Added docker compose and configs

This commit is contained in:
David Allen 2024-02-25 02:36:04 -07:00
parent 37adc0e85c
commit 4f7ad29e0d
No known key found for this signature in database
GPG key ID: 1D2A29322FBB6FCB
7 changed files with 358 additions and 0 deletions

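--- a/docker/Makefile
+++ b/docker/Makefile
@@ -0,0 +1,7 @@
+up:
+docker compose -f docker-compose.yaml up
+down:
+docker compose -f docker-compose.yaml down --volumes
+# docker rm /hydra /hydra-migrate /kratos /kratos-migrate /postgres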
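Review bot: `down --volumes` on the `down` target deletes the named `postgres-data` volume, so every `make down` wipes both databases and forces the migrate containers to rerun from scratch; if that is the intended reset, a separate target makes it explicit, e.g. `clean:` with `docker compose -f docker-compose.yaml down --volumes`, and `down` without the flag. The targets are also not declared phony, so a file named `up` or `down` appearing in `docker/` would silently turn them into no-ops; add `.PHONY: up down` at the top. The leading indentation of the recipe lines is not visible on this rendered page, so whether they are tab-indented, as make requires, cannot be confirmed here.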

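--- a/docker/configs/config.yml
+++ b/docker/configs/config.yml
@@ -0,0 +1,16 @@
+networks:
+- name: hardware_management
+subnet: 10.10.10.10/24
+- name: system_management
+subnet: 10.10.10.10/24
+- name: high_speed
+subnet: 192.168.1.128/24
+databases:
+- name: hydradb
+users:
+- name: hydra-user
+password: hydra
+- name: kratosdb
+users:
+- name: kratos-user
+password: kratos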
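Review bot: `hardware_management` and `system_management` are given the same subnet `10.10.10.10/24`, so the two networks overlap and cannot be addressed separately; the value also carries host bits (the /24 that contains it is `10.10.10.0/24`), as does `192.168.1.128/24` for `high_speed`, so a strict CIDR validator in the consuming tool would reject or silently normalise both. The `password` fields store the database credentials in clear text and match the values hard-coded in `docker-compose.yaml` in this commit; if this file is meant to be committed, reference the credential from the environment or a secret store and mark `hydra`/`kratos` as development-only defaults in a comment, e.g. `# dev-only credentials; must match POSTGRES_MULTIPLE_DATABASES in docker-compose.yaml`. Which component reads this file is not shown on the page, so the expected schema is inferred.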


@ -0,0 +1,22 @@
serve:
cookies:
same_site_mode: Lax
urls:
self:
issuer: http://127.0.0.1:4444
consent: http://127.0.0.1:3000/consent
login: http://127.0.0.1:3000/login
logout: http://127.0.0.1:3000/logout
secrets:
system:
- youReallyNeedToChangeThis
oidc:
subject_identifiers:
supported_types:
- pairwise
- public
pairwise:
salt: youReallyNeedToChangeThis
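Review bot: `secrets.system` and `oidc.subject_identifiers.pairwise.salt` both still carry the upstream placeholder `youReallyNeedToChangeThis`; the system secret protects Hydra's stored client secrets and the salt determines every pairwise `sub` it issues, so anyone with this repository can derive both, and rotating the salt later changes every pairwise identifier already handed out. Inject them from the environment instead (Hydra reads `SECRETS_SYSTEM`) and leave only a comment in the file, e.g. `# secrets.system and pairwise.salt are supplied via SECRETS_SYSTEM / OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT; never commit real values`. Every `urls` entry is a plain `http://127.0.0.1` value and `same_site_mode: Lax` is set, which is consistent with the `--dev` flag in the compose command but should be marked as such so it is not carried into a deployed config. The file path is not shown on this page; from the compose bind mount it is presumably `docker/configs/hydra/hydra.yml`.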


@ -0,0 +1,115 @@
version: v0.13.0
dsn: memory
serve:
public:
base_url: http://127.0.0.1:4433/
cors:
enabled: true
admin:
base_url: http://kratos:4434/
selfservice:
default_browser_return_url: http://127.0.0.1:4455/
allowed_return_urls:
- http://127.0.0.1:4455
- http://localhost:19006/Callback
- exp://localhost:8081/--/Callback
methods:
oidc:
enabled: true
config:
base_redirect_uri: http://127.0.0.1:4433
providers:
- id: forgejo
provider: forgejo
client_id: 7527e7b4-c96a-4df0-8fc5-00fde18bb65d
client_secret: gto_cc5uvpb5lsdczkwnbarvwmbpv5kcjwg7nhbc75zt65yrfh2ldenq
issuer_url: http://git.towk.local
mapper_url: "base64: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"
scope:
- read_user
- openid
- profile
- email
password:
enabled: true
totp:
config:
issuer: Kratos
enabled: true
lookup_secret:
enabled: true
link:
enabled: true
code:
enabled: true
flows:
error:
ui_url: http://127.0.0.1:4455/error
settings:
ui_url: http://127.0.0.1:4455/settings
privileged_session_max_age: 15m
required_aal: highest_available
recovery:
enabled: true
ui_url: http://127.0.0.1:4455/recovery
use: code
verification:
enabled: true
ui_url: http://127.0.0.1:4455/verification
use: code
after:
default_browser_return_url: http://127.0.0.1:4455/
logout:
after:
default_browser_return_url: http://127.0.0.1:4455/login
login:
ui_url: http://127.0.0.1:4455/login
lifespan: 10m
registration:
lifespan: 10m
ui_url: http://127.0.0.1:4455/registration
after:
password:
hooks:
- hook: session
- hook: show_verification_ui
log:
level: debug
format: text
leak_sensitive_values: true
secrets:
cookie:
- PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
cipher:
- 32-LONG-SECRET-NOT-SECURE-AT-ALL
ciphers:
algorithm: xchacha20-poly1305
hashers:
algorithm: bcrypt
bcrypt:
cost: 8
identity:
default_schema_id: default
schemas:
- id: default
url: file:///etc/config/kratos/identity.schema.json
courier:
smtp:
connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
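Review bot: `client_secret` under the `forgejo` provider (the `gto_…` value next to `client_id`) is a real-looking Forgejo OAuth2 client secret committed in clear text; it should be treated as exposed and regenerated on the Forgejo application, with the replacement supplied through Kratos's environment-variable config overrides rather than stored in the file, leaving a comment such as `# client_secret is injected from the environment; do not commit real values`. `log.leak_sensitive_values: true` together with `level: debug` writes session tokens, cookies and form contents to the container log, and `courier.smtp.connection_uri` sets `skip_ssl_verify=true`, so both need a `# dev-only` marker or should be dropped. `hashers.bcrypt.cost: 8` is below the usual upstream default of 12, and `secrets.cookie` / `secrets.cipher` still hold the upstream placeholder strings that name themselves insecure. `dsn: memory` is presumably overridden by the `DSN` variable the compose file passes to the container; if it is not, Kratos runs on an in-memory store and the `kratos-migrate` service migrates a database nothing uses, which is worth confirming. The file path is not shown here; from the compose bind mount it is presumably `docker/configs/kratos/kratos.yml`.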

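--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -0,0 +1,146 @@
+version: "3.7"
+networks:
+internal:
+external:
+external: true
+volumes:
+postgres-data:
+services:
+postgres: # Postgres
+image: postgres:11.5-alpine
+container_name: postgres
+restart: unless-stopped
+environment:
+POSTGRES_USER: postgres
+POSTGRES_PASSWORD: postgres
+POSTGRES_MULTIPLE_DATABASES: hydradb:hydra-user:hydra,kratosdb:kratos-user:kratos
+volumes:
+- postgres-data:/var/lib/postgresql/data
+- ./pg-init:/docker-entrypoint-initdb.d
+networks:
+- internal
+ports:
+- 5432:5432
+healthcheck:
+test: ["CMD", "pg_isready", "-d", "postgres", "-U", "postgres"]
+interval: 10s
+timeout: 10s
+retries: 5
+hydra:
+image: oryd/hydra:v2.2.0-rc.3
+ports:
+- "4444:4444" # Public port
+- "4445:4445" # Admin port
+- "5555:5555" # Port for hydra token user
+command: serve -c /etc/config/hydra/hydra.yml all --dev
+volumes:
+- type: bind
+source: ./configs/hydra
+target: /etc/config/hydra
+environment:
+- DSN=postgres://hydra-user:hydra@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4
+restart: unless-stopped
+depends_on:
+hydra-migrate:
+condition: service_completed_successfully
+networks:
+- internal
+hydra-migrate:
+image: oryd/hydra:v2.2.0-rc.3
+environment:
+- DSN=postgres://hydra-user:hydra@postgres:5432/hydradb?sslmode=disable&max_conns=20&max_idle_conns=4
+command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
+volumes:
+- type: bind
+source: ./configs/hydra
+target: /etc/config/hydra
+restart: on-failure
+networks:
+- internal
+depends_on:
+postgres:
+condition: service_healthy
+consent:
+environment:
+- HYDRA_ADMIN_URL=http://hydra:4445
+- KRATOS_ADMIN_URL=http://kratos:4434
+- LISTEN_ADDRESS=:3001
+image: oryd/hydra-login-consent-node:v2.2.0-rc.3
+ports:
+- "3001:3001"
+restart: unless-stopped
+networks:
+- internal
+kratos:
+image: oryd/kratos:latest
+container_name: kratos
+hostname: kratos
+ports:
+- "4433:4433" # public
+- "4434:4434" # admin
+command: serve -c /etc/config/kratos/kratos.yml all --dev --watch-courier
+volumes:
+- type: bind
+source: ./configs/kratos
+target: /etc/config/kratos
+environment:
+- DSN=postgres://kratos-user:kratos@postgres:5432/kratosdb?sslmode=disable&max_conns=20&max_idle_conns=4
+- USER_ID=1000
+- GROUP_ID=1000
+- LOG_LEVEL=trace
+restart: unless-stopped
+depends_on:
+kratos-migrate:
+condition:
+service_completed_successfully
+postgres:
+condition:
+service_healthy
+networks:
+- internal
+kratos-migrate:
+image: oryd/kratos:latest
+container_name: kratos-migrate
+environment:
+- DSN=postgres://kratos-user:kratos@postgres:5432/kratosdb?sslmode=disable&max_conns=20&max_idle_conns=4
+- USER_ID=1000
+- GROUP_ID=1000
+user: "${USER_ID}:${GROUP_ID}"
+volumes:
+- type: bind
+source: ./configs/kratos
+target: /etc/config/kratos
+command: -c /etc/config/kratos/kratos.yml migrate sql -e --yes
+restart: on-failure
+depends_on:
+postgres:
+condition: service_healthy
+networks:
+- internal
+kratos-selfservice-ui-node:
+image: oryd/kratos-selfservice-ui-node:latest
+environment:
+- PORT=4455
+- SECURITY_MODE=
+- HYDRA_ADMIN_URL=http://127.0.0.1:4445/
+- KRATOS_PUBLIC_URL=http://kratos:4433/
+- KRATOS_BROWSER_URL=http://127.0.0.1:4433/
+- COOKE_SECRET=1234567890
+- CSRF_COOKIE_NAME=_OPENCHAMI-CSRF
+- CSRF_COOKIE_SECRET=OCHAMI1234
+- COOKIE_SECRET=testTESTtestTESTtestTEST
+networks:
+- internal
+restart: on-failure
+ports:
+- "4455:4455"
+mailslurper:
+image: oryd/mailslurper:latest-smtps
+ports:
+- '4436:4436'
+- '4437:4437'
+networks:
+- internal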
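Review bot: `HYDRA_ADMIN_URL=http://127.0.0.1:4445/` in `kratos-selfservice-ui-node` points at that container's own loopback, where nothing listens; the `consent` service reaches the same API as `http://hydra:4445`, so this should read `- HYDRA_ADMIN_URL=http://hydra:4445/`. In the same service `COOKE_SECRET=1234567890` is a typo of `COOKIE_SECRET` (set three lines later) and is dead, and on `kratos-migrate` the `user: "${USER_ID}:${GROUP_ID}"` line is interpolated from the host shell or `.env`, not from the service's own `environment` list, so with nothing exported it most likely renders as `:` and the container fails to start. `postgres` publishes `5432:5432` on every host interface with the `postgres`/`postgres` superuser credentials although only the `internal` network needs it; drop the `ports` entry or bind it as `- "127.0.0.1:5432:5432"`. The `kratos`, `kratos-migrate`, `kratos-selfservice-ui-node` and `mailslurper` images use `:latest` while `hydra` is pinned to `v2.2.0-rc.3`, so the two halves of the stack can drift on the next pull; pin them, and note that `postgres:11.5-alpine` is past end-of-life. The unused `external` network and the hard-coded cookie and CSRF secrets are dev-only values and should carry a comment saying so.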

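--- a/docker/oidc.jsonnet
+++ b/docker/oidc.jsonnet
@@ -0,0 +1,21 @@
+local claims = {
+email_verified: false
+} + std.extVar('claims');
+{
+identity: {
+traits: {
+// Allowing unverified email addresses enables account
+// enumeration attacks, especially if the value is used for
+// e.g. verification or as a password login identifier.
+//
+// Therefore we only return the email if it (a) exists and (b) is marked verified
+// by GitLab.
+[if "email" in claims && claims.email_verified then "email" else null]: claims.email,
+},
+verified_addresses: std.prune([
+// Carry over verified status from Social Sign-In provider.
+if 'email' in claims && claims.email_verified then { via: 'email', value: claims.email },
+]),
+},
+}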
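Review bot: The comment above the `email` trait says the verified flag is set "by GitLab", but the only provider configured in this commit's Kratos config is Forgejo, so the sentence should end `// by the identity provider (here Forgejo).` to stop the next reader looking for a GitLab integration. Because `claims` defaults `email_verified` to `false` before merging `std.extVar('claims')`, a provider that never emits that claim produces an identity with no email trait and no verified address; that is the safe outcome, but it is worth a one-line comment next to the default, e.g. `// Providers that omit email_verified fall through to false and map no email at all.` The computed key that evaluates to `null` to omit the field is idiomatic jsonnet and fine as written.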


@ -0,0 +1,31 @@
#!/bin/bash
#
# Adapted from:
# https://github.com/mrts/docker-postgresql-multiple-databases/blob/master/create-multiple-postgresql-databases.sh
set -e
set -u
function create_user_and_database() {
local database=$1
local username=$2
local password=$3
echo " Creating user '$username' and database '$database'"
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE USER "$username" WITH PASSWORD '$password';
CREATE DATABASE "$database";
GRANT ALL PRIVILEGES ON DATABASE "$database" TO "$username";
EOSQL
}
if [ -n "$POSTGRES_MULTIPLE_DATABASES" ]; then
echo "Multiple database creation requested: $POSTGRES_MULTIPLE_DATABASES"
for dbstr in $(echo $POSTGRES_MULTIPLE_DATABASES | tr ',' ' '); do
dbname=$(echo $dbstr | cut -d: -f1)
username=$(echo $dbstr | cut -d: -f2)
password=$(echo $dbstr | cut -d: -f3)
echo "Creating: db=$dbname user=$username"
create_user_and_database $dbname $username $password
done
echo "Multiple databases created"
fi
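Review bot: `create_user_and_database` interpolates `$password` straight into the SQL heredoc as `'$password'`, so a password containing a single quote breaks the statement or changes its meaning; pass it as a psql variable and let psql quote it (`-v pw="$password"` on the psql line and `:'pw'` in the `CREATE USER` statement). The unquoted expansions in `create_user_and_database $dbname $username $password` and the `$(echo $dbstr | cut …)` pipelines word-split on whitespace, and `[ -n "$POSTGRES_MULTIPLE_DATABASES" ]` aborts under `set -u` when the variable is absent instead of taking the skip path the `if` intends; `${POSTGRES_MULTIPLE_DATABASES:-}` fixes that. The rendered page drops leading whitespace, so whether the `<<-` heredoc body is tab-indented cannot be checked here, and the script's path under `./pg-init` is not shown. The rewritten lines are below; the `echo` lines and the `set` prelude are unchanged.
```shell
function create_user_and_database() {
  local database=$1
  local username=$2
  local password=$3
  # … unchanged: echo " Creating user …" …
  # pass the password as a psql variable so quotes in it cannot escape the SQL literal
  psql -v ON_ERROR_STOP=1 -v pw="$password" --username "$POSTGRES_USER" <<-EOSQL
	CREATE USER "$username" WITH PASSWORD :'pw';
	CREATE DATABASE "$database";
	GRANT ALL PRIVILEGES ON DATABASE "$database" TO "$username";
	EOSQL
}
if [ -n "${POSTGRES_MULTIPLE_DATABASES:-}" ]; then
  # … unchanged: echo "Multiple database creation requested: …" …
  for dbstr in $(echo "$POSTGRES_MULTIPLE_DATABASES" | tr ',' ' '); do
    IFS=: read -r dbname username password <<< "$dbstr"
    echo "Creating: db=$dbname user=$username"
    create_user_and_database "$dbname" "$username" "$password"
  done
  # … unchanged: echo "Multiple databases created" …
fi
```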