OpenHAB was OK the last time I used it. I’m not sure what other big options there are.

You can use docker exec with garage docker image.

I’m on mobile but I think you just need something like: docker exec containerid ./garage stats

Garage is the simplest of the three imo.

I’ve only used it in a cluster, but it should be even simpler for one instance

A subscription is required??

What you read online may have been referring to how cloudflare itself can always see the unencrypted traffic?

Cloudflare tunnels are encrypted, but inside of that encrypted tunnel could be a regular http stream.

Restic with rest-server is great.

Kopia is a little newer and has an actual web ui, so may be a good choice too.

I still use restic on all of my severs, but have started using Kopia for my non server machines.

Both support compression, encryption, and deduplication.

Thanks for the recommendation, I’ll take a look at some of his videos. I managed to get the un/pw on one page, but haven’t done much with webauthn/passwordless stuff yet so that might be useful too.

Thanks! I managed to get user/pass on the same page and it works great with the compatibility mode

That’s essentially what I am doing. Everything is on the LAN by default. I have two instances of Traefik. One that runs only on internal VPN ips, and another on remote servers using public ips. So I can choose which services are accessible over lan/vpn or public (routed through a vpn to lan).

That doesn’t solve the authentication problem if I want to expose something to the internet though, or even sso inside the lan.

You can change the logon flow to make the username and password on the same page There is a comparability button as well on the login flow that allows bitwarden and other to auto fill correctly.

Thanks for the tips, I found the compatibility button and will try it out. I’m not sure I see how to change the username/password to be on the same page though. Do you have to create a whole new login flow?

Do you have a link for padlock by any chance?

I’m not sure if this is it, but I found a password manager named padloc: https://github.com/padloc/padloc

Did you move to Keycloak, or something else?

Thanks for confirming, I just saw that as well.

I’m going to try some of the other solutions in this thread, but I might still come back to authelia and just ignore my requirement for having social login. I like the idea of sending someone a link and saying “Hey just log in with your google account” instead of having to create an actual user for them, but maybe I can use something else specifically for those cases.

cloudflare access + cloudflare tunnels is a cool solution, and was easy to set up in the past, but I’d rather stick to something completely self-hosted. I’d probably use it for something completely public, but not things that route into my homelab.

Once I’m authenticated, it’s actually pretty okay. It goes through the redirections fast enough that I wouldn’t notice usually. But the login pages would take several seconds to load for me, and navigating around the admin ui also seemed to take several seconds for each page change. So not extremely slow, but slow enough to notice and get annoyed by it. Admittedly I probably could increase the session duration or something to help with that too.

Canaille looks pretty interesting and simple too, thanks for the link!

Thanks, I’ll take a look! It might be helpful even if I use a different idp

Do you have any issues with Authentik being slow? It might be my environment since I haven’t done much troubleshooting yet.

As long as it’s a web app, it’s usually fine and can provide an extra layer of security. The app does need to have some support for sso if you want it to be seamless though, without logging in twice.

Most of my services are internal only, but sometimes I want to give access to someone on the internet without also giving them VPN access. If the app doesn’t support any kind of login, having an Auth proxy in front of it really helps for that use case.

Remembering lots of passwords isn’t a big deal if you have a password manager, but not having to log in to each app separately is nice. It’s also nice to be able to put Auth in front of things that don’t support it natively.

That doesn’t sound too bad, thanks for the instructions. I’ll probably give keycloak another try too.

Do you know what kind of cpu memory usage it has? I saw the newer versions are supposed to be lighter, but haven’t tested it yet.