One Identity Provider for Everything

Jun 4, 2026

Replacing scattered logins with Authentik on Oracle Cloud. Google login everywhere, proxy auth for Guacamole, OAuth2 for Portainer, and a K8s outpost for cluster services.

Every homelab reaches a point where the authentication situation becomes embarrassing. Mine had: Cloudflare Access for Portainer, Guacamole with its own user database, Homepage with no auth, Pi-hole with a hardcoded password. Each service its own island.

The fix isn’t another password manager. It’s a single identity provider that everything talks to. This is that setup — Authentik on Oracle Cloud, Google login everywhere, TOTP on all flows, and a proxy outpost inside K8s for cluster services.

Architecture

Authentik runs on Oracle Cloud, not on the home K8s cluster. The reasoning is practical: if the cluster goes down, I still need to access Portainer to diagnose it — which means auth needs to be on a separate failure domain.

1
Internet
2
  └── Cloudflare Tunnel (Oracle Cloud)
3
        └── Authentik Server :9000
4
              ├── sso.merox.dev      → login portal
5
              └── rmt.merox.dev      → Guacamole (proxied)
6

7
K8s Cluster (home)
8
  └── Authentik Proxy Outpost
9
        └── download.merox.dev → Jellyseerr (proxied)

Portainer stays Tailscale-only — no internet exposure — but uses Authentik as its OAuth2 provider.

1. Deploy Authentik

Generate the secrets first — these go in a .env file next to your compose:

echo "PG_PASS=$(openssl rand -base64 36)" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60)" >> .env

docker-compose.yml:

1
services:
2
  postgresql:
3
    image: docker.io/library/postgres:16-alpine
4
    restart: unless-stopped
5
    environment:
6
      POSTGRES_PASSWORD: ${PG_PASS}
7
      POSTGRES_USER: authentik
8
      POSTGRES_DB: authentik
9
    volumes:
10
      - postgres_data:/var/lib/postgresql/data
11

12
  redis:
13
    image: docker.io/library/redis:alpine
14
    restart: unless-stopped
15

34 collapsed lines
16
  server:
17
    image: ghcr.io/goauthentik/server:2026.2.3
18
    restart: unless-stopped
19
    command: server
20
    environment:
21
      AUTHENTIK_REDIS__HOST: redis
22
      AUTHENTIK_POSTGRESQL__HOST: postgresql
23
      AUTHENTIK_POSTGRESQL__USER: authentik
24
      AUTHENTIK_POSTGRESQL__NAME: authentik
25
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
26
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
27
    ports:
28
      - '9000:9000'
29
    depends_on:
30
      - postgresql
31
      - redis
32

33
  worker:
34
    image: ghcr.io/goauthentik/server:2026.2.3
35
    restart: unless-stopped
36
    command: worker
37
    environment:
38
      AUTHENTIK_REDIS__HOST: redis
39
      AUTHENTIK_POSTGRESQL__HOST: postgresql
40
      AUTHENTIK_POSTGRESQL__USER: authentik
41
      AUTHENTIK_POSTGRESQL__NAME: authentik
42
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
43
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
44
    depends_on:
45
      - postgresql
46
      - redis
47

48
volumes:
49
  postgres_data:

docker compose up -d

Authentik is available at http://<your-server>:9000. Complete the initial setup wizard at /if/flow/initial-setup/.

DNS

sso.merox.dev uses Cloudflare’s Universal SSL wildcard (*.merox.dev) — no extra cert config needed. Add routes in Cloudflare Zero Trust pointing to your server’s Authentik port:

1
sso.merox.dev  → http://<authentik-server>:9000
2
rmt.merox.dev  → http://<authentik-server>:9000   (for Guacamole)

2. Google OAuth

In Google Cloud Console: APIs & Services → Credentials → OAuth 2.0 Client ID

Redirect URI:

1
https://sso.merox.dev/source/oauth/callback/google/

In Authentik: Admin → Directory → Federation & Social Login → Create → Google — paste Client ID and Secret.

Visiting sso.merox.dev now auto-redirects to Google login.

Tip

New users via Google are “External” by default — they can’t access the admin panel. Set type to “Internal” and add to authentik Admins group if needed.

3. Two-Factor Authentication

Admin → Flows & Stages → Flows → default-source-authentication → Stage Bindings

Add two bindings:

Order	Stage	Type
0	totp-validation	Authenticator Validate Stage
10	default-authentication-login	User Login Stage

In the Authenticator Validate Stage: Device classes: TOTP, Not configured action: Force configure.

First-time login now prompts TOTP enrollment automatically.

Note

Disable akadmin after your account is set up — it has a static password and bypasses 2FA. Admin → Directory → Users → akadmin → Disable.

4. Guacamole — Proxy Mode

Admin → Applications → Providers → Create → Proxy Provider

1
Name:          guacamole-proxy
2
Mode:          Proxy
3
External host: https://rmt.merox.dev
4
Internal host: http://<guacamole-host>:8080
5
Authorization flow: default-provider-authorization-implicit-consent

Admin → Applications → Applications → Create

1
Name:     Guacamole
2
Slug:     guacamole
3
Provider: guacamole-proxy

The Cloudflare tunnel already routes rmt.merox.dev to Authentik at :9000. Guacamole is never directly reachable — traffic hits Authentik first, always.

Note

Guacamole shows its own login after Authentik auth — that’s intentional. Authentik handles identity; Guacamole handles access control to specific connections.

5. Portainer — OAuth2 Native SSO

Portainer has direct Docker socket access — exposing it to the internet, even behind Authentik, is unnecessary risk. It stays Tailscale-only, but uses Authentik as its OAuth2 provider so there’s no separate login screen.

Bind it to the Tailscale interface instead of 0.0.0.0 — so only VPN-connected devices can reach it:

1
ports:
2
  - '<tailscale-ip>:9000:9000'
3
  - '<tailscale-ip>:9443:9443'

Admin → Applications → Providers → Create → OAuth2/OpenID Provider

1
Name:         portainer-oauth
2
Client type:  Confidential
3
Redirect URI: http://<tailscale-ip>:9000

In Portainer: Settings → Authentication → OAuth → Enable

1
Authorization URL: https://<authentik-domain>/application/o/authorize/
2
Access Token URL:  https://<authentik-domain>/application/o/token/
3
Resource URL:      https://<authentik-domain>/application/o/userinfo/
4
User identifier:   preferred_username

Enable Hide internal authentication prompt — Portainer redirects directly to Authentik on load.

6. K8s Outpost — Jellyseerr

The outpost runs inside the cluster as a pod and proxies back to sso.merox.dev for session validation. Every request hits the outpost first — if there’s no valid Authentik session, the user gets redirected to login.

Authentik UI setup

Provider: Admin → Applications → Providers → Create → Proxy Provider

1
Name:          jellyseerr-proxy
2
Mode:          Proxy
3
External host: https://<your-app-domain>
4
Internal host: http://<app-service>.<namespace>.svc.cluster.local:<port>
5
SSL validation: OFF

Application: Admin → Applications → Applications → Create

1
Name:     Jellyseerr
2
Slug:     jellyseerr
3
Provider: jellyseerr-proxy

Outpost: Admin → Outposts → Create

1
Name:        k8s-outpost
2
Type:        Proxy
3
Integration: None
4
Apps:        Jellyseerr

After creation → View Deployment Info → copy the token.

Tip

Integration: None is intentional — if you use GitOps, your tooling owns the deployment and Authentik only owns the config. No cluster API access needed from the Authentik server.

Option A — Helm

The quickest path, works on any K8s setup:

kubectl create secret generic authentik-outpost-secret \
  --from-literal=AUTHENTIK_TOKEN=<token>

helm upgrade --install authentik-outpost oci://ghcr.io/goauthentik/helm-charts/authentik-remote-cluster \
  --set authentik.host=https://sso.merox.dev \
  --set authentik.token=<token>

Then expose the outpost with an Ingress or Gateway route pointing to port 9000.

Option B — Flux + app-template (GitOps)

For GitOps setups with Flux and bjw-s app-template. Create the following files under kubernetes/apps/<namespace>/authentik-outpost/:

app/secret.sops.yaml — encrypt with SOPS before committing:

1
apiVersion: v1
2
kind: Secret
3
metadata:
4
  name: authentik-outpost-secret
5
type: Opaque
6
stringData:
7
  AUTHENTIK_TOKEN: <token from outpost>

app/helmrelease.yaml:

1
apiVersion: helm.toolkit.fluxcd.io/v2
2
kind: HelmRelease
3
metadata:
4
  name: authentik-outpost
5
spec:
6
  interval: 1h
7
  chartRef:
8
    kind: OCIRepository
9
    name: app-template
10
  values:
11
    controllers:
12
      authentik-outpost:
13
        replicas: 1
14
        strategy: RollingUpdate
15
        containers:
57 collapsed lines
16
          app:
17
            image:
18
              repository: ghcr.io/goauthentik/proxy
19
              tag: 2026.2.3
20
            env:
21
              AUTHENTIK_HOST: 'https://sso.merox.dev'
22
              AUTHENTIK_INSECURE: 'false'
23
              AUTHENTIK_HOST_BROWSER: 'https://sso.merox.dev'
24
            envFrom:
25
              - secretRef:
26
                  name: authentik-outpost-secret
27
            probes:
28
              liveness:
29
                enabled: true
30
                custom: true
31
                spec:
32
                  httpGet:
33
                    path: /outpost.goauthentik.io/ping
34
                    port: &port 9000
35
                  initialDelaySeconds: 10
36
                  periodSeconds: 10
37
              readiness:
38
                enabled: true
39
                custom: true
40
                spec:
41
                  httpGet:
42
                    path: /outpost.goauthentik.io/ping
43
                    port: *port
44
                  initialDelaySeconds: 5
45
                  periodSeconds: 10
46
            securityContext:
47
              allowPrivilegeEscalation: false
48
              readOnlyRootFilesystem: true
49
              capabilities: { drop: ['ALL'] }
50
            resources:
51
              requests:
52
                cpu: 10m
53
              limits:
54
                memory: 256Mi
55
    defaultPodOptions:
56
      securityContext:
57
        runAsNonRoot: true
58
        runAsUser: 1000
59
        runAsGroup: 1000
60
    service:
61
      app:
62
        ports:
63
          http:
64
            port: *port
65
    persistence:
66
      tmpfs:
67
        type: emptyDir
68
        advancedMounts:
69
          authentik-outpost:
70
            app:
71
              - path: /tmp
72
                subPath: tmp

app/httproute.yaml (Gateway API — adjust for your ingress if needed):

1
apiVersion: gateway.networking.k8s.io/v1
2
kind: HTTPRoute
3
metadata:
4
  name: jellyseerr-external
5
spec:
6
  parentRefs:
7
    - name: external
8
      namespace: kube-system
9
      sectionName: https
10
  hostnames:
11
    - 'download.merox.dev'
12
  rules:
13
    - backendRefs:
14
        - name: authentik-outpost
15
          port: 9000

app/kustomization.yaml:

1
apiVersion: kustomize.config.k8s.io/v1beta1
2
kind: Kustomization
3
resources:
4
  - ./secret.sops.yaml
5
  - ./helmrelease.yaml
6
  - ./httproute.yaml

Encrypt and push:

sops --encrypt --in-place app/secret.sops.yaml
git add . && git commit -m "feat: add authentik k8s outpost" && git push

Note

Jellyseerr doesn’t support OIDC, so it still shows its own login after Authentik auth. The outpost acts as a gate — unauthenticated requests never reach the app. Once logged in to Jellyseerr, the session persists.

Result

Service	URL	Method
Guacamole	rmt.merox.dev	Authentik Proxy
Portainer	100.72.22.38	OAuth2 (Tailscale only)
Jellyseerr	download.merox.dev	K8s Outpost Proxy

One login at sso.merox.dev. Google auth + TOTP. Every externally-exposed service requires a valid Authentik session before traffic reaches it.

For apps with native OIDC support — Grafana, n8n — the same pattern applies but without the double login: use an OAuth2 provider instead of the proxy outpost.

Infrastructure repo: github.com/meroxdotdev/cloudlab-merox. Full homelab overview: The Rack — Homelab 2026.