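# This docker-compose file sets up ORY Kratos, ORY Hydra, and this app in a network
# and configures them in such a way that ORY Kratos is the Login Provider for ORY Hydra.
#
# Review notes:
#   * This is a development configuration: plain HTTP everywhere, Hydra's
#     --dangerous-* flags, Kratos' --dev mode and unredacted logging are enabled.
#   * The two Hydra secrets default to the placeholder from the original file and
#     can be overridden from the shell or an untracked .env file
#     (HYDRA_SECRETS_SYSTEM, HYDRA_PAIRWISE_SALT) so real values stay out of VCS.
#   * Images are referenced by tag; pin by digest if reproducible pulls matter.
version: '3.7'

services:
  # One-shot job: applies Hydra's SQL migrations to the shared SQLite volume.
  hydra-migrate:
    image: oryd/hydra:v1.9.0-sqlite
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
    volumes:
      - hydra-sqlite:/var/lib/sqlite
    command: migrate sql -e --yes
    restart: on-failure
    networks:
      - intranet

  hydra:
    image: oryd/hydra:v1.9.0-sqlite
    depends_on:
      - hydra-migrate
    # `expose` does not publish to the host, but both ports are reachable from
    # every container on the networks listed below. Hydra's admin API (4445)
    # has no authentication of its own, and this service is attached to the
    # shared external `default` network, so access to 4445 has to be limited
    # at the network / reverse-proxy level.
    expose:
      - "4444"  # Public port http://hydra.server.lan
      - "4445"  # Admin port
    ports:
      - "5555:5555"  # Port for hydra token user
    # --dangerous-force-http serves without TLS and
    # --dangerous-allow-insecure-redirect-urls accepts the two http:// redirect
    # URIs below; drop both once issuer and clients sit behind HTTPS.
    # NOTE(review): the trailing backslashes are not line continuations in
    # YAML; they remain in the string that Compose splits into arguments.
    # Confirm Hydra receives both flags and both URLs as intended.
    command: >-
      serve all --sqa-opt-out --dangerous-force-http \
      --dangerous-allow-insecure-redirect-urls \
      "http://git.dev.server.lan/user/oauth2/hydra/callback",\
      "http://cloud.server.lan/apps/oidc_login/oidc"
    restart: on-failure
    environment:
      # Turns off redaction of sensitive values in Hydra's logs; anything that
      # collects these logs will then hold credentials/tokens. Debugging only.
      - LOG_LEAK_SENSITIVE_VALUES=true
      # Issuer and flow URLs are plain HTTP, matching --dangerous-force-http.
      - URLS_SELF_ISSUER=http://hydra.server.lan
      - URLS_SELF_PUBLIC=http://hydra.server.lan
      - URLS_CONSENT=http://auth.server.lan/auth/hydra/consent
      - URLS_LOGIN=http://auth.server.lan/auth/hydra/login
      - URLS_LOGOUT=http://auth.server.lan/logout
      # Placeholder default kept for backward compatibility; set
      # HYDRA_SECRETS_SYSTEM before first start (the value protects data
      # stored in the hydra-sqlite volume).
      - 'SECRETS_SYSTEM=${HYDRA_SECRETS_SYSTEM:-youReallyNeedToChangeThis}'
      - OIDC_SUBJECT_IDENTIFIERS_SUPPORTED_TYPES=public,pairwise
      # Same pattern for the pairwise subject salt: override via
      # HYDRA_PAIRWISE_SALT instead of editing this file.
      - 'OIDC_SUBJECT_IDENTIFIERS_PAIRWISE_SALT=${HYDRA_PAIRWISE_SALT:-youReallyNeedToChangeThis}'
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
      - SERVE_PUBLIC_HOST=
      - PORT=4444
      # presumably read by a reverse proxy on the external network
      # (nginx-proxy style VIRTUAL_HOST/VIRTUAL_PORT) - confirm
      - VIRTUAL_HOST=hydra.server.lan
      - VIRTUAL_PORT=4444
    networks:
      - default
      - intranet
    volumes:
      - hydra-sqlite:/var/lib/sqlite

  # Login/consent UI; talks to the Hydra and Kratos admin APIs over `intranet`.
  kratos-selfservice-ui-node:
    build:
      context: kratos-selfservice-ui-node
      dockerfile: Dockerfile
    environment:
      - HYDRA_ADMIN_URL=http://hydra:4445
      - KRATOS_PUBLIC_URL=http://kratos:4433/
      - KRATOS_ADMIN_URL=http://kratos:4434/
      - SECURITY_MODE=standalone
      # Browser-facing Kratos URL is plain HTTP, so session traffic is not
      # protected in transit in this setup.
      - KRATOS_BROWSER_URL=http://auth.server.lan/.ory/kratos/public
      - VIRTUAL_HOST=auth.server.lan
      - VIRTUAL_PORT=3000
    expose:
      - "3000"  # http://auth.server.lan
    networks:
      - default
      - intranet
    volumes:
      # Host bind mount under /tmp: npm logs written by the container land in
      # a directory other local users may be able to read or pre-create.
      - /tmp/ui-node/logs:/root/.npm/_logs

  # One-shot job: applies Kratos' SQL migrations using the mounted config.
  kratos-migrate:
    image: oryd/kratos:v0.5.4-alpha.1-sqlite
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true&mode=rwc
    volumes:
      - kratos-sqlite:/var/lib/sqlite
      - ./kratos:/etc/config/kratos
    command: '-c /etc/config/kratos/.kratos.yml migrate sql -e --yes'
    restart: on-failure
    networks:
      - intranet

  # Kratos is attached to `intranet` only, so its public (4433) and admin
  # (4434) ports are not reachable from the shared external network.
  kratos:
    depends_on:
      - kratos-migrate
    image: oryd/kratos:v0.5.4-alpha.1-sqlite
    expose:
      - "4433"  # public
      - "4434"  # admin
    restart: unless-stopped
    environment:
      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
    # --dev relaxes Kratos' security defaults for local development; remove it
    # for any deployment that serves real users.
    command: serve -c /etc/config/kratos/.kratos.yml --dev --disable-telemetry
    volumes:
      - kratos-sqlite:/var/lib/sqlite
      - ./kratos:/etc/config/kratos
    networks:
      - intranet

# Sending emails is not part of this demo, so this is commented out:
#
#  mailslurper:
#    image: oryd/mailslurper:latest-smtps
#    ports:
#      - "4436:4436"
#      - "4437:4437"
#    networks:
#      - intranet

networks:
  # Pre-existing network shared with other stacks; its name comes from
  # $NETWORK and falls back to `webservices`. `external: true` plus a
  # top-level `name` replaces the `external.name` form deprecated since
  # file format 3.5.
  default:
    external: true
    name: "${NETWORK:-webservices}"
  # Private network for traffic between Hydra, Kratos and the UI.
  intranet: {}

volumes:
  kratos-sqlite: {}
  hydra-sqlite: {}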