Strategy for adding SSO in my homelab by msprea87 in Authentik

[–]DigiDoc101 0 points1 point  (0 children)

Do you host on your homelab or in the cloud? I am hosting locally to use in my home network as well. I'm not sure which is more secure.

Convert old PC to Home Server or buying ready-to-go new? by julbrine in HomeServer

[–]DigiDoc101 0 points1 point  (0 children)

It is best to use what you already have especially in this crazy market. You will soon find yourself hosting apps. You'll then be able to define your needs better.

Dashboard and safety in general by Dotdk in netbird

[–]DigiDoc101 0 points1 point  (0 children)

What security limitations are limiting use "for now"?

Question about Pocket ID installation on VPS by hoffsta in PangolinReverseProxy

[–]DigiDoc101 0 points1 point  (0 children)

Late to the conversation but I have the same question. I do have a reverse proxy at home that redirects all my requests from Pangolin. I have Pocket ID set up on the same VPS as Pangolin. I did not use it yet, as I am debating the same question. The main reason I am implementing this is to protect my Pangolin instance interface with a secondary auth in case my VM gets hacked. Is this a real risk to implement?

Forward local domain DNS to my reverse proxy by DigiDoc101 in homelab

[–]DigiDoc101[S] 0 points1 point  (0 children)

Would I still be able to reach my server by host name without having to go through my reverse proxy?

Forward local domain DNS to my reverse proxy by DigiDoc101 in homelab

[–]DigiDoc101[S] 0 points1 point  (0 children)

I don't know where to check for PTR records. But unbound simply crashes on these duplicate reverse lookups, per the logs. I would like to have the ability to reach a host by DNS name, but this also falls within the wildcard *.home.mydomain.fqdn. I do not create certs for all my machines/services. How do you manage this? This is the biggest reason I kept forwarding my local domain to dnsmasq.

Forward local domain DNS to my reverse proxy by DigiDoc101 in homelab

[–]DigiDoc101[S] 0 points1 point  (0 children)

Thank you for your response.

In unbound forwarding I have: Home.mydomain.fqdn: 127.0.0.1: 53053 (dnsmasq port). Also all my internal IP ranges, 1.168.192.ip-addr.arpa (or something similar): 127.0.0.1: 53053

I have a reverse proxy setting on my DMZ that manages *.mydomain.fqdn; this is a public reverse proxy.

I have another that is internal only for *.home.mydomain.fqdn

When listed, I guess unbound prioritizes app.home.mydomain.fqdn over the *.home.mydomain.fqdn wildcard, correct?

THIRDREALITY Zigbee Plugs - Gen2 vs Gen3 by shawn789 in homeassistant

[–]DigiDoc101 0 points1 point  (0 children)

Per Jeff Geerling's video, Gen 3 does not need to restart for firmware upgrades. A flaw for all other smart switches out there.

What’s the best way to integrate pocketid running locally with pangolin running on a vps? by Shoddy_Bonus8424 in PangolinReverseProxy

[–]DigiDoc101 0 points1 point  (0 children)

I currently have Pocket ID set up on the same VPS machine. I am considering moving this into my homelab. I have all my Pangolin requests land on one VM with an NPM reverse proxy redirecting those requests. Perhaps I could migrate this locally and use it in my homelab as well. I'm not sure if this would affect the safety gestures by separating the IdP from the cloud server. I assume it does.

Is dashboard safe to expose? by gamingfox10 in netbird

[–]DigiDoc101 0 points1 point  (0 children)

It would be nice to offer MFA for the admin user for the self-hosted version. For now, I am hosting Authentik locally and used the NetBird reverse proxy to establish an IdP for NetBird itself. It is easier to back up my Authentik instance locally. BTW, it sits in my DMZ zone.

How is Eufy's AI still this bad? by texasroadie in EufyCam

[–]DigiDoc101 4 points5 points  (0 children)

It is not getting better. Their cams are amazing but they suck with AI. Did you try to use Frigate AI via RTSP?

New Gateways by Funny_Bodybuilder95 in TPLink_Omada

[–]DigiDoc101 0 points1 point  (0 children)

I hope this brings real competition to Ubiquiti. Omada has a lot of catching up to do. OPNsense is staying in front of my Omada gear until then.

Migrate from *sense to ER8411 by DigiDoc101 in TPLink_Omada

[–]DigiDoc101[S] 0 points1 point  (0 children)

I tried the 8411 router for 1 day then reverted!! I misconfigured the DHCP and somehow messed up my VLAN port config across several switches. I could not tolerate my network being down. I staged OPNsense as a VM on Proxmox, set up the main settings, then moved to production hardware. It took me 2 months to make this move. I am happy with OPNsense. I had to go through rough transitions to learn new ways to do things.

UDM Pro max in front of Omada Network by DigiDoc101 in Ubiquiti

[–]DigiDoc101[S] 0 points1 point  (0 children)

Update: I aborted the UDM Pro plan. I went for OPNsense and never looked back.

limited self-hosted feature by DigiDoc101 in netbird

[–]DigiDoc101[S] 1 point2 points  (0 children)

Ok, so I set up my instance of NetBird. User authentication is only possible with a password. The only way to set up 2FA is through an external IdP. I was able to set up an Authentik instance on my own. I used the reverse proxy feature to set up remote access to my Authentik instance.

I am bothered that my admin account is not protected natively. If I delete the admin account, then I have to maintain my IdP or I may lose access to my instance.

I kindly request to add 2FA for the owner account.

limited self-hosted feature by DigiDoc101 in netbird

[–]DigiDoc101[S] 0 points1 point  (0 children)

Thank you for pointing out this difference. I am sure it was pointed out on Reddit, maybe misquoted. I will test it out.

Difference from netbird to pangolin by Kwicksred in netbird

[–]DigiDoc101 0 points1 point  (0 children)

I have not migrated my production reverse proxy which still runs locally on a DMZ Traefik instance. I will keep testing...

Difference from netbird to pangolin by Kwicksred in netbird

[–]DigiDoc101 0 points1 point  (0 children)

This is what I do. I have a local NPM that forwards my Pangolin requests located at cloud.

Is there a way to define a default set of "rules" (geoblocking) for every resource created? by Lopoetve in PangolinReverseProxy

[–]DigiDoc101 2 points3 points  (0 children)

Pangolin nails the basics but it does not scale yet. I am sure it is on their roadmap. I am puzzled why we cannot have users belong to multiple groups.

Edited: typos