN}
+      - TA_LDAP_BIND_PASSWORD=${TA_LDAP_BIND_PASSWORD}
+      - TA_LDAP_USER_BASE=${TA_LDAP_USER_BASE}
+      - TA_LDAP_USER_FILTER=${TA_LDAP_USER_FILTER:-(objectClass=user)}
+      - TA_LDAP_USER_ATTR_MAP_USERNAME=${TA_LDAP_USER_ATTR_MAP_USERNAME:-cn}
+      - TA_LDAP_USER_ATTR_MAP_PERSONALNAME=${TA_LDAP_USER_ATTR_MAP_PERSONALNAME:-givenName}
+      - TA_LDAP_USER_ATTR_MAP_SURNAME=${TA_LDAP_USER_ATTR_MAP_SURNAME:-sn}
+      - TA_LDAP_USER_ATTR_MAP_EMAIL=${TA_LDAP_USER_ATTR_MAP_EMAIL:-mail}
+      - TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER=${TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER}
+      - TA_LDAP_PROMOTE_USERNAMES_TO_STAFF=${TA_LDAP_PROMOTE_USERNAMES_TO_STAFF}
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/api/health/"]