I ended up just making my own helper container for authelia. It can generate a link that expires after a set time and only allows a set number of users to access. Then I can just give the link to whoever I want to join and they can fill in their own username and pwd. It then adds them to the authelia user db with the correct groups and PW hashing. Only issue is I have to manually restart authelia for the changes to take effect. Eventually I want to see if I can automate that.
I'm still working on editing the configuration through the app though. I want to be able to change the access control rules, etc.
As far as having the services behind authelia automatically detect and login the user, that will depend on the service, but authelia does pass user credentials and login status in the request headers. Many of the services I host were created myself, so it's pretty trivial to have it automatically "log in" from the authelia sign on.