Only mechanically. You could technically remove the small piece of plastic at the end of the slot, and still put an x16 card in an x1 or x4 slot, should work anyways. Some mainboards even have open-ended slots directly instead of closed ended. Haven’t done it and wouldn’t recommend it, but it would technically be possible.
I’m on Keycloak + lldap for user provisioning and services that don’t support OIDC or SAML. I have yet to find an OAuth or SAML feature it doesn’t have. It does have a steep learning curve tho, so Authentik is maybe a better solution to get started with.
I personally hit a wall with Authentik when I was trying to get different signature key algorithms for different services (some services have a different supported set of key algorithms than others) and custom plugins for custom JWT fields and user attributes.
I believe Authentik has something for extensions as well, but Keycloak is just Java, which has a much better development and deployment experience than throwing a .py or .js file in some directory and hoping it works.
silenium_dev@feddit.org to
Selfhosted@lemmy.world • What's your self-hosting success of the week? • English
0·2 months ago
I recreated the Keycloak account from LDAP, and then manually patched the databases for all OIDC-based services to the new account UUID, so the existing accounts are linked to the new Keycloak account.
I have two Keycloak accounts, one in the master realm for administrative purposes, and one in the apps realm for all my services, so I didn’t break access to Keycloak.
silenium_dev@feddit.org to
Selfhosted@lemmy.world • What's your self-hosting success of the week? • English
0·2 months ago
I already had Keycloak set up, but a few services don’t support OIDC or SAML (Jellyfin, Reposilite), so I’ve deployed lldap and connected those services and Keycloak to it. Now I really have a single user across all services.
silenium_dev@feddit.org to
Selfhosted@lemmy.world • Best reverse proxy with ACME to run in docker • English
0·3 months ago
Traefik also supports running on K8s, yes.
On that note, if you’re moving to K8s, I recommend looking into K8s Gateway API, it’s the successor to the old Ingress API. There are other, more complete, implementations of it than Traefik. See https://gateway-api.sigs.k8s.io/
silenium_dev@feddit.org to
Selfhosted@lemmy.world • Best reverse proxy with ACME to run in docker • English
0·3 months ago
Mayastor or Linstor, Ceph requires too much CPU for these nodes
silenium_dev@feddit.org to
Selfhosted@lemmy.world • Help fixing invalid origin with memos • English
0·1 year ago
You may need to configure nginx to pass through some additional headers, I haven’t used it in a while. It could also be that memos refuses IP addresses as SITE_URL, and needs a proper domain name.
I’m using traefik (on kubernetes) as reverse proxy, and I don’t even set SITE_URL, but it still works.
silenium_dev@feddit.org to
Selfhosted@lemmy.world • Help fixing invalid origin with memos • English
0·1 year ago
There’s no reason not to expose those services to the Internet, they have authentication, and no one can access them without logging in first. There are actually reasons for exposing them, you can share a memo or a file to other people. You should enable HTTPS though to prevent passwords being transferred in clear text.
silenium_dev@feddit.org to
Selfhosted@lemmy.world • Help fixing invalid origin with memos • English
0·1 year ago
If you’re exposing memos through nginx, the SITE_URL needs to be the public URL where nginx exposed memos (so exactly the same as you enter in your browser), not the Public-IP and the internal port of memos.
I’m using headscale with headplane as the UI, looks like tailscale, is feature complete (at least it says so on their GitHub readme). Headplane even integrates with an external OIDC provider (I self-host Keycloak for centralized identity management across my services).