I thought everyone loved ICE

The Swiss government will ​continue to withhold payments to the ‌United States for a Patriot missile system order until Washington provides binding delivery dates, adding that terminating the purchase ​is an option, it said on Wednesday.

Not sure how long it had been there! It had no smell 🤔

I'm currently in the long process of rebuilding my declarative homelab using k3s, ArgoCD and NixOS.

I had previously used Keycloak but that always seemed massively overqualified and way too complex for my purposes. With this rebuild I saw my chance to try out Authentik which appears to be in good standing with the homelab community.
They have tons of documentation for pretty much anything which was encouraging to me. Well except for the documentation for their Helm Charts maybe...

Started off with version 2025.12.x, am now onto 2026.02.x and have spent most weekends in between that on getting Authentik to even just deploy to the cluster.
It's partially my fault for attempting to use Secrets initially but even now with hardcoded keys in my git repo the default example chart doesn't work:

authentik:
  existingSecret:
    secretName: authentik-secret

  postgresql: # None of this gets applied at all so I do it manually below...
    password: "somepasswd"

server:
  replicas: 1

  env: # Manually apply all the configuration values. Why am I using Helm charts again?
    - name: AUTHENTIK_POSTGRESQL__HOST
      value: authentik-postgresql
    - name: AUTHENTIK_POSTGRESQL__USER
      value: authentik
    - name: AUTHENTIK_POSTGRESQL__PASSWORD
      value: "somepasswd"
    - name: AUTHENTIK_POSTGRESQL__NAME
      value: authentik

  route:
    main:
      # ...

postgresql:
  enabled: true

  auth: # And set everything here once again
    username: authentik
    password: "somepasswd"
    postgresPassword: "somepasswd"
    usePasswordFiles: false
    database: authentik

  primary:
    persistence:
      size: 4Gi

I started off with the official example and after all these undocumented changes it still only deploys-ish:

With the defaults authentik-server would always try to reach the DB under localhost which doesn't work in the context of this chart/k8s.
So after a while I figured out that the authentik: configuration block doesn't actually do anything and I set all the values the chart should set by hand.

Now the DB connects but the liveliness probe on the authentik-server pod fails. It logs the incoming probe requests but apparently doesn't answer them (correctly) leading to k8s killing the pod.

Sorry for the ramble but I've hit my motivational breaking point with Authentik.
Since the community seems to like it a bit I am left wondering what I'm doing wrong to have this many issues with it.

Did you people have this much trouble with Authentik and what have you switched to instead?

I'm pretty new to self-hosting in general, so I'm sorry if I'm not using correct terminology or if this is a dumb question.

I did a big archival project last year, and ripped all 700 or so DVDs/Blu-rays I own. Ngl, I had originally planned on just having them all in a big media folder and picking out whatever I wanted to watch that way. Fortunately, I discovered Jellyfin, and went with that instead.

So I bought a mini pc to run Ubuntu server on, and I just installed Jellyfin directly there. Eventually I decided to try hosting a few other services (like Home Assistant and BookLore (R.I.P.)), which I did through Docker.

So I'm wondering, should I be running Jellyfin through Docker as well? Are there advantages to running Jellyfin through Docker as opposed to installed directly on the server? Would transitioning my Jellyfin instance to Docker be a complicated process (bearing in mind that I'm new and dumb)?

Thanks for any assistance.

Let’s say someone’s family was in the army, so they moved around a lot from birth, and they didn’t really have a ‘home,’ but they’re into sports—how do they choose their favorite team? Do they just decide to hold off until they move somewhere permanently, and then choose that city’s team as theirs?

You’ll need at least 6GB of RAM to run Ubuntu 26.04 LTS comfortably, as the upcoming version of the distro raises its minimum memory requirement for the first time since 2019.

All of these issues are from today.

Full Research(52 Pages PDF).

Our recent research paper into Snapchat's gamification features shows that some of the respondents are experiencing negative effects. Think of the feeling of pressure and having more screen time than desired. The results of the research support the importance of freedom of choice on large online platforms. Young people need to have more control over where their attention is going, what they are seeing and what they are displaying of themselves online. We therefore want to use the report to advise policy makers on guidelines on gamification on social media.

I'm using TinyAuth for forwardauth but the service I'm trying to use consistently is saying the headers are not set (and I can verify, they're not there.)

Traefik: in static config

entryPoints:
  web:
    address: ':80'
    transport:
      respondingTimeouts:
        readTimeout: 600s
        idleTimeout: 600s
        writeTimeout: 600s
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: letsencrypt
        domains:
          - main: domain.tld
            sans:
              - '*.domain.tld'
    forwardedHeaders:
      trustedIPs:
        - [TinyAuth IP]

in dynamic config:

   tinyauth-auth:
     forwardAuth:
       address: "http://[TinyAuth IP]:3000/api/auth/traefik"
       trustForwardHeader: true
       authResponseHeaders:
         - Remote-User
         - Remote-Groups
         - Remote-Name
         - Remote-Email

This is set as a middleware in the app I'm trying to use.

in tinyauth:

TINYAUTH_APPURL=https://tinyapp.domain.tld/
TINYAUTH_AUTH_TRUSTEDPROXIES=[Traefik IP]
TINYAUTH_APPS_APP_CONFIG_DOMAIN='app.domain.tld'
TINYAUTH_APPS_APP_RESPONSE_HEADERS='Remote-User,Remote-Email,Remote-Group,Remote-Name,X-Remote-Name,X-Remote-User,X-Remote-Group,X-Remote-Email,Forwarded-Host,Forwarded-URI'

(I kept adding response headers hoping something would change)

PocketID is set as an OAuth provider and seems to be working fine, but I can provide further detail if needed.

Curiously, I tried changing the address in the traefik config to "https://tinyauth.domain.tld/" and the headers came through properly, but the redirect went to https://tinyauth.domain.tld/api/auth/traefik.

I think this is actually my issue but they never posted their solution.