Get the scope right in Authentik

I set up Authentik in front of some of my self-hosted services recently. Authentik allows you to use 2-factor auth when logging into other services that support OpenID. The first one I tried was Immich, and the docs are pretty good.

Authentication settings in Immich

The one thing the docs don't mention is that you also have to set the scopes on the Authentik side. In the Authentik provider configuration, make sure all three of openid, email and profile are allowed; if one of them is missing, Authentik will not hand the matching claims to Immich and the login will not work as expected.
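A quick way to confirm the scopes actually took effect is to look at what Authentik returns from the token endpoint. The script below is an added example, not part of this post or of Authentik: it compares the granted scope string and the ID token's claims against the three scopes Immich asks for, using a constructed token response rather than a real one, and the claim-to-scope mapping follows OpenID Connect Core section 5.4.

```python
import base64
import json

# The three scopes the post says must be allowed on the Authentik provider.
REQUESTED_SCOPES = {"openid", "email", "profile"}

# Claims a granted scope should contribute to the ID token (OIDC Core 5.4).
# "email" must yield an email claim; "profile" yields at least one name claim.
CLAIMS_FOR_SCOPE = {
    "email": {"email"},
    "profile": {"name", "preferred_username", "given_name"},
}


def decode_jwt_payload(token: str) -> dict:
    """Read the payload segment of a JWT without checking its signature.
    Diagnostic only: it tells you which claims are present, not whether to trust them."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def check_token_response(resp: dict) -> dict:
    """Report scopes Authentik did not grant and scopes whose claims are absent."""
    # RFC 6749 5.1: "scope" may be omitted when it equals what was requested.
    granted = set(resp["scope"].split()) if "scope" in resp else set(REQUESTED_SCOPES)
    claims = decode_jwt_payload(resp["id_token"])
    return {
        "missing_scopes": sorted(REQUESTED_SCOPES - granted),
        "missing_claims": sorted(
            scope for scope, wanted in CLAIMS_FOR_SCOPE.items() if not (wanted & claims.keys())
        ),
    }


def _unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string for the constructed samples below (no signature)."""
    def seg(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(payload)}."


# Constructed samples (hypothetical issuer URL): a provider with only openid mapped,
# and one with all three scopes mapped as the post recommends.
ISSUER = "https://auth.example.com/application/o/immich/"
SAMPLE_BAD = {"scope": "openid", "id_token": _unsigned_jwt({"iss": ISSUER, "sub": "u1"})}
SAMPLE_GOOD = {
    "scope": "openid email profile",
    "id_token": _unsigned_jwt({"iss": ISSUER, "sub": "u1", "email": "me@example.com", "name": "Me"}),
}

if __name__ == "__main__":
    for label, resp in (("only openid", SAMPLE_BAD), ("all scopes", SAMPLE_GOOD)):
        print(label, check_token_response(resp))
```

Paste the JSON from a real token exchange in place of the samples to see exactly which scope the provider configuration is still missing.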

Also, if you use Cloudflare to proxy your services, make sure the Authentik host itself isn't proxied through Cloudflare, or Cloudflare will rewrite some of the HTTP headers the login flow relies on. Make sure your reverse proxy serves its own SSL cert too; if everything goes through Cloudflare, you may be relying on a Cloudflare cert without realising it.

Who said self-hosting was fun, eh?