A place to share, discuss, discover, assist with, gain assistance for, and critique self-hosted alternatives to our favorite web apps, web services, and online tools.
Is Authentik too much for a HomeLab?
I've got 2 hosts. A slightly more powerful sff tower running my media stuff and arr services. VPN gateway that the arr's route through etc. I have a raspberry pi that's running my Adblocker, reverse proxy, Wireguard some stuff for a small business I run... So a website platform and invoice/time logging system.
Anyway these various services are mostly secured by password. Only the website is accessible externally. Any other service is only accessible internally or via Wireguard VPN.
Just at that stage asking myself "where do I draw the line?"
Would be nice to centrally manage logins but I suspect the mismash of services I run wont all support SSO.
I think In today it must be near 25-30 services / containers.
Authentik looks good. But wondering whether it's just going to be something I only use a fraction of and "a bit overkill" for my needs?
You're right probably not everything will support SSO but you'll be surprised with how many actually do in some capacity.
Nextcloud, Mealie, Portainer, Proxmox, Jellyfin and by extension jellyseerr Are just some of the things I run that support it. And your *arrs could support it in some capacity by putting the proxy Auth in front and removing the password from the application.
I went for it because the applications other people use that I'd like to manage have the support for it.
Sure in my and most people's homelab it's overkill, but it's fun!
How does sso work with the jellyfin clients like the android and roku clients?
The whole point of a homelab is traditionally overkill, so I don’t think there is such a line :)
Too much for a home lab?
Is this a challenge? People here have better equipment at home than my isp does. Don’t challenge this sub lol
As you said: Not all of your containers will support SSO. Therefore, having Authentik in front does not bring that many benefits. You would still have to login to the proxy service regularly as of now. If the service supports basic auth though, you can passthrough those creds directly via Authentik.
Nonetheless, the service would sit behind Authentik. So it could be seen as an additional authentication wall or security measure to restrict unauthorized access. As everything runs on local lan or behind VPN, it's questionable whether Authentik is beneficial in your case.
For proxied services that support SSO, Authentik is great. The learning curve is a bit steep, due to custom namings like flows, binds etc. but once you get it, it's quite easy. If you want a more lightweight alternative, may have a look into Authelia.
I personally do not implement such auth providers due to the missing SSO support of many apps. I use a password manager nonetheless, so logging in is not really a hassle. I do use Authelia though in front of services that do not support any auth at all.
I use authelia and lldap.
Tried Authentik, it used too much memory.
I just setup Authentik and it's definitely the most confusing self-hosted thing I've setup thus far. But eventually with YouTube tutorials and a lot of Googling, I got the gist of it.
But as others have pointed out, you can only really use it with some services. I use it with the *arrs and with Homepage.
I mostly wanted to try it because Homepage doesn't support any authentication at all. So it was this or basic auth via NPM.
Authentik rules, highly recommend. Its a nice to have for a homelab, but definitely not required (it does take a lot of configuration to get correct).
Comment deleted by user
I use Authentik exclusively for Immich and I have no regrets. The application is wonderful and I can use for other things if needed.
Immich is the only service that I host and expose that contains important data, so having the SSO (which I also have 2FA) already adds a lot of comfort to my mind.
edit: after reading some comments I believe my experience was a little bit different than from most of the people.
I'm using docker to host it in my local server and I expose it through Headscale + Tailscale + Nginx (exposed as well).
I agree that it could be overkill depending on your use cases but, as someone that isn't that experienced, I didn't have any problems with setting it up.
Creating the app for Immich was also simple for me and I just followed the docs briefly.
Of course, as I'm mentioning since the start, I'm using a single application which supports SSO by default, so I understand a lot of people having problems with it.