VM 1 - Authentik (SSO)¶

Specifications: 2 vCPU, 4 GB RAM, 40 GB Storage

Authentik provides Single Sign-On (SSO) via OAuth2/OpenID Connect and manages user identity and role groups for the Orcastra platform.

Step 1: Install Docker¶

Follow the common Docker installation steps.

Step 2: Deploy Authentik¶

Download Compose File¶

wget https://docs.goauthentik.io/compose.yml

Tip

If wget fails with "Network is unreachable", retry until the download completes.

Generate Secrets¶

echo "PG_PASS=$(openssl rand -base64 36 | tr -d '\n')" >> .env
echo "AUTHENTIK_SECRET_KEY=$(openssl rand -base64 60 | tr -d '\n')" >> .env
echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env

Start Authentik¶

docker compose pull
docker compose up -d

Pull Errors

If you see Error failed to resolve reference "ghcr.io/goauthentik/server:...", retry the pull command.

Step 3: Create Admin Account¶

Open your browser: http://<VM1_IP>:9000/if/flow/initial-setup/

Trailing Slash Required

The URL must end with / or you will get a "Not Found" error.
Fill in the initial setup form:
- Email: admin@orcastra.io (or your preferred email)
- Password: Set a strong password
Click Continue

Save This Password

This is your akadmin password. Store it securely - you will need it for all admin operations.

Step 4: Configure OAuth2 Provider¶

4a. Create the Provider¶

Open Authentik admin: http://<VM1_IP>:9000/if/admin/
Login with akadmin and the password from Step 3
Navigate to Applications → Providers in the left sidebar
Click Create → select OAuth2/OpenID Provider → Next

Configure the provider:

Field	Value
Name	`Orcastra Dashboard Provider`
Authorization flow	`default-provider-authorization-implicit-consent`
Client type	`Confidential`
Client ID	(auto-generated - copy and save)
Client Secret	(auto-generated - copy and save)

Set Redirect URIs/Origins (one per line):
```
http://<VM4_IP>:4321/api/auth/callback/authentik
https://app.orcastra.io/api/auth/callback/authentik
```
Info

The first line is for direct IP access. The second is for custom domain access (see Domain Setup).
Under Advanced protocol settings:
- Scopes: ensure openid, profile, email, offline_access are selected
- Subject mode: Based on the User's hashed ID
- Include claims in id_token: Enabled (required for groups to appear in token)
Click Finish

Save These Values

Client ID → used as AUTHENTIK_CLIENT_ID on VM 4
Client Secret → used as AUTHENTIK_CLIENT_SECRET on VM 4

4b. Create the Application¶

Navigate to Applications → Applications
Click Create
Configure:

Field Value

Name Orcastra Dashboard

Slug orcastra-dashboard

Provider Orcastra Dashboard Provider

Launch URL http://<VM4_IP>:4321
Click Create

Step 5: Create Role Groups¶

Orcastra uses Authentik groups for role-based access control (RBAC). Create three groups:

Navigate to Directory → Groups

Click Create and create each group:

Group Name	Dashboard Role	Access Level
`role_admin`	Admin	Full system-wide access (all clusters, users, settings)
`role_partner`	Partner	Cluster owner - manages own clusters, organizations, tenants
`role_tenant`	Tenant	End user - access to assigned projects only

Assign akadmin to the role_admin group:
- Click role_admin → Users tab → Add existing user
- Select akadmin → Add

User Assignment Rules

Each user should belong to exactly one role group
If a user is in multiple role groups, the highest-privilege role takes effect

Step 6: Create API Token¶

The API token enables the Dashboard backend to sync user groups from Authentik.

Navigate to Directory → Tokens and App passwords
Click Create
Configure:

Field Value

Identifier orcastra-dashboard-api

User akadmin

Intent API Token

Expiring Set an appropriate expiration (or leave unchecked for non-expiring)
Click Create, then click the copy icon to copy the token key

Save This Token

This is your AUTHENTIK_API_TOKEN - required in the .env file on VM 4.

Can't copy the token? (ClipboardItem error)

If you see "ClipboardItem is not defined":

Open chrome://flags/#unsafely-treat-insecure-origin-as-secure in your browser (replace chrome:// with edge:// or brave:// as appropriate)
Change the setting from Disabled to Enabled
Add http://<VM1_IP>:9000 to the text field
Restart the browser and retry

Step 7: Note the Issuer URL¶

Your Authentik issuer URL is:

http://<VM1_IP>:9000/application/o/orcastra-dashboard/

Trailing Slash Required

The Issuer URL must end with a trailing /.

This is used as AUTHENTIK_ISSUER in the Dashboard .env file on VM 4.

Output Summary¶

After completing VM 1 setup, you should have the following values saved:

Value	Environment Variable (VM 4)	Example
Authentik admin password	-	(your chosen password)
Client ID	`AUTHENTIK_CLIENT_ID`	`abc123...`
Client Secret	`AUTHENTIK_CLIENT_SECRET`	`def456...`
API Token	`AUTHENTIK_API_TOKEN`	`ghi789...`
Issuer URL	`AUTHENTIK_ISSUER`	`http://<VM1_IP>:9000/application/o/orcastra-dashboard/`

Port Forwarding Reference¶

If using LXD port forwarding to access services from outside the LXD network:

Navigate to Networking → Networks → select your network (e.g., lxdbr0)
Click Forwards → Create Forward
Set Listen Address to the LXD host's public/reachable IP
Add ports:

Listen Port Target IP Target Port

9000 <VM1_PRIVATE_IP> 9000
Click Create

Note

Port forwarding rules for all four VMs are listed in the Networking guide.

Next: VM 2 - Vault (Secrets)

Found an issue or have a suggestion? Open an issue on GitHub →

Field	Value
Name	`Orcastra Dashboard`
Slug	`orcastra-dashboard`
Provider	`Orcastra Dashboard Provider`
Launch URL	`http://<VM4_IP>:4321`

Field	Value
Identifier	`orcastra-dashboard-api`
User	`akadmin`
Intent	`API Token`
Expiring	Set an appropriate expiration (or leave unchecked for non-expiring)