docker-sso/docker-compose.yml


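# This docker-compose file sets up ORY Kratos, ORY Hydra, and this app in a network and configures
# in such a way that ORY Kratos is the Login Provider for ORY Hydra.
#
# Hydra's secrets are no longer hard-coded below: they are read from the
# shell environment (or a .env file next to this compose file) through
# HYDRA_SECRETS_SYSTEM and HYDRA_PAIRWISE_SALT, and `docker-compose` refuses
# to start the hydra service while either of them is unset.
version: '3.7'
services:
  # One-shot job: runs Hydra's SQL migrations against the shared sqlite volume
  # before the hydra service starts (hydra depends_on this service).
  hydra-migrate:
    image: oryd/hydra:v1.9.0-sqlite
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
    volumes:
      - hydra-sqlite:/var/lib/sqlite
    command:
      migrate sql -e --yes
    restart: on-failure
    networks:
      - intranet
  hydra:
    image: oryd/hydra:v1.9.0-sqlite
    depends_on:
      - hydra-migrate
    expose:
      - "4444" # Public port http://hydra.server.lan
    # The admin API (4445) has no authentication of its own; publishing it on
    # the host means anything that can reach this machine can manage clients.
    ports:
      - "4445:4445" # Admin port
      - "5555:5555" # Port for hydra token user
    # --dangerous-force-http and --dangerous-allow-insecure-redirect-urls switch
    # off Hydra's HTTPS requirement for the issuer and for the two listed
    # redirect URIs; they are here only because the *.server.lan hosts in this
    # setup are served over plain http.
    command:
      serve all --sqa-opt-out --dangerous-force-http --dangerous-allow-insecure-redirect-urls "http://git.dev.server.lan/user/oauth2/hydra/callback","http://cloud.server.lan/apps/oidc_login/oidc"
    restart: on-failure # TODO figure out why we need this (incorporate health check into hydra migrate command?)
    environment:
      # Keep tokens, client secrets and similar values out of the container
      # logs; the previous value (true) wrote them in clear text.
      - LOG_LEAK_SENSITIVE_VALUES=false
      - URLS_SELF_ISSUER=http://hydra.server.lan
      - URLS_SELF_PUBLIC=http://hydra.server.lan
      - URLS_CONSENT=http://auth.server.lan/auth/hydra/consent
      - URLS_LOGIN=http://auth.server.lan/auth/hydra/login
      - URLS_LOGOUT=http://auth.server.lan/logout
      # System secret (encrypts data at rest) and pairwise-subject salt come
      # from the environment; `${VAR:?msg}` aborts startup when VAR is unset.
      - "SECRETS_SYSTEM=${HYDRA_SECRETS_SYSTEM:?HYDRA_SECRETS_SYSTEM is not set}"
      - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
      - "OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=${HYDRA_PAIRWISE_SALT:?HYDRA_PAIRWISE_SALT is not set}"
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
      - SERVE_PUBLIC_HOST=
      - PORT=4444
      - VIRTUAL_HOST=hydra.server.lan
      - VIRTUAL_PORT=4444
    networks:
      - default
      - intranet
    volumes:
      - hydra-sqlite:/var/lib/sqlite
  # Login/consent UI: talks to Hydra's admin API and Kratos' public and admin
  # APIs over the intranet network and is reached by browsers via the proxy
  # on auth.server.lan.
  kratos-selfservice-ui-node:
    build:
      context: kratos-selfservice-ui-node
      dockerfile: Dockerfile
    environment:
      - HYDRA_ADMIN_URL=http://hydra:4445
      - KRATOS_PUBLIC_URL=http://kratos:4433/
      - KRATOS_ADMIN_URL=http://kratos:4434/
      - SECURITY_MODE=standalone
      - KRATOS_BROWSER_URL=http://auth.server.lan/.ory/kratos/public
      - VIRTUAL_HOST=auth.server.lan
      - VIRTUAL_PORT=3000
    expose:
      - "3000" # http://auth.server.lan
    networks:
      - default
      - intranet
    volumes:
      - /tmp/ui-node/logs:/root/.npm/_logs
  # One-shot job: runs Kratos' SQL migrations before the kratos service starts.
  kratos-migrate:
    image: oryd/kratos:v0.5.4-alpha.1-sqlite
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
    volumes:
      - kratos-sqlite:/var/lib/sqlite
      - ./kratos:/etc/config/kratos
    command:
      -c /etc/config/kratos/.kratos.yml migrate sql -e --yes
    restart: on-failure
    networks:
      - intranet
  kratos:
    depends_on:
      - kratos-migrate
    image: oryd/kratos:v0.5.4-alpha.1-sqlite
    # Same remark as for Hydra: the admin API (4434) is published on the host
    # without authentication of its own.
    ports:
      - "4433:4433" # public
      - "4434:4434" # admin
    restart: unless-stopped
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
    # --dev relaxes Kratos' production-only checks (presumably so it accepts
    # plain-http cookies in this setup); confirm against the Kratos docs for
    # this version before reusing the flag elsewhere.
    command:
      serve -c /etc/config/kratos/.kratos.yml --dev --disable-telemetry
    volumes:
      - kratos-sqlite:/var/lib/sqlite
      - ./kratos:/etc/config/kratos
    networks:
      - intranet
  # Sending emails is not part of this demo, so this is commented out:
  #
  # mailslurper:
  #   image: oryd/mailslurper:latest-smtps
  #   ports:
  #     - "4436:4436"
  #     - "4437:4437"
  #   networks:
  #     - intranet
networks:
  # Pre-existing proxy network; override its name with NETWORK in the environment.
  default:
    external:
      name: "${NETWORK:-webservices}"
  # Internal network shared by hydra, kratos, the migrations and the UI.
  intranet:
volumes:
  kratos-sqlite:
  hydra-sqlite: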