CREATE DATABASE kestra;
CREATE USER kestra WITH PASSWORD 'your-secure-password';
GRANT ALL PRIVILEGES ON DATABASE kestra TO kestra;
ALTER DATABASE kestra OWNER TO kestra;

Host Configuration

Download configuration files to /opt/kestra (first time only):

sudo mkdir -p /opt/kestra/{tailscale,config}
sudo curl -o /opt/kestra/tailscale/serve-config.json https://gitea.arnodo.fr/Damien/kestra-deployment/raw/branch/main/serve-config.json
sudo curl -o /opt/kestra/config/application.yaml https://gitea.arnodo.fr/Damien/kestra-deployment/raw/branch/main/application.yaml

Deployment

Create a new stack in Portainer
Select "Repository" and point to this repository
Portainer will load stack.env automatically
Override sensitive values (CHANGE_ME) in the environment variables section:
- TS_AUTHKEY - Tailscale auth key (reusable recommended)
- DB_PASSWORD - PostgreSQL password
- KESTRA_ADMIN_PASSWORD - Kestra admin password
Deploy

Features

Tailscale Sidecar: HTTPS access via Tailscale with automatic certificate management
Route Acceptance: --accept-routes enabled to reach other services on the tailnet
PostgreSQL Backend: External PostgreSQL for persistent storage and queue
Docker-in-Docker: Socket mounted for running containerized tasks

Access

Once deployed: https://kestra.taila5ad8.ts.net

Directory Structure

/opt/kestra/
├── tailscale/
│   └── serve-config.json     # Tailscale HTTPS configuration
└── config/
    └── application.yaml      # Kestra configuration

Environment Variables

Variable	Description	Required
`TS_AUTHKEY`	Tailscale authentication key	Yes
`DB_HOST`	PostgreSQL host	Yes
`DB_PORT`	PostgreSQL port	Yes
`DB_NAME`	Database name	Yes
`DB_USER`	Database user	Yes
`DB_PASSWORD`	Database password	Yes
`KESTRA_ADMIN_USER`	Admin username	No (default: admin)
`KESTRA_ADMIN_PASSWORD`	Admin password	Yes