Add LDAP authentication configuration to Tube Archivist service

komodo/media-server/tubearchivist/.env.sample

@@ -23,3 +23,34 @@ TA_YOUTUBE_PATH=/mnt/media/youtube
 
 # Elasticsearch heap sizing; Tube Archivist recommends 1g for the default stack
 ES_JAVA_OPTS=-Xms1g -Xmx1g
+
+# LDAP authentication
+# Modes: single | local | ldap | forwardauth | ldap_local
+# ldap_local lets LDAP users sign in but keeps the local TA_USERNAME admin so
+# you can promote LDAP users to staff/superuser. Switch to `ldap` once ready.
+TA_LOGIN_AUTH_MODE=ldap_local
+
+# Authentik LDAP outpost (komodo/auth/Authentik). Replace host with the
+# Authentik LDAP outpost address reachable from the tubearchivist container
+# (e.g. the Docker host's LAN IP or hostname). Use ldaps://...:6636 for TLS.
+TA_LDAP_SERVER_URI=ldap://authentik-ldap.lan:3389
+# Set to any non-empty value to skip certificate verification on LDAPS
+TA_LDAP_DISABLE_CERT_CHECK=
+
+# Service account configured in Authentik for the LDAP outpost search bind
+TA_LDAP_BIND_DN=cn=ldap-bind,ou=users,dc=ldap,dc=goauthentik,dc=io
+TA_LDAP_BIND_PASSWORD=your_secure_ldap_bind_password
+
+# Search base and filter for users in the directory
+TA_LDAP_USER_BASE=ou=users,dc=ldap,dc=goauthentik,dc=io
+TA_LDAP_USER_FILTER=(objectClass=user)
+
+# LDAP attribute mapping (Authentik LDAP outpost defaults to cn for username)
+TA_LDAP_USER_ATTR_MAP_USERNAME=cn
+TA_LDAP_USER_ATTR_MAP_PERSONALNAME=givenName
+TA_LDAP_USER_ATTR_MAP_SURNAME=sn
+TA_LDAP_USER_ATTR_MAP_EMAIL=mail
+
+# Comma-separated lists of LDAP usernames auto-promoted on first login
+TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER=
+TA_LDAP_PROMOTE_USERNAMES_TO_STAFF=