# Authentik with Tailscale Integration

![Authentik with Tailscale](https://goauthentik.io/img/icon_left_brand.svg "Authentik")

This project sets up an Authentik instance with Tailscale VPN integration using Docker Compose. It creates a secure, private network connection for your Authentik instance using Tailscale.

## Prerequisites

- Docker and Docker Compose installed on your system
- A Tailscale account and auth key (get one from https://login.tailscale.com/admin/authkeys)
- Basic understanding of Docker and networking concepts

## Project Structure

```
ts-authentik/
├── .env
├── docker-compose.yml
├── tailscale/
│   ├── tailscale-data/    # Persistent Tailscale state
│   └── config/            # Tailscale configuration files
├── authentik/
│   ├── media/             # Authentik files
│   └── templates/         # Authentik files
├── postgres/
│   └── data/              # Postgres data
├── redis/
│   └── data/              # Redis persistent state
└── authentik-worker/
    └── certs/             # Authentik worker files
```

## Setup Instructions

1. **Clone the Repository**

   ```bash
   git clone https://gitea.damconsulting.llc/DAM/ts-authentik
   cd ts-authentik
   ```

2. **Create Required Directories**

   ```bash
   mkdir -p tailscale/tailscale-data authentik/media authentik/templates postgres/data redis/data authentik-worker/certs
   ```

3. **Configure Tailscale**
   - Replace `{{YOUR_TAILSCALE_AUTHKEY}}` in the docker-compose.yml with your actual Tailscale auth key
   - Optionally, update the file `tailscale/config/serve.json` if you need a specific Tailscale serve configuration
   - CAUTION: Changing `"${TS_CERT_DOMAIN}:443": false` to `true` will expose the service to the internet

4. **Configure Authentik**
   - Authentik uses an environment variable file, `.env`, that is passed in the compose file to handle many of the configuration options. They then turn this into YAML 🤦‍♂️. Maybe one day when we fork all of these projects we can standardize the config format for all services to be YAML from the start.
   Because of this, and to stay consistent with the original [documentation](https://version-2022-9.goauthentik.io/docs/installation/docker-compose#preparation), the database username and password, as well as other fields commonly found in the compose file, are set in the `.env`. The following directions generate the `.env` file from the Linux CLI. This method is recommended to ensure a strong `AUTHENTIK_SECRET_KEY`, although you could also create your own manually.

   ```sh
   # You can also use openssl instead: `openssl rand -base64 36`
   sudo apt-get install -y pwgen
   # Because of a PostgreSQL limitation, only passwords up to 99 chars are supported
   # See https://www.postgresql.org/message-id/09512C4F-8CB9-4021-B455-EF4C4F0D55A0@amazon.com
   echo "PG_PASS=$(pwgen -s 40 1)" >> .env
   echo "AUTHENTIK_SECRET_KEY=$(pwgen -s 50 1)" >> .env
   # Skip if you don't want to enable error reporting
   echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env
   ```

   - **OPTIONAL** See the [docs](https://version-2022-9.goauthentik.io/docs/installation/configuration) for additional configuration options
   - A note about the docker-compose values:
     - `POSTGRES_PASSWORD:` This variable holds the password for the PostgreSQL database. The `${PG_PASS:?database password required}` syntax means that if this variable is not set, Compose aborts with that error message instead of starting the database with an empty password.
     - `POSTGRES_USER:` This variable holds the username for the PostgreSQL database. The `${PG_USER:-authentik}` syntax means that if this variable is not set, it will default to the value `authentik`.
     - `POSTGRES_DB:` This variable holds the name of the PostgreSQL database. The `${PG_DB:-authentik}` syntax means that if this variable is not set, it will default to the value `authentik`.

5. **Start the Services**

   ```bash
   docker compose up -d
   ```

6. **Wait for the certificate to propagate** (about 2 minutes)

7. **Log in with the initial flow URL**
   - After starting the services, your instance should be available over the tailnet at https://authentik.{{YOUR_TAILNET_DOMAIN}}.ts.net/if/flow/initial-setup/, e.g. https://authentik.tail12345.ts.net/if/flow/initial-setup/

## Services

### authentik-ts (Tailscale)

- Runs the Tailscale VPN client
- Image: tailscale/tailscale:latest
- Container name: authentik-ts
- Hostname: authentik
- Requires NET_ADMIN and SYS_MODULE capabilities
- Persists state in ./tailscale/tailscale-data
- Uses configuration from ./tailscale/config

### authentik

- Depends on the authentik-ts service

### authentik-worker

- Depends on the authentik-ts service

### authentik-redis

- Depends on the authentik-ts service

### authentik-postgres

- Depends on the authentik-ts service

## Usage

- After starting the services, your instance should be available over the tailnet at `https://authentik.{{YOUR_TAILNET_DOMAIN}}.ts.net`, e.g. `https://authentik.tail12345.ts.net/`
- To manually get the Tailscale IP/hostname of your container:

  ```bash
  docker logs authentik-ts
  ```

  Look for the Tailscale IP address in the logs.
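The following pre-flight helper is an added example for steps 3 and 4 of the setup above; it is example code written for this README, not part of the ts-authentik repository. It generates the `.env` with the same variable names the page uses, applies the same `${VAR:?message}` fail-fast check that the compose file relies on for `PG_PASS`, writes a `serve.json` with Funnel left off, and refuses to proceed if the `:443` listener has been switched to `true`. The serve.json layout (`TCP`, `Web` and `AllowFunnel` keys, proxy target `http://127.0.0.1:9000`), the `gen_secret`/`preflight` helper names and the length thresholds are assumptions, not taken from the repository; the localhost proxy target relies on Authentik sharing the Tailscale container's network namespace via `network_mode: service:authentik-ts`.

```shell
#!/bin/sh
# Added pre-flight helper for steps 3 and 4 (example code, not part of the
# ts-authentik repository). Assumptions: the variable names used in this README
# (PG_PASS, PG_USER, PG_DB, AUTHENTIK_SECRET_KEY) and a Tailscale serve config in
# which "AllowFunnel" -> "${TS_CERT_DOMAIN}:443" controls public exposure.
set -eu

# gen_secret N: N random [A-Za-z0-9] characters from /dev/urandom
# (portable stand-in for `pwgen -s N 1`; `openssl rand` works as well).
gen_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# write_env FILE: create a fresh .env, owner-readable only; never overwrite,
# because silently replacing PG_PASS would lock Authentik out of its database.
write_env() {
  file="$1"
  if [ -e "$file" ]; then
    echo "refusing to overwrite existing $file" >&2
    return 1
  fi
  pg_pass=$(gen_secret 40)      # PostgreSQL limit: at most 99 characters
  secret_key=$(gen_secret 50)
  (
    umask 077                   # secrets: mode 0600, not world-readable
    {
      echo "PG_PASS=$pg_pass"
      echo "PG_USER=authentik"
      echo "PG_DB=authentik"
      echo "AUTHENTIK_SECRET_KEY=$secret_key"
      echo "AUTHENTIK_ERROR_REPORTING__ENABLED=false"
    } > "$file"
  )
}

# env_value FILE NAME: print NAME's value from a KEY=VALUE .env file
env_value() {
  sed -n "s/^$2=//p" "$1"
}

# check_env FILE: fail the way compose's ${PG_PASS:?...} does when a required
# variable is missing (the :? expansion aborts the shell), then enforce lengths.
check_env() {
  pg_pass=$(env_value "$1" PG_PASS)
  secret_key=$(env_value "$1" AUTHENTIK_SECRET_KEY)
  : "${pg_pass:?database password required}"
  : "${secret_key:?AUTHENTIK_SECRET_KEY required}"
  [ "${#pg_pass}" -ge 32 ] && [ "${#pg_pass}" -le 99 ] || return 1
  [ "${#secret_key}" -ge 50 ] || return 1
}

# write_serve_config FILE: a serve.json of the assumed shape, with Funnel OFF so
# Authentik (port 9000 in the shared network namespace) stays tailnet-only.
write_serve_config() {
  cat > "$1" <<'EOF'
{
  "TCP": { "443": { "HTTPS": true } },
  "Web": {
    "${TS_CERT_DOMAIN}:443": {
      "Handlers": { "/": { "Proxy": "http://127.0.0.1:9000" } }
    }
  },
  "AllowFunnel": { "${TS_CERT_DOMAIN}:443": false }
}
EOF
}

# funnel_enabled FILE: succeed if the :443 listener is set to be Funnel'd to the
# public internet. Flattens whitespace so no jq is needed; only the AllowFunnel
# entry has a bare boolean right after ":443" (the Web entry holds an object).
funnel_enabled() {
  tr -d ' \n\t' < "$1" | grep -qF ':443":true'
}

# preflight ENV_FILE SERVE_FILE: refuse to start when secrets are missing or the
# service would be exposed beyond the tailnet.
preflight() {
  check_env "$1" || return 1
  if funnel_enabled "$2"; then
    echo "AllowFunnel is true in $2: Authentik would be exposed to the internet" >&2
    return 1
  fi
  echo "preflight ok; run: docker compose up -d"
}
```

Run `preflight .env tailscale/config/serve.json` before `docker compose up -d`. The Funnel check only flattens the JSON and looks for `:443":true`, so if you restructure serve.json, confirm that pattern still picks out the AllowFunnel entry and nothing else.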
## Optional Features

- Uncomment and adjust the ports mapping if you need direct access (without Tailscale):

  ```yaml
  ports:
    - 9000:9000
  ```

- Stopping the services:

  ```bash
  docker compose down
  ```

## Troubleshooting

- Check container logs:

  ```bash
  docker logs authentik-ts
  docker logs authentik
  ```

- Ensure your Tailscale auth key is valid and not expired
- Verify the configuration files have proper permissions
- Make sure required directories exist before starting

## Notes

- The Authentik service uses the Tailscale service's network stack via `network_mode: service:authentik-ts`
- Direct port mapping is disabled by default as Tailscale handles the networking
- Services restart automatically unless explicitly stopped
- For more information:
  - Tailscale documentation: https://tailscale.com/kb/
  - Authentik documentation: https://docs.goauthentik.io/docs/
  - Authentik repository: https://github.com/goauthentik/authentik