feat(docker): install and configure kratos

docker/prod/docker-compose.yml

@@ -222,6 +222,9 @@ services:
       PORT: ${RAFIKI_FRONTEND_PORT}
       GRAPHQL_URL: ${RAFIKI_FRONTEND_GRAPHQL_URL}
       OPEN_PAYMENTS_URL: ${RAFIKI_FRONTEND_OPEN_PAYMENTS_URL}
+      KRATOS_CONTAINER_PULIC_URL: 'http://kratos:4433'
+      KRATOS_BROWSER_PUBLIC_URL: 'https://admin.rafiki.money/kratos'
+      KRATOS_ADMIN_URL: 'http://kratos:4434/admin'
     networks:
       - testnet
     restart: always
@@ -262,6 +265,19 @@ services:
     networks:
       - testnet
 
+  kratos:
+    image: 'oryd/kratos:v0.13.0'
+    privileged: true
+    ports:
+      - '4433:4433'
+    volumes:
+      - ./entrypoint.sh:/entrypoint.sh
+      - ./identity.schema.json:/etc/config/kratos/identity.schema.json
+      - ./kratos.yml:/etc/config/kratos/kratos.yml
+    entrypoint: ['/entrypoint.sh']
+    networks:
+      - testnet
+
 networks:
   testnet:
     driver: bridge

docker/prod/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+echo "Running Kratos Migrations..."
+kratos -c /etc/config/kratos/kratos.yml migrate sql -e --yes
+
+if [ "$DEV_MODE" = true ]; then
+  echo "Starting Kratos in dev mode..."
+  exec kratos serve -c /etc/config/kratos/kratos.yml --dev --watch-courier
+else
+  echo "Starting Kratos..."
+  exec kratos serve -c /etc/config/kratos/kratos.yml
+fi

docker/prod/identity.schema.json

@@ -0,0 +1,33 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Person",
+  "type": "object",
+  "properties": {
+    "traits": {
+      "type": "object",
+      "properties": {
+        "email": {
+          "type": "string",
+          "format": "email",
+          "title": "E-Mail",
+          "minLength": 3,
+          "ory.sh/kratos": {
+            "credentials": {
+              "password": {
+                "identifier": true
+              }
+            },
+            "verification": {
+              "via": "email"
+            },
+            "recovery": {
+              "via": "email"
+            }
+          }
+        }
+      },
+      "required": ["email"],
+      "additionalProperties": false
+    }
+  }
+}

docker/prod/kratos.yml

@@ -0,0 +1,91 @@
+version: v0.13.0
+
+dsn: postgres://kratos:kratos@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
+
+serve:
+  public:
+    base_url: https://admin.rafiki.money/kratos
+    cors:
+      enabled: true
+  admin:
+    base_url: http://cloud-nine-kratos:4434/
+
+selfservice:
+  default_browser_return_url: https://admin.rafiki.money/
+  allowed_return_urls:
+    - https://admin.rafiki.money
+
+  methods:
+    link:
+      config:
+        lifespan: 1h
+        base_url: https://admin.rafiki.money/kratos
+      enabled: true
+    password:
+      enabled: true
+
+  flows:
+    error:
+      ui_url: https://admin.rafiki.money/error
+
+    settings:
+      ui_url: https://admin.rafiki.money/settings
+      privileged_session_max_age: 15m
+      required_aal: highest_available
+
+    recovery:
+      enabled: true
+      ui_url: https://admin.rafiki.money/auth/recovery
+      use: link
+      after:
+        hooks:
+          - hook: revoke_active_sessions
+
+    verification:
+      enabled: false
+
+    logout:
+      after:
+        default_browser_return_url: https://admin.rafiki.money/auth
+
+    login:
+      ui_url: https://admin.rafiki.money/auth/login
+      lifespan: 10m
+
+    registration:
+      enabled: false
+
+log:
+  level: debug
+  format: json
+  leak_sensitive_values: true
+
+secrets:
+  cookie:
+    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
+  cipher:
+    - 32-LONG-SECRET-NOT-SECURE-AT-ALL
+
+ciphers:
+  algorithm: xchacha20-poly1305
+
+hashers:
+  algorithm: bcrypt
+  bcrypt:
+    cost: 8
+
+identity:
+  schemas:
+    - id: default
+      url: file:///etc/config/kratos/identity.schema.json
+
+courier:
+  smtp:
+    connection_uri: smtps://test:test@mailslurper:1025/?skip_ssl_verify=true
+
+session:
+  lifespan: 1h
+  cookie:
+    persistent: false
+    same_site: Strict
+    path: /