## Add SSO (Single Sign-On) to `ds1` Goal: use a single user account per person across all services. ### Options - [ ] **Keycloak** Pros: Industry standard, powerful, supports OIDC/SAML Cons: Heavy, complex UI, not declarative (needs import/export) - [ ] **Authentik** Pros: Lighter than Keycloak, modern UI Cons: Less mature, not fully declarative - [ ] **Dex** Pros: Fully declarative, simple, good NixOS integration Cons: No session management, minimal UI - [ ] **Authelia** Pros: Declarative, good with reverse proxies Cons: Complex setup ### Plan Prefer declarative config, low resource usage, and easy integration with reverse proxy.
Add SSO (Single Sign-On) to
ds1Goal: use a single user account per person across all services.
Options
Keycloak
Pros: Industry standard, powerful, supports OIDC/SAML
Cons: Heavy, complex UI, not declarative (needs import/export)
Authentik
Pros: Lighter than Keycloak, modern UI
Cons: Less mature, not fully declarative
Dex
Pros: Fully declarative, simple, good NixOS integration
Cons: No session management, minimal UI
Authelia
Pros: Declarative, good with reverse proxies
Cons: Complex setup
Plan
Prefer declarative config, low resource usage, and easy integration with reverse proxy.