diff --git a/docker/Makefile b/docker/Makefile
new file mode 100644
index 0000000..a6a2282
--- /dev/null
+++ b/docker/Makefile
@@ -0,0 +1,7 @@
+
+
+up:
+ docker compose -f docker-compose.yaml up
+down:
+ docker compose -f docker-compose.yaml down --volumes
+# docker rm /hydra /hydra-migrate /kratos /kratos-migrate /postgres
diff --git a/docker/configs/config.yml b/docker/configs/config.yml
new file mode 100644
index 0000000..9ae7182
--- /dev/null
+++ b/docker/configs/config.yml
@@ -0,0 +1,16 @@
+networks:
+- name: hardware_management
+ subnet: 10.10.10.10/24
+- name: system_management
+ subnet: 10.10.10.10/24
+- name: high_speed
+ subnet: 192.168.1.128/24
+databases:
+- name: hydradb
+ users:
+ - name: hydra-user
+ password: hydra
+- name: kratosdb
+ users:
+ - name: kratos-user
+ password: kratos
\ No newline at end of file
diff --git a/docker/configs/hydra/hydra.yml b/docker/configs/hydra/hydra.yml
new file mode 100644
index 0000000..3f9d1da
--- /dev/null
+++ b/docker/configs/hydra/hydra.yml
@@ -0,0 +1,22 @@
+serve:
+ cookies:
+ same_site_mode: Lax
+
+urls:
+ self:
+ issuer: http://127.0.0.1:4444
+ consent: http://127.0.0.1:3000/consent
+ login: http://127.0.0.1:3000/login
+ logout: http://127.0.0.1:3000/logout
+
+secrets:
+ system:
+ - youReallyNeedToChangeThis
+
+oidc:
+ subject_identifiers:
+ supported_types:
+ - pairwise
+ - public
+ pairwise:
+ salt: youReallyNeedToChangeThis
\ No newline at end of file
diff --git a/docker/configs/kratos/kratos.yml b/docker/configs/kratos/kratos.yml
new file mode 100644
index 0000000..1d1de1e
--- /dev/null
+++ b/docker/configs/kratos/kratos.yml
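Review bot: The `down` target runs `docker compose -f docker-compose.yaml down --volumes`, so the routine stop of the stack also deletes the `postgres-data` volume that docker-compose.yaml declares, wiping both the Hydra and Kratos databases. Keep `down` non-destructive and move the volume removal to its own target, e.g. `clean:` with `docker compose -f docker-compose.yaml down --volumes`, and replace the trailing commented-out `docker rm` line with a comment saying which target removes data. The collapsed diff does not show whether the recipe lines are tab-indented, which make requires; worth checking before merge.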
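Review bot: `hardware_management` and `system_management` are both given `subnet: 10.10.10.10/24`, and that value has host bits set (the network address of a /24 ends in `.0`), so two networks share one prefix and cannot be told apart by anything that reads this file. Nothing else in this commit references config.yml, so it may be an unused draft, but the users and passwords it lists duplicate the `POSTGRES_MULTIPLE_DATABASES` line in docker-compose.yaml and the two copies will drift. If the file stays, give each network a distinct prefix, e.g. `subnet: 10.10.10.0/24` and `subnet: 10.10.11.0/24`, and keep the credentials in one place only.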
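Review bot: `secrets.system` and `oidc.subject_identifiers.pairwise.salt` are set to the same placeholder string; the system secret is used for encryption of stored data and the pairwise salt derives per-client subject identifiers, and the two are meant to be independent random values. Both are committed under docker/configs and bind-mounted into the `hydra` container in docker-compose.yaml, so anyone with the repository holds them. Hydra reads `SECRETS_SYSTEM` from the environment, so drop the key from this file and pass it from the compose `environment` block the way `DSN` already is, and generate a separate random salt. A header comment such as `# Local development config; SECRETS_SYSTEM and the pairwise salt must be overridden per deployment.` would make the intent explicit.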
@@ -0,0 +1,115 @@
+version: v0.13.0
+
+dsn: memory
+
+serve:
+ public:
+ base_url: http://127.0.0.1:4433/
+ cors:
+ enabled: true
+ admin:
+ base_url: http://kratos:4434/
+
+selfservice:
+ default_browser_return_url: http://127.0.0.1:4455/
+ allowed_return_urls:
+ - http://127.0.0.1:4455
+ - http://localhost:19006/Callback
+ - exp://localhost:8081/--/Callback
+
+ methods:
+ oidc:
+ enabled: true
+ config:
+ base_redirect_uri: http://127.0.0.1:4433
+ providers:
+ - id: forgejo
+ provider: forgejo
+ client_id: 7527e7b4-c96a-4df0-8fc5-00fde18bb65d
+ client_secret: gto_cc5uvpb5lsdczkwnbarvwmbpv5kcjwg7nhbc75zt65yrfh2ldenq
+ issuer_url: http://git.towk.local
+ mapper_url: "base64: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"
+ scope:
+ - read_user
+ - openid
+ - profile
+ - email
+ password:
+ enabled: true
+ totp:
+ config:
+ issuer: Kratos
+ enabled: true
+ lookup_secret:
+ enabled: true
+ link:
+ enabled: true
+ code:
+ enabled: true
+
+ flows:
+ error:
+ ui_url: http://127.0.0.1:4455/error
+
+ settings:
+ ui_url: http://127.0.0.1:4455/settings
+ privileged_session_max_age: 15m
+ required_aal: highest_available
+
+ recovery:
+ enabled: true
+ ui_url: http://127.0.0.1:4455/recovery
+ use: code
+
+ verification:
+ enabled: true
+ ui_url: http://127.0.0.1:4455/verification
+ use: code
+ after:
+ default_browser_return_url: http://127.0.0.1:4455/
+
+ logout:
+ after:
+ default_browser_return_url: http://127.0.0.1:4455/login
+
+ login:
+ ui_url: http://127.0.0.1:4455/login
+ lifespan: 10m
+
+ registration:
+ lifespan: 10m
+ ui_url: http://127.0.0.1:4455/registration
+ after:
+ password:
+ hooks:
+ - hook: session
+ - hook: show_verification_ui
+
+log:
+ level: debug
+ format: text
+ leak_sensitive_values: true
+
+secrets:
+ cookie:
+ - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+ cipher:
+ - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+ciphers:
+ algorithm: xchacha20-poly1305
+
+hashers:
+ algorithm: bcrypt
+ bcrypt:
+ cost: 8
+
+identity:
+ default_schema_id: default
+ schemas:
+ - id: default
+ url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+ smtp:
+ connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
new file mode 100644
index 0000000..b40f688
--- /dev/null
+++ b/docker/docker-compose.yaml
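Review bot: `selfservice.methods.oidc.config.providers[0].client_secret` commits what looks like a live Forgejo OAuth client secret, together with its `client_id` and the internal `issuer_url`, into the repository; this hunk starts at the `@@ -0,0 +1,115 @@` header on the previous line. The value should be treated as exposed: revoke it in the Forgejo application settings and inject the replacement through an environment variable or a mounted secret, leaving a placeholder such as `client_secret: <set-via-env>` in the file. The same file sets `log.leak_sensitive_values: true` and `dsn: memory`; the compose file passes a Postgres `DSN`, which Kratos should let override the file value, but the in-file `memory` entry is misleading and `leak_sensitive_values` should be `false` outside throwaway setups. `allowed_return_urls` still carries the `exp://localhost:8081/--/Callback` and `http://localhost:19006/Callback` entries from the Ory quickstart, which should go unless a mobile client actually exists.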
@@ -0,0 +1,146 @@
+version: "3.7"
+
+networks:
+ internal:
+ external:
+ external: true
+
+volumes:
+ postgres-data:
+
+services:
+ postgres: # Postgres
+ image: postgres:11.5-alpine
+ container_name: postgres
+ restart: unless-stopped
+ environment:
+ POSTGRES_USER: postgres
+ POSTGRES_PASSWORD: postgres
+ POSTGRES_MULTIPLE_DATABASES: hydradb:hydra-user:hydra,kratosdb:kratos-user:kratos
+ volumes:
+ - postgres-data:/var/lib/postgresql/data
+ - ./pg-init:/docker-entrypoint-initdb.d
+ networks:
+ - internal
+ ports:
+ - 5432:5432
+ healthcheck:
+ test: ["CMD", "pg_isready", "-d", "postgres", "-U", "postgres"]
+ interval: 10s
+ timeout: 10s
+ retries: 5
+ hydra:
+ image: oryd/hydra:v2.2.0-rc.3
+ ports:
+ - "4444:4444" # Public port
+ - "4445:4445" # Admin port
+ - "5555:5555" # Port for hydra token user
+ command: serve -c /etc/config/hydra/hydra.yml all --dev
+ volumes:
+ - type: bind
+ source: ./configs/hydra
+ target: /etc/config/hydra
+ environment:
+ - DSN=postgres://hydra-user:hydra@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4
+ restart: unless-stopped
+ depends_on:
+ hydra-migrate:
+ condition: service_completed_successfully
+ networks:
+ - internal
+ hydra-migrate:
+ image: oryd/hydra:v2.2.0-rc.3
+ environment:
+ - DSN=postgres://hydra-user:hydra@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4
+ command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
+ volumes:
+ - type: bind
+ source: ./configs/hydra
+ target: /etc/config/hydra
+ restart: on-failure
+ networks:
+ - internal
+ depends_on:
+ postgres:
+ condition: service_healthy
+ consent:
+ environment:
+ - HYDRA_ADMIN_URL=http://hydra:4445
+ - KRATOS_ADMIN_URL=http://kratos:4434
+ - LISTEN_ADDRESS=:3001
+ image: oryd/hydra-login-consent-node:v2.2.0-rc.3
+ ports:
+ - "3001:3001"
+ restart: unless-stopped
+ networks:
+ - internal
+ kratos:
+ image: oryd/kratos:latest
+ container_name: kratos
+ hostname: kratos
+ ports:
+ - "4433:4433" # public
+ - "4434:4434" # admin
+ command: serve -c /etc/config/kratos/kratos.yml all --dev --watch-courier
+ volumes:
+ - type: bind
+ source: ./configs/kratos
+ target: /etc/config/kratos
+ environment:
+ - DSN=postgres://kratos-user:kratos@postgres:5432/kratosdb?sslmode=disable&max_conns=20&max_idle_conns=4
+ - USER_ID=1000
+ - GROUP_ID=1000
+ - LOG_LEVEL=trace
+ restart: unless-stopped
+ depends_on:
+ kratos-migrate:
+ condition:
+ service_completed_successfully
+ postgres:
+ condition:
+ service_healthy
+ networks:
+ - internal
+ kratos-migrate:
+ image: oryd/kratos:latest
+ container_name: kratos-migrate
+ environment:
+ - DSN=postgres://kratos-user:kratos@postgres:5432/kratosdb?sslmode=disable&max_conns=20&max_idle_conns=4
+ - USER_ID=1000
+ - GROUP_ID=1000
+ user: "${USER_ID}:${GROUP_ID}"
+ volumes:
+ - type: bind
+ source: ./configs/kratos
+ target: /etc/config/kratos
+ command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
+ restart: on-failure
+ depends_on:
+ postgres:
+ condition: service_healthy
+ networks:
+ - internal
+ kratos-selfservice-ui-node:
+ image: oryd/kratos-selfservice-ui-node:latest
+ environment:
+ - PORT=4455
+ - SECURITY_MODE=
+ - HYDRA_ADMIN_URL=http://127.0.0.1:4445/
+ - KRATOS_PUBLIC_URL=http://kratos:4433/
+ - KRATOS_BROWSER_URL=http://127.0.0.1:4433/
+ - COOKE_SECRET=1234567890
+ - CSRF_COOKIE_NAME=_OPENCHAMI-CSRF
+ - CSRF_COOKIE_SECRET=OCHAMI1234
+ - COOKIE_SECRET=testTESTtestTESTtestTEST
+ networks:
+ - internal
+ restart: on-failure
+ ports:
+ - "4455:4455"
+ mailslurper:
+ image: oryd/mailslurper:latest-smtps
+ ports:
+ - '4436:4436'
+ - '4437:4437'
+ networks:
+ - internal
diff --git a/docker/oidc.jsonnet b/docker/oidc.jsonnet
new file mode 100644
index 0000000..1f2c9b8
--- /dev/null
+++ b/docker/oidc.jsonnet
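Review bot: `kratos-selfservice-ui-node` sets `HYDRA_ADMIN_URL=http://127.0.0.1:4445/`, which from inside that container is its own loopback, not the Hydra admin port; the `consent` service earlier in the hunk uses `http://hydra:4445`, and the UI should match it with `HYDRA_ADMIN_URL=http://hydra:4445/`. In `kratos-migrate`, `user: "${USER_ID}:${GROUP_ID}"` is interpolated by compose from the host shell when the file is parsed, not from the `USER_ID`/`GROUP_ID` entries in that service's `environment` list, so unless both are exported on the host it collapses to an empty uid:gid; use literal values or a `.env` file. `COOKE_SECRET=1234567890` reads as a misspelling of `COOKIE_SECRET`, which is also set three lines below, so the line is dead and should be dropped. `postgres` publishes `5432:5432` with the superuser password `postgres`; binding as `127.0.0.1:5432:5432` keeps it off the LAN, and the `--dev` flags on the `hydra` and `kratos` commands together with `LOG_LEVEL=trace` deserve a header comment marking this file as development-only.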
@@ -0,0 +1,21 @@
+local claims = {
+ email_verified: false
+} + std.extVar('claims');
+
+{
+ identity: {
+ traits: {
+ // Allowing unverified email addresses enables account
+ // enumeration attacks, especially if the value is used for
+ // e.g. verification or as a password login identifier.
+ //
+ // Therefore we only return the email if it (a) exists and (b) is marked verified
+ // by GitLab.
+ [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
+ },
+ verified_addresses: std.prune([
+ // Carry over verified status from Social Sign-In provider.
+ if 'email' in claims && claims.email_verified then { via: 'email', value: claims.email },
+ ]),
+ },
+}
\ No newline at end of file
diff --git a/docker/pg-init/multi-pgsql-db.sh b/docker/pg-init/multi-pgsql-db.sh
new file mode 100644
index 0000000..7e99037
--- /dev/null
+++ b/docker/pg-init/multi-pgsql-db.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Adapted from:
+# https://github.com/mrts/docker-postgresql-multiple-databases/blob/master/create-multiple-postgresql-databases.sh
+
+set -e
+set -u
+
+function create_user_and_database() {
+ local database=$1
+ local username=$2
+ local password=$3
+ echo " Creating user '$username' and database '$database'"
+ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+ CREATE USER "$username" WITH PASSWORD '$password';
+ CREATE DATABASE "$database";
+ GRANT ALL PRIVILEGES ON DATABASE "$database" TO "$username";
+EOSQL
+}
+
+if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
+ echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
+ for dbstr in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
+ dbname=$(echo $dbstr | cut -d: -f1)
+ username=$(echo $dbstr | cut -d: -f2)
+ password=$(echo $dbstr | cut -d: -f3)
+ echo "Creating: db=$dbname user=$username"
+ create_user_and_database $dbname $username $password
+ done
+ echo "Multiple databases created"
+fi
\ No newline at end of file
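Review bot: The comment block inside `traits` ends with `// by GitLab.`, but the only OIDC provider configured in kratos.yml is `forgejo`, so the mapper documents a different upstream than the one it is used with; change the line to `// by the upstream identity provider (Forgejo).`. The `email_verified: false` default in `claims` is the correct fail-closed choice and is worth a one-line comment saying so, because a provider that omits the claim then produces no email trait and no verified address, which is intended rather than a bug. kratos.yml references an inline `base64:` `mapper_url` rather than this file, so if oidc.jsonnet is the source that value was generated from, a header comment stating that and how to regenerate it would keep the two from drifting.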
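Review bot: `create_user_and_database` splices `$password` straight into the SQL literal `WITH PASSWORD '$password'`, so a password containing a single quote breaks the statement or changes its meaning, and the unquoted call `create_user_and_database $dbname $username $password` word-splits those values a second time. Pass the three values as psql variables and let psql quote them (`:"var"` for identifiers, `:'var'` for string literals), as sketched below. Under `set -u` the test `[ -n "$POSTGRES_MULTIPLE_DATABASES" ]` aborts the whole init script when the variable is absent; `"${POSTGRES_MULTIPLE_DATABASES:-}"` makes it a no-op instead. The `dbname=$(echo $dbstr | cut -d: -f1)` triplet can be replaced by `IFS=: read -r dbname username password <<< "$dbstr"`, which drops three subshells and the unquoted `$dbstr`.
```shell
function create_user_and_database() {
  # … unchanged: local database/username/password assignments and the echo …
  psql -v ON_ERROR_STOP=1 -v db="$database" -v usr="$username" -v pw="$password" --username "$POSTGRES_USER" <<-EOSQL
    CREATE USER :"usr" WITH PASSWORD :'pw';
    CREATE DATABASE :"db";
    GRANT ALL PRIVILEGES ON DATABASE :"db" TO :"usr";
EOSQL
}

if [ -n "${POSTGRES_MULTIPLE_DATABASES:-}" ]; then
  # … unchanged: echo and for loop over the comma-separated list …
    IFS=: read -r dbname username password <<< "$dbstr"
    echo "Creating: db=$dbname user=$username"
    create_user_and_database "$dbname" "$username" "$password"
  # … unchanged: done / closing echo / fi …
```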