Authentik with Tailscale Integration

This project sets up a Authentik instance with Tailscale VPN integration using Docker Compose. It creates a secure, private network connection for your Authentik instance using Tailscale.

Prerequisites

• Docker and Docker Compose installed on your system
• A Tailscale account and auth key (get one from https://login.tailscale.com/admin/authkeys)
• Basic understanding of Docker and networking concepts

Project Structure

ts-authentik/
├── .env
├── docker-compose.yml
├── tailscale/
│   ├── tailscale-data/     # Persistent Tailscale state
│   └── config/             # Tailscale configuration files
├── authentik/
│   ├── media/              # Authentik Files
│   └── templates/          # Authentik Files
├── postgres/
│   └── data/               # Postgres data
├── redis/
│   └── data/               # Redis persistent state
└── authentik-worker/
    └── certs/              # Authetik Worker files

Setup Instructions

1. Clone the Repository

   git clone https://gitea.damconsulting.llc/DAM/ts-authentik
   cd ts-authentik
   

2. Create Required Directories

   mkdir -p tailscale/tailscale-data authentik/media authentik/templates postgres/data redis/data authentik-worker/certs
   

3. Configure Tailscale

   • Replace {{YOUR_TAILSCALE_AUTHKEY}} in the docker-compose.yml with your actual Tailscale auth key
   • Optionally, update the file in tailscale/config/serve.json if you need specific Tailscale serve configurations
     • CAUTION: Changing "${TS_CERT_DOMAIN}:443": false to true will expose the service to the internet

4. Configure Authentik

   • Authentik uses an environment variable file, or .env, that is passed in the compose to handle much of the configuration options. They then turn this to yaml 🤦‍♂️. Maybe one day when we fork all of these projects we can standardize the config format for all services to be yaml from the start. Because of this and to stay consistent with the original documentation the database username and password as well as other fields commonly found in the compose are set in the .env. The following directions are for generating the .env file from linux cli. This method is recomended to ensure a strong AUTHENTIK_SECRET_KEY although you could just create your own manually.

   # You can also use openssl instead: `openssl rand -base64 36`
   sudo apt-get install -y pwgen
   # Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
   # See https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com
   echo "PG_PASS=$(pwgen -s 40 1)" >> .env
   echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
   # Skip if you don't want to enable error reporting
   echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env
   

   • OPTIONAL See docs for additional configuration options
   • A note about the docker-compose values.
     • POSTGRES_PASSWORD: This variable holds the password for the PostgreSQL database. The ${PG_PASS:?database password required} syntax means that if this variable is not set, the system will throw an error and prompt the user to set it.
     • POSTGRES_USER: This variable holds the username for the PostgreSQL database. The ${PG_USER:-authentik} syntax means that if this variable is not set, it will default to the value authentik.
     • POSTGRES_DB: This variable holds the name of the PostgreSQL database. The ${PG_DB:-authentik} syntax means that if this variable is not set, it will default to the value authentik.

5. Start the Services

   docker compose up -d
   

6. Wait for Certificate to propagate [~2m]

7. Login with the inital flow url

   • After starting the services your service should be available via tailnet at https://authentik.{{YOUR_TAILNET_DOMAIN}}.ts.net/if/flow/initial-setup/ ie https://authentik.tail12345.ts.net/if/flow/initial-setup/

Services

authentik-ts (Tailscale)

• Runs Tailscale VPN client
• Image: tailscale/tailscale:latest
• Container name: authentik-ts
• Hostname: authentik
• Requires NET_ADMIN and SYS_MODULE capabilities
• Persists state in ./tailscale/tailscale-data
• Uses configuration from ./tailscale/config

authentik

• Depends on authentik-ts service

authentik-worker

• Depends on authentik-ts service

authentik-redis

• Depends on authentik-ts service

authentik-postgres

• Depends on authentik-ts service

Usage

• After starting the services your service should be available via tailnet at https://authentik.{{YOUR_TAILNET_DOMAIN}}.ts.net ie https://authentik.tail12345.ts.net/
• To manually get the Tailscale IP/hostname of your container:

  docker logs authentik-ts
  

  Look for the Tailscale IP address in the logs.

Optional Features

• Uncomment and adjust the ports mapping if you need direct access (without Tailscale):

  ports:
  - 9000:9000
  

• Stopping the Services

  docker compose down
  

Troubleshooting

• Check container logs:

  docker logs authentik-ts
  docker logs authentik
  

• Ensure your Tailscale auth key is valid and not expired
• Verify the configuration files have proper permissions
• Make sure required directories exist before starting

Notes

• The Authentik service uses the Tailscale service's network stack via network_mode: service:authentik-ts
• Direct port mapping is disabled by default as Tailscale handles the networking
• Services restart automatically unless explicitly stopped
• For more information:
  • Tailscale documentation: https://tailscale.com/kb/
  • Authentik documentation: https://docs.goauthentik.io/docs/
  • Authentik repository: https://github.com/goauthentik/authentik