From 2864a4185c32c431ef7b20a3e373bbeb0f33b106 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sun, 1 Sep 2024 12:39:14 -0500 Subject: [PATCH] r/jellyfin: Mount LDAP CA certificate in container In order to enable authentication using LDAP over TLS in Jellyfin, we need to expose the CA certificate that issues the LDAP server certificates to the container. --- roles/jellyfin/defaults/main.yml | 1 + roles/jellyfin/tasks/deploy.yml | 9 +++++++++ roles/jellyfin/templates/jellyfin.container.j2 | 3 +++ 3 files changed, 13 insertions(+) diff --git a/roles/jellyfin/defaults/main.yml b/roles/jellyfin/defaults/main.yml index 737e2ae..8a5cd77 100644 --- a/roles/jellyfin/defaults/main.yml +++ b/roles/jellyfin/defaults/main.yml @@ -6,6 +6,7 @@ jellyfin_media_dirs: - /srv/cifs/TV Shows jellyfin_server_name: jellyfin.pyrocufflink.blue jellyfin_server_url: https://{{ jellyfin_server_name }} +jellyfin_ldap_ca_cert: /etc/pki/ca-trust/source/anchors/dch-root-ca-r2.crt jellyfin_ssl_certificate: >- {{ apache_ssl_certificate }} diff --git a/roles/jellyfin/tasks/deploy.yml b/roles/jellyfin/tasks/deploy.yml index 45031a3..12dff67 100644 --- a/roles/jellyfin/tasks/deploy.yml +++ b/roles/jellyfin/tasks/deploy.yml @@ -62,6 +62,15 @@ - systemd - container +- name: ensure selinux allows containers to read certificate files + seboolean: + name: container_read_certs + persistent: true + state: true + when: jellyfin_ldap_ca_cert|d + tags: + - selinux + - name: flush handlers meta: flush_handlers diff --git a/roles/jellyfin/templates/jellyfin.container.j2 b/roles/jellyfin/templates/jellyfin.container.j2 index eadc90e..85b0aad 100644 --- a/roles/jellyfin/templates/jellyfin.container.j2 +++ b/roles/jellyfin/templates/jellyfin.container.j2 
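Review bot: The new `jellyfin_ldap_ca_cert` default in defaults/main.yml names a deployment-specific file under `/etc/pki/ca-trust/source/anchors/` without saying what the variable is for or that an empty value is how the feature is turned off (the `|d` guards in the other hunks depend on that). A comment above the line would make the contract explicit: `# PEM CA certificate that issued the LDAP server's TLS certificate; bind-mounted read-only at /config/ldap-ca.crt. Set to '' to disable.` Judging by its name the file is a root CA rather than the issuing CA, which is fine only if the LDAP servers send their full chain up to that anchor — worth confirming rather than assuming.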
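Review bot: The new `seboolean` task in deploy.yml enables `container_read_certs` host-wide and persistently, so every container on the host, not just Jellyfin, gains read access to `cert_t`-labelled files, and nothing turns the boolean back off if `jellyfin_ldap_ca_cert` is later set to empty, so the widened policy outlives the feature. Because a CA certificate is public data, a narrower option is to copy it into Jellyfin's own config directory (already container-accessible) and mount it from there, which needs no boolean at all. Separately, if the source file is absent on a host, podman (as far as I recall) creates a missing bind-mount source as a directory instead of failing, which would leave a stray directory under the ca-trust anchors; a `stat` plus `assert` before the container is restarted would catch that, as sketched below. The task is placed before `flush_handlers`, so the boolean is set before the container restarts, which is the right order.

```yaml
- name: check that the LDAP CA certificate exists
  stat:
    path: "{{ jellyfin_ldap_ca_cert }}"
  register: jellyfin_ldap_ca_cert_stat
  when: jellyfin_ldap_ca_cert|d

- name: fail if the LDAP CA certificate is not a regular file
  assert:
    that:
      - jellyfin_ldap_ca_cert_stat.stat.isreg|d(false)
    fail_msg: "{{ jellyfin_ldap_ca_cert }} does not exist or is not a regular file"
  when: jellyfin_ldap_ca_cert|d

# … unchanged: seboolean task, flush handlers …
```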
@@ -14,6 +14,9 @@ Volume=/var/cache/jellyfin:/cache:rw,z
 {% for path in jellyfin_media_dirs %}
 Volume={{ path }}:/media/{{ path | basename }}:ro
 {% endfor %}
+{% if jellyfin_ldap_ca_cert|d %}
+Volume={{ jellyfin_ldap_ca_cert }}:/config/ldap-ca.crt:ro
+{% endif %}
 Network=host
 NoNewPrivileges=yes
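Review bot: The single-file bind mount on the new `Volume=` line ties the container to the file's current inode, so if the CA is later rotated by writing a new `dch-root-ca-r2.crt` and renaming it into place, the running container keeps the old certificate until the service is restarted; a template comment would save the next person a debugging session: `{# single-file bind mount: a replace-by-rename on the host is not seen until the container restarts #}`. Mounting the file under `/config` only makes it visible — the LDAP plugin, or the container's OpenSSL/.NET trust store, still has to be pointed at `/config/ldap-ca.crt`, and nothing in this patch shows that wiring, so it is worth confirming it exists elsewhere in the role. Using `:ro` without `z`/`Z` is the correct choice here, since relabelling a file under the host's ca-trust anchors would be wrong.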