That's fair, a VPN might've been a better approach. I've been having some weird routing issues with WireGuard that seem to behave differently depending on the client, but I've not had time to sort that out.
At the end of the post I mention that having proper separation would've helped, but again, that's a whole project...
It's not really "piling on more complexity". I already have a well-configured OIDC provider that already handles a lot of home lab software that supports OIDC natively.
For things not supporting OIDC natively there's OIDC Proxy for Traefik. So in this case the solution is adding a label requesting the OIDC Proxy middleware, and adding a redirect URL to the OIDC application.
You could argue that it's "more complexity", but routing it through a home VPN, for instance, is also "more complexity".
What, in your opinion, is "simple, performant, and sane"? You casually throw that around, but never explain...
The community has managed to drastically lower hardware requirements, but so far I think only Nvidia cards are supported, so as an AMD owner I'm still missing out :(
I still can't comprehend why they implemented FIDO/WebAuthn support in Play Services. Passkeys are extremely difficult to support in apps that don't depend on Play Services client libraries.