Setting up Authentik SSO on my homelab
One Login to Rule Them All: My Journey to Authentik SSO
It started right around the fifth container.
I had just finished spinning up Paperless-ngx, navigated to the URL, and there it was: yet another login form. Username. Password. The exact same credentials I’d just finished typing into Nextcloud. And Forgejo. And Vaultwarden.
At my day job, we use Okta. You log in once in the morning and the digital red carpet rolls out: email, internal tools, and dashboards are all just there. I found myself staring at my monitor and thinking:
I’m the admin here… why can’t I have that magic at home?
That spark of annoyance turned into a weekend project. That project turned into Authentik. And honestly? My homelab has never felt more professional.
So, what exactly is Authentik?
Think of Authentik as your homelab’s personal bouncer. It’s an open-source identity provider that handles the “Who are you?” part of your self-hosted apps centrally. Instead of every single app managing its own list of users, they all just point to Authentik.
Log in once, and you’re in everywhere. It’s glorious.
I use two main ways to make the magic happen:
- Forward Auth: This is the “Bouncer at the Door” approach. Traefik stops everyone at the gate and asks Authentik, “Is this person allowed in?” before they even see the app. It’s perfect for apps that don’t have built-in SSO support.
- OAuth2/OIDC: This is the “VIP Treatment.” Apps like Nextcloud or Forgejo talk directly to Authentik. You click a shiny “Login with Authentik” button, and you’re whisked right through.
Why go through the trouble? (Hint: It’s not just laziness!)
While skipping five login screens is a massive quality-of-life win, the real MVP here is security.
My homelab isn’t just a local box; I expose some services via Cloudflare so I can use them on the go. By putting Authentik in front of everything, I’m adding a massive layer of Defense in Depth. Even if one of my apps has a security hole, a hacker still has to get past Authentik’s front door first.
Plus, I can enforce 2FA (Two-Factor Authentication) in one single place, rather than trying to set it up a dozen different times. And the fact that it centralises 2FA means:
- No per-app setup
- Consistent enforcement
- Less chance of forgetting to enable it somewhere important
The secret sauce (the setup)
Authentik runs neatly in Docker (usually a server, a worker, PostgreSQL, and Redis). While the setup is smooth, I hit a couple of “learning opportunities” (read: I pulled my hair out so you don’t have to) that you should know about.
1. The Traefik Handshake
To get Traefik talking to Authentik, you’ll need a forwardAuth middleware in your dynamic configuration (it lives under http.middlewares, which the original snippet left out). It looks like this:
http:
  middlewares:
    authentik:
      forwardAuth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
Once that’s set, adding SSO to a new service is as easy as adding a single label to your docker-compose.yml. It feels like a superpower.
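As an added example (not from the original post), this is what that single-label approach looks like for a Paperless-ngx service in docker-compose.yml. It assumes the authentik middleware above is loaded through Traefik’s file provider (hence the @file suffix), a Traefik entrypoint named websecure, a shared Docker network called proxy, and a hypothetical hostname paperless.yourdomain.com.

```yaml
services:
  paperless:
    image: ghcr.io/paperless-ngx/paperless-ngx:latest
    networks:
      - proxy          # the network Traefik is attached to (assumed name)
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.paperless.rule=Host(`paperless.yourdomain.com`)"
      - "traefik.http.routers.paperless.entrypoints=websecure"
      - "traefik.http.routers.paperless.tls=true"
      # This is the "single label": attach the forwardAuth middleware defined in the
      # dynamic file config, so Traefik asks Authentik before the request reaches the app.
      - "traefik.http.routers.paperless.middlewares=authentik@file"
      - "traefik.http.services.paperless.loadbalancer.server.port=8000"

networks:
  proxy:
    external: true   # created once for Traefik; assumed to exist already
```

Note that the service publishes no ports on the host and only sits on the proxy network, so the only path to it runs through Traefik and therefore through the middleware. If you also added a ports: "8000:8000" mapping, the gate could be walked around, and any app that trusts the X-authentik-* headers would accept whatever a direct caller put in them.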
2. The “Extra Hosts” Gotcha
This is the one that gets everyone! When an app like Nextcloud tries to verify your login, it tries to call your domain (e.g. auth.yourdomain.com).
By default, it might try to go out to the internet and back in, which usually fails. The fix? Tell the container exactly where to find Traefik internally using extra_hosts:
extra_hosts:
  - "auth.yourdomain.com:172.18.x.x"
Pro Tip: Give Traefik a static IP on your Docker network! I learned this the hard way after a RAM upgrade. Everything rebooted, Traefik got a new IP, and all my logins silently broke. Save yourself the headache: lock that IP down!
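Here is an added example (not from the original post) of the static-IP fix combined with the extra_hosts override in one docker-compose.yml. The subnet 172.18.0.0/16, the address 172.18.0.10, the traefik:v3.0 image tag and the hostname auth.yourdomain.com are constructed values; replace them with your own.

```yaml
networks:
  proxy:
    driver: bridge
    ipam:
      config:
        # Constructed subnet; pick one that does not overlap your LAN or other Docker networks
        - subnet: 172.18.0.0/16

services:
  traefik:
    image: traefik:v3.0
    networks:
      proxy:
        ipv4_address: 172.18.0.10   # pinned so it survives restarts and host reboots

  nextcloud:
    image: nextcloud:latest
    networks:
      - proxy
    extra_hosts:
      # Resolve the public auth hostname to Traefik's pinned address inside the container,
      # so the OIDC back-channel calls (token and userinfo) never leave the Docker network.
      - "auth.yourdomain.com:172.18.0.10"
```

Docker applies the ipam settings only when it creates the network, so an existing proxy network has to be removed and recreated for the pinned address to take effect. Nextcloud still connects to auth.yourdomain.com over HTTPS, so Traefik must present a certificate valid for that name on the pinned address; a Let’s Encrypt certificate works unchanged because only the route differs, not the hostname.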
Life on the other side
Now, my homelab feels like a cohesive ecosystem rather than a pile of random apps. Whether I’m checking my documents in Paperless or pushing code to Forgejo, it’s one seamless experience.
It’s the closest thing to an “Enterprise” feel you can get at home. It’s made me appreciate just how much work goes on behind the scenes of a simple “Login” button.
If you’re running more than three or four services, go for it. Give yourself an afternoon, grab a coffee, and set up Authentik. You’ll wonder how you ever lived without it!