Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
Caveat: this is not my area of expertise. However, I agree SSO is going to be the hardest part of this.
OP, you can use lldap to centralize authentication, so that each user had only one account and one password for all sites. It's trickier to get each of these platforms to work together with SSO. For that, you'll need something like Authentik (OSS SSO solution, like Okta) which you then back by lldap - Authentik handles the SSO and authorization part, and uses lldap for the authentication part. I suggest doing it in stages: install your servers, get them using lldap to log in, and then when it's all working insert Authentik into the mix. Doing something like this and learning all the technology at once is boiling the ocean.
I'm recommending lldap over OpenLDAP because I've used both extensively, and OpenLDAP is a nightmare whereas lldap isn't. lldap is trivial to install, and comes with a nice, simple user/group admin web interface, a sane default schema configuration, and is stupid easy to back up. Just getting OpenLDAP configured with the right schemas can take forever. If you'd said you already had a lot of experience with LDAP in general, then sure: OpenLDAP is capable and powerful. But it's harder.
My one caveat about lldap is that I'm not sure that it's possible to set up master/slave replication - or any sort of replication - which is probably not going to be an issue for your all-in-one set-up, but would limit scaling and failover if you ever get there.
I do rant a little about OpenLDAP because LDAP was in supposed to be lightweight OLAP, and yet is some of the most frustrating software I've ever had to deal with.
Again, I'm not a devops, or any sort of ops, guy, so my perspective is colored by the an attitude that ops is a necessary evil, and not something I love, so easier==better.
Alternatively, you can add an LDAP outpost/provider to Authentik. Now you don't need to manage any LDAP server at all, and use the Authentik directory to manage users and groups. wiki link
I haven't used Authentik myself at all; Okta at one place I worked, but that was managed by the ops team so I didn't have much to do with it.
Committing to LDAP is one thing; getting SSO is a whole other level of effort. Again, I have experience with LDAP so it seems manageable, and common enough to be worth setting up - does a large enough portion of OSS hosted software support SAML or OpenID or whatever to make setting up Authentik worth the effort?
I'll re-iterate, I do not enjoy ops. I do it only because it's slightly more important to me to have control over my data than it is to not have to admin stuff. I like lldap specifically because it's a single executable, one or two really basic config files (requiring a bare minimum of understanding LDAP to configure), and one SQLite DB file - backing it up is, like, 3 files. This has huge value to someone like me, far exceeding the capability limitations of lldap vs OpenLDAP. If Authentik is just as easy, with minimum external dependencies, then I'm interested. If I have to install, configure, and administer and maintain PostgreSQL, redis, and a half dozen other external dependencies... then my family can live without SSO :-)
Yea no I'd never recommend Authentik for its simplicity. In fact I'd say it's pretty complicated to set up and a lot harder to learn how to use.
It does indeed need an external database, and likes to run in a kubernetes cluster...
I mostly set it up to learn about SSO, but by now it's hooked into everything I could hook it up with.
Definitely not worth the effort in any normal homelab scenario, apart from needing some cool points
Thanks!