Authentik with Tailscale Integration

This project sets up a Authentik instance with Tailscale VPN integration using Docker Compose. It creates a secure, private network connection for your Authentik instance using Tailscale.

Prerequisites

• Docker and Docker Compose installed on your system
• A Tailscale account and auth key (get one from https://login.tailscale.com/admin/authkeys)
• Basic understanding of Docker and networking concepts

Project Structure

ts-authentik/
├── docker-compose.yml
├── tailscale/
│   ├── tailscale-data/     # Persistent Tailscale state
│   └── config/             # Tailscale configuration files
├── authentik/
│   ├── media/              # Authentik Files
│   └── templates/          # Authentik Files
├── postgres/
│   └── data/               # Postgres data
├── redis/
│   └── data/               # Redis persistent state
└── authentik-worker/
    └── certs/              # Authetik Worker files

Setup Instructions

1. Clone the Repository

   git clone https://gitea.damconsulting.llc/DAM/ts-authentik
   cd ts-authentik
   

2. Create Required Directories

   mkdir -p tailscale/tailscale-data authentik/media authentik/templates postgres/data redis/data authentik-worker/certs
   

3. Configure Tailscale

   • Replace {{YOUR_TAILSCALE_AUTHKEY}} in the docker-compose.yml with your actual Tailscale auth key
   • Optionally, update the file in tailscale/config/serve.json if you need specific Tailscale serve configurations
     • CAUTION: Changing "${TS_CERT_DOMAIN}:443": false to true will expose the service to the internet

4. Configure Authentik

   • See docs for configuration options

5. Start the Services

   docker compose up -d
   

6. Wait for Certificate to propagate [~2m]

7. Login

   • After starting the services your service should be available via tailnet at https://authentik.{{YOUR_TAILNET_DOMAIN}}.ts.net ie https://authentik.tail12345.ts.net/

Services

authentik-ts (Tailscale)

• Runs Tailscale VPN client
• Image: tailscale/tailscale:latest
• Container name: authentik-ts
• Hostname: authentik
• Requires NET_ADMIN and SYS_MODULE capabilities
• Persists state in ./tailscale/tailscale-data
• Uses configuration from ./tailscale/config

authentik

• Depends on authentik-ts service

authentik-worker

• Depends on authentik-ts service

authentik-redis

• Depends on authentik-ts service

authentik-postgres

• Depends on authentik-ts service

Usage

• After starting the services your service should be available via tailnet at https://authentik.{{YOUR_TAILNET_DOMAIN}}.ts.net ie https://authentik.tail12345.ts.net/
• To manually get the Tailscale IP/hostname of your container:

  docker logs authentik-ts
  

  Look for the Tailscale IP address in the logs.

Optional Features

• Uncomment and adjust the ports mapping if you need direct access (without Tailscale):

  ports:
  - 9000:9000
  

• Stopping the Services

  docker compose down
  

Troubleshooting

• Check container logs:

  docker logs authentik-ts
  docker logs authentik
  

• Ensure your Tailscale auth key is valid and not expired
• Verify the configuration files have proper permissions
• Make sure required directories exist before starting

Notes

• The Authentik service uses the Tailscale service's network stack via network_mode: service:authentik-ts
• Direct port mapping is disabled by default as Tailscale handles the networking
• Services restart automatically unless explicitly stopped
• For more information:
  • Tailscale documentation: https://tailscale.com/kb/
  • Authentik documentation: https://docs.goauthentik.io/docs/
  • Authentik repository: https://github.com/goauthentik/authentik