Added docker compose and configs

docker/Makefile

@@ -0,0 +1,7 @@
+
+
+up:
+	docker compose -f docker-compose.yaml up
+down:
+	docker compose -f docker-compose.yaml down --volumes
+#	docker rm /hydra /hydra-migrate /kratos /kratos-migrate /postgres

docker/configs/config.yml

@@ -0,0 +1,16 @@
+networks:
+- name: hardware_management
+  subnet: 10.10.10.10/24
+- name: system_management
+  subnet: 10.10.10.10/24
+- name: high_speed
+  subnet: 192.168.1.128/24
+databases:
+- name: hydradb
+  users:
+  - name: hydra-user
+    password: hydra
+- name: kratosdb
+  users:
+  - name: kratos-user
+    password: kratos

docker/configs/hydra/hydra.yml

@@ -0,0 +1,22 @@
+serve:
+  cookies:
+    same_site_mode: Lax
+
+urls:
+  self:
+    issuer: http://127.0.0.1:4444
+  consent: http://127.0.0.1:3000/consent
+  login: http://127.0.0.1:3000/login
+  logout: http://127.0.0.1:3000/logout
+
+secrets:
+  system:
+    - youReallyNeedToChangeThis
+
+oidc:
+  subject_identifiers:
+    supported_types:
+      - pairwise
+      - public
+    pairwise:
+      salt: youReallyNeedToChangeThis

docker/configs/kratos/kratos.yml

@@ -0,0 +1,115 @@
+version: v0.13.0
+
+dsn: memory
+
+serve:
+  public:
+    base_url: http://127.0.0.1:4433/
+    cors:
+      enabled: true
+  admin:
+    base_url: http://kratos:4434/
+
+selfservice:
+  default_browser_return_url: http://127.0.0.1:4455/
+  allowed_return_urls:
+    - http://127.0.0.1:4455
+    - http://localhost:19006/Callback
+    - exp://localhost:8081/--/Callback
+
+  methods:
+    oidc:
+      enabled: true
+      config:
+        base_redirect_uri: http://127.0.0.1:4433
+        providers:
+          - id: forgejo
+            provider: forgejo
+            client_id: 7527e7b4-c96a-4df0-8fc5-00fde18bb65d
+            client_secret: gto_cc5uvpb5lsdczkwnbarvwmbpv5kcjwg7nhbc75zt65yrfh2ldenq
+            issuer_url: http://git.towk.local
+            mapper_url: "base64://bG9jYWwgY2xhaW1zID0gewogIGVtYWlsX3ZlcmlmaWVkOiBmYWxzZQp9ICsgc3RkLmV4dFZhcignY2xhaW1zJyk7Cgp7CiAgaWRlbnRpdHk6IHsKICAgIHRyYWl0czogewogICAgICAvLyBBbGxvd2luZyB1bnZlcmlmaWVkIGVtYWlsIGFkZHJlc3NlcyBlbmFibGVzIGFjY291bnQKICAgICAgLy8gZW51bWVyYXRpb24gYXR0YWNrcywgZXNwZWNpYWxseSBpZiB0aGUgdmFsdWUgaXMgdXNlZCBmb3IKICAgICAgLy8gZS5nLiB2ZXJpZmljYXRpb24gb3IgYXMgYSBwYXNzd29yZCBsb2dpbiBpZGVudGlmaWVyLgogICAgICAvLwogICAgICAvLyBUaGVyZWZvcmUgd2Ugb25seSByZXR1cm4gdGhlIGVtYWlsIGlmIGl0IChhKSBleGlzdHMgYW5kIChiKSBpcyBtYXJrZWQgdmVyaWZpZWQKICAgICAgLy8gYnkgR2l0TGFiLgogICAgICBbaWYgImVtYWlsIiBpbiBjbGFpbXMgJiYgY2xhaW1zLmVtYWlsX3ZlcmlmaWVkIHRoZW4gImVtYWlsIiBlbHNlIG51bGxdOiBjbGFpbXMuZW1haWwsCiAgICB9LAogIH0sCn0K"
+            scope:
+              - read_user
+              - openid
+              - profile
+              - email 
+    password:
+      enabled: true
+    totp:
+      config:
+        issuer: Kratos
+      enabled: true
+    lookup_secret:
+      enabled: true
+    link:
+      enabled: true
+    code:
+      enabled: true
+
+  flows:
+    error:
+      ui_url: http://127.0.0.1:4455/error
+
+    settings:
+      ui_url: http://127.0.0.1:4455/settings
+      privileged_session_max_age: 15m
+      required_aal: highest_available
+
+    recovery:
+      enabled: true
+      ui_url: http://127.0.0.1:4455/recovery
+      use: code
+
+    verification:
+      enabled: true
+      ui_url: http://127.0.0.1:4455/verification
+      use: code
+      after:
+        default_browser_return_url: http://127.0.0.1:4455/
+
+    logout:
+      after:
+        default_browser_return_url: http://127.0.0.1:4455/login
+
+    login:
+      ui_url: http://127.0.0.1:4455/login
+      lifespan: 10m
+
+    registration:
+      lifespan: 10m
+      ui_url: http://127.0.0.1:4455/registration
+      after:
+        password:
+          hooks:
+            - hook: session
+            - hook: show_verification_ui
+
+log:
+  level: debug
+  format: text
+  leak_sensitive_values: true
+
+secrets:
+  cookie:
+    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+  cipher:
+    - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+ciphers:
+  algorithm: xchacha20-poly1305
+
+hashers:
+  algorithm: bcrypt
+  bcrypt:
+    cost: 8
+
+identity:
+  default_schema_id: default
+  schemas:
+    - id: default
+      url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+  smtp:
+    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true

docker/docker-compose.yaml

@@ -0,0 +1,146 @@
+version: "3.7"
+
+networks:
+  internal:
+  external:
+    external: true
+
+volumes:
+  postgres-data:
+
+services:
+  postgres: # Postgres
+    image: postgres:11.5-alpine
+    container_name: postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_MULTIPLE_DATABASES: hydradb:hydra-user:hydra,kratosdb:kratos-user:kratos
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+      - ./pg-init:/docker-entrypoint-initdb.d
+    networks:
+      - internal
+    ports:
+      - 5432:5432
+    healthcheck:
+      test: ["CMD", "pg_isready", "-d", "postgres", "-U", "postgres"]
+      interval: 10s
+      timeout: 10s
+      retries: 5
+  hydra:
+    image: oryd/hydra:v2.2.0-rc.3
+    ports:
+      - "4444:4444" # Public port
+      - "4445:4445" # Admin port
+      - "5555:5555" # Port for hydra token user
+    command: serve -c /etc/config/hydra/hydra.yml all --dev
+    volumes:
+      - type: bind
+        source: ./configs/hydra
+        target: /etc/config/hydra
+    environment:
+      - DSN=postgres://hydra-user:hydra@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4
+    restart: unless-stopped
+    depends_on:
+      hydra-migrate:
+        condition: service_completed_successfully
+    networks:
+      - internal
+  hydra-migrate:
+    image: oryd/hydra:v2.2.0-rc.3
+    environment:
+      - DSN=postgres://hydra-user:hydra@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4
+    command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
+    volumes:
+      - type: bind
+        source: ./configs/hydra
+        target: /etc/config/hydra
+    restart: on-failure
+    networks:
+      - internal
+    depends_on:
+      postgres:
+        condition: service_healthy
+  consent:
+    environment:
+      - HYDRA_ADMIN_URL=http://hydra:4445
+      - KRATOS_ADMIN_URL=http://kratos:4434
+      - LISTEN_ADDRESS=:3001
+    image: oryd/hydra-login-consent-node:v2.2.0-rc.3
+    ports:
+      - "3001:3001"
+    restart: unless-stopped
+    networks:
+      - internal
+  kratos:
+    image: oryd/kratos:latest
+    container_name: kratos
+    hostname: kratos
+    ports:
+      - "4433:4433" # public
+      - "4434:4434" # admin
+    command: serve -c /etc/config/kratos/kratos.yml all --dev --watch-courier
+    volumes:
+      - type: bind
+        source: ./configs/kratos
+        target: /etc/config/kratos
+    environment:
+      - DSN=postgres://kratos-user:kratos@postgres:5432/kratosdb?sslmode=disable&max_conns=20&max_idle_conns=4
+      - USER_ID=1000
+      - GROUP_ID=1000
+      - LOG_LEVEL=trace
+    restart: unless-stopped
+    depends_on:
+      kratos-migrate:
+        condition:
+          service_completed_successfully
+      postgres:
+        condition:
+          service_healthy
+    networks:
+      - internal
+  kratos-migrate:
+    image: oryd/kratos:latest
+    container_name: kratos-migrate
+    environment:
+      - DSN=postgres://kratos-user:kratos@postgres:5432/kratosdb?sslmode=disable&max_conns=20&max_idle_conns=4
+      - USER_ID=1000
+      - GROUP_ID=1000
+    user: "${USER_ID}:${GROUP_ID}"
+    volumes:
+      - type: bind
+        source: ./configs/kratos
+        target: /etc/config/kratos
+    command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
+    restart: on-failure
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      - internal
+  kratos-selfservice-ui-node:
+    image: oryd/kratos-selfservice-ui-node:latest
+    environment:
+      - PORT=4455
+      - SECURITY_MODE=
+      - HYDRA_ADMIN_URL=http://127.0.0.1:4445/
+      - KRATOS_PUBLIC_URL=http://kratos:4433/
+      - KRATOS_BROWSER_URL=http://127.0.0.1:4433/
+      - COOKE_SECRET=1234567890
+      - CSRF_COOKIE_NAME=_OPENCHAMI-CSRF
+      - CSRF_COOKIE_SECRET=OCHAMI1234
+      - COOKIE_SECRET=testTESTtestTESTtestTEST
+    networks:
+      - internal
+    restart: on-failure
+    ports:
+      - "4455:4455"
+  mailslurper:
+    image: oryd/mailslurper:latest-smtps
+    ports:
+      - '4436:4436'
+      - '4437:4437'
+    networks:
+      - internal

docker/oidc.jsonnet

@@ -0,0 +1,21 @@
+local claims = {
+  email_verified: false
+} + std.extVar('claims');
+
+{
+  identity: {
+    traits: {
+      // Allowing unverified email addresses enables account
+      // enumeration attacks, especially if the value is used for
+      // e.g. verification or as a password login identifier.
+      //
+      // Therefore we only return the email if it (a) exists and (b) is marked verified
+      // by GitLab.
+      [if "email" in claims && claims.email_verified then "email" else null]: claims.email,
+    },
+    verified_addresses: std.prune([
+      // Carry over verified status from Social Sign-In provider.
+      if 'email' in claims && claims.email_verified then { via: 'email', value: claims.email },
+    ]),
+  },
+}

docker/pg-init/multi-pgsql-db.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Adapted from:
+# https://github.com/mrts/docker-postgresql-multiple-databases/blob/master/create-multiple-postgresql-databases.sh
+
+set -e
+set -u
+
+function create_user_and_database() {
+        local database=$1
+        local username=$2
+        local password=$3
+        echo "  Creating user '$username' and database '$database'"
+        psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+            CREATE USER "$username" WITH PASSWORD '$password';
+            CREATE DATABASE "$database";
+            GRANT ALL PRIVILEGES ON DATABASE "$database" TO "$username";
+EOSQL
+}
+
+if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
+        echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
+        for dbstr in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
+                dbname=$(echo $dbstr | cut -d: -f1)
+                username=$(echo $dbstr | cut -d: -f2)
+                password=$(echo $dbstr | cut -d: -f3)
+                echo "Creating: db=$dbname user=$username"
+                create_user_and_database $dbname $username $password
+        done
+        echo "Multiple databases created"
+fi