# Authentik with Tailscale Integration ![Authentik with Tailscale](https://goauthentik.io/img/icon_left_brand.svg "Authentik") This project sets up a Authentik instance with Tailscale VPN integration using Docker Compose. It creates a secure, private network connection for your Authentik instance using Tailscale. ## Prerequisites - Docker and Docker Compose installed on your system - A Tailscale account and auth key (get one from https://login.tailscale.com/admin/authkeys) - Basic understanding of Docker and networking concepts ## Project Structure ``` ts-authentik/ ├── docker-compose.yml ├── tailscale/ │ ├── tailscale-data/ # Persistent Tailscale state │ └── config/ # Tailscale configuration files ├── authentik/ │ ├── media/ # Authentik Files │ └── templates/ # Authentik Files ├── postgres/ │ └── data/ # Postgres data ├── redis/ │ └── data/ # Redis persistent state └── authentik-worker/ └── certs/ # Authetik Worker files ``` ## Setup Instructions 1. **Clone the Repository** ```bash git clone https://gitea.damconsulting.llc/DAM/ts-authentik cd ts-authentik ``` 2. Create Required Directories ```bash mkdir -p tailscale/tailscale-data authentik/media authentik/templates postgres/data redis/data authentik-worker/certs ``` 3. Configure Tailscale - Replace `{{YOUR_TAILSCALE_AUTHKEY}}` in the docker-compose.yml with your actual Tailscale auth key - Optionally, update the file in `tailscale/config/serve.json` if you need specific Tailscale serve configurations - CAUTION: Changing `"${TS_CERT_DOMAIN}:443": false` to `true` will expose the service to the internet 4. Configure Authentik - See [docs](https://docs.goauthentik.io/docs/) for configuration options 5. Start the Services ```bash docker compose up -d ``` 6. Wait for Certificate to propagate [~2m] 7. Login - After starting the services your service should be available via tailnet at https://authentik.{{YOUR_TAILNET_DOMAIN}}.ts.net ie https://authentik.tail12345.ts.net/ ## Services ### authentik-ts (Tailscale) - Runs Tailscale VPN client - Image: tailscale/tailscale:latest - Container name: authentik-ts - Hostname: authentik - Requires NET_ADMIN and SYS_MODULE capabilities - Persists state in ./tailscale/tailscale-data - Uses configuration from ./tailscale/config ### authentik - Depends on authentik-ts service ### authentik-worker - Depends on authentik-ts service ### authentik-redis - Depends on authentik-ts service ### authentik-postgres - Depends on authentik-ts service ## Usage - After starting the services your service should be available via tailnet at `https://authentik.{{YOUR_TAILNET_DOMAIN}}.ts.net` ie `https://authentik.tail12345.ts.net/` - To manually get the Tailscale IP/hostname of your container: ```bash docker logs authentik-ts ``` Look for the Tailscale IP address in the logs. ## Optional Features - Uncomment and adjust the ports mapping if you need direct access (without Tailscale): ```yaml ports: - 9000:9000 ``` - Stopping the Services ```bash docker compose down ``` ## Troubleshooting - Check container logs: ```bash docker logs authentik-ts docker logs authentik ``` - Ensure your Tailscale auth key is valid and not expired - Verify the configuration files have proper permissions - Make sure required directories exist before starting ## Notes - The Authentik service uses the Tailscale service's network stack via `network_mode: service:authentik-ts` - Direct port mapping is disabled by default as Tailscale handles the networking - Services restart automatically unless explicitly stopped - For more information: - Tailscale documentation: https://tailscale.com/kb/ - Authentik documentation: https://docs.goauthentik.io/docs/ - Authentik repository: https://github.com/goauthentik/authentik