- 4 Posts
- 32 Comments
1·8 months agoThey don’t really do the same thing. I use both. Authentik provides 1 password/account for all my self hosted apps. Along with other people that use my services. I create one account on authentik and suddenly they can access everything.
I then save that password in vaultwarden.
For what it’s worth I don’t use SSO for my vault warden master password, that is a separate password not saved anywhere
Do you want to create your own certs? You can use let’s encrypt certs on internal only local subdomains using DNS challenge.
I do this with traefik and authentik and use SSO for both internal and external domains.
I can’t imagine why it wouldn’t. The configuration just needs a URL, what domain they are actually on should be irrelevant.
Highly recommend Authentik for SSO.
I run it on it’s own sub domain and all my other apps on their own sub domains.
It has pretty much every login protocol you could want (oauth, saml, ldap) etc.
Currently using it for jellyfin, immich, linkwarden, freshrss, and seafile.
The above YouTube video shows that you can get authentik to send a 2fa push authentication that requires the phone to hit a button in order to complete the authentication flow.
Because authentik uses flows, you can insert the 2FA part into any login flow (proxy, oauth, ldap etc)
This, I used to have a kubernetes setup but how much redudency can you really have at home. Do you have a generator? Multiple Internet lines?
The fact is most hardware is highly reliable. Having good backups to restore from is all you need and you gain a huge improvement in simplicity which adds reliability in and of itself.
For your last point, portainer fixes that. I use portainer to pull compose files from my gitea instance. There is an option to auto update on git comit but I prefer to press the button to update.
I write the compose files in vscode and push them to my repo.
I have a setup similar to what you want.
My nas is a low powered atom board that runs unraid.
My dockets run on a ryzen CPU with proxmox. I don’t have a cluster, just 1.
In proxmox I run a VM that runs a all my dockets.
I use portainer to run all my services as stacks. So the arr stack has all the arrs together in a docker compose file. The docker compose files are stored in gitea (one of the few things I still run on unraid) and Everytime I make a change to the git, I press one button on portainer and it pulls down the latest docker compose.
For storage, on proxmox I use zfs with ssds only. The only thing that needs HDDs is the media on my unraid.
When a docker needs to access the media it uses an NFS mount to the unraid server.
Everything else is on my zfs array on proxmox. I have auto zfs snapshots every hour. Borg backup also takes hourly incremental backups of the zfs array and sends it to the unraid server locally and borg base for off-site backup.
The whole setup works very well and it very stable.
The flexibility of using proxmox means that things that work better in a VM (HaOS) I can install as a VM. Everything else is docker.
Free for self hosted which is probably what matters to most here
If you have to add a whole other app the match what authentik can do, is authelia really lighter weight?
Im joking because authentik does takes a decent chunk of ram but having all protocols together is nice. You can actually make ldap authentication 2FA if you want.
The general principle is called single sign on (sso).
The idea is that instead of each all keeping track of users itself, there is another app (sometimes called an identity provider) that does this. Then when you try to log into an app, it takes to the to login of your identity provider instead. When the IP says you are the correct user, it sends a token to the app saying to let you access your account.
The huge benefits are if you are already logged into the IP on a browser for example, the other apps will login automatically without having to put in your password again.
Also for me the biggest benefit is not having to manage passwords for a large number of apps so family that uses my server have 1 account which gives them access to jellyfin, seafile, immich, freshrss etc. If they change that password it changes it for everything. You can enforce minimum password requirements. You can also add 2FA to any app now immediately.
I use Authentik as my identity provider: https://goauthentik.io/https://goauthentik.io/
There’s good guides to settings it up with traefik so that you get let encrypt certificates and can use traefik for proxy authentication on web based apps like sonarr. There are many different authentication methods an app can choose to use and Authentik essentially supports everything.
SSO should really be the standard for self hosted apps because this way they don’t have to worry about ensuring they have the latest security for user management etc. The app just allows a dedicated identity provider to worry about user management security so the app devs can focus on just the app.
Thank you for including oAuth options for sign on. Makes a big difference being able to use the same account for all the things like freshRSS, seafile, immich etc.
1·8 months agoI also use glutun, works really well. Lots of VPNs are supported. Easy to add any docker container you want to it.
The new oAuth feature is also great and integrates well with my other services for family (immich, seafile, etc)
That’s pretty much exactly what this device is supposed to do. But just to be clear, any computer with a NIC (ethernet port) can be a router.
Do make a useful router for your home, you need a Intel or AMD CPU (x86) and 2 NICs.
This device is specifically designed for someone who wants to setup 10gbe networking.
You also need software.
OPNsense is a great example of software like this. Many home labbers use something like OPNsense installed on a device such as this for their router.
I have my obsidian in a seafile folder and the constant syncing doesn’t cause any issues. Sounds like a proton drive issue
Also if you are into self hosting, obsidian-live sync works very well across all my windows, Linux and android clients.
I’ve been running nextcloud since before it was nextcloud. Was owncloud then moved to next cloud.
Another user put it best. It always feels 75% complete. Sync isn’t fast, gives errors that self correct when restarting the all. Most plugins are even more janky or feel super barren.
I wanted to like it so much but I stopped being able to trust most plugins which meant I had dedicated apps for those things and used nextcloud only for file sync.
If you only want file sync then seafile is vastly superior so that’s what I now have.
You are completely correct…for normal certs. Internal domains require a wild card cert with DNS challenge.
This video explains how to set it up with traefik
I’d bet caddy can do something similar.
Basically you have:
- Seafile.domain.com -> has it’s own cert
- *.local.domain.com -> has its own cert but the * can be anything and the same cert can be used for anything in place of the star as many times as you want and therefore doesn’t need to be internet accessible to verify. That way vaultwarden.local.domain.com remains local only.
Yes, when you look into a new self hosted app, you have to check if they offer some kind of SSO option. Authentik can pretty much do every protocol there is. Each all will have different instructions on how to set it up.