AdGuard — disable UI auth (edge SSO only)
AdGuard Home has its own admin login. With Traefik forward-auth, disable local UI authentication so Authentik is the only gate.
Official approach: empty users list in AdGuardHome.yaml (AdGuard wiki).
URL: https://adguard.infra.realemail.app
What changes
| Setting | Purpose |
|---|---|
| `users: []` | Disable AdGuard web UI login |
| `trusted_proxies` | Include Traefik Docker subnet (172.18.0.0/16) for DoH/client IP |
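DNS on port 53 is unchanged. Only the web admin UI behind Traefik drops its login form. With no local login, any request that reaches the AdGuard web port without passing through Traefik is unauthenticated, so keep that port reachable only via Traefik.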
Apply (repo script)
After merge to main, on infra-services:
```bash
cd /opt/homelab
git pull origin main
sudo bash services/adguard/scripts/disable-ui-auth-for-edge-sso.sh
```
The script backs up AdGuardHome.yaml, sets users: [], updates trusted_proxies,
and restarts the adguard container.
Verify
Incognito → https://adguard.infra.realemail.app → Authentik once → AdGuard dashboard
(no AdGuard username/password form).
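A config-side check to go with the browser test, as an added example (not the repo's script). The function names and the two sample configs are made up for this example, and the check is line-based rather than a full YAML parser.

```shell
#!/bin/sh
# Added example: read-only check of AdGuardHome.yaml after the change.
# Line-based; assumes block-style lists, it is not a full YAML parser.

# users_disabled FILE -> 0 if the top-level users key is an empty list
users_disabled() {
    grep -Eq '^users:[[:space:]]*\[[[:space:]]*\][[:space:]]*$' "$1"
}

# proxy_trusted FILE CIDR -> 0 if CIDR is listed under trusted_proxies
proxy_trusted() {
    awk -v want="$2" '
        /^[[:space:]]*trusted_proxies:/ { in_list = 1; next }
        in_list && /^[[:space:]]*$/ { next }
        in_list && /^[[:space:]]*-[[:space:]]/ {
            item = $0
            sub(/^[[:space:]]*-[[:space:]]*/, "", item)
            sub(/[[:space:]]+$/, "", item)
            if (item == want) found = 1
            next
        }
        { in_list = 0 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit_config FILE CIDR -> one line per check; returns the number of failures
audit_config() {
    fails=0
    if users_disabled "$1"; then echo "ok   users: [] (UI login disabled)"
    else echo "FAIL users is not an empty list"; fails=$((fails + 1)); fi
    if proxy_trusted "$1" "$2"; then echo "ok   trusted_proxies has $2"
    else echo "FAIL trusted_proxies lacks $2"; fails=$((fails + 1)); fi
    return "$fails"
}

# Constructed sample configs (not from a real host), used for a dry run.
sample_after() {
    printf '%s\n' 'users: []' 'dns:' '  port: 53' '  trusted_proxies:' \
        '    - 127.0.0.0/8' '    - 172.18.0.0/16'
}
sample_before() {
    printf '%s\n' 'users:' '  - name: admin' '    password: PLACEHOLDER' \
        'dns:' '  trusted_proxies:' '    - 127.0.0.0/8' '  port: 53'
}

# Usage: sh check-adguard-cfg.sh /path/to/AdGuardHome.yaml [CIDR]
if [ "$#" -ge 1 ]; then audit_config "$1" "${2:-172.18.0.0/16}"; fi
```

The exit status is the number of failed checks, so 0 means both settings are in place.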
Break-glass
Re-enable UI auth by restoring the backup written beside the config file
(AdGuardHome.yaml.bak.*), or re-add a user via the reset-password flow in the AdGuard docs.