Everything changed - major rewrite

modules/services/mealie.nix

@@ -11,6 +11,7 @@
 #
 # Secrets consumed from sops:
 #   mealie/secret_key
+#   openldap/ro_password  (shared with openldap module — used as LDAP_QUERY_PASSWORD)
 
 let
   cfg     = config.homey.mealie;
@@ -41,7 +42,8 @@ in
     # -----------------------------------------------------------------------
     # Secrets
     # -----------------------------------------------------------------------
-    sops.secrets."mealie/secret_key" = { owner = "root"; };
+    sops.secrets."mealie/secret_key"    = { owner = "root"; };
+    sops.secrets."openldap/ro_password" = { owner = "root"; };
 
     # -----------------------------------------------------------------------
     # Container
@@ -55,12 +57,14 @@ in
         ALLOW_SIGNUP = "false";
         TZ           = homeyConfig.timezone;
 
-        # LDAP auth — users log in with their LDAP uid and password.
-        # Mealie binds directly as the user (no service account needed).
+        # LDAP auth — Mealie binds as the readonly service account to search,
+        # then re-binds as the user to verify the password.
+        # LDAP_QUERY_PASSWORD is injected via the secrets env file.
         LDAP_AUTH_ENABLED    = "true";
         LDAP_SERVER_URL      = "ldap://openldap:389";
         LDAP_ENABLE_STARTTLS = "false";
         LDAP_BASE_DN         = "ou=users,${ldapBaseDn}";
+        LDAP_QUERY_BIND      = "cn=readonly,${ldapBaseDn}";
         LDAP_BIND_TEMPLATE   = "uid={username},ou=users,${ldapBaseDn}";
         LDAP_ID_ATTRIBUTE    = "uid";
         LDAP_NAME_ATTRIBUTE  = "cn";
@@ -87,6 +91,7 @@ in
             install -m 600 /dev/null /run/mealie-secrets.env
             printf '%s\n' \
               "SECRET_KEY=$(cat ${config.sops.secrets."mealie/secret_key".path})" \
+              "LDAP_QUERY_PASSWORD=$(cat ${config.sops.secrets."openldap/ro_password".path})" \
               >> /run/mealie-secrets.env
           '')
         ];