Right now none of the native clients support SSO. It is a frequently requested feature but, unfortunately, it doesn’t look like it will be implemented any time soon. As with many OSS projects it is probably a case of “you want it, you build it” - but nobody has actually stepped up.

For web access, stick it behind a reverse proxy and use something like Authentik/Authelia/SSO provider of your choice to secure it.

For full access including native clients, set up a VPN.

We refer to it as kew-bee-cuttle

As a developer myself I’m not sure if I would trust any application to safely handle a configuration that has become invalid due to a breaking change, especially not an app that is still under active development! Better safe than sorry.

Immich has completely replaced Google Photos for me, love it!

My only bugbear is that it is updated very frequently (what a nice problem to have!) which in my case requires a manual once-over of my docker-compose file every time in case there are breaking changes.

Nah, the SWAT would have to arrest themselves.

I use both. Pi-hole running in a docker container on one of my home servers which my gateway is configured to assign as the default DNS for all clients, and uBlock Origin on all my browsers to catch everything else.

Pihole is pretty good at catching ads on platforms that are not suited to browser based blockers (IoT devices, streaming boxes etc) but it isn’t perfect and is best used in conjunction with another solution.