If you want to do the mTLS, I’d also suggest step-ca [0], it’s an open source TLS and SSH CA. You can setup a variety of methods to be the identity provider, then have step provide the certs

0: https://smallstep.com/docs/step-ca/