From a14d2580bd3ced8e47bdd2ccaf3c2f24b2d84177 Mon Sep 17 00:00:00 2001
From: traveler
Date: Wed, 31 Dec 2025 09:23:40 -0600
Subject: [PATCH] asdf
---
 mealie.yaml | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/mealie.yaml b/mealie.yaml
index 5fd66b2..91954ce 100755
--- a/mealie.yaml
+++ b/mealie.yaml
@@ -11,25 +11,34 @@ services:
 PGID: "998"
 TZ: "America/Chicago"
- MAX_WORKERS: "1"
 WEB_CONCURRENCY: "1"
 BASE_URL: "https://recipe.netgrimoire.com"
+ # Disable local auth / signup (SSO-only)
+ ALLOW_PASSWORD_LOGIN: "false"
+ ALLOW_SIGNUP: "false"
+
+ # OIDC (authentik)
 OIDC_AUTH_ENABLED: "true"
 OIDC_PROVIDER_NAME: "authentik"
 OIDC_CONFIGURATION_URL: "https://auth.netgrimoire.com/application/o/mealie/.well-known/openid-configuration"
 OIDC_CLIENT_ID: "tidMeWe3Ak30zRzcmC5vwoCqAIHXQsaVwJEp44Mz"
- OIDC_CLIENT_SECRET: "OD0CLgELUEWGoZ8IUnduGbxhyhh4vgjMBxBAjyopNOkATWIEWSYeWRDdfY6ulX2Fj7zuUp9dpgzjoFatNviLD8E5Cv2815eDrZxH9gNb52Taur0LzqBPk25yLCvsnjXK"
- OIDC_SIGNUP_ENABLED: "true"
- OIDC_USER_GROUP: "mealie-users"
- OIDC_ADMIN_GROUP: "mealie-admins"
+ OIDC_CLIENT_SECRET: "REDACTED"
 OIDC_AUTO_REDIRECT: "true"
 OIDC_REMEMBER_ME: "true"
- ALLOW_PASSWORD_LOGIN: "false"
- ALLOW_SIGNUP: "false"
+
+ # User provisioning and claim mapping
+ OIDC_SIGNUP_ENABLED: "true"
 OIDC_USER_CLAIM: "sub"
 OIDC_NAME_CLAIM: "preferred_username"
+ OIDC_GROUPS_CLAIM: "groups"
+ OIDC_SCOPES_OVERRIDE: "openid profile email"
+
+ # Group-based role mapping
+ OIDC_USER_GROUP: "mealie-users"
+ OIDC_ADMIN_GROUP: "mealie-admins"
+
@@ -40,6 +49,9 @@ services:
 - netgrimoire
 deploy:
+ placement:
+ constraints:
+ - node.hostname == docker4
 labels:
 - homepage.group=PNCHarris Apps
 - homepage.name=Mealie
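Review bot: The previous `OIDC_CLIENT_SECRET` value stays readable in the repository history and in this patch's removed line, so overwriting it with `"REDACTED"` does not un-expose it; the client secret should be regenerated in the authentik provider for this application. The new line also hard-codes the literal `"REDACTED"`, and unless something substitutes it before deploy the OIDC login will presumably fail while `ALLOW_PASSWORD_LOGIN` is `"false"`, leaving no way to sign in. I would supply the value at deploy time instead, for example `OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"` or a Docker secret, with a comment such as `# supplied at deploy time; never commit the real value`. The environment mapping this hunk edits begins above the hunk, so how other values are sourced is not visible here.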