I have switched to incus and it's really great. It's lightweight, has a working terraform provider, easy-to-use cli, pre-built images (LXC and VM) of major distros (while in proxmox, you have to create templates all the time for VMs), runs on any distro (on proxmox, you're stuck with debian), clustering is nice, supports a bunch of storage drivers (dir, btrfs, ceph, zfs), simple web UI and active community. The project leader is also very active and helpful, while in proxmox, it's a little unresponsive. You can even install the `incus-base` package, which only contains LXC-specific components for only running LXC containers.
I have noticed incus has better security configs by default. For instance, all pre-built images come with secureboot enabled and there are ACLs which are easy to configure for fine-grained network rules. The only downside I feel like is the lack of something like PBS.
IMO the client certs are pretty elegant from a technical perspective. It works well with the CLI, but the browser experience is different enough to cause at least some base level wtf-ery.
Yeah, most enterprise deployments of Incus use OIDC for authentication and then OpenFGA for authorization with permissions typically synchronized with something like AD/Entra.
TLS certs remain used for some role account type stuff and as a break-glass type of access for when OIDC is unavailable and there's an emergency. A nice characteristic of TLS certificates is that they can be generated safely in an HSM, which you can then dump into a safe; that works well in the corporate world, much better than passwords for this kind of thing.
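As an added illustration of the break-glass pattern described in the comment above (this is example code, not from the thread or from the Incus project): a POSIX shell script that mints a dedicated client certificate whose private key goes into the safe, computes the fingerprint an auditor would record alongside it, and lists the `incus config` commands that trust the certificate and switch everyday authentication to OIDC with OpenFGA authorization. The issuer, client id and OpenFGA URL are placeholders; the `oidc.*`, `openfga.*` config keys and `incus config trust add-certificate` are taken from the Incus server documentation, and the Incus commands only execute when `INCUS_APPLY=1` is set and `incus` is installed, otherwise they are printed as a dry run.

```shell
#!/bin/sh
# Added example (not from the thread or the Incus project): mint a dedicated
# break-glass client certificate for Incus and show how it would be trusted.
# Assumptions: openssl is on PATH; Incus config keys as documented upstream.
set -eu

# Generate a self-signed client certificate plus private key into $1.
# The private key is what goes into the safe (or stays in an HSM); only the
# public certificate is ever registered with Incus.
gen_breakglass_cert() {
    dir="$1"
    mkdir -p "$dir"
    chmod 700 "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/breakglass.key" -out "$dir/breakglass.crt" \
        -days 365 -subj "/CN=incus-breakglass" >/dev/null 2>&1
    chmod 600 "$dir/breakglass.key"
    printf '%s\n' "$dir/breakglass.crt"
}

# Lower-case hex SHA-256 fingerprint of the certificate: this is the value
# 'incus config trust list' shows, so it can be checked against the record
# kept with the safe before the certificate is ever used in an emergency.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Register the break-glass certificate and point day-to-day auth at OIDC and
# OpenFGA. Executed only with INCUS_APPLY=1 and incus installed; otherwise
# each command is printed so the change can be reviewed first.
register_breakglass_cert() {
    cert="$1"
    run() {
        if [ "${INCUS_APPLY:-0}" = 1 ] && command -v incus >/dev/null 2>&1; then
            "$@"
        else
            printf 'would run: %s\n' "$*"
        fi
    }
    run incus config trust add-certificate "$cert"
    # Placeholder identity-provider values; replace with the real IdP settings.
    run incus config set oidc.issuer="https://idp.example.test/"
    run incus config set oidc.client.id="incus-ui"
    # Placeholder OpenFGA endpoint and store; openfga.api.token is deliberately
    # not set here because the token should come from a secret store, not a script.
    run incus config set openfga.api.url="https://openfga.example.test"
    run incus config set openfga.store.id="REPLACE_WITH_STORE_ID"
}
```

Run it as `sh breakglass.sh` after sourcing the functions, e.g. `cert=$(gen_breakglass_cert /root/breakglass) && cert_fingerprint "$cert" && register_breakglass_cert "$cert"`. The design point is separation of duties: the private key never touches the Incus host, the fingerprint is the record that ties the physical envelope to the trust entry, and the OIDC/OpenFGA settings are applied with the same reviewable command list rather than by hand.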