1 April 2026 · 6 min read
Running a homelab with 14 containers means 14 sets of credentials to manage, 14 places to forget to revoke access when someone leaves, 14 local accounts to keep in sync. SSO is not overkill — it is the only sane approach at this scale.
This post documents how I deployed Authentik Enterprise as the central identity provider for my Proxmox homelab and integrated it with Grafana and Forgejo via OAuth2/OIDC. I will cover the actual configuration files, the errors that blocked me, and an honest assessment of what the enterprise license actually adds.

Authelia does forward auth — it sits in front of your reverse proxy and checks whether a request is authenticated. That is useful but limited. Authentik is a full identity provider: OAuth2, OIDC, SAML, LDAP, SCIM, consent flows, role mapping, impersonation, and a visual flow editor for building custom authentication pipelines. The scope is different.
The enterprise license (which Authentik provided for this setup) adds persistent audit logging, advanced RBAC with multi-condition policies, and the can_impersonate flag — which lets you assume a user's identity to reproduce their exact access context and debug permission issues without asking for their password. In a homelab with multiple collaborators, that capability alone saves significant time. Beyond these, the enterprise tier also includes native Google Workspace and Microsoft Entra integrations, password history compliance checks, CSV user exports, and the ability to embed external OAuth/SAML sources. Full details are on the pricing page.
Authentik runs on CT 121 (IP) as a Docker Compose stack: server + worker + PostgreSQL 16 + Redis (note: as of authentik 2025.10, Redis has been fully removed as a dependency). Public domain: auth.homelabz.cc, behind Nginx with HTTPS. The host is a Ryzen 7 1800X with 48 GB ECC and ZFS mirror SSD — more than enough. Authentik is reasonably lightweight: the server process alone uses under 400 MB RAM at idle; the full stack with Redis (pre-2025.10) sits around 600–700 MB; since 2025.10, without Redis, the footprint is lower.
The enterprise license enables specific capability flags: can_save_media, can_asn, can_geo_ip, can_impersonate, is_enterprise. These appear in the Authentik admin under System → Licenses and can be verified via the API.
Grafana 12.4.1 on CT 103. The integration uses the generic_oauth provider with PKCE enabled — PKCE adds a code_verifier/code_challenge pair to the OAuth2 flow to prevent authorization code interception. Scopes: openid email profile.
[auth.generic_oauth]
enabled = true
name = Authentik
client_id = <CLIENT_ID>
client_secret = <CLIENT_SECRET>
scopes = openid email profile
auth_url = https://auth.homelabz.cc/application/o/authorize/
token_url = https://auth.homelabz.cc/application/o/token/
api_url = https://auth.homelabz.cc/application/o/userinfo/
use_pkce = true
role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || 'Viewer'
allow_sign_up = true
If root_url is not set in grafana.ini, Grafana constructs the redirect URI using localhost as the hostname. Authentik receives http://localhost:3000/login/generic_oauth instead of the registered URI, finds no match in the Application config, and returns a Redirect URI Error. Hard block, cryptic message, no hint in the logs about the actual cause.
[server]
root_url = https://grafana.homelabz.cc

The JMESPath role mapping works exactly as expected: contains(groups[*], 'Grafana Admins') && 'Admin' || 'Viewer' assigns Admin to members of the Grafana Admins group in Authentik, Viewer to everyone else. No per-user configuration — add someone to the group, they get the role. Remove them, they lose it.
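What use_pkce = true actually adds to the exchange, and what the role_attribute_path expression evaluates to, as an added example (not code from the post, Grafana or Authentik): the client half generates the verifier/challenge pair, the provider half recomputes the challenge when the code is redeemed, so a code intercepted on the redirect cannot be redeemed without the verifier held in the Grafana session. The claims fed to grafana_role are constructed samples.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies for PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Client side (what Grafana does with use_pkce = true): a random code_verifier
    kept in the login session, and its S256 code_challenge sent on /authorize/."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Provider side (Authentik at /application/o/token/): recompute the challenge
    from the verifier presented with the authorization code and compare it with
    the one bound to that code. A stolen code without the verifier fails here."""
    recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def grafana_role(claims: dict) -> str:
    """Plain-Python reading of the role_attribute_path expression
    contains(groups[*], 'Grafana Admins') && 'Admin' || 'Viewer'
    applied to the userinfo claims Authentik returns."""
    return "Admin" if "Grafana Admins" in claims.get("groups", []) else "Viewer"


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("code_challenge sent on /authorize/:", challenge)
    print("legitimate redemption:", verify_pkce(verifier, challenge))      # True
    print("code redeemed without the verifier:", verify_pkce("", challenge))  # False
    # Constructed sample claims, not real users
    print(grafana_role({"email": "alice@example.test", "groups": ["Grafana Admins"]}))  # Admin
    print(grafana_role({"email": "bob@example.test", "groups": ["developers"]}))        # Viewer
```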
Forgejo on CT 106 supports OpenID Connect with auto-discovery, which makes the configuration cleaner than Grafana. Point it at the Authentik discovery URL and the client fetches all endpoints automatically — token, userinfo, jwks.
forgejo admin auth add-oauth \
--name authentik \
--provider openidConnect \
--key <CLIENT_ID> \
--secret <CLIENT_SECRET> \
--auto-discover-url https://auth.homelabz.cc/application/o/forgejo/.well-known/openid-configuration \
--scopes "openid email profile" \
--auto-register \
--skip-local-two-fa

The --auto-register flag creates the Forgejo account automatically on first OIDC login. --skip-local-two-fa delegates 2FA entirely to Authentik — which handles it better, with TOTP and push notifications built in.
Forgejo still had the old container IP in ROOT_URL — a leftover from when the container ran on a different address. The result was identical to the Grafana issue: redirect to an unregistered URI, login blocked. Updating ROOT_URL fixed it. Rule of thumb: after any container migration, verify ROOT_URL before configuring SSO.
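A preflight for the two redirect URI failures described above (Grafana without root_url, Forgejo with a stale ROOT_URL), plus a cross-check of Grafana's hand-typed endpoints against the discovery document that Forgejo consumes automatically. This is an added example, not code from the post or either project: the discovery document is a constructed sample shaped like the one Authentik serves for a provider with the assumed slug "grafana", the localhost fallback follows the post, and Forgejo's callback path <ROOT_URL>/user/oauth2/<source name>/callback is the Gitea/Forgejo convention.

```python
import json
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample, shaped like the document Authentik serves at
# /application/o/<slug>/.well-known/openid-configuration (slug "grafana" assumed).
DISCOVERY_JSON = """{
  "issuer": "https://auth.homelabz.cc/application/o/grafana/",
  "authorization_endpoint": "https://auth.homelabz.cc/application/o/authorize/",
  "token_endpoint": "https://auth.homelabz.cc/application/o/token/",
  "userinfo_endpoint": "https://auth.homelabz.cc/application/o/userinfo/",
  "jwks_uri": "https://auth.homelabz.cc/application/o/grafana/jwks/",
  "code_challenge_methods_supported": ["plain", "S256"]
}"""

GRAFANA_DEFAULT_ROOT = "http://localhost:3000/"  # what Grafana uses when root_url is unset


def grafana_redirect_uri(root_url: Optional[str]) -> str:
    """Redirect URI Grafana sends for generic_oauth: <root_url>/login/generic_oauth."""
    return (root_url or GRAFANA_DEFAULT_ROOT).rstrip("/") + "/login/generic_oauth"


def forgejo_redirect_uri(root_url: str, source_name: str) -> str:
    """Forgejo OIDC callback: <ROOT_URL>/user/oauth2/<auth source name>/callback."""
    return root_url.rstrip("/") + f"/user/oauth2/{source_name}/callback"


def redirect_problems(redirect_uri: str, registered: List[str]) -> List[str]:
    """Explain a Redirect URI Error before the login attempt: the URI the client
    will send must exactly match one registered on the Authentik provider."""
    if redirect_uri in registered:
        return []
    sent = urlsplit(redirect_uri)
    problems = [f"{redirect_uri} is not registered on the provider"]
    if sent.hostname in ("localhost", "127.0.0.1"):
        problems.append("client fell back to localhost: set root_url / ROOT_URL")
    if any(urlsplit(r).path == sent.path for r in registered):
        problems.append("path matches a registered URI; scheme or host is stale")
    return problems


def check_manual_endpoints(grafana_ini: dict, discovery_json: str) -> List[str]:
    """Cross-check hand-typed Grafana endpoints against the discovery document
    (Forgejo fetches these automatically; Grafana's generic_oauth does not)."""
    disc = json.loads(discovery_json)
    pairs = {"auth_url": "authorization_endpoint", "token_url": "token_endpoint", "api_url": "userinfo_endpoint"}
    wrong = [key for key, field in pairs.items() if grafana_ini.get(key) != disc[field]]
    if grafana_ini.get("use_pkce") == "true" and "S256" not in disc.get("code_challenge_methods_supported", []):
        wrong.append("use_pkce")  # PKCE requested but the provider does not advertise S256
    return wrong
```

Running redirect_problems(grafana_redirect_uri(None), ["https://grafana.homelabz.cc/login/generic_oauth"]) reproduces the post's localhost failure with all three findings.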
Third gotcha, less common but frustrating: if you run a reverse proxy in front of Authentik (Caddy, Nginx, Traefik), make sure the X-Forwarded-Proto header is set correctly. Without it, HTTPS redirects break in non-obvious ways — the login page returns blank with no useful error message. The official reverse proxy documentation covers the general requirements and includes a full Nginx example.
The enterprise RBAC goes beyond simple group membership. You can define policies that evaluate multiple conditions simultaneously: group membership AND source IP within the management subnet AND access time within a window. Conditions are combined with AND/OR logic via the Flow editor UI, no code required.
Persistent audit logging is the other enterprise feature worth having in a multi-user environment. Every auth event — successful login, failed attempt, token revoked, consent updated — is recorded with timestamp, user, IP, and application. You get full visibility into who accessed what and when without running a separate SIEM.
Adding a new collaborator now means creating one user in Authentik and assigning them to the right groups. No manual provisioning across services. Revoking access is instant and complete: disable the account in Authentik, that person loses access to every integrated service in one operation.
Our infrastructure runs on NetBird VPN across three subnets — management, backend, Docker. Authentik integrates naturally with this: you can restrict internal application access to users connected from the management subnet, without touching the applications themselves. No custom code, all through the Flow editor.
Authentik has a genuine complexity problem upfront. The UI is dense, the terminology — Flow, Stage, Provider, Application, Source, Outpost — takes time to internalize, and the documentation assumes some familiarity with OAuth2 and OIDC internals. The first few hours are rough if you are coming in without that background.
The worker is a mandatory separate process — without it, background tasks do not run: emails, expired token cleanup, event notifications. Not a design flaw, but worth accounting for in your Docker architecture.
A central identity provider reduces attack surface but concentrates it. If Authentik is compromised, an attacker has access to everything. The appropriate response: Authentik behind VPN (not directly internet-exposed), mandatory 2FA for all users, regular updates, PostgreSQL backups on separate storage.
Authentik docs: goauthentik.io/docs — Enterprise licensing: goauthentik.io/docs/enterprise — Grafana generic_oauth: Grafana docs — Forgejo OAuth CLI: Forgejo docs