Theorycrafting: SSO for multiple Apps hosted on TrueNAS

At the moment, my home setup is pretty much just for me - I don’t have kids, and my wife isn’t the sort to be heavily into tech (she’ll ask me to set things up for her). So this post is mostly theorycrafting, or potentially seeding ideas for other people who may be looking to set this up in the future.

The thought occurred to me that most of the apps I have set up in Docker on my system (Nextcloud, FreshRSS, Jellyfin, Piwigo) have a login involved, and can potentially authenticate back to a single source (Google, OAuth2, LDAP, etc.). The TrueNAS itself also has user logins, which are needed for each household member if they want to authenticate back to the NAS for backups, home / share storage, etc.

What would be the ideal setup for having multiple apps authenticate against a single authority that includes the host TrueNAS itself (either as the source, or as a client)? So if I wanted to give a housemate a single login, this would work for the NAS, Nextcloud, FreshRSS, Jellyfin, etc. (assuming the apps can authenticate against another source, of course).

Basically you need to set up a reverse proxy (Nginx-Proxy-Manager is basic and in the catalog, but things like pure Nginx/Caddy/Traefik are more versatile) and then external authentication like Authelia or Authentik.

OK, so run one of those as a container on the TrueNAS itself, then configure the NAS and other apps to authenticate against it? That makes sense.

I wasn’t aware those apps existed, that is what I was looking for, I think!

I’m using Traefik and Authentik, works really well but has a bit of a learning curve to set up.