Then you add authentik which does SSO for many app like nextcloud, immich, linkwarden etc. For apps that don’t integrate, you can still use his with reverse proxy authentication (sonarr).
Naturally this is more complex to setup but nothing beats the versatility.
I can choose extra protection for things like vaultwarden (need to connect via wiregaurd). Make things external for other users to access easily (immich, jellyfin, etc). Everything is based on users that are made in authenticatik and they all have the same password with single sign on.
You would approach this is pieces. get the domain and reverse proxy working first. Then authentik. this is only realistic with docker compose.
authentik is an identity server. theres a couple free ones available, this one just worked for me. it provides oauth and ldap fallback for the jellyfin server. along with login for most of the other servers i host like nextcloud/calibre-web/lychee etc. it has a nice easy log in process along with a ‘homepage’ kinda thing for everything my users can access with their account. makes it easier to support the non technical friends and family.
Its a pre-authentication gateway and SSO provider for OAuth/SAML. So if you dont trust a random docker container to be secure it requires you to authenticate and then it automatically passes a token to the app for SSO if it supports OAuth/SAML.
What is authentik and could I use it on podman with compose?
The best and most versatile system is having domains and a reverse proxy that has internal and external domains. Ie jelly.example.com and Vaultwarden.internal.example.com
Then you add authentik which does SSO for many app like nextcloud, immich, linkwarden etc. For apps that don’t integrate, you can still use his with reverse proxy authentication (sonarr).
Naturally this is more complex to setup but nothing beats the versatility.
I can choose extra protection for things like vaultwarden (need to connect via wiregaurd). Make things external for other users to access easily (immich, jellyfin, etc). Everything is based on users that are made in authenticatik and they all have the same password with single sign on.
You would approach this is pieces. get the domain and reverse proxy working first. Then authentik. this is only realistic with docker compose.
authentik is an identity server. theres a couple free ones available, this one just worked for me. it provides oauth and ldap fallback for the jellyfin server. along with login for most of the other servers i host like nextcloud/calibre-web/lychee etc. it has a nice easy log in process along with a ‘homepage’ kinda thing for everything my users can access with their account. makes it easier to support the non technical friends and family.
Its a pre-authentication gateway and SSO provider for OAuth/SAML. So if you dont trust a random docker container to be secure it requires you to authenticate and then it automatically passes a token to the app for SSO if it supports OAuth/SAML.