r/jellyfin: Mount LDAP CA certificate in container

In order to enable authentication using LDAP over TLS in Jellyfin, we
need to expose the CA certificate that issues the LDAP server
certificates to the container.

roles/jellyfin/defaults/main.yml

@@ -6,6 +6,7 @@ jellyfin_media_dirs:
 - /srv/cifs/TV Shows
 jellyfin_server_name: jellyfin.pyrocufflink.blue
 jellyfin_server_url: https://{{ jellyfin_server_name }}
+jellyfin_ldap_ca_cert: /etc/pki/ca-trust/source/anchors/dch-root-ca-r2.crt
 
 jellyfin_ssl_certificate: >-
   {{ apache_ssl_certificate }}

roles/jellyfin/tasks/deploy.yml

@@ -62,6 +62,15 @@
   - systemd
   - container
 
+- name: ensure selinux allows containers to read certificate files
+  seboolean:
+    name: container_read_certs
+    persistent: true
+    state: true
+  when: jellyfin_ldap_ca_cert|d
+  tags:
+  - selinux
+
 - name: flush handlers
   meta: flush_handlers
 

roles/jellyfin/templates/jellyfin.container.j2

@@ -14,6 +14,9 @@ Volume=/var/cache/jellyfin:/cache:rw,z
 {% for path in jellyfin_media_dirs %}
 Volume={{ path }}:/media/{{ path | basename }}:ro
 {% endfor %}
+{% if jellyfin_ldap_ca_cert|d %}
+Volume={{ jellyfin_ldap_ca_cert }}:/config/ldap-ca.crt:ro
+{% endif %}
 Network=host
 NoNewPrivileges=yes