No, you should use Traefik. I use Traefik; it’s currently the easiest to deploy while supporting all the standard features of both Ingress and Gateway API in one app. Just try to avoid any features that are specific to Traefik.
RE: Traefik
My recommendation is to avoid using any of the Traefik custom CRDs to avoid vendor lock-in. I use Traefik strictly as an Ingress Controller (and I don’t bother to use Gateway API, which is more complex. Kubernetes Ingresses still work and will be maintained).
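As an added illustration of the "plain Ingress, no Traefik CRDs" approach (this is example configuration, not the commenter's own manifests), the standard `networking.k8s.io/v1` Ingress below exposes a service through Traefik without any `IngressRoute` or `Middleware` objects, so the same manifest would work unchanged under another conformant ingress controller. The hostname, namespace, service name and TLS secret name are placeholders; the TLS secret is assumed to exist already (for example, issued by cert-manager or created by hand).

```yaml
# Added example, not from the thread. A vendor-neutral Ingress served by Traefik.
# Host, namespace, service and secret names are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jellyfin
  namespace: media
spec:
  # Picks Traefik as the controller via the standard IngressClass field,
  # not via a Traefik-specific annotation or CRD.
  ingressClassName: traefik
  tls:
    - hosts:
        - jellyfin.example.com
      secretName: jellyfin-tls      # assumed to exist; holds the certificate and key
  rules:
    - host: jellyfin.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jellyfin
                port:
                  number: 8096        # Jellyfin's default HTTP port
```

The practical check for lock-in is simple: if every object you apply is `Ingress`, `Service` or `Secret` and the only Traefik-specific string is the `ingressClassName`, swapping controllers later is a one-word change.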
https://integrations.goauthentik.io/media/jellyfin/
The jellyfin sso plugin linked there is now archived and dead.
Authentik supports LDAP; Keycloak does not.
Authentik also has proxy based authentication, to authwall any app that doesn’t support external sso. People use that with jellyfin a lot.
I agree but running headfirst into this wall was a learning experience for me, even if I did fail miserably.
Also, SAML sucks; OIDC is way better and more popular nowadays.
“Log in with Google/GitHub/etc” is actually OIDC (I’ve had people think it was SAML before, so I am clarifying).
Most of the apps you mentioned will only support OIDC and not SAML.
No. K3s uses a different container runtime, containerd, as a backend.
If you set up k3s you don’t need Docker. Though I suspect you’ll want it for apps that have better support for Docker (offer Docker Compose but no official Helm chart, more docs, more forum posts, etc).
No, don’t use Keycloak, it sucks. Trust me, Authentik is way better (also FOSS + under the Cloud Native Computing Foundation).
You can deploy Keycloak as a test, but Authentik has way more features, like it supports being an LDAP server.
For secrets and security, HashiCorp Vault and ESO are a pain. It’s probably easier to encrypt them directly in the git repo and get ArgoCD to decrypt them (this is what I do with FluxCD).
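The "encrypt in the repo, let the GitOps controller decrypt" pattern, as an added example rather than the commenter's own setup, is shown here for Flux using SOPS with an age key; Argo CD has no built-in equivalent and would need a decryption plugin, which is not shown. Everything below is assumed: the repo layout under `clusters/homelab/apps`, the `jellyfin-api` secret, the namespace names, and the age public key, which is a placeholder. Only the `data`/`stringData` fields get encrypted, so the rest of the manifest stays readable and diffable in git, and the private key lives only in the cluster.

```yaml
# Added example, not from the thread. Three files shown as one YAML stream.

# 1) .sops.yaml at the repo root: which files to encrypt and with which key.
#    encrypted_regex limits encryption to the secret payload fields.
creation_rules:
  - path_regex: clusters/.*\.enc\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1PLACEHOLDER_PUBLIC_KEY   # placeholder; replace with your age recipient
---
# 2) clusters/homelab/apps/jellyfin-secret.enc.yaml as written BEFORE encryption.
#    Run `sops -e -i clusters/homelab/apps/jellyfin-secret.enc.yaml`; only the
#    resulting ciphertext is ever committed.
apiVersion: v1
kind: Secret
metadata:
  name: jellyfin-api
  namespace: media
type: Opaque
stringData:
  api-key: CHANGEME   # constructed sample value; encrypted in place by sops
---
# 3) Flux Kustomization that reconciles that path and decrypts on the fly.
#    The age private key is stored in the in-cluster Secret `sops-age`
#    (key `age.agekey`) in flux-system and never enters git.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: apps
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/homelab/apps
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```

The one out-of-band step is loading the private key into the cluster, e.g. `kubectl create secret generic sops-age --namespace=flux-system --from-file=age.agekey=/path/to/age.agekey`; after that, a committed secret that is not encrypted is the thing to watch for, and a pre-commit hook that refuses `*.enc.yaml` files without a `sops:` metadata block is a cheap guard.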
Re: storage/backups:
You need to figure out a PersistentVolume class/provider that you can use.
I recommend Longhorn.
Are you going to use both docker and k3s?
You could only use k3s, but if you are using both docker and k3s see my gpu notes below.
If you are using docker, check out https://komo.do/ to gitops it.
You probably don’t need to host your own container registry or even CI; it’s more trouble than it’s worth for a homelab.
You can deploy them as learning experiences, but I would not recommend having any part of your lab be dependent on them; it’s simpler to just use public container images/registries.
MinIO is now closed source. Check out Garage, SeaweedFS or RustFS as alternatives.
Okay long post so I’m probably gonna make multiple comments:
GPU usage: you have moonlight, and also jellyfin. Both of those are gonna want your gpu.
You are gonna have to figure out how to do this. I suspect if you are using k3s, the easiest way is for one (virtual machine) node of the k3s cluster to have the GPU passed through to it and activated, and k3s will assign containers that need the GPU to that host. Although I’m not sure if Moonlight itself runs in a container.
It is technically possible to share a GPU between VMs (https://github.com/DualCoder/vgpu_unlock), but it is a hack and it is a lot of trouble. It is very easy to share a GPU between containers. You can also use Proxmox’s LXC containers and share a GPU between them, but there are caveats about running (k3s/Docker) containers in containers.
No, authentik is always better. There are no unique integrations to Red Hat systems that Keycloak offers that are more capable than Authentik is capable of.
Now, Keycloak has a paid version based on it that might have extra features (but probably doesn’t; Red Hat usually doesn’t enhance the software itself, just deployment/maintenance). And it is easier to justify expenditure to a corporation you are already buying from, like Red Hat or AWS, than it is to buy from a new entity. If you’ve ever interacted with any of the bureaucracies, you’ll understand that there are almost always considerations in the purchase of software beyond the quality itself.